
 
Silvermoon
just joined
Topic Author
Posts: 12
Joined: Fri Nov 01, 2013 9:45 am

Multiple Lan on single wan

Thu Dec 26, 2013 12:44 pm

Hi All,
I am having a bitch of a time getting things to work how I think they should...
I have a 951h2nd, and have set up ppp-oe, wireless and all ports working, now I need eth-5
to be a separate lan, so far so good, everything seems to be set up, dhcp is working etc.
The only machine on the second network is a backup of my work SBS2003 server, it can ping
8.8.8.8 no problem but it cannot browse the web. I have disabled IE enhanced Security, disabled the firewall
but still nothing.. the only rules in my RouterOS firewall are
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface=WAN protocol=udp
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Multiple Lan on single wan

Thu Dec 26, 2013 1:08 pm

You should post "/ip firewall nat" also. If you are not masquerading your localnet ips, it will not be able to access the internet.

I presume you have a valid default route in "/ip route" if other interfaces work ok.
 
Silvermoon
just joined
Topic Author
Posts: 12
Joined: Fri Nov 01, 2013 9:45 am

Re: Multiple Lan on single wan

Thu Dec 26, 2013 1:15 pm

Cheers SurferTim,
Below is my complete config. I also have issues where machines on my home lan (192.168.0.0) can connect to the net fine but machines on work lan (10.0.0.0) can't. (they can ping all over the place though :-) )
# jan/03/1970 03:10:49 by RouterOS 6.2
# software id = 34SD-GKT9
#
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n disabled=no distance=indoors ht-rxchains=0,1 \
    ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=ISD wds-default-bridge=\
    bridge-local wds-mode=dynamic wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 name=ether5-silvermoon
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway name=WAN \
    password=********** use-peer-dns=yes user=**********
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=********** wpa2-pre-shared-key=**********
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.100
add name=Silvermoon ranges=10.0.0.200-10.0.0.210
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
add address-pool=Silvermoon disabled=no interface=ether5-silvermoon name=\
    Silvermoon
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/interface wireless access-list: not used for 10.0.0.0
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=wlan1 \
    network=192.168.1.0
add address=10.0.0.1/24 interface=ether5-silvermoon network=10.0.0.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-gateway
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
add address=10.0.0.1 name=Silvermoon
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface=WAN protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface="(unknown)"
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=80 \
    protocol=tcp to-addresses=192.168.1.2 to-ports=80
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=yes distance=1 gateway=192.168.1.254
/ip service
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system leds
set 0 interface=wlan1
add leds=user-led modem-signal-treshold=-51 type=modem-signal
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-silvermoon
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-silvermoon
add interface=wlan1
add interface=bridge-local
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Multiple Lan on single wan

Thu Dec 26, 2013 1:23 pm

You need a valid out-interface here, like ether1-gateway.
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface="(unknown)"
 
Silvermoon
just joined
Topic Author
Posts: 12
Joined: Fri Nov 01, 2013 9:45 am

Re: Multiple Lan on single wan

Thu Dec 26, 2013 1:36 pm

Cheers Tim,
Where do I add that? I have a terminal open and I keep getting suggested commands... right pain in the ass!
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Multiple Lan on single wan

Thu Dec 26, 2013 1:38 pm

If in doubt, add this rule and remove the rule with unknown in it.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-gateway
 
Silvermoon
just joined
Topic Author
Posts: 12
Joined: Fri Nov 01, 2013 9:45 am

Re: Multiple Lan on single wan

Thu Dec 26, 2013 2:01 pm

Thanks Tim, that went well... NOT.
Completely killed net connection :-)
Luckily I have been coding since 1980 so I know how important a backup is :-)

N.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Multiple Lan on single wan

Thu Dec 26, 2013 2:10 pm

Is your pppoe interface called WAN? Try that as the out-interface on your nat.
 
Silvermoon
just joined
Topic Author
Posts: 12
Joined: Fri Nov 01, 2013 9:45 am

Re: Multiple Lan on single wan

Thu Dec 26, 2013 2:15 pm

Just tried it... I get
"input does not match any value of interface"
 
Silvermoon
just joined
Topic Author
Posts: 12
Joined: Fri Nov 01, 2013 9:45 am

Re: Multiple Lan on single wan

Thu Dec 26, 2013 2:17 pm

Ignore that.. had the case wrong :-)
 
Silvermoon
just joined
Topic Author
Posts: 12
Joined: Fri Nov 01, 2013 9:45 am

Re: Multiple Lan on single wan

Thu Dec 26, 2013 2:20 pm

You beauty!!!
Many thanks Tim, my old SBS is now updating :-)
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Multiple Lan on single wan

Thu Dec 26, 2013 2:24 pm

Good deal! My bad about the interface name. I did not see the pppoe part of your setup at first.
 
Silvermoon
just joined
Topic Author
Posts: 12
Joined: Fri Nov 01, 2013 9:45 am

Re: Multiple Lan on single wan

Thu Dec 26, 2013 2:32 pm

Doh, it didn't work :-(
IE just got further with Windows updating.....
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Multiple Lan on single wan

Thu Dec 26, 2013 2:38 pm

If all your local interfaces lost internet connection when you removed that one nat rule, then try a "shotgun" nat. It masquerades all interfaces, even between local interfaces. Add this and remove any other srcnat rules.
/ip firewall nat
add chain=srcnat action=masquerade
BTW, what ip/subnet are you getting on your pppoe connection?
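
An added example, not part of any post in this thread: a small Python check over a RouterOS export that flags the srcnat masquerade problems discussed above, namely an out-interface that names no defined interface (such as "(unknown)" or a wrong-case "wan") and a rule with no out-interface at all. The sample export is constructed from the config posted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed RouterOS export modelled on the config in the thread.
SAMPLE_EXPORT = r'''/interface ethernet
set 0 name=ether1-gateway
set 4 name=ether5-silvermoon
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway name=WAN \
    password=x user=x
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface="(unknown)"
add action=masquerade chain=srcnat out-interface=wan
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=WAN
'''

def parse_export(text):
    """Yield (menu, params) per add/set line, joining backslash continuations."""
    text = re.sub(r'\\\n\s*', '', text)
    menu = ''
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            menu = line
        elif line.startswith(('add ', 'set ')):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            yield menu, {k: v.strip('"') for k, v in pairs}

def audit_masquerade(text):
    """Return (rule_index, problem) for each risky srcnat masquerade rule."""
    entries = list(parse_export(text))
    # Interface names are matched exactly: the thread shows they are case-sensitive.
    names = {p['name'] for m, p in entries
             if m.startswith('/interface') and 'name' in p}
    nat = [p for m, p in entries if m == '/ip firewall nat']
    findings = []
    for idx, p in enumerate(nat):
        if p.get('chain') != 'srcnat' or p.get('action') != 'masquerade':
            continue
        out = p.get('out-interface')
        if out is None:
            findings.append((idx, 'no out-interface: also masquerades LAN-to-LAN traffic'))
        elif out not in names:
            near = sorted(n for n in names if n.lower() == out.lower())
            hint = f' (case mismatch with {near[0]})' if near else ''
            findings.append((idx, f'out-interface {out} is not a defined interface{hint}'))
    return findings
```

Calling `audit_masquerade(SAMPLE_EXPORT)` reports the first three NAT rules and passes the last one, which names the PPPoE interface `WAN` exactly.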
