2 networks on one router

guajojo · Wed May 22, 2024 11:39 pm

What is supposed to be a simple config is giving me headaches.
I have a RB750Gr3
port1 and 2 for ISP, port 4 for a guest network (only internet) and port 5 for local LAN
I've been working with a LOCAL lan brindge no issues until I decided to put an AP directly connected to port 4 and manage a guest network; I've followed the basics, created a new bridge including port 3 and 4 (in case I add another AP on port 3 on the future)

gave the bridge an IP address: 10.1.1.254

created a new DHCP server for the guest network 10.1.1.0/24, it has its own network and pool on the same range.

2024-05-22 16_23_40-Window.png

I cannot even ping this new address from the router, I've tried disabling all the firewall rules in case there was the issue, but no.

[root@RouterOS] > /ip address export                  
# 2024-05-22 16:32:58 by RouterOS 7.14.3
# software id = G6P4-6R9U
#
# model = RB750Gr3
# serial number = XXXXXXXXXXX
/ip address
add address=192.168.1.201/24 comment=defconf interface=LOCAL_Oncos network=192.168.1.0
add address=10.1.1.254/24 comment=invitados interface=invitados_Oncos network=10.1.1.0
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=32
add disabled=no dst-address=8.8.8.8/32 gateway=172.16.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=31
[root@RouterOS] > /interface/
6to4                dot1x        gre        l2tp-client     lte         ovpn-client     pppoe-client     sstp-client     vpls      wireguard     disable     find                reset-counters   
bonding             eoip         gre6       l2tp-ether      macsec      ovpn-server     pppoe-server     sstp-server     vrrp      wireless      edit        monitor-traffic     set              
bridge              eoipv6       ipip       l2tp-server     macvlan     ppp-client      pptp-client      veth            vxlan     blink         enable      print               
detect-internet     ethernet     ipipv6     list            mesh        ppp-server      pptp-server      vlan            wifi      comment       export      reset               
/interface bridge
add admin-mac=48:A9:8A:EB:60:96 auto-mac=no comment=defconf name=LOCAL_Oncos port-cost-mode=short
add name=invitados_Oncos
/interface ethernet
set [ find default-name=ether1 ] name=ether1_ISP1
set [ find default-name=ether2 ] name=ether2_ISP2
set [ find default-name=ether4 ] name=ether4_invitados
set [ find default-name=ether5 ] name=ether5_ONCOS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=LOCAL_Oncos comment=defconf ingress-filtering=no interface=ether5_ONCOS internal-path-cost=10 path-cost=10
add bridge=invitados_Oncos interface=ether4_invitados
/interface list member
add comment=defconf interface=LOCAL_Oncos list=LAN
add comment=defconf interface=ether1_ISP1 list=WAN
add interface=ether2_ISP2 list=WAN
add interface=invitados_Oncos list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-server
add address-pool=default-dhcp interface=LOCAL_Oncos lease-time=10m name=defconf
add address-pool=pool_invitados interface=invitados_Oncos lease-time=10m name=server_invitados
/ip dhcp-server lease
add address=192.168.1.190 mac-address=F4:B1:C2:6D:E0:40
add address=192.168.1.195 mac-address=00:19:BA:08:C1:66
add address=192.168.1.200 mac-address=00:17:61:10:7F:5A
add address=192.168.1.254 mac-address=00:5F:67:75:F7:69
add address=192.168.1.249 client-id=ff:70:5c:d1:7b:0:1:0:1:2d:32:dd:4:6:77:70:5c:d1:7b mac-address=06:77:70:5C:D1:7B server=defconf
add address=192.168.1.198 client-id=1:8e:b5:47:46:80:d6 mac-address=8E:B5:47:46:80:D6 server=defconf
add address=192.168.1.253 client-id=1:e:31:c4:c0:d8:3 comment="TRUENAS oserv1" mac-address=0E:31:C4:C0:D8:03 server=defconf
add address=192.168.1.250 comment=truenas_mirror mac-address=BC:24:11:02:11:95
/ip dhcp-server network
add address=10.1.1.0/24 comment=invitados dns-server=8.8.8.8 gateway=10.1.1.254 netmask=24
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8 gateway=192.168.1.201 netmask=24
/ip firewall address-list
add address=192.168.1.111 list=dns_server
/ip firewall connection tracking
set udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=noLAN_
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward disabled=yes
add action=accept chain=input disabled=yes
/ip firewall mangle
add action=mark-connection chain=prerouting comment="marks from ISP interface" connection-mark=no-mark connection-state=new disabled=yes in-interface=ether1_ISP1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new disabled=yes in-interface=ether2_ISP2 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-routing chain=output comment="marks toISP interface" connection-mark=ISP1_conn disabled=yes new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn disabled=yes new-routing-mark=ISP2 passthrough=yes
add action=mark-connection chain=prerouting comment="marks from LAN interface" connection-mark=no-mark connection-state=new disabled=yes dst-address-type=!local in-interface=LOCAL_Oncos new-connection-mark=ISP1_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new disabled=yes dst-address-type=!local in-interface=LOCAL_Oncos new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting comment="marks to LAN interface" connection-mark=ISP1_conn disabled=yes in-interface=LOCAL_Oncos new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn disabled=yes in-interface=LOCAL_Oncos new-routing-mark=ISP2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address-list=!dns_server to-addresses=8.8.8.8
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list=!dns_server to-addresses=8.8.8.8
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

