Pedro2016
just joined
Topic Author
Posts: 4
Joined: Thu Oct 13, 2016 10:35 am

2 families, 2 ISPs and a shared network printer

Fri Oct 14, 2016 1:06 am

Good day!

I bought a RouterBoard 750 hEX Lite, because we have 2 different families in our house with 2 ISPs and would like to share a network printer.
We cannot change very much within the configuration of the 2 different routers from our ISPs.
But perhaps it is possible that we don't need to share our internet connections while sharing one network printer.
So I started to make some tests and this is my rotten configuration so far:
# oct/13/2016 21:01:37 by RouterOS 6.37.1
# software id = XXXX-XXXX
#
/interface ethernet
set [ find default-name=ether1 ] name=Port1_LAN1
set [ find default-name=ether2 ] name=Port2_WAN1
set [ find default-name=ether3 ] name=Port3_LAN2
set [ find default-name=ether4 ] name=Port4_WAN2
set [ find default-name=ether5 ] name=Port5_LAN3
/interface list
add name=list_drop_LAN2
add name=list_drop_LAN1
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool_LAN1 ranges=192.168.1.100-192.168.1.199
add name=dhcp_pool_LAN2 ranges=192.168.3.100-192.168.3.199
add name=dhcp_pool_LAN3 ranges=192.168.5.100-192.168.5.199
/ip dhcp-server
add address-pool=dhcp_pool_LAN1 disabled=no interface=Port1_LAN1 lease-time=\
    3d name=dhcp_LAN1
add address-pool=dhcp_pool_LAN2 disabled=no interface=Port3_LAN2 lease-time=\
    3d name=dhcp_LAN2
add address-pool=dhcp_pool_LAN3 disabled=no interface=Port5_LAN3 name=\
    dhcp_LAN3
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface list member
add interface=Port3_LAN2 list=list_drop_LAN1
add interface=Port4_WAN2 list=list_drop_LAN1
add interface=Port1_LAN1 list=list_drop_LAN2
add interface=Port2_WAN1 list=list_drop_LAN2
/ip address
add address=192.168.1.10/24 interface=Port1_LAN1 network=192.168.1.0
add address=192.168.2.10/24 interface=Port2_WAN1 network=192.168.2.0
add address=192.168.3.10/24 interface=Port3_LAN2 network=192.168.3.0
add address=192.168.4.10/24 interface=Port4_WAN2 network=192.168.4.0
add address=192.168.5.10/24 interface=Port5_LAN3 network=192.168.5.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.10 gateway=192.168.1.10 \
    netmask=24
add address=192.168.3.0/24 dns-server=192.168.3.10 gateway=192.168.3.10
add address=192.168.5.0/24 dns-server=192.168.5.10 gateway=192.168.5.10
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip firewall filter
add action=drop chain=forward in-interface=Port1_LAN1 out-interface-list=\
    list_drop_LAN1
add action=drop chain=forward in-interface=Port3_LAN2 out-interface-list=\
    list_drop_LAN2
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=Port1_LAN1 \
    new-routing-mark=LAN1 passthrough=no
add action=mark-routing chain=prerouting in-interface=Port3_LAN2 \
    new-routing-mark=LAN2 passthrough=no
add action=mark-routing chain=prerouting in-interface=Port5_LAN3 \
    new-routing-mark=LAN3 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Port2_WAN1
add action=masquerade chain=srcnat out-interface=Port4_WAN2
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=LAN1
add distance=1 dst-address=192.168.5.0/24 gateway=Port5_LAN3 routing-mark=\
    LAN1
add distance=1 gateway=192.168.4.1 routing-mark=LAN2
add distance=1 dst-address=192.168.5.0/24 gateway=Port5_LAN3 routing-mark=\
    LAN2
add distance=1 gateway=192.168.2.1 routing-mark=LAN3
add distance=1 dst-address=192.168.5.0/24 gateway=Port5_LAN3 routing-mark=\
    LAN3
/ip service
set api disabled=yes
/system ntp client
set enabled=yes primary-ntp=176.9.102.215 secondary-ntp=176.9.31.215
/system routerboard settings
set cpu-frequency=850MHz protected-routerboot=disabled
Just for the purpose of explanation:
Physical Port1 is LAN1 for Family 1 (connected to various computers from Family 1)
Physical Port2 is WAN1 for Family 1 (connected to the router from Family 1 ISP)
Physical Port3 is LAN2 for Family 2 (connected to various computers from Family 2)
Physical Port4 is WAN2 for Family 2 (connected to the router from Family 2 ISP)
Physical Port5 is LAN3 for shared Network-Printer

If I disable the static route with Routing Mark "LAN3" and Dst. Address 0.0.0.0/0 then I can ping the network printer from LAN1 and LAN2 and reverse. I also can't ping between LAN1 and LAN2 as expected. And I even can traceroute a public URL and see the correct hops. But I have no internet access from LAN3!
Aside from that it seems not possible to access a network share in LAN3 with the name of the computer. I have to enter \\192.168.5.xxx to access the network share. This might be a problem because I would like to install the printer via its node name and not via its IP.

If I enable the static route with Routing Mark "LAN3" and Dst. Address 0.0.0.0/0 then I can't ping between the subnets any more, but I have internet access from LAN3.

Perhaps you can tell me how I can get everything to run?

Best regards...Pedro2016
 
tibobo
newbie
Posts: 41
Joined: Tue Sep 27, 2016 8:54 am

Re: 2 families, 2 ISPs and a shared network printer

Fri Oct 14, 2016 2:39 am

My first thought would have been to try some VRF setup but this has also some drawbacks which can be non trivial to solve.

So I came up with another design: just reroute what's coming from the 2 families' LANs and NOT going to your printer network to their respective internet gateway.
Basically :
/ip firewall mangle
add action=route chain=prerouting dst-address=!192.168.5.0/24 in-interface=Port1_LAN1 passthrough=no route-dst=192.168.2.1
add action=route chain=prerouting dst-address=!192.168.5.0/24 in-interface=Port3_LAN2 passthrough=no route-dst=192.168.4.1
This way you can avoid playing with routing-mark altogether.
The printer will choose whatever outgoing connection is available.

I ended up with the following configuration :

/interface ethernet
set [ find default-name=ether1 ] name=Port1_LAN1
set [ find default-name=ether2 ] name=Port2_WAN1
set [ find default-name=ether3 ] name=Port3_LAN2
set [ find default-name=ether4 ] name=Port4_WAN2
set [ find default-name=ether5 ] name=Port5_LAN3

/ip pool
add name=dhcp_pool_LAN1 ranges=192.168.1.100-192.168.1.199
add name=dhcp_pool_LAN2 ranges=192.168.3.100-192.168.3.199
add name=dhcp_pool_LAN3 ranges=192.168.5.100-192.168.5.199

/ip dhcp-server
add address-pool=dhcp_pool_LAN1 disabled=no interface=Port1_LAN1 lease-time=3d name=dhcp_LAN1
add address-pool=dhcp_pool_LAN2 disabled=no interface=Port3_LAN2 lease-time=3d name=dhcp_LAN2
add address-pool=dhcp_pool_LAN3 disabled=no interface=Port5_LAN3 name=dhcp_LAN3

/ip address
add address=192.168.1.10/24 interface=Port1_LAN1 network=192.168.1.0
add address=192.168.2.10/24 interface=Port2_WAN1 network=192.168.2.0
add address=192.168.3.10/24 interface=Port3_LAN2 network=192.168.3.0
add address=192.168.4.10/24 interface=Port4_WAN2 network=192.168.4.0
add address=192.168.5.10/24 interface=Port5_LAN3 network=192.168.5.0

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.10 gateway=192.168.1.10 netmask=24
add address=192.168.3.0/24 dns-server=192.168.3.10 gateway=192.168.3.10
add address=192.168.5.0/24 dns-server=192.168.5.10 gateway=192.168.5.10

/ip dns
set allow-remote-requests=yes servers=192.168.2.1

/ip firewall mangle
add action=route chain=prerouting dst-address=!192.168.5.0/24 in-interface=Port1_LAN1 passthrough=no route-dst=192.168.2.1
add action=route chain=prerouting dst-address=!192.168.5.0/24 in-interface=Port3_LAN2 passthrough=no route-dst=192.168.4.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Port2_WAN1
add action=masquerade chain=srcnat out-interface=Port4_WAN2

/ip route
add distance=1 gateway=192.168.2.1 check-gateway=ping
add distance=2 gateway=192.168.4.1 check-gateway=ping
You can of course add whatever firewall rules you prefer to prevent any unauthorized forwarding, but I don't see how unauthorized forwarding could happen here.

Regarding your node name issue, you could add a static DNS entry but I don't know if your Windows computer will use that instead of NetBIOS name resolution.
/ip dns static add address=xxxxx name=yyy
Another way which would allow for NetBIOS would involve playing with bridges and bridge firewalls.
But it would also add some drawbacks that could lead to real havoc.

Best regards
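
The isolation between the two families can also be enforced with explicit forward rules instead of relying on routing alone. The following is an added example, not part of the original post or of anyone's tested configuration: it reuses the interface names from the thread and assumes the printer only needs to open SMB (TCP/445) sessions toward the notebooks for scan-to-folder.

```routeros
# Added example, not from the thread. Interface names are the ones used above;
# the SMB-only policy for the printer network is an assumption.
/ip firewall filter
# Return traffic for flows that one of the rules below allowed
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Each family reaches only its own ISP router
add chain=forward in-interface=Port1_LAN1 out-interface=Port2_WAN1 action=accept
add chain=forward in-interface=Port3_LAN2 out-interface=Port4_WAN2 action=accept
# Both families may open connections to the printer network
add chain=forward in-interface=Port1_LAN1 out-interface=Port5_LAN3 action=accept
add chain=forward in-interface=Port3_LAN2 out-interface=Port5_LAN3 action=accept
# The printer may start only SMB sessions toward the family LANs (scan to folder);
# older devices may also need TCP/139
add chain=forward in-interface=Port5_LAN3 out-interface=Port1_LAN1 protocol=tcp dst-port=445 action=accept
add chain=forward in-interface=Port5_LAN3 out-interface=Port3_LAN2 protocol=tcp dst-port=445 action=accept
# Internet access from LAN3 through either uplink; remove if the printer does not need it
add chain=forward in-interface=Port5_LAN3 out-interface=Port2_WAN1 action=accept
add chain=forward in-interface=Port5_LAN3 out-interface=Port4_WAN2 action=accept
# Everything else, including LAN1 <-> LAN2 and WAN -> LAN, is logged and dropped
add chain=forward action=drop log=yes log-prefix="fwd-drop"

# allow-remote-requests=yes makes the router answer DNS on every interface,
# so refuse queries that arrive on the ISP-side ports
add chain=input in-interface=Port2_WAN1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=Port2_WAN1 protocol=tcp dst-port=53 action=drop
add chain=input in-interface=Port4_WAN2 protocol=udp dst-port=53 action=drop
add chain=input in-interface=Port4_WAN2 protocol=tcp dst-port=53 action=drop
```

The logged drops (prefix `fwd-drop`) show which flow a device still needs before the policy is widened.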
 
Pedro2016
just joined
Topic Author
Posts: 4
Joined: Thu Oct 13, 2016 10:35 am

Re: 2 families, 2 ISPs and a shared network printer

Fri Oct 14, 2016 11:15 pm

Hello tibobo,

many thanks for your help. Your configuration looks like a clever solution and today I had some time to try your configuration - the LAN access works well, but I have no internet access from both family LANs and I don't know why. When I PING a WWW host the IP doesn't get resolved.
I just reset the router without default config, connected via WinBox with MAC and imported your configuration in a terminal.

But I also have another problem... our 2 main computers are notebooks with Windows 7, which are used in different environments (when I drive to my parents for example) and because of this we use DHCP on these computers. The shared printer is connected with static IPv4, but uses SMB to store scanned files to different shared folders on different computers (e.g. "\\notebook1\scanfiles"). So I need to find a way how I can resolve these network paths from within LAN3 to our computers with DHCP in LAN1 and LAN2. Is this possible and do you have an idea how I can manage this with the RouterBoard?

Best regards
Pedro
 
razortas
newbie
Posts: 40
Joined: Tue Nov 20, 2012 1:07 am

Re: 2 families, 2 ISPs and a shared network printer

Wed Oct 19, 2016 3:48 am

Not sure what version you're using but action=route - confusing?
Here is my suggestion:

/interface ethernet
set [ find default-name=ether1 ] name=Port1_LAN1
set [ find default-name=ether2 ] name=Port2_WAN1
set [ find default-name=ether3 ] name=Port3_LAN2
set [ find default-name=ether4 ] name=Port4_WAN2
set [ find default-name=ether5 ] name=Port5_LAN3

/ip pool
add name=dhcp_pool_LAN1 ranges=192.168.1.100-192.168.1.199
add name=dhcp_pool_LAN2 ranges=192.168.3.100-192.168.3.199
add name=dhcp_pool_LAN3 ranges=192.168.5.100-192.168.5.199

/ip dhcp-server
add address-pool=dhcp_pool_LAN1 disabled=no interface=Port1_LAN1 lease-time=3d name=dhcp_LAN1
add address-pool=dhcp_pool_LAN2 disabled=no interface=Port3_LAN2 lease-time=3d name=dhcp_LAN2
add address-pool=dhcp_pool_LAN3 disabled=no interface=Port5_LAN3 name=dhcp_LAN3

/ip address
add address=192.168.1.10/24 interface=Port1_LAN1 network=192.168.1.0
add address=192.168.2.10/24 interface=Port2_WAN1 network=192.168.2.0
add address=192.168.3.10/24 interface=Port3_LAN2 network=192.168.3.0
add address=192.168.4.10/24 interface=Port4_WAN2 network=192.168.4.0
add address=192.168.5.10/24 interface=Port5_LAN3 network=192.168.5.0

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.10 gateway=192.168.1.10 netmask=24
add address=192.168.3.0/24 dns-server=192.168.3.10 gateway=192.168.3.10
add address=192.168.5.0/24 dns-server=192.168.5.10 gateway=192.168.5.10

/ip dns
set allow-remote-requests=yes servers=192.168.2.1

/ip firewall mangle
add chain=prerouting dst-address=!192.168.5.0/24 in-interface=Port1_LAN1 passthrough=no action=mark-routing new-routing-mark=LAN1-to-WAN1
add chain=prerouting dst-address=!192.168.5.0/24 in-interface=Port3_LAN2 passthrough=no action=mark-routing new-routing-mark=LAN2-to-WAN2

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=Port2_WAN1 action=src-nat to-address=192.168.2.10
add chain=srcnat src-address=192.168.3.0/24 out-interface=Port4_WAN2 action=src-nat to-address=192.168.4.10

/ip route
add dst-address=0.0.0.0/0 distance=1 gateway=192.168.2.1 check-gateway=ping routing-mark=LAN1-to-WAN1
add dst-address=0.0.0.0/0 distance=1 gateway=192.168.4.1 check-gateway=ping routing-mark=LAN2-to-WAN2

You may want to add your external DNS to the DHCP listings rather than use DNS from the router, may work better.
 
Pedro2016
just joined
Topic Author
Posts: 4
Joined: Thu Oct 13, 2016 10:35 am

Re: 2 families, 2 ISPs and a shared network printer

Fri Oct 21, 2016 12:50 am

Hello razortas,

Many thanks to you, for your help and your working suggestion, but still SMB only works when I use fixed IPs instead of hostnames.
Perhaps my aims are not possible with separate subnets? I suppose that SMB uses something like Broadcasts, which shouldn't be forwarded to other subnets, right?
In this case I probably have to use fixed IPs in the "alternate configuration" tab in Windows 7 to use the scanner at home and dynamic IPs in other locations.
Or I assign a lease statically, either based on the MAC-Address or the Hostname...
> You may want to add your external DNS to the DHCP listings rather than use DNS from the router, may work better.
I already noticed that I specified only 1 DNS server (192.168.2.1) and in case of disconnecting this router I also have no internet access inside LAN3. So I added 8.8.8.8 to all DHCP Networks.

Greetings
Pedro
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 families, 2 ISPs and a shared network printer

Fri Oct 21, 2016 3:03 am

Two questions:
> The shared printer is connected with static IPv4, but uses SMB to store scanned files to different shared folder on different computers(e.g. "\\notebook1\scanfiles").
Do you know how this works, where does the printer get this name ("notebook1") from?
> We cannot change very much within the configuration of the 2 different routers from our ISPs.
Just out of curiosity, let's call it scouting for ideas for plan C, but it may be a dead end. By "cