I would appreciate a hand with a problem that is driving me crazy and that I have not been able to solve.
Currently my DHCP range for the LAN
is 192.168.0.0/22
Where my gateway is 192.168.0.222
I have devices that have a static IP on the network cards (ip range: 192.168.0.1 – 192.168.0.255)
and Wifi devices on DHCP (IP range: 192.168.3.1 – 192.168.3.255)
I have a printer with fixed IP 192.168.0.116 Subnet mask 255.255.252.0 and the gateway: 192.168.0.222.
I also have notebooks on Wifi that get addresses from the DHCP range mentioned above (192.168.3.xxx). From these computers I can PING the printer's IP and it answers OK, but I can't "share" the printer or print, and the printer's web interface doesn't open either.
Now, if one of these notebooks is changed to a Static IP within the 192.168.0.xxx range, everything works fine.
Everything is a single NETWORK managed from the MikroTik: the router address is configured as a /22 and the DHCP network is created as a /22, although the pool only hands out the 192.168.3.x /24.
Config Mikrotik
# may/04/2023 12:50:38 by RouterOS 6.49
# software id = U9Z6-AYZG
#
# model = 2011UiAS-2HnD
# LAN bridge. arp=proxy-arp makes the router answer ARP requests on bridge1 on
# behalf of other hosts.
# NOTE(review): proxy-arp is usually only needed when remote (VPN) clients are
# numbered inside the LAN subnet; pool-VPN in this export is 172.10.1.x, outside
# the /22. Confirm it is still required, because it changes who answers ARP on
# the LAN and can pull LAN traffic through the router.
/interface bridge
add arp=proxy-arp comment="DHCP LAN Eth 2 al Eth 10" name=bridge1
# Physical ports. Going by the comments: ether1 and ether2 are the two ISP
# uplinks (ether2 is the secondary/failover link), ether3 and ether5 feed
# switches, ether6 feeds an NVR, and the ports marked LIBRE are unused.
/interface ethernet
set [ find default-name=ether1 ] comment="UPLINK CLARO" speed=100Mbps
set [ find default-name=ether2 ] comment=\
"UPLINK TELECENTRO - FAILOVER SECUNDARIO" speed=100Mbps
set [ find default-name=ether3 ] comment="UPLINK SWITCH OF 801" speed=100Mbps
set [ find default-name=ether4 ] comment=LIBRE speed=100Mbps
set [ find default-name=ether5 ] comment="UPLINK SWITCH OF 803" speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
"NVR 1"
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=LIBRE
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=LIBRE
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=LIBRE
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=LIBRE
# The SFP cage is the only port explicitly disabled.
set [ find default-name=sfp1 ] disabled=yes
# Switch-chip ports 6-10 and 12 are set to vlan-mode=fallback.
# NOTE(review): no switch VLAN table appears in this export, so this looks like
# a leftover rather than an active VLAN design -- confirm.
/interface ethernet switch port
set 6 vlan-mode=fallback
set 7 vlan-mode=fallback
set 8 vlan-mode=fallback
set 9 vlan-mode=fallback
set 10 vlan-mode=fallback
set 12 vlan-mode=fallback
# Address pools: one for VPN clients, one for LAN DHCP clients.
# NOTE(review): 172.10.1.0/24 is not private address space (the RFC 1918 block
# is 172.16.0.0/12), so VPN clients are numbered out of publicly routable
# addresses that belong to someone else. Moving the pool into a private range
# avoids shadowing real Internet hosts.
/ip pool
add name=pool-VPN ranges=172.10.1.2-172.10.1.100
# Only the 192.168.3.x part of the /22 is handed out dynamically; the rest of
# the /22 is left for statically addressed devices.
add name="DHCP NUEVO" ranges=192.168.3.1-192.168.3.254
# DHCP server for the LAN bridge, 12 hour leases, drawing from "DHCP NUEVO".
/ip dhcp-server
add address-pool="DHCP NUEVO" disabled=no interface=bridge1 lease-time=12h \
name="DHCP - GENERAL"
# LoRaWAN network-server entries (The Things Network / The Things Stack
# endpoints), all using UDP port 1700 in both directions.
# NOTE(review): these look like the entries the lora package ships with rather
# than site configuration -- confirm; if no LoRa gateway is in use the package
# can be removed to shrink the exposed feature set.
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name=\
"TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name=\
"TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name=\
"TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" \
up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" \
up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" \
up-port=1700
# PPP profiles used by the VPN servers. Both give clients an address from
# pool-VPN, use the router's LAN address (192.168.0.222) as the local end of the
# tunnel and push Google DNS.
# NOTE(review): use-encryption=yes presumably asks for encryption without
# rejecting peers that do not negotiate it (the stricter value is "required")
# -- confirm against the RouterOS documentation for this version.
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.0.222 \
name=VPN-L2TP-MAC remote-address=pool-VPN use-compression=yes \
use-encryption=yes
# "VPN EXTERNOS" is the default profile of the PPTP server in this export;
# only-one=yes limits each user to a single concurrent session.
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.0.222 \
name="VPN EXTERNOS" only-one=yes remote-address=pool-VPN use-compression=\
no use-encryption=yes
# Per-host bandwidth limits for four LAN addresses. All four are disabled, so
# no shaping is currently applied by them.
/queue simple
add disabled=yes max-limit=10M/20M name=queue3 target=192.168.0.113/32
add disabled=yes max-limit=10M/10M name=queue2 target=192.168.0.104/32
add disabled=yes max-limit=10M/22M name=queue1 target=192.168.0.115/32
add disabled=yes max-limit=10M/22M name=queue4 target=192.168.0.82/32
# Queue type number 5 classifies PCQ flows by destination address.
/queue type
set 5 pcq-classifier=dst-address
# NOTE(review): wlan1 is referenced here, but no wireless configuration appears
# in this export -- confirm where the Wifi clients actually attach.
/queue interface
set wlan1 queue=only-hardware-queue
# SNMP: the default community is restricted to one source address and is given
# write access.
# NOTE(review): no name= or security= setting is shown, which suggests the
# community still has its default name and is used over SNMP v1/v2c, where the
# community string travels in cleartext and the UDP source address is the only
# other check -- confirm. Write access on top of that is hard to justify: prefer
# read-only, or SNMPv3 with authentication and privacy, and allow UDP/161 on the
# uplinks only from that manager address in the firewall.
/snmp community
set [ find default=yes ] addresses=186.22.24.145/32 write-access=yes
# User Manager: permissions of the built-in "admin" customer.
# NOTE(review): the export does not show whether this account's password was
# changed from the default -- verify.
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
# Policy list of the "full" user group (every management channel and right).
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# ether3 through ether10 are all members of bridge1 with hardware offload
# turned off (hw=no), so bridged frames are switched by the CPU.
# NOTE(review): ether4 and ether7-ether10 are labelled LIBRE (unused) under
# /interface ethernet, yet they are live members of the LAN bridge; anything
# plugged into them joins the LAN. Disabling unused ports, or removing them from
# the bridge, closes that gap.
/interface bridge port
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=ether8
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether9
add bridge=bridge1 hw=no interface=ether10
# PPTP server is enabled and the only authentication method it accepts is PAP.
# NOTE(review): PAP carries the username and password without protection, and
# MPPE session keys are derived from an MS-CHAP exchange, so a PAP-only PPTP
# session presumably runs without encryption even though the profile says
# use-encryption=yes -- confirm. The firewall filter in this export accepts
# TCP/1723 on both uplinks. Prefer L2TP/IPsec or another current VPN and
# disable PPTP once clients are migrated.
/interface pptp-server server
set authentication=pap default-profile="VPN EXTERNOS" enabled=yes
# Router LAN address: 192.168.0.222 with a /22 mask on the bridge, i.e. the
# 192.168.0.0 - 192.168.3.255 range is one subnet.
/ip address
add address=192.168.0.222/22 interface=bridge1 network=192.168.0.0
# The secondary uplink (ether2) gets its address by DHCP; its default route is
# installed with distance 2 and the ISP's DNS servers are ignored.
/ip dhcp-client
add comment="DHCP para Telecentro - Distance 2 - Enlace de Backup" \
default-route-distance=2 disabled=no interface=ether2 use-peer-dns=no
# DHCP option sets per network.
# NOTE(review): the 172.10.1.0/24 entry has no matching DHCP server in this
# export and the range is public address space -- confirm whether it is used.
/ip dhcp-server network
add address=172.10.1.0/24 gateway=172.10.1.1
# No netmask= is given, so clients presumably receive the /22 mask
# (255.255.252.0) derived from the address -- check what a Wifi notebook
# actually reports, since it must match the mask set on the printer.
add address=192.168.0.0/22 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.222
