I have two IP schemes a) 10.0.1.0/24 and b) 10.0.2.0/24 on a single network with Mikrotik router and also have two WAN connections.
network a & network b communicate with each other very fine.
When I want to add routing mark from IP/firewall/mangel to both of the networks for their selected wan routing for WAN1 and WAN2.
Network a & network b stops communication with each other.
if you are going to add routing mark in prerouting. then before it just accept the destination address before marking the routing marks as under.
chain=prerouting action=accept dst-address=10.0.1.0/24
chain=prerouting action=accept dst-address=10.0.2.0/24
then add the marking routes
chain=prerouting action=mark-routing new-routing-mark=ISP1 passthrough=no src-address=10.0.2.0/24 dst-address-type=""
chain=prerouting action=mark-routing new-routing-mark=ISP1 passthrough=no src-address=10.0.1.0/24 dst-address-type=""
Related
so the setup I've got:
Main Router which receives the internet connection and is my primary WIFI network: 192.168.1.0/24
Secondary Router which I've connected via the following method to create a separate LAN: 10.3.3.0/24. Main Router's LAN port --> Secondary Router's WAN port.
I've got this setup fine and can get internet from the Secondary Router's LAN, no problem.
My question is: Is it normal behavior to be able to ping a device connected to the main router from the secondary router?
I would like to isolate devices on each LAN so that devices connected to the separate LAN's can't communicate and wondering if I'm able to achieve this using 2 consumer grade routers?
Cheers!
This is normal behavior because the secondary router knows that IPs in the 192.168.1.0/24 subnet should be forwarded to its WAN port, so it can access hosts connected to that network.
Sadly, you usually can't create 2 segregated subnets with 2 consumer-grade routers, as these only have 2 network interfaces (one for WAN and one for the built-in switch).
I also do not recommend doing this, as double NAT can have unexpected side effects. If you really want to separate devices on your local network, looking into VLANs is a better way. You can use your existing router but will need a compatible switch.
If your routers support vlan management you should use separate vlans for both subnets. Otherwise you cant devide your networks.
my network consist of two Fritz! routers, the main one (192.168.188.1) and another that creates a subnet below the previous (192.168.178.1). I'm about to add the IP camera (Unifi G3 Bullet) with the 192.168.178.AAA address but I want it to be accessible by the server with 192.168.188.BBB ip address. Is it something I can achieve by static ipv4 routing in the router settings or something that is rather not possible? How would I go about creating those routes or is there other solution to this problem? network diagram for clarity
I managed to solved this problem by opening TCP port 554 for 192.168.178.AAA:554 in the "178" router and than I addressed this cammera in the main router network by 192.168.188.(sub-router IP in main network):554 and it works flawlessly.
After 20 pages of SO results about Mikrotik and some more google results, I'm come here, down on my knees to request some enlightment.
I have a network with static IP and some public IP (248 mask).
So far I've configured the network to use one of those public IP and use it for 2 subnets (192.168.85.X and 192.168.5.X) wich are isolated from each other and both can access internet.
What I'm trying to achieve is to add a second WAN ip to the router, and route traffic to a specific server to use that IP.
What i mean is:
Any PC from 192.168.85.X should use WAN IP1 and use internet with it.
Any PC from 192.168.85.X trying to access www.facebook.com should use WAN IP2 to browse and navigate to that website (while all the rest of the traffic goes through WAN IP1).
The device that gives me the WAN link only has 1 "out" port, so there is no way to put 2 cables from the "modem" to the Mikrotik, right now there is 1 cable going from the modem to the Mikrotik device. I've seen some forum post where the first part can be solved by just connecting 2 cables and then assign different IP for each interface.
As you may notice, I'm really raw in networking and routing, so any GUI/Winbox instruction is appreciated, but CLI commands would be just fine.
This info is for reference for anyone who may want to do this in the future:
1.- If you assing the IP to the WAN interface using the same notation X.X.X.X/29, the router will know that you want to use all the IP but set the default route to use the given IP as the prefered. This can be looked up in IP > Routes.
2.- If you want to use different IP for different traffic, you have to a) Mark that traffic and b) Force that traffic to go out by an specific IP. You do this in IP > Firewall > Mangle to mark the traffic and IP > Routes to add the new route for that traffic. There are contradictory info about if you need or not to add NAT (IP > Firewall > NAT) rules for the traffic and i'm really lost about it (it doesn't work with or without, but sometimes does work).
This is all i can contribute to this, i'll keep trying to find and answer in serverfault as #SergGr suggested.
Just in advance im sorry for my limited expertise with networking, i know the basics tho...
So the issue i have which i am hoping someone can shed some light on..
I want to have 2 routers, each with either own vlan, and i want one router to be able to talk the other but not vise versa,
So my Main router (192.168.1.1) is connected to the modem,
I want to get a second router and connect it to my main router,
The second router i want to have its own vlan (192.168.2.1)
Now that part is pretty easy, here is where i am in over my head
I want the computers on my Main router, to be able to access the ones on the second router... like ping, RDP, ETC
BUT - i dont want the computers on the second router to have access to the ones on the main router.....
