iccupop
just joined
Topic Author
Posts: 7
Joined: Sun Apr 30, 2023 3:04 am

unable to access second router from first router

Sun Apr 30, 2023 3:51 am

I can usually eventually figure out what I want to do with RouterOS but I'm at a loss now. I had a router connected successfully to my telco router for years where I have wired and wireless devices on a "trusted" subnet (172.16.0.1/24) and a couple "untrusted" virtual wifi subnets (172.16.0.4/24 172.16.0.5/24). Recently I bought another router with faster wifi and pulled some cat6 from the attic down to the first floor to 1) extend the wifi range to a certain area and 2) allow wired Gbit to a "trusted" device (we'll call him bob) on the 172.16.0.1/24 network that was previously only on the original router (R1) wireless. So now I have:

telco <-> R1 <-> R2

R1 gets an IP from the telco router via dhcp on eth1. eth2-5 are bridged on 172.16.0.1/24 along with wlan1. There are two virtual wlans of 172.16.0.4/24 and 172.16.0.5/24 which are untrusted and don't need to access anything on 172.16.0.1/24 and vice-versa. eth5 is connected to R2 eth1.

R2 has a static IP of 172.16.0.2 on eth1. eth2 is connected to the trusted device (bob, now getting 172.16.100.2) on a bridge with wlan1 of R2 with address 172.16.100.0/24. There is a virtual wlan on another bridge on R2 with address 172.16.104.0/24 which only needs internet access and not access to any other subnet.

I have things mostly working. All the subnets have internet access and the untrusted subnets can't access any of the routers including the telco router or each other. The trusted devices on R2 are also able to access devices on the trusted subnet on R1. The problem is none of the trusted devices on R1 can access anything on R2. I can ping 172.16.0.2 from 172.16.0.1/24 obviously but not 172.16.100.1 or 172.16.100.2. I can only reach the router config on R2 from R1 if I use 172.16.0.2.

I first started putting R2 in bridge mode so that bob would get a 172.16.0.1/24 address which is ideal because I need samba access to it as well as some other port forwarding on R1. For some reason I could never get the virtual wlan with address 172.16.104.1/24 to access the internet in this configuration. I convinced myself this was impossible because I was trying to do L3 like routing on L2 bridges on R2. I realize switching to router behind router isn't ideal because of double-nat (not sure exactly why but I hear it all the time) and yes I realize vlan is sexy but I'm just looking for functionality at this point. I don't have the time or patience to convert both routers to vlans. I feel like what I have should work at this point but I seem to be missing some last detail. Here are the meaningful parts of the configs.

R1 config:
# apr/29/2023 18:18:50 by RouterOS 6.33.3
# software id = 0S1K-08QJ
#
/interface bridge
add name=bridge-local

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
set [ find default-name=ether6 ] master-port=ether2-master-local name=\
    ether6-slave-local

/interface wireless manual-tx-power-table
set wlan1 comment="physical wireless interface and lan master"

/ip pool
add name=dhcp ranges=172.16.0.32-172.16.0.254
add name=guest-tv ranges=172.16.4.32-172.16.4.254
add name=guest-wireless ranges=172.16.5.2-172.16.5.254

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=\
    3d10m name=default
add address-pool=guest-tv disabled=no interface=wlan-tv lease-time=15m \
    name=guest-tv
add address-pool=guest-wireless disabled=no interface=wlan-guest \
    lease-time=30m name=guest-wireless

/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1

/ip address
add address=172.16.0.1/24 comment="default configuration" interface=\
    ether2-master-local network=172.16.0.0
add address=172.16.0.10/22 disabled=yes interface=ether1-gateway \
    network=172.16.0.0
add address=172.16.4.1/24 interface=wlan-tv network=172.16.4.0
add address=172.16.5.1/24 interface=wlan-guest network=172.16.5.0

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid \
    disabled=no interface=ether1-gateway use-peer-dns=no
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.0.1 \
    netmask=24
add address=172.16.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.4.1 \
    netmask=24
add address=172.16.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.5.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=172.16.1.1 name=router
/ip firewall address-list
add address=172.16.0.0/24 comment="home lan" list="internal trusted"
add address=172.16.4.0/24 comment="TVs and STB wireless" list=\
    "untrusted devices"
add address=172.16.5.0/24 comment="guest wireless" list=\
    "untrusted devices"
add address=172.16.104.0/24 comment="5G wifi on downstairs router" \
    list="untrusted devices"
add address=172.16.100.0/24 comment="2nd router trusted" list=\
    "internal trusted"

/ip firewall filter
add chain=input comment="default configuration - allow all icmp" \
    disabled=yes protocol=icmp
add chain=input comment=\
    "default configuration - accept established/related" \
    connection-state=established,related log-prefix=in-esr
add action=drop chain=input comment="drop invalid connections" \
    connection-state=invalid
add chain=input comment="accept from internal trusted to router - allow \
    router config only from trusted devices" log-prefix="[cfg]" \
    src-address-list="internal trusted"
add chain=input comment="accept from internal untrusted to router - don'\
    t enable this or untrusted devices will have access to router config\
    " disabled=yes src-address-list="untrusted devices"
add action=drop chain=input comment="drop all other input connections" \
    log-prefix="[drop in]"
add action=fasttrack-connection chain=forward comment=\
    "default configuration" connection-state=established,related
add chain=forward comment=\
    "default configuration - accept established/related" \
    connection-state=established,related
add action=drop chain=forward comment=\
    "default configuration - drop invalid forward" connection-state=\
    invalid
add chain=forward comment="accept internal trusted" log-prefix="[fwd]" \
    out-interface=ether1-gateway src-address-list="internal trusted"
add chain=forward comment=\
    "accept untrusted devices to everything on eth1-gateway but modem" \
    dst-address=!192.168.100.1 out-interface=ether1-gateway \
    src-address-list="untrusted devices"
add action=drop chain=forward comment=\
    "drop all other forward connections" log-prefix="[drop fwd]"

/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "default configuration ;; router nat to gateway" log-prefix="[NAT]" \
    out-interface=ether1-gateway

/ip route
add disabled=yes distance=1 gateway=172.16.0.1
add distance=1 dst-address=172.16.100.0/24 gateway=ether5-slave-local \
    pref-src=172.16.100.1
add disabled=yes distance=1 dst-address=172.16.104.0/24 gateway=\
    ether5-slave-local
    
R2 config:
# apr/29/2023 18:43:56 by RouterOS 7.6
# software id = 1VR7-FHFT

/interface bridge
add comment=defconf name=bridge-local
add name=bridge-wlan1-tv

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp-local ranges=172.16.100.2-172.16.100.254
add name=dhcp-wlan1-tv ranges=172.16.104.2-172.16.104.254

/ip dhcp-server
add address-pool=dhcp-local authoritative=after-2sec-delay interface=bridge-local name=dhcp-local
add address-pool=dhcp-wlan1-tv interface=bridge-wlan1-tv name=dhcp-wlan1-tv

/interface bridge port
add bridge=bridge-local comment=defconf interface=ether2
add bridge=bridge-local comment=defconf interface=ether3
add bridge=bridge-local comment=defconf interface=ether4
add bridge=bridge-local comment=defconf interface=ether5
add bridge=bridge-local comment=defconf interface=ether6
add bridge=bridge-local comment=defconf interface=ether7
add bridge=bridge-local comment=defconf interface=ether8
add bridge=bridge-local comment=defconf interface=ether9
add bridge=bridge-local comment=defconf interface=ether10
add bridge=bridge-local comment=defconf interface=sfp-sfpplus1
add bridge=bridge-local comment=defconf interface=wlan1
add bridge=bridge-local comment=defconf interface=wlan2
add bridge=bridge-wlan1-tv interface=wlan1-tv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1-gateway list=WAN
add interface=bridge-wlan1-tv list=LAN

/ip address
add address=172.16.100.1/24 interface=bridge-local network=172.16.100.0
add address=172.16.104.1/24 interface=bridge-wlan1-tv network=172.16.104.0
add address=172.16.0.2/24 interface=ether1-gateway network=172.16.0.0

/ip dhcp-server network
add address=172.16.100.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=172.16.100.1 netmask=24
add address=172.16.104.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.104.1

/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.16.100.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.0.0/24 list="trusted home LAN"
add address=172.16.104.0/24 comment="untrused wifi" list=wlan1-tv
add address=192.168.100.1 comment="telco router" list="restricted addresses"
add address=172.16.0.1 comment="upstairs router" list="restricted addresses"
add address=172.16.100.0/24 comment="2nd level trusted lan subnet" list="trusted home LAN"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked log-prefix="[acc]"
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="only accept input from local bridge" in-interface=bridge-local
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=accept chain=input comment="accept from 1st level trusted lan" disabled=yes dst-address=172.16.100.0/24 src-address=172.16.0.0/24
add action=accept chain=input comment="allow trusted lan connections to this router config" dst-address-type=local in-interface-list=WAN log-prefix="[cfg]" src-address-list=\
    "trusted home LAN"
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="forward local trusted" out-interface=ether1-gateway src-address-list="trusted home LAN"
add action=accept chain=forward comment="forward anything from untrusted wifi except to the telco router" dst-address-list="!restricted addresses" in-interface=bridge-wlan1-tv \
    out-interface=ether1-gateway
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.1 pref-src="" routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: unable to access second router from first router

Wed May 03, 2023 12:37 pm

6.33.3?

Upgrade to 6.48.6.
 
iccupop
just joined
Topic Author
Posts: 7
Joined: Sun Apr 30, 2023 3:04 am

Re: unable to access second router from first router

Sun May 21, 2023 4:50 am

>> I first started putting R2 in bridge mode so that bob would get a 172.16.0.1/24 address which is ideal because I need samba access to it as well as some other port forwarding on R1. For some reason I could never get the virtual wlan with address 172.16.104.1/24 to access the internet in this configuration.

I was able to eventually get this to work in bridge mode (without upgrading FW) based on something I saw in another thread. On R2 I added a default route dest 0.0.0.0/0 with gateway 172.16.0.1. The routes on R2 now look like:

# DST-ADDRESS GATEWAY DISTANCE
0 As 0.0.0.0/0 172.16.0.1 1
DAc 172.16.0.0/24 bridge-local 0
DAc 172.16.104.0/24 bridge-wlan1-tv 0

And on R1:

0 ADS 0.0.0.0/0 <WAN IP> 1
1 X S 0.0.0.0/0 172.16.0.1 1
2 ADC <WAN range> <WAN IP> ether1-gateway 0
3 ADC 172.16.0.0/24 172.16.0.1 bridge-local 0
4 ADC 172.16.4.0/24 172.16.4.1 wlan-tv 0
5 A S 172.16.104.0/24 172.16.0.2 1

I've tested that all the untrusted subnets can not access trusted ones and everyone has internet access. Good. Now I have a new problem...

I have a PLEX server running on 172.16.0.14 which I can successfully access from PLEX apps on both 172.16.0.0/24 (trusted) and 172.16.4.0/24 (untrusted) on R1. I'm unable to access the server from PLEX apps on 172.16.104.0/24 on R2.

I have a forward chain rule on R1 that allows 172.16.4.0/24 to 172.16.0.14. I added 172.16.104.0/24 to that rule and I can see traffic going out of R2 and coming into R1 but then gets dropped by the invalid forward rule on R1.

R2-plex forward: in:bridge-wlan1-tv out:bridge-local, connection-state:new, proto TCP (SYN), 172.16.104.3:38694->172.16.0.14:32400, len 60
R1-inv forward: in:bridge-local out:bridge-local, proto TCP (SYN,ACK), 172.16.0.14:32400->172.16.104.3:38694, len 60

I'm struggling to understand why 172.16.4.0/24 on R1 can access the server but 172.16.104.0/24 on R2 can not. Am I missing a dst-nat on R2? I don't specifically have any dst rule on R1 other than the forward rule to 172.16.0.14 yet 172.16.4.0/24 can access the server just fine.

16 ;;; accept 32400 from wireless tv for plex
chain=forward action=accept protocol=tcp dst-address=172.16.0.14
src-address-list=plex allowed dst-port=32400 log=no log-prefix=""
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: unable to access second router from first router

Sun May 21, 2023 4:15 pm

Detailed Diagram................
 
iccupop
just joined
Topic Author
Posts: 7
Joined: Sun Apr 30, 2023 3:04 am

Re: unable to access second router from first router

Sun May 21, 2023 8:45 pm

To be clear, I'm not interested in allowing remote access to PLEX server. Only trying to get internal clients on the 172.16.104.x subnet to see it and connect.
homenet.png
 
iccupop
just joined
Topic Author
Posts: 7
Joined: Sun Apr 30, 2023 3:04 am

Re: unable to access second router from first router

Wed Jul 05, 2023 1:40 am

Still trying to get this working. Here are the firewall rules on R1. When the plex clients on R2 wireless try to discover the plex server on R1 it hits the invalid forward rule with log-prefix=inv.

Here is the log message from R2 which shows the client 172.16.104.3 when I tell it to connect to the server:
Message plex forward: in:bridge-wlan1-tv out:bridge-local, connection-state:new src-mac 84:ea:ed:a8:8d:c8, proto TCP (SYN), 172.16.104.3:34534->172.16.0.14:32400, len 60

And here is the invalid forward rule on R1 logged:
Message inv forward: in:bridge-local out:bridge-local, src-mac b4:2e:99:eb:5b:0e, proto TCP (SYN,ACK), 172.16.0.14:32400->172.16.104.3:34534, len 60
/ip firewall address-list
add address=172.16.0.0/24 comment="home lan" list="internal trusted"
add address=172.16.4.0/24 comment="TVs and STB wireless" list="untrusted devices"
add address=172.16.104.0/24 comment="5G wifi on downstairs router" list="untrusted devices"
add address=172.16.4.0/24 comment="wireless tvs on upstairs radio" list="plex allowed"
add address=172.16.104.0/24 comment="wireless tvs on downstairs radio" list="plex allowed"

/ip firewall filter
add chain=input comment="default configuration - allow all icmp" disabled=yes protocol=icmp
add chain=input comment="default configuration - accept established/related" connection-state=established,related log-prefix=in-esr
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="accept from internal trusted to router - allow router config only from trusted devices" log-prefix="[cfg]" \
    src-address-list="internal trusted"
add chain=input comment="accept from internal untrusted to router - don't enable this or untrusted devices will have access to router config" \
    disabled=yes src-address-list="untrusted devices"
add action=drop chain=input comment="drop all other input connections" log-prefix="[drop in]"
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration - accept established/related" connection-state=established,related
add action=drop chain=forward comment="default configuration - drop invalid forward" connection-state=invalid log-prefix=inv
add chain=forward comment="accept internal trusted" log-prefix="[fwd]" out-interface=ether1-gateway src-address-list="internal trusted"
add chain=forward comment="accept untrusted devices to everything on eth1-gateway but modem" dst-address=!192.168.1.254 out-interface=ether1-gateway \
    src-address-list="untrusted devices"
add chain=forward comment="forward web and squeeze to wunderbox from tablet" dst-address=172.16.0.14 dst-port=80 protocol=tcp src-address=\
    172.16.4.0/24
add chain=forward dst-address=172.16.0.14 dst-port=443 protocol=tcp src-address=172.16.4.0/24
add chain=forward dst-address=172.16.0.14 dst-port=9000 protocol=tcp src-address=172.16.4.0/24
add chain=forward comment="accept 32400 on htpc from wireless tv for plex" dst-address=172.16.0.36 dst-port=32400 protocol=tcp src-address-list=\
    "plex allowed"
add chain=forward dst-address=172.16.0.14 dst-port=32400 protocol=tcp src-address-list="plex allowed"
add chain=forward comment="print from vlan gwtv" dst-address=172.16.0.35 dst-port=137 protocol=udp src-address=172.16.4.0/24
add chain=forward dst-address=172.16.0.35 dst-port=161 protocol=udp src-address=172.16.4.0/24
add chain=forward comment="allow dst-nat forwarding to wunderbox" connection-nat-state=dstnat dst-address=172.16.0.14
add action=drop chain=forward comment="drop all other forward connections" log-prefix="[drop fwd]"

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration ;; router nat to gateway" log-prefix="[NAT]" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="http/https hairpin nat for LAN" dst-address=172.16.0.14 dst-port=443 log-prefix="[HP]" out-interface=\
    bridge-local protocol=tcp src-address=172.16.0.0/16
add action=masquerade chain=srcnat dst-address=172.16.0.14 dst-port=80 out-interface=bridge-local protocol=tcp src-address=172.16.0.0/16
add action=masquerade chain=srcnat comment="hairpin for tablet" dst-address=172.16.0.14 dst-port=80 out-interface=wlan-tv protocol=tcp src-address=\
    172.16.4.0/24
add action=masquerade chain=srcnat dst-address=172.16.0.14 dst-port=443 out-interface=wlan-tv protocol=tcp src-address=172.16.4.0/24
add action=dst-nat chain=dstnat comment="port forwarding to wunderbox from internal ;; this works because of dst addr type local" dst-address=\
    !172.16.0.0/16 dst-address-type=local dst-port=443 in-interface=bridge-local log-prefix="[lan dst]" protocol=tcp src-address=172.16.0.0/16 \
    to-addresses=172.16.0.14
add action=dst-nat chain=dstnat dst-address=!172.16.0.0/16 dst-address-type=local dst-port=80 in-interface=bridge-local protocol=tcp src-address=\
    172.16.0.0/16 to-addresses=172.16.0.14
add action=dst-nat chain=dstnat comment="port forwarding to wunderbox from tablet" dst-address=!172.16.4.0/24 dst-address-type=local dst-port=80 \
    in-interface=wlan-tv protocol=tcp src-address=172.16.4.0/24 to-addresses=172.16.0.14
add action=dst-nat chain=dstnat dst-address=!172.16.4.0/24 dst-address-type=local dst-port=443 in-interface=wlan-tv protocol=tcp src-address=\
    172.16.4.0/24 to-addresses=172.16.0.14
add action=dst-nat chain=dstnat comment="port forwarding to plex server from fast wireless" dst-address=!172.16.104.0/24 dst-address-type=local \
    dst-port=32400 in-interface=bridge-local protocol=tcp src-address=172.16.104.0/24 to-addresses=172.16.0.14
add action=dst-nat chain=dstnat comment="port forwarding to wunderbox from external" dst-address-type=local dst-port=443 in-interface=ether1-gateway \
    protocol=tcp to-addresses=172.16.0.14
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=172.16.0.14
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: unable to access second router from first router

Wed Jul 05, 2023 2:18 am

Don't understand your setup, if router1 is connected to the internet, why is router2 simply not setup as a switch?
 
iccupop
just joined
Topic Author
Posts: 7
Joined: Sun Apr 30, 2023 3:04 am

Re: unable to access second router from first router

Sun Jul 09, 2023 12:26 am

It is now. I couldn't get bridge mode to work on R2 initially and the original post was when I gave up and tried router behind router. I eventually switched back to bridge mode and eventually was able to get all subnets to talk to the internet while having them all isolated from each other. The only problem I have now is that the wireless devices on R2 are unable to access the plex server on R1.

This is what is confusing me. If R2 is just a switch then the firewall rules on R1 should work for both the 172.16.4.x wireless clients and the 172.16.104.x wireless clients just the same. Or that's what I thought. For some reason 172.16.4.x works and 172.16.104.x doesn't.
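Added example (not code from the thread or from MikroTik): a small Python model of the bridge-mode topology the poster describes, used to replay the Plex handshake for an upstairs client (172.16.4.x, routed by R1) and a downstairs client (172.16.104.x, routed by R2). It serves both the route-table post and the log-trace post above. Addresses and routes are taken from the posted configs and route listings; the connection tracker is a deliberate simplification of RouterOS conntrack (assumption): a SYN opens state, and any other TCP packet that matches no state is "invalid", which is what R1's "drop invalid forward" rule acts on. The model reproduces what the two logs show: R2 forwards the SYN straight out bridge-local to 172.16.0.14 because that subnet is directly connected, so R1 never sees the SYN, and the only packet R1 sees is the SYN,ACK that 172.16.0.14 sends to its default gateway.

```python
"""Replay the Plex TCP handshake across the two-router topology from this thread.

Added example, not code from the thread. Topology (from the posts):
  R1   bridge-local 172.16.0.1/24, wlan-tv 172.16.4.1/24,
       static route 172.16.104.0/24 via 172.16.0.2
  R2   bridge-local 172.16.0.2/24 (same L2 segment as R1's bridge-local),
       bridge-wlan1-tv 172.16.104.1/24, default route via 172.16.0.1
  plex 172.16.0.14/24, default gateway 172.16.0.1
Conntrack here is a simplified stand-in for RouterOS behaviour (assumption).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network

NODES = {}  # ip string -> Node that owns that address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN" or "SYN,ACK"

    def key(self):
        # Direction-independent 4-tuple, the way a connection tracker keys a flow.
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))


class Node:
    def __init__(self, name, addresses, routes=(), default=None, stateful=False):
        self.name = name
        self.addrs = [ip_interface(a) for a in addresses]
        self.routes = [(ip_network(n), nh) for n, nh in routes]
        self.default = default
        self.stateful = stateful  # routers run the stateful filter; hosts do not
        self.conntrack = set()
        for a in self.addrs:
            NODES[str(a.ip)] = self

    def owns(self, ip):
        return any(ip_address(ip) == a.ip for a in self.addrs)

    def next_hop(self, dst):
        """Connected network first, then longest static prefix, then default."""
        d = ip_address(dst)
        if any(d in a.network for a in self.addrs):
            return dst  # on-link: delivered directly, no router in the path
        matches = [(n, nh) for n, nh in self.routes if d in n]
        if matches:
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        return self.default

    def filter(self, pkt):
        """Minimal conntrack: a SYN creates state; anything else must match state."""
        if not self.stateful:
            return "accept"
        if pkt.flags == "SYN":
            self.conntrack.add(pkt.key())
            return "new"
        return "established" if pkt.key() in self.conntrack else "invalid"


def trace(pkt, origin):
    """Hop-by-hop path of pkt from origin: (delivered, [(node, verdict), ...])."""
    path, node = [], origin
    for _ in range(8):  # hop limit guards against a routing loop in the model
        nh = node.next_hop(pkt.dst)
        if nh is None or nh not in NODES:
            path.append((node.name, "no route"))
            return False, path
        nxt = NODES[nh]
        if nxt.owns(pkt.dst):
            path.append((nxt.name, "delivered"))
            return True, path
        verdict = nxt.filter(pkt)
        path.append((nxt.name, verdict))
        if verdict == "invalid":
            return False, path  # the "drop invalid forward" rule fires here
        node = nxt
    return False, path


def build_topology():
    NODES.clear()
    r1 = Node("R1", ["172.16.0.1/24", "172.16.4.1/24"],
              routes=[("172.16.104.0/24", "172.16.0.2")], stateful=True)
    r2 = Node("R2", ["172.16.0.2/24", "172.16.104.1/24"],
              default="172.16.0.1", stateful=True)
    plex = Node("plex", ["172.16.0.14/24"], default="172.16.0.1")
    tv_r1 = Node("tv-upstairs", ["172.16.4.3/24"], default="172.16.4.1")
    tv_r2 = Node("tv-downstairs", ["172.16.104.3/24"], default="172.16.104.1")
    return {"r1": r1, "r2": r2, "plex": plex, "tv_r1": tv_r1, "tv_r2": tv_r2}


def handshake(client, sport=34534):
    """Send SYN from the named client to Plex and the SYN,ACK back; return traces."""
    t = build_topology()
    c = t[client]
    cip = str(c.addrs[0].ip)
    syn = Packet(cip, "172.16.0.14", sport, 32400, "SYN")
    synack = Packet("172.16.0.14", cip, 32400, sport, "SYN,ACK")
    ok_fwd, fwd = trace(syn, c)
    ok_back, back = trace(synack, t["plex"])
    return ok_fwd and ok_back, fwd, back


if __name__ == "__main__":
    for client in ("tv_r1", "tv_r2"):
        ok, fwd, back = handshake(client)
        print(client, "OK" if ok else "FAILS", fwd, back)
```

Running it prints one working handshake for the upstairs client (R1 sees both the SYN and the SYN,ACK) and one failing handshake for the downstairs client, whose SYN,ACK reaches R1 with no matching state and is classed invalid. The model only shows why the two subnets behave differently; it does not decide how to make the path symmetric.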
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: unable to access second router from first router

Sun Jul 09, 2023 3:07 am

Please post both configs less router serial numbers and any public WAN IP info.
I will ensure that they work together. Part configs don't help by the way.
 
iccupop
just joined
Topic Author
Posts: 7
Joined: Sun Apr 30, 2023 3:04 am

Re: unable to access second router from first router

Sun Jul 16, 2023 8:03 pm

Thanks for the help! My guess is from your previous reply my problem is likely going to be on R2 but maybe more than one issue :( Here is R1:
/interface bridge
add admin-mac=----------------- auto-mac=no name=bridge-local
add name=bridge-pool
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce comment="physical wireless interface and lan master" \
    default-authentication=no disabled=no distance=indoors frequency=\
    auto hide-ssid=yes mode=ap-bridge ssid=------- wireless-protocol=\
    802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
set [ find default-name=ether6 ] master-port=ether2-master-local name=\
    ether6-slave-local
set [ find default-name=ether7 ] name=ether7-master-pool
set [ find default-name=ether8 ] master-port=ether7-master-pool name=\
    ether8-slave-pool
set [ find default-name=sfp1 ] disabled=yes master-port=\
    ether2-master-local name=sfp1-slave-local
/interface wireless manual-tx-power-table
set wlan1 comment="physical wireless interface and lan master"
/interface wireless nstreme
set wlan1 comment="physical wireless interface and lan master" \
    enable-polling=no
/ip neighbor discovery
set ether1-gateway discover=no
set wlan1 comment="physical wireless interface and lan master"
/interface wireless
add comment="guest wireless" default-forwarding=no hide-ssid=yes \
    mac-address=----------------- master-interface=wlan1 name=\
    wlan-guest security-profile=guest-wireless ssid=-------- vlan-id=2 \
    vlan-mode=use-tag
add comment="TVs and set top boxes" default-authentication=no \
    default-forwarding=no disabled=no hide-ssid=yes mac-address=\
    ----------------- master-interface=wlan1 max-station-count=5 name=\
    wlan-tv security-profile=guest-tv ssid=------- vlan-mode=use-tag \
    wds-cost-range=0-4294967295 wds-default-cost=0
/interface wireless manual-tx-power-table
set wlan-guest comment="guest wireless"
set wlan-tv comment="TVs and set top boxes"
/interface wireless nstreme
set *F comment="guest wireless"
set *D comment="TVs and set top boxes"
/ip neighbor discovery
set wlan-guest comment="guest wireless"
set wlan-tv comment="TVs and set top boxes"
/ip pool
add name=dhcp ranges=172.16.0.32-172.16.0.254
add name=guest-tv ranges=172.16.4.32-172.16.4.254
add name=guest-wireless ranges=172.16.5.2-172.16.5.254
add name=guest-pool ranges=172.16.7.32-172.16.7.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=\
    3d10m name=default
add address-pool=guest-tv disabled=no interface=wlan-tv lease-time=15m \
    name=guest-tv
add address-pool=guest-wireless disabled=no interface=wlan-guest \
    lease-time=30m name=guest-wireless
add address-pool=guest-pool disabled=no interface=bridge-pool \
    lease-time=3d10m name=guest-pool
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-pool interface=ether7-master-pool
/ip address
add address=172.16.0.1/24 comment="default configuration" interface=\
    ether2-master-local network=172.16.0.0
add address=172.16.4.1/24 interface=wlan-tv network=172.16.4.0
add address=172.16.5.1/24 interface=wlan-guest network=172.16.5.0
add address=172.16.7.1/24 interface=ether7-master-pool network=\
    172.16.7.0
add address=192.168.1.65/24 interface=ether1-gateway network=\
    192.168.1.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid \
    disabled=no interface=ether1-gateway use-peer-dns=no
/ip dhcp-server lease
add address=172.16.7.254 comment="Pool static IP" mac-address=\
    ----------------- server=guest-pool
add address=172.16.0.35 client-id=------------------- comment=\
    "Printer Static IP" mac-address=----------------- server=default
add address=172.16.0.36 client-id=------------------- comment=\
    "static ip for htpc 0.36" mac-address=----------------- server=\
    default
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=-------,------- gateway=172.16.0.1 \
    netmask=24
add address=172.16.4.0/24 dns-server=-------,------- gateway=172.16.4.1 \
    netmask=24
add address=172.16.5.0/24 dns-server=-------,------- gateway=172.16.5.1
add address=172.16.7.0/24 dns-server=-------,------- gateway=172.16.7.1
add address=172.16.104.0/24 dns-server=-------,------- gateway=\
    172.16.104.1
/ip dns
set allow-remote-requests=yes servers=-------,-------
/ip dns static
add address=172.16.1.1 name=router
/ip firewall address-list
add address=172.16.0.0/24 comment="home lan" list="internal trusted"
add address=172.16.4.0/24 comment="TVs and STB wireless" list=\
    "untrusted devices"
add address=172.16.5.0/24 comment="guest wireless" list=\
    "untrusted devices"
add address=172.16.7.0/24 comment="Pool swubnet" list=\
    "untrusted devices"
add address=172.16.104.0/24 comment="5G wifi on downstairs router" \
    list="untrusted devices"
add address=172.16.100.0/24 comment="2nd router trusted" disabled=yes \
    list="internal trusted"
add address=172.16.4.0/24 comment="wireless tvs on upstairs radio" \
    list="plex allowed"
add address=172.16.104.0/24 comment="wireless tvs on downstairs radio" \
    list="plex allowed"
/ip firewall filter
add chain=input comment="default configuration - allow all icmp" \
    disabled=yes protocol=icmp
add chain=input comment=\
    "default configuration - accept established/related" \
    connection-state=established,related log-prefix=in-esr
add action=drop chain=input comment="drop invalid connections" \
    connection-state=invalid
add chain=input comment="accept from internal trusted to router - allow \
    router config only from trusted devices" log-prefix="[cfg]" \
    src-address-list="internal trusted"
add chain=input comment="accept from internal untrusted to router - don'\
    t enable this or untrusted devices will have access to router config\
    " disabled=yes src-address-list="untrusted devices"
add action=drop chain=input comment="drop all other input connections" \
    log-prefix="[drop in]"
add action=fasttrack-connection chain=forward comment=\
    "default configuration" connection-state=established,related
add chain=forward comment=\
    "default configuration - accept established/related" \
    connection-state=established,related
add action=drop chain=forward comment=\
    "default configuration - drop invalid forward" connection-state=\
    invalid log-prefix=inv
add chain=forward comment="accept internal trusted" log-prefix="[fwd]" \
    out-interface=ether1-gateway src-address-list="internal trusted"
add chain=forward comment=\
    "accept untrusted devices to everything on eth1-gateway but modem" \
    dst-address=!192.168.1.254 out-interface=ether1-gateway \
    src-address-list="untrusted devices"
add chain=forward comment=\
    "forward web and squeeze to wunderbox from tablet" dst-address=\
    172.16.0.14 dst-port=80 protocol=tcp src-address=172.16.4.0/24
add chain=forward dst-address=172.16.0.14 dst-port=443 protocol=tcp \
    src-address=172.16.4.0/24
add chain=forward dst-address=172.16.0.14 dst-port=9000 protocol=tcp \
    src-address=172.16.4.0/24
add chain=forward comment=\
    "accept 32400 on htpc from wireless tv for plex" dst-address=\
    172.16.0.36 dst-port=32400 protocol=tcp src-address-list=\
    "plex allowed"
add chain=forward dst-address=172.16.0.14 dst-port=32400 protocol=tcp \
    src-address-list="plex allowed"
add chain=forward comment=\
    "untrusted -> trusted plex - this doesn't appear to be needed" \
    disabled=yes dst-address=172.16.4.0/24 protocol=tcp src-address=\
    172.16.0.0/24 src-port=32400
add chain=forward comment="allow dst-nat forwarding to wunderbox" \
    connection-nat-state=dstnat dst-address=172.16.0.14
add chain=forward comment="allow dst-nat for pool" \
    connection-nat-state=dstnat disabled=yes dst-address=172.16.7.254
add action=drop chain=forward comment=\
    "drop all other forward connections" log-prefix="[drop fwd]"
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "default configuration ;; router nat to gateway" log-prefix="[NAT]" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=\
    "http/https hairpin nat for LAN" dst-address=172.16.0.14 dst-port=\
    443 log-prefix="[HP]" out-interface=bridge-local protocol=tcp \
    src-address=172.16.0.0/16
add action=masquerade chain=srcnat dst-address=172.16.0.14 dst-port=80 \
    out-interface=bridge-local protocol=tcp src-address=172.16.0.0/16
add action=masquerade chain=srcnat comment="hairpin for plex" \
    dst-address=172.16.0.14 dst-port=32400 out-interface=bridge-local \
    protocol=tcp src-address=172.16.104.0/24
add action=masquerade chain=srcnat comment="hairpin for tablet" \
    dst-address=172.16.0.14 dst-port=80 out-interface=wlan-tv protocol=\
    tcp src-address=172.16.4.0/24
add action=masquerade chain=srcnat dst-address=172.16.0.14 dst-port=443 \
    out-interface=wlan-tv protocol=tcp src-address=172.16.4.0/24
add action=dst-nat chain=dstnat comment="port forwarding to wunderbox fr\
    om internal ;; this works because of dst addr type local" \
    dst-address=!172.16.0.0/16 dst-address-type=local dst-port=443 \
    in-interface=bridge-local log-prefix="[lan dst]" protocol=tcp \
    src-address=172.16.0.0/16 to-addresses=172.16.0.14
add action=dst-nat chain=dstnat dst-address=!172.16.0.0/16 \
    dst-address-type=local dst-port=80 in-interface=bridge-local \
    protocol=tcp src-address=172.16.0.0/16 to-addresses=172.16.0.14
add action=dst-nat chain=dstnat comment=\
    "port forwarding to wunderbox from tablet" dst-address=\
    !172.16.4.0/24 dst-address-type=local dst-port=80 in-interface=\
    wlan-tv protocol=tcp src-address=172.16.4.0/24 to-addresses=\
    172.16.0.14
add action=dst-nat chain=dstnat dst-address=!172.16.4.0/24 \
    dst-address-type=local dst-port=443 in-interface=wlan-tv protocol=\
    tcp src-address=172.16.4.0/24 to-addresses=172.16.0.14
add action=dst-nat chain=dstnat comment=\
    "port forwarding to plex server from fast wireless" dst-address=\
    !172.16.104.0/24 dst-address-type=local dst-port=32400 \
    in-interface=bridge-local protocol=tcp src-address=172.16.104.0/24 \
    to-addresses=172.16.0.14
add action=dst-nat chain=dstnat comment=\
    "port forwarding to wunderbox from external" dst-address-type=local \
    dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=\
    172.16.0.14
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 \
    in-interface=ether1-gateway protocol=tcp to-addresses=172.16.0.14
add action=dst-nat chain=dstnat disabled=yes dst-port=22 in-interface=\
    ether1-gateway protocol=tcp to-addresses=172.16.0.13
/ip route
add disabled=yes distance=1 gateway=172.16.0.1
add disabled=yes distance=1 dst-address=172.16.100.0/24 gateway=\
    172.16.0.2 pref-src=172.16.100.1
add distance=1 dst-address=172.16.104.0/24 gateway=172.16.0.2
 
iccupop
just joined
Topic Author
Posts: 7
Joined: Sun Apr 30, 2023 3:04 am

Re: unable to access second router from first router

Sun Jul 16, 2023 8:05 pm

...and R2:
/interface bridge
add admin-mac=----------------- auto-mac=no comment=defconf name=bridge-local
add name=bridge-wlan1-tv
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX default-authentication=no disabled=no distance=indoors frequency=auto hide-ssid=yes \
    mode=ap-bridge secondary-frequency=auto ssid=----------------- wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=2ghz-b/g/n channel-width=20/40mhz-XX country="united states3" default-authentication=no distance=indoors frequency=auto hide-ssid=\
    yes mode=ap-bridge ssid=------------------ wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless
add default-authentication=no default-forwarding=no disabled=no hide-ssid=yes mac-address=----------------- master-interface=wlan1 name=wlan-tv1 security-profile=wlan-tv ssid=---------- \
    wps-mode=disabled
/ip pool
add name=dhcp-local ranges=172.16.100.2-172.16.100.254
add name=dhcp-wlan1-tv ranges=172.16.104.2-172.16.104.254
/ip dhcp-server
add address-pool=dhcp-wlan1-tv interface=bridge-wlan1-tv lease-time=24m name=dhcp-wlan1-tv
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge-local comment=defconf interface=ether2
add bridge=bridge-local comment=defconf interface=ether3
add bridge=bridge-local comment=defconf interface=ether4
add bridge=bridge-local comment=defconf interface=ether5
add bridge=bridge-wlan1-tv comment=defconf interface=ether6
add bridge=bridge-wlan1-tv comment=defconf interface=ether7
add bridge=bridge-wlan1-tv comment=defconf interface=ether8
add bridge=bridge-wlan1-tv comment=defconf interface=ether9
add bridge=bridge-wlan1-tv comment=defconf interface=ether10
add bridge=bridge-local comment=defconf interface=sfp-sfpplus1
add bridge=bridge-local comment=defconf interface=wlan1
add bridge=bridge-local comment=defconf interface=wlan2
add bridge=bridge-local comment=defconf interface=ether1
add bridge=bridge-wlan1-tv interface=wlan-tv1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=LAN
add interface=*13 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
/ip address
add address=172.16.0.2/24 comment=defconf interface=bridge-local network=172.16.0.0
add address=172.16.104.1/24 interface=bridge-wlan1-tv network=172.16.104.0
/ip dhcp-server network
add address=172.16.104.0/24 dns-server=-------,------- gateway=172.16.104.1 next-server=0.0.0.0
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.16.0.2 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.0.0/24 list="trusted home LAN"
add address=172.16.104.0/24 comment="untrused wifi" list="untrusted wlan1-tv"
add address=192.168.1.254 comment="telco router" list="restricted endpoints"
add address=172.16.0.0/24 comment="telco connected router" list="restricted endpoints"
add address=172.16.0.2 comment="this router" disabled=yes list="restricted endpoints"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked log-prefix="[acc]"
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="only accept input from local bridge" disabled=yes in-interface=bridge-local
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=accept chain=input comment="allow trusted lan connections to this router config" dst-address-type=local log-prefix="[cfg]" src-address-list="trusted home LAN"
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="untrusted wireless to plex server" dst-address=172.16.0.14 dst-port=32400 log-prefix=plex protocol=tcp src-address-list="untrusted wlan1-tv"
add action=accept chain=forward comment="forward trusted lan" out-interface=bridge-local src-address-list="trusted wlan1"
add action=accept chain=forward comment="forward anything from untrusted wifi except to the telco router" dst-address-list="!restricted endpoints" out-interface=bridge-local \
    src-address-list="untrusted wlan1-tv"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface=bridge-wlan1-tv
/ip route
add disabled=no dst-address="" gateway=172.16.0.1 routing-table=main suppress-hw-offload=no
add gateway=172.16.0.1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
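One thing worth checking in both exports above is that every address list a firewall rule names is actually defined: on R2 the "forward trusted lan" rule uses src-address-list="trusted wlan1", but the lists defined under /ip firewall address-list are "trusted home LAN", "untrusted wlan1-tv" and "restricted endpoints", so that rule can never match and the traffic falls through to the final drop. The script below is an added example, not from the thread or from MikroTik; it parses a RouterOS /export (including the backslash line continuations) and reports such dangling references, using a constructed excerpt modelled on the R2 config as input.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the R2 export in this thread (not the full config).
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=172.16.0.0/24 list="trusted home LAN"
add address=172.16.104.0/24 comment="untrusted wifi" list="untrusted wlan1-tv"
add address=192.168.1.254 comment="telco router" list="restricted endpoints"
/ip firewall filter
add action=accept chain=input src-address-list="trusted home LAN"
add action=accept chain=forward out-interface=bridge-local \\
    src-address-list="trusted wlan1"
add action=accept chain=forward dst-address-list="!restricted endpoints" \\
    src-address-list="untrusted wlan1-tv"
add action=drop chain=forward comment="drop everything else"
"""

KV_RE = re.compile(r'([\w-]+)=("([^"]*)"|(\S+))')  # key=value or key="quoted value"

def parse_export(text):
    """Map each menu path ('/ip firewall filter', ...) to its add/set entries as dicts."""
    sections = defaultdict(list)
    path, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # /export continues a long command with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            path = line
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            sections[path].append({k: q if full.startswith('"') else u
                                   for k, full, q, u in KV_RE.findall(line)})
    return sections

def check_address_lists(sections):
    """Return (menu, rule index, parameter, name) for each firewall rule whose src/dst-address-list
    has no entry in /ip firewall address-list; such a rule matches nothing at all."""
    defined = {e["list"] for e in sections.get("/ip firewall address-list", []) if "list" in e}
    findings = []
    for menu in ("/ip firewall filter", "/ip firewall nat", "/ip firewall mangle", "/ip firewall raw"):
        for idx, rule in enumerate(sections.get(menu, [])):
            for param in ("src-address-list", "dst-address-list"):
                name = rule.get(param)
                if name is not None and name.lstrip("!") not in defined:  # "!name" negates a list
                    findings.append((menu, idx, param, name))
    return findings
```

Run it against a real `/export` file by reading that file into `parse_export` instead of the constructed sample; the rule index it prints is the zero-based position within that menu.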
 
LdB
Member Candidate
Posts: 141
Joined: Thu May 20, 2021 4:23 pm

Re: unable to access second router from first router

Thu Jul 20, 2023 4:57 pm

Last time I got that I had saved the config of one router and loaded it into the second as a shortcut in setting it up.

What I forgot is when you do that it transfers the MAC address and you now have two routers with same MAC address and they don't route very well between each other :-)

To solve it I had to go to each ethernet interface and reset the MAC address then it started working !!!
