wedwo1
just joined
Topic Author
Posts: 10
Joined: Sun Jul 30, 2023 12:11 pm

Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 3:02 pm

I have router OS 7.8 on an hAP ax3
I have two WAN ports, 3 LAN ports and a single bridge.
I manually enable / disable the WAN ports when switching between internet service providers.

I want to connect my neighbour's router to one LAN port and isolate it from the rest of my LAN, but allow WAN routing to both his network and mine.
I'd prefer to run DHCP services on my hAP ax3 for his network.
What approach should I take here?

Thanks in advance!
 
spippan
Member
Posts: 484
Joined: Wed Nov 12, 2014 1:00 pm

Re: Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 3:12 pm

If you are familiar with "vlan-filtering" on your bridge, you could assign your neighbour to a separate VLAN and manage desired access levels via firewall filter rules

or even additionally create a new VRF and assign your neighbour's interface to that VRF and build up from there
 
wedwo1
just joined
Topic Author
Posts: 10
Joined: Sun Jul 30, 2023 12:11 pm

Re: Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 3:27 pm

Thanks @spippan, is there a preferred approach given that I might in future want to apply some QOS or speed threshold rules?
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 3:29 pm

First: Don't understand why you play with WANs turning off and on manually.
What is the requirement that drives that........ Why not primary secondary tertiary OR load balance between all three, or some combination????

It would seem that the requirement in terms of neighbour connectivity is PRIMARILY an extra WAN connection.
WHY???
If your neighbour has the same internet connection as you (chances are very high as you have three) then there is no benefit in doing so. If the connection to your ISP is down, then so will his.................

What router does he have???
 
spippan
Member
Posts: 484
Joined: Wed Nov 12, 2014 1:00 pm

Re: Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 3:38 pm

> Thanks @spippan, is there a preferred approach given that I might in future want to apply some QOS or speed threshold rules?

For a simpler setup I'd prefer simple VLAN separation
but as anav also chimed in ... you might be in good company for further configuration assistance from here on
 
wedwo1
just joined
Topic Author
Posts: 10
Joined: Sun Jul 30, 2023 12:11 pm

Re: Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 4:08 pm

> First: Don't understand why you play with WANs turning off and on manually.
> What is the requirement that drives that........ Why not primary secondary tertiary OR load balance between all three, or some combination????
>
> It would seem that the requirement in terms of neighbour connectivity is PRIMARILY an extra WAN connection.
> WHY???
> If your neighbour has the same internet connection as you (chances are very high as you have three) then there is no benefit in doing so. If the connection to your ISP is down, then so will his.................
>
> What router does he have???

Hey Anav, thanks for the response. For the WANs, I have an interesting scenario. I'm in a rural part of the country (South Africa) and we occasionally have intermittent issues with internet, so I have two connections:
1x Starlink
1x LTE

Starlink is unofficially supported in SA on a roaming package, so we don't have ground stations and traffic is routed via ground stations in the host country (Malawi in my case) depending on the destination. In some cases, traffic is routed to the UK or US (for example) and breaks out to fibre at that point via terrestrial stations. As a result, my latency on Starlink is not as good as LTE when LTE behaves well.
My speed on LTE is capped at 30mbps so it's slower than Starlink in general, but great for VoIP etc... when it's working.
So I have an LTE router with WiFi and LAN/WAN interfaces connected via cable to WAN port 1 of my hAP ax3 (available via another wireless LAN). I also have Starlink connected to my second WAN port of my hAP ax3. Previously I had automatic failover set up where WAN 1 was the primary and if it goes down for 20 seconds, traffic routes via WAN 2 automagically until it's back up. The trouble with that is we go through phases where LTE access is flaky at best and it goes up and down like a yoyo so throughout the day I have 20 second periods where there's no internet before it switches over to the backup connection. I found that painful so prefer to just be able to quickly turn one or the other off permanently. It's hardly a chore - it's quite useful to have both and be able to use both when I want...
e.g. I sometimes have WAN 1 (LTE) disabled in RouterOS and WAN 2 as the gateway which gives everyone else entire network access to the internet via Starlink while I can connect to the LTE router's WiFi network and route via LTE for my own PC alone - especially useful if the family is streaming while I want to have a work call uninterrupted over a low latency connection.

The neighbour's connection is primarily to allow them to access the internet via my hAP ax3 device. They are seasonal visitors to the area and only spend 3 weeks of the year here, so it doesn't make sense for them to pay for a service that (often) requires a 2 year subscription, or expensive hardware (Starlink), so I have offered to let them piggyback off my system. I know I can connect their router's WAN port to my system and let mine provide DHCP to their WAN port and isolate it that way, but I want to avoid a double NAT situation. I also don't want to create confusion with two DHCP servers on my LAN if they accidentally connect my system to a LAN port of their wireless router while they have DHCP enabled on the LAN side of their router, so if I can isolate them and disable their router's DHCP services, their (wireless) router will effectively just be a WiFi access point to give them access to my WAN.

I only have 2 internet providers.
Thanks!
Last edited by wedwo1 on Mon Jun 24, 2024 4:15 pm, edited 1 time in total.
 
jvanhambelgium
Forum Guru
Posts: 1120
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 4:14 pm

Take 1 interface out of the bridge and put a small subnet on it (eg /30)?
Then have the cable run to the neighbor and let him config the correct IP on his "WAN" interface.
Secure what needs to be secured with some FW-rules (eg. make sure the "connection subnet" /30 cannot connect to some of your internal systems)?
Of course make sure it is allowed to go out on Internet.

You have inbound services that need to be accessible? Your neighbor has webservers running? Wants Wireguard VPN or something?
 
wedwo1
just joined
Topic Author
Posts: 10
Joined: Sun Jul 30, 2023 12:11 pm

Re: Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 4:18 pm

> Take 1 interface out of the bridge and put a small subnet on it (eg /30)?
> Then have the cable run to the neighbor and let him config the correct IP on his "WAN" interface.
> Secure what needs to be secured with some FW-rules (eg. make sure the "connection subnet" /30 cannot connect to some of your internal systems)?
> Of course make sure it is allowed to go out on Internet.
>
> You have inbound services that need to be accessible? Your neighbor has webservers running? Wants Wireguard VPN or something?

No local services that I need to offer to my neighbour, they just need internet via one LAN port on my Mikrotik box while being isolated from the rest of my LAN. The only issue with him connecting via his WAN interface is the double NAT it introduces which I want to avoid.

*EDIT* I should probably say I'm trying to avoid triple NAT in some cases - like with LTE - I have the LTE router connected to a WAN port on the Mikrotik and the LTE router is doing its own NAT, so we have double there already, which becomes triple on the neighbour's side if we introduce his WAN port to my LAN.
Last edited by wedwo1 on Mon Jun 24, 2024 4:30 pm, edited 1 time in total.
 
jvanhambelgium
Forum Guru
Posts: 1120
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 4:29 pm

That will be hard to avoid (the double-NAT) unless you have extra public IPs and can ROUTE some traffic up to his WAN-port.
OPTIONAL -> If you & the neighbor can agree on an IP subnet he can disable NAT on his router and ROUTE all the traffic. You would be responsible for the NAT action then.

eg. your LAN 192.168.1.x/24, his LAN = 192.168.100.x/24. You can "glue" both routers together across a 192.168.99.0/30 small subnet.
You need to add a static route for 192.168.100.0/24 with next-hop 192.168.99.2 (for example).
You must make sure NAT is in place for 192.168.1.x (yourself) and 192.168.100.x/24 (his prefix).

There would be only a few cases where a double-NAT will actually cause an issue. For most classic Internet usage it will be fine.
 
wedwo1
just joined
Topic Author
Posts: 10
Joined: Sun Jul 30, 2023 12:11 pm

Re: Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 4:36 pm

> That will be hard to avoid (the double-NAT) unless you have extra public IPs and can ROUTE some traffic up to his WAN-port.
I just want him to be on my LAN via his router's LAN switch, while preventing access to the systems on my LAN via that cable.
> OPTIONAL -> If you & the neighbor can agree on an IP subnet he can disable NAT on his router and ROUTE all the traffic. You would be responsible for the NAT action then.
>
> eg. your LAN 192.168.1.x/24, his LAN = 192.168.100.x/24. You can "glue" both routers together across a 192.168.99.0/30 small subnet.
> You need to add a static route for 192.168.100.0/24 with next-hop 192.168.99.2 (for example).
> You must make sure NAT is in place for 192.168.1.x (yourself) and 192.168.100.x/24 (his prefix).
>
> There would be only a few cases where a double-NAT will actually cause an issue. For most classic Internet usage it will be fine.

Thanks, so if I connect my LAN port to his WAN port and configure independent DHCP / routing on his router for his use, can I just set up rules to prevent routing between that LAN port (that his WAN connects to) and the rest of my LAN?
 
jvanhambelgium
Forum Guru
Posts: 1120
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Isolate a single ethernet interface from the rest of the LAN

Mon Jun 24, 2024 4:50 pm

> Thanks, so if I connect my LAN port to his WAN port and configure independent DHCP / routing on his router for his use, can I just set up rules to prevent routing between that LAN port (that his WAN connects to) and the rest of my LAN?

Sure, you can craft some FW-rules based on different parameters. The "inbound" interface will be dedicated for your neighbor, the IP-range between your 2 routers would be a separate subnet so you can also play with that.
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate a single ethernet interface from the rest of the LAN  [SOLVED]

Mon Jun 24, 2024 5:42 pm

Keep it simple!! No need for static routes or the like. This is basic: providing a private IP to a second router using a dedicated LAN subnet.

You can do it many ways, bridge-subnet and ether5 subnet
(or what I usually prefer is VLAN5 for home VLAN10 for guest house).

/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=10.10.10.1/30 interface=ether5 network=10.10.10.0

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4

/interface list member
add interface=bridge list=LAN
# ether5 is the neighbour's port; it stays out of the bridge
add interface=ether5 list=LAN

/ip firewall filter
# default rules to keep (forward chain)
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid

# admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# enable or remove the port-forwarding rule if not required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"


In this way, all users have internet access but ether5 cannot access the bridge subnet and the bridge subnet cannot access ether5, as there is no layer 2 connection between bridge and ether5.
The firewall rules drop all traffic not accepted above the drop-all rule.

If you were to do it via vlans....... all ports are on bridge.
/interface vlan
add interface=bridge name=homeVLAN5 vlan-id=5
add interface=bridge name=guestVLAN10 vlan-id=10

/ip address
add address=192.168.88.1/24 interface=homeVLAN5 network=192.168.88.0
add address=10.10.10.1/30 interface=guestVLAN10 network=10.10.10.0

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=5
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=5
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10

/interface bridge vlan
# the bridge itself (CPU port) must be a tagged member of each VLAN so the
# VLAN interfaces above can reach it; access ports are added untagged from their pvid
add bridge=bridge tagged=bridge vlan-ids=5
add bridge=bridge tagged=bridge vlan-ids=10

/interface list member
add interface=homeVLAN5 list=LAN
add interface=guestVLAN10 list=LAN

/ip firewall filter
# default rules to keep (forward chain)
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid

# admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# enable or remove the port-forwarding rule if not required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"

# last step, once everything above is in place
/interface bridge set bridge vlan-filtering=yes


Here vlans keep the two subnets separated at layer2 and firewall rules drop all traffic not accepted above the drop rule.

(note last step is to turn bridge vlan filtering on)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

All the neighbour has to do is plug in his router to your etherport 5 and he gets internet only and an IP address of 10.10.10.2.
The only thing that may require work is if he wants to host some service and that depends if you have a publicly available IP address ( VPN etc...).
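As an added check (example code written for this thread, not anything from anav's post or from RouterOS), this Python model walks the posted forward chain for a few constructed flows between the guest port, the home bridge and the WAN, and shows that guest/home isolation comes from the final "drop all else" rule rather than from the accept rules; the WAN interface name ether1 is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Interface lists as posted (bridge = home LAN, ether5 = guest port); WAN name is assumed.
LISTS = {"LAN": {"bridge", "ether5"}, "WAN": {"ether1"}}

@dataclass
class Packet:
    in_if: str
    out_if: str
    state: str  # new / established / related / invalid

@dataclass
class Rule:
    action: str
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    states: Optional[Tuple[str, ...]] = None
    def matches(self, p: Packet) -> bool:
        return ((self.in_list is None or p.in_if in LISTS[self.in_list])
                and (self.out_list is None or p.out_if in LISTS[self.out_list])
                and (self.states is None or p.state in self.states))

# The forward chain as posted, in order (disabled port-forwarding rule omitted).
POSTED_RULES = [
    Rule("fasttrack-connection", states=("established", "related")),
    Rule("accept", states=("established", "related")),
    Rule("drop", states=("invalid",)),
    Rule("accept", in_list="LAN", out_list="WAN"),  # "internet traffic"
    Rule("drop"),                                   # "drop all else"
]

def verdict(rules, p: Packet) -> str:
    """First terminating match wins; fasttrack-connection only marks the connection
    and passes through. No match at all means accept (RouterOS default policy)."""
    for r in rules:
        if r.matches(p) and r.action != "fasttrack-connection":
            return r.action
    return "accept"

# Constructed traffic cases crossing the hAP ax3 in the forward chain.
CASES = {
    "guest->internet": Packet("ether5", "ether1", "new"),
    "guest->home": Packet("ether5", "bridge", "new"),
    "home->guest": Packet("bridge", "ether5", "new"),
    "reply->guest": Packet("ether1", "ether5", "established"),
    "guest invalid": Packet("ether5", "ether1", "invalid"),
}

def evaluate(rules) -> dict:
    return {name: verdict(rules, p) for name, p in CASES.items()}
```

Running evaluate() on POSTED_RULES[:-1] (the chain without its last rule) accepts guest->home and home->guest, which is the leak the drop-all rule exists to close.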