# Upstream resolvers used by the router itself.
/ip dns
set servers=8.8.8.8,8.8.4.4
# Packet filter. Rules are evaluated top to bottom within each chain.
# NOTE(review): no enabled rule in this section drops everything else on
# chain=input or chain=forward, so any packet not caught by one of the specific
# drops below is accepted. Router services that /ip service does not disable or
# restrict are therefore reachable from both uplinks. A conventional layout is:
# accept established/related, accept the few services really needed from the
# WAN, accept management from the LAN, then drop the rest of input and drop new
# forward connections arriving from the WAN interfaces.
/ip firewall filter
# Printer rules: accept traffic between the /22 and the printer in both
# directions.
# NOTE(review): with no forward drop in place these accepts change nothing.
# Hosts in the same bridged /22 also normally talk at layer 2 without passing
# the IP forward chain (unless the bridge is set to use the IP firewall, which
# this export does not show), so the printer problem is unlikely to be solved
# here.
add action=accept chain=forward dst-address=192.168.0.116 in-interface=\
bridge1 src-address=192.168.0.0/22
add action=accept chain=forward dst-address=192.168.0.0/22 in-interface=\
bridge1 src-address=192.168.0.116
# IPsec NAT-T (4500), IKE (500) and L2TP (1701) accepted from any interface.
# NOTE(review): no /interface l2tp-server section appears in this export, so
# these may be leftovers. If L2TP is used, accepting UDP/1701 directly from the
# Internet allows L2TP without IPsec; it is usually limited to traffic that
# arrived through IPsec.
add action=accept chain=input comment="L2TP - VPN" dst-port=4500 protocol=udp
add action=accept chain=input comment="L2TP - VPN" dst-port=500 protocol=udp
add action=accept chain=input comment="L2TP - VPN" dst-port=1701 protocol=udp
# PPTP control channel accepted on both uplinks, GRE accepted from anywhere.
add action=accept chain=input comment=PPTP dst-port=1723 in-interface=ether1 \
protocol=tcp
add action=accept chain=input comment=PPTP dst-port=1723 in-interface=ether2 \
protocol=tcp
add action=accept chain=input comment=PPTP protocol=gre
# IPsec ESP and AH accepted from anywhere.
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
# FTP brute-force throttle: sources already on ftp_blacklist are dropped; the
# router's "530 Login incorrect" replies are allowed up to the dst-limit rate
# per destination, and a destination that exceeds it is listed for 3 hours.
add action=drop chain=input comment="Bloquear Ataques FTP" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
# SSH brute-force throttle: each new connection to port 22 promotes the source
# one stage (stage1 -> stage2 -> stage3 -> ssh_blacklist); blacklisted sources
# are dropped for 1 week 3 days.
# NOTE(review): /ip service in this export has ssh disabled, so these rules
# guard a service that is not listening. They also have no in-interface, so LAN
# hosts are counted and can be blacklisted as well.
add action=drop chain=input comment="Proteccion VSC contra ataques via SSH" \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