What is even more strange is that im copying this config from another router that has the exact configuration I want to apply here, and only in this router is failing
Current state is clients receive an IP and correct DHCP settings, gateway, DNS, etc.
But they can only talk to each other, no link to the internet, not even ping to their own gateway 10.1.1.254

anav · Thu May 23, 2024 1:35 am

Should work... but only use one bridge or no bridges.
Dont use same DNS site for DNS and for routes recursive
Where is ISP2 routing etc...???
What is the purpose of the DNS server at .111 when you push everyone by to 8.8.8.8
If no vpns to the router and no port forwarding to LAN devices then mangling can be reduced.
REMOVE NETMASK settings on dhpc-server network !!!

So not LB the Guest network.

2024-05-22 16:32:58 by RouterOS 7.14.3
# software id = G6P4-6R9U
#
# model = RB750Gr3
# serial number = "hidden"
/ip address
add address=192.168.1.201/24 comment=defconf interface=LOCAL_Oncos network=192.168.1.0
add address=10.1.1.254/24 comment=invitados interface=ether4_invitados network=10.1.1.0
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=32
add disabled=no dst-address=8.8.4.4/32 gateway=172.16.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=31
?????????
??????????

/interface bridge
add admin-mac=48:A9:8A:EB:60:96 auto-mac=no comment=defconf name=LOCAL_Oncos port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1_ISP1
set [ find default-name=ether2 ] name=ether2_ISP2
set [ find default-name=ether4 ] name=ether4_invitados
set [ find default-name=ether5 ] name=ether5_ONCOS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface bridge port
add bridge=LOCAL_Oncos comment=defconf ingress-filtering=no interface=ether5_ONCOS internal-path-cost=10 path-cost=10

/interface list member
add comment=defconf interface=LOCAL_Oncos list=LAN
add comment=defconf interface=ether1_ISP1 list=WAN
add interface=ether2_ISP2 list=WAN
add interface=ether4_invitados list=LAN

/ip dhcp-server
add address-pool=default-dhcp interface=LOCAL_Oncos lease-time=10m name=defconf
add address-pool=pool_invitados interface=ether4_invitados lease-time=10m name=server_invitados
\
/ip dhcp-server network
add address=10.1.1.0/24 comment=invitados dns-server=8.8.8.8 gateway=10.1.1.254
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8 gateway=192.168.1.201

Missing fastrack rule, first rule in forward chain, modifed for mangling
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related connection-mark=no-mark

/ip firewall mangle
add action=mark-connection chain=forward comment="marks from LAN interface" connection-mark=no-mark \
dst-address-type=!local in-interface=LOCAL_Oncos new-connection-mark=ISP1_conn \
passthrough=yes per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local \
in-interface=LOCAL_Oncos new-connection-mark=ISP2_conn passthrough=yes \
per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2_conn new-routing-mark=ISP2 passthrough=no

guajojo · Thu May 23, 2024 3:50 pm

Hello anav, followed all your recomendations,

Deleted the bridge and pointed directly to the ethport4 that has the AP - May I ask why this needs to be changed?

changed the DNS to be different from the recursive DNS - May I ask why this needs to be changed?

deleted Netmask config from DHCP server network - May I ask why this needs to be changed?

The ISP2 and mangling rules are a remanent when I actually had 2 ISP providers, nowdays I only have one, I deleted those old rules.
Same for DNS server at 111, I had pihole before but it brought me too much trouble, also deleted this rule and now all DNS just points to my mikrotik and there the NAT rule just forces everyone to 1.1.1.1

I dont understand this: So not LB the Guest network. You mean loopback? do I need to change something?

2024-05-23 08_40_12-ONCOS - AnyDesk.png

After these changed still the guest network has no internet access and I cannot ping the guest gateway even from inside the mikrotik terminal

2024-05-23 08_48_35-ONCOS - AnyDesk.png

anav · Thu May 23, 2024 4:04 pm

Please post your latest config with the changes.

guajojo · Thu May 23, 2024 7:45 pm

Please post your latest config with the changes.