Is this possible?
Thank you,
If you are using home routers the key is in the WAN interface.
All the hosts connected in the LAN ports can access the hosts in the WAN port, but not viceversa. Your border router act this way: if you want a hosts communicate directly from WAN to LAN you have to forward a port. For example, if you have DVR with cameras and you want to monitor them from Internet, you will have to forward the ports the DVR uses.
So, you could connect in the 192.168.2.1 subnet (just to clarify, this is not a VLAN, this is a subnet, or you can also call it just a net, VLANs are another thing) the PCs that you don´t want to be accessed from the other hosts.
VLANs are kind of partition of a LAN where the broadcast can propagate inside it but cannot go out. They are used for security, performance and easy of administration. They belong to the 2nd. layer of the OSI model.
The final topology in your case is as follows:
Let´s separate your computers in two groups: group A are the ones you don´t anyone has access and group B are the ones you want to be accessed from another PCs.
First you have your modem connected to the router that will act as border router. It´s LAN IP will be 192.168.1.1/24 (/24 is a notation for the subnet mask 255.255.255.0).
To that router you will connect to it´s LAN ports the group B PCs with IPs ranging from 192.168.1.2 to 192.168.1.254 (.0 is reserved, .1 is you border router and .255 is also reserved).
Also to that router you will connect the second router to its WAN port. In the second router you will set an static IP in its WAN port that belongs to the subnet of the border router. For example 192.168.1.2.
The second router LAN IP will be 192.168.2.1/24. Finally, you will connect the group A PCs to the second router LAN ports. With IPs from 192.168.2.2 to 192.168.2.254. This will be the more "protected" LAN.
I hope this could help!
We have two subnets
Router 1
192.168.2.1
255.255.254.0
Router 2
192.168.1.1
255.255.255.0
Modem >> switch
>> router1 wan port >> from lan port to switch >> Different computers
>> router2 wan port >> from lan port to switch >> Different computers
Please note two different static public ips(of same subnet) for both routers.
I would like to know how I can access a host from Router 1 to a host in Router 2 or vice-versa.
use a single router:
Modem >> router >> switch >> lan1 >> computers in lan1
>> lan2 >> computers in lan2
You don't even need two LANs formally, since the PCs don't need a special routing rule to reach all local systems in this case.
You use two address sets: 192.168.1.xxx and 192.168.2.xxx and a network mask of /23 or even /16, no difference there. This way all PCs know they can simply send out packages to everything inside 192.168... Whereas for packages outside they need a rule routing those packages through the router. The routing of packages between the two areas on the LAN side is done automatically by the switch. That is what a switch is build for.
This is an explanation of how you would do it assuming that you must keep these as two separate subnets!
That is, you'll have to set up access for each IP address in the other router's firewall, and then specify to which internal system it will connect.
Note: It's only safe to do this because you have two static IP addresses! There really isn't an easy, safe way to do this with dynamic IPs.
In that case, Router 1 will have to grant access to Router 2's public IP address and vice versa. How you do this completely dependent on the make and model of the router.
The routers will know how to route to each other, because they'll be using the public IPs.
So, the data path will be: System1 (subnet1)->Router1->Internet->Router2->System2
Since different routers have you specify addresses in different ways, make sure you know how yours expects you to input the address or range of addresses.
However, that's not enough. Because you have multiple systems on each subnet, all sharing the same public IP address, you also have to specify which inbound traffic goes to what subnet host.
That is, you start on System1 in the above data path. The data goes out Router1 and back into Router2. How does Router2 know where to send it? It only has ONE external IP address.
Again, there are different ways of doing this for different routers. On some, you can specify that data on certain ports gets sent to certain systems. (Port Forwarding)
Using Telnet as an example (you shouldn't! Telnet isn't secure. It's just easy to use as an example)...
You want to get from System1 (on subnet1) to System3 (subnet2).
On Router1 you specify that incoming data on Port 23 (Telnet port) should go to System1. On Router2 you send all Port 23 data to System3.
Port Forwarding, however, is somewhat limited insofar as, in the setup above, only System1 and System3 can receive Telnet data.
The other common way to do this is to have all data from a particular IP sent to one particular system on your subnet. That won't work for you, because you have multiple systems on each subnet!
I hope this isn't too non-specific! (Or too rambling! :-) ) I'm trying to be as non-specific as possible, but it makes it difficult to explain things! Unfortunately, since each company's routers use different interfaces, it's impossible for me to exactly what you need to do!
Let us know what your routers are. Then I can possibly be more specific.
In the meantime, however, look for the sections in your router to 1) the other router's data in, and 2) specify what data goes to which system on the subnet!
I hope this helps!