# SSH from the LAN bridge is accepted explicitly.
add action=accept chain=input dst-port=22 in-interface=bridge1 protocol=tcp
# The next four rules are disabled and have no effect.
add action=drop chain=input disabled=yes protocol=icmp
add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
add action=drop chain=input disabled=yes src-address=201.102.85.5
add action=drop chain=forward disabled=yes src-address=201.102.85.5
# Block DNS queries to the router arriving on the uplinks.
# NOTE(review): only UDP/53 is covered; DNS also runs over TCP/53, which these
# rules leave open on ether1 and ether2.
add action=drop chain=input comment="BLOQUEO DNS CACHE EXTERNO" dst-port=53 \
in-interface=ether1 protocol=udp
add action=drop chain=input comment="BLOQUEO DNS CACHE EXTERNO" dst-port=53 \
in-interface=ether2 protocol=udp
# Disabled.
add action=drop chain=output disabled=yes dst-address=1.1.1.1
# Port-scan detection: the psd matcher and a set of abnormal TCP flag
# combinations put the source on the "port scanners" list for 2 weeks, and the
# last rule drops everything from listed sources.
# NOTE(review): none of these rules has an in-interface, so a LAN host
# (including an admin workstation running a scanner or a chatty discovery tool)
# can list itself and lose access to the router for two weeks. Entries are
# added from single packets whose source address is not verified, so treat the
# list as a hint rather than evidence.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" \
src-address-list="port scanners"
# Source NAT. The first two rules masquerade traffic leaving through either
# uplink.
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT to Internet" out-interface=\
ether1
add action=masquerade chain=srcnat comment="NAT to Internet" out-interface=\
ether2
# Labelled as hairpin NAT, but the match is much wider: any packet sourced from
# the /22 and routed by the router to a destination other than 192.168.0.222 is
# masqueraded, whatever the outgoing interface.
# NOTE(review): LAN-to-LAN traffic that ends up routed through the router
# (possible with arp=proxy-arp on bridge1) would reach the destination with the
# router's address as source, hiding the real client from device logs and
# access lists -- confirm. A hairpin rule is normally limited with
# dst-address=<the internal server> and out-interface=bridge1.
add action=masquerade chain=srcnat comment=\
"Hairpin NAT (Ip publica dentro de la RED LAN)" dst-address=\
!192.168.0.222 src-address=192.168.0.0/22
# Static default route with gateway 1.1.1.1, monitored by ping.
# NOTE(review): no address or DHCP client for ether1 and no route towards
# 1.1.1.1 appear in this export -- confirm how the primary uplink resolves this
# next hop.
/ip route
add check-gateway=ping distance=1 gateway=1.1.1.1
# Management services: telnet and ssh are turned off, and the web interface
# (www, plain HTTP) only answers clients in 192.168.0.0/24.
# NOTE(review): ftp, winbox, api and api-ssl are not listed, so they are
# presumably still enabled with no address restriction -- confirm. Since the
# input chain in this export has no final drop, any of them that is enabled is
# reachable from both uplinks. Disable what is not used and set address= on the
# rest. Note also that the /24 on www excludes the 192.168.3.x Wifi clients.
/ip service
set telnet disabled=yes
set www address=192.168.0.0/24
set ssh disabled=yes
# UPnP interface roles: LAN bridge as internal, ether1 as external.
# NOTE(review): the export does not show whether UPnP itself is enabled. If it
# is, any LAN device can request inbound port mappings on ether1 without
# authentication -- confirm it is needed.
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
# Interfaces shown on the front-panel LCD page.
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
,ether9,ether10"
# Additional PPP profile, plus changes to a built-in profile addressed by its
# internal id (*FFFFFFFE).
# NOTE(review): remote-address=*2 is an internal id rather than a pool name,
# which typically means the pool it pointed to was deleted; sessions using these
# profiles may fail to get an address -- confirm and point them at an existing
# pool.
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.0.222 \
name="Profile VPN SG" only-one=yes remote-address=*2 use-compression=no \
use-encryption=yes
set *FFFFFFFE dns-server=8.8.8.8,8.8.4.4 local-address=192.168.0.222 \
only-one=yes remote-address=*2
# SNMP agent is switched on; the community it serves is defined under
# /snmp community (write access, one allowed source address).
/snmp
set enabled=yes
# Time zone fixed manually (America/Argentina/Salta, UTC-03:00).
/system clock
set time-zone-autodetect=no time-zone-name=America/Argentina/Salta
/system clock manual
set time-zone=-03:00
# Router identity string; it reveals the hardware model to anyone who can
# query it.
/system identity
set name="MikroTik RB2011UiAS"
# Front-panel LCD is disabled, and every LCD page below is disabled too.
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge1 disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether6 disabled=yes display-time=5s
set ether7 disabled=yes display-time=5s
set ether8 disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set ether10 disabled=yes display-time=5s
# NOTE(review): this looks like a dynamic PPTP session interface captured at
# export time; its name appears to contain a VPN user name, which is worth
# removing before posting a config publicly.
set <pptp-ivelez> disabled=yes display-time=5s
# Logging rules: debug/pptp/radius, error and route topics go to the default
# action; info is also written to disk.
# NOTE(review): nothing here sends logs to a remote syslog target, so the
# address-list and VPN events stay on the router only -- consider a remote
# action if these logs are meant to be used for investigation.
/system logging
add topics=debug,pptp,radius
add action=disk topics=info
add topics=error
add topics=route
# NTP client with two fixed server addresses.
/system ntp client
set enabled=yes primary-ntp=66.60.22.202 secondary-ntp=200.160.7.186
Thank you all in advance and have a great day!