Sure, here:

[root@RouterOS] > /export compact
# 2024-05-23 12:39:07 by RouterOS 7.14.3
# software id = G6P4-6R9U
#
# model = RB750Gr3
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=48:A9:8A:EB:60:96 auto-mac=no comment=defconf name=LOCAL_Oncos port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1_ISP1
set [ find default-name=ether2 ] name=ether2_ISP2
set [ find default-name=ether4 ] name=ether4_invitados
set [ find default-name=ether5 ] name=ether5_ONCOS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.190
add name=pool_invitados ranges=10.1.1.10-10.1.1.253
/ip dhcp-server
add address-pool=default-dhcp interface=LOCAL_Oncos lease-time=10m name=defconf
add address-pool=pool_invitados interface=ether4_invitados lease-time=10m name=server_invitados
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/queue simple
add max-limit=2/10 name=queue_invitados target=10.1.1.0/24
add max-limit=7M/35M name=queue1 queue=pcq-upload-default/pcq-download-default target=192.168.1.0/24
/routing table
add disabled=yes fib name=ISP1
add disabled=yes fib name=ISP2
/interface bridge port
add bridge=LOCAL_Oncos comment=defconf ingress-filtering=no interface=ether5_ONCOS internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=LOCAL_Oncos list=LAN
add comment=defconf interface=ether1_ISP1 list=WAN
add interface=ether2_ISP2 list=WAN
add interface=ether4_invitados list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.201/24 comment=defconf interface=LOCAL_Oncos network=192.168.1.0
add address=10.1.1.254/24 comment=invitados interface=ether4_invitados network=10.1.1.0
/ip dhcp-client
add comment=defconf interface=ether1_ISP1
add disabled=yes interface=ether2_ISP2
/ip dhcp-server lease

/ip dhcp-server network
add address=10.1.1.0/24 comment=invitados dns-server=10.1.1.254 gateway=10.1.1.254
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.201 gateway=192.168.1.201
/ip dns
set allow-remote-requests=yes servers=192.168.1.201
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=noLAN_
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward disabled=yes
add action=accept chain=input disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp to-addresses=1.1.1.1
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=1.1.1.1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=32
add disabled=no dst-address=8.8.8.8/32 gateway=172.16.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=31

The export is not showing all my router Idkw

2024-05-23 12_44_33-ONCOS - AnyDesk.png

sindy · Sun May 26, 2024 11:07 am

The export is not showing all my router Idkw

Because export only shows the static configuration, whereas print shows the complete one, including the dynamically added items (in this particular case, the routes to connected subnets that are dynamically added as you configure interface addresses and masks, and the default route added using DHCP). Winbox is somehow a fusion of both but it gives far less bits of information per square unit of screen.

anav · Sun May 26, 2024 4:13 pm

(1) One thing I would change is put actual dns servers remote available.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

(2) Remove this old default setting
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(3) This is a very dangerous rule because it will allow external user to spam, flood your router for DNS.
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp to-addresses=1.1.1.1
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=1.1.1.1

Change it at least too.
add action=dst-nat chain=dstnat in-interface-list=LAN dst-port=53 protocol=tcp to-addresses=1.1.1.1
add action=dst-nat chain=dstnat in-interface-list=LAN dst-port=53 protocol=udp to-addresses=1.1.1.1

jaclaz · Sun May 26, 2024 8:58 pm

Maybe not relevant, but what is the meaning of these two static routes?

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=32
add disabled=no dst-address=8.8.8.8/32 gateway=172.16.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=31

They seem part of a recursive routing approach (that has IMHO little sense if you don't have a second ISP for failover).
You already have a dynamic (active) rule coming from the dhcp, with 0.0.0.0/0 dst-address going through 172.16.1.1 gateway, and the dymanic routes coming from the LAN and WAN subnets, you should not need any other route to connect to the internet.

As sindy suggested, the "export" won't "catch" dynamic settings, such as routes and ip addresses assigned dynamically, you can add to the "export" output, the output of
/ip address print
and
/ip route print

anav · Sun May 26, 2024 9:37 pm

Hi Jaclaz,
I just took at is he really wants to know if his ISP has connectivity to the internet vice having the ISP seemingly functional but no internet.
Nothing wrong with it but yes a tad strange as no alternative.

As a note I am really getting peeved at dynamic print!. There is no reason why not to show the actual routes at time of export as if dynamic print was added and especially any back to home vpn settings as well.

guajojo · Tue Jun 04, 2024 8:11 pm

found the problem, my queue for the guests network was 3/10 forgot the "M"......

2 networks on one router

2 networks on one router

Re: 2 networks on one router

Re: 2 networks on one router

Re: 2 networks on one router

Re: 2 networks on one router

Re: 2 networks on one router

Re: 2 networks on one router

Re: 2 networks on one router

Re: 2 networks on one router

Re: 2 networks on one router