Hi, Could you please explain what does this do? In any case - I've simplified my example a bit. In reality we have multiple subnets which need protection, and I would like to have one single rule without needing to remember to update it if we add another subnet. Is that possible? Like dropping every...

Yes that is how I have it now.

But what will prevent someone on Guest network changing his IP to 192.168.10.X and getting access to the network?

Oh by the way, the how-to link posted here also says to add DROP rules to INPUT chain, which did NOT work for me, I had to add them to FORWARD chain. By the way, the DROP rules are filtered by IP addresses. Is it possible to have them more universal, so to drop ALL traffic between guest and private ...

I did. The issue was that I specified ether interface, and not the bridge (ether was bridged with other wifi)

Hello,

I'm trying to do this. Guest WiFi appears, I can connect it, I get an ip address, but internet doesn't work. On firewall NAT tab no packets are listed on srcnat line..

What could I have done wrong?

Hello, I'm trying to setup a list of simple queues for bw monitoring purposes. No traffic shaping, just monitoring. I want to add a queue per IP to see who uses bandwidth. The problem I have: if I add a queue, and add destination address, two things happen: 1) traffic is only captured if I select &q...

Oh... you are right! It works just fine! I KNEW there was a easy way out! Thanks for showing it to me! [happy]

actually, I see where I confused you (and myself). It's by scrambling these adresses!

Problem is, I own two IPs from different subnets - 8.1.1.1 [router] and 8.1.2.1 [server].

Sorry for mistaking you..

No, no, it does! It's just that I have to enter 8.1.2.1 on the router, which does not belong to me

I have to assign IP on same subnet as 8.1.2.1 [my server's given IP], but it doesn't belong to me

If server interface is eth1, and I add a public IP I do not own to this interface, it won't cause problems on WAN interface, or will it?

I will try it out tomorrow, thanks!

Thank you very much. I'm really hoping I can solve this with real IP assigment on Windows box, and without resorting to additional networks / nats / other hacks. Btw, just to remind - it worked fine when this public IP was on the same interface as other, NATed, private IP. So I think it's only a mat...

Actually, I was thinking about 4) - i don't really care about other ISP addresses in that range, there's nothing interesting for us there ;) But I would rather do it proper way.. NAT doesn't seem "proper" - I can have it NAT way using private IPs only, but I would like to separate private ...

Thats how I had it in the first place. But I don't want that! I can't believe it's not possible to just tell the router that, hey, this IP is connected to you! I've tried manually adding ARP address to ARP table, and while ARP ping works fine, normal ping doesn't get through..

ISP assigned configuration: 8.1.2.1, 255.255.255.255, gateway 8.1.1.1 I can't paste you actual configuration because microtik has a complex additional network, nat, firewall configuration, and the IPs I show here are also diffferent.. :( I think you might be right that windows does not bind to the p...

Ok, so current configuration: Router - 85.1.2.1 Router additional network - 10.1.2.1/24 Router route to 85.1.2.2 via 10.1.2.2 Server - 85.1.2.2 AND 10.1.2.2 This works for incoming connections. Outgoing connections from server fail. If I add a masquarade, outgoing connections appear to come from 85....

Ok, I've tried it "additional private network" way. And it works just fine for incoming connections - they find their way to the public IP just fine. However, that does not work at all for outgoing connections via that network. If I don't add anything, they just dont go through. If I add a...

Frankly, I'm so new to mikrotik, that I'm using WinBox interface, and not even sure of the command lines.. Anyway, my way doesnt really work :( It worked when 8.1.2.1 was on same adapter which also had an internal IP address. When we put in a new adapter, it no longer works.. I have to look into you...

It is exactly as you described, precisely.

And it works!

Adding route did not work, until I explicitely specified interface. When I did that, it started working. My guess, is that it sends arp request and the server responds to it, so they know they are connected directly. Could this be true?

I've actually changed all the IPs in question, so I'm not even sure what to show :) Routers external IP is 85.1.1.1, LAN IP is 10.1.1.1, subnet mask is 10.1.1.255. Internal servers lan IP is 10.1.1.200. It also has a second interface, which has a 85.1.2.1 IP assigned. And I added a new route to 8.1....

lan

I think I forgot to tell something - the server is connected directly to the router via a switch. So there is no path anymore, the packet just has to be delivered to the recipient

thats the issue - it's public IP, and it's only one IP that our ISP has given to us (in addition to our router IP). So how to route it IS my question :) For now I have it working like this: 85.1.1.1 is public IP for our router [well, I've changed it, but lets assume its like that] 85.1.2.1 is public...

For now I've done it adding a simple route to 85.1.2.1 using 85.1.2.1 as the gateway. It seems to work, though I'm not sure if it might have any consequences?

Hello, this should be very simple, but I'm so uneducted in this topic, that I'm facing issues :) Scenario: WAN <-> MikroTik <-> LAN + RoutedDirectIP What I mean, is that MikroTik serves WAN access to LAN using NAT. And, also has one server directly connected to it, which has external IP address. Mik...

Hello, consider following infrastructure: wan -> Mikrotik -> lan on WAN interface, Mikrotik has external IP adress, say 81.1.1.1. It is used to provide wan access for all the lan clients. now, we need to have one of lan servers directly accessible from wan. So we have another IP address, 81.1.1.2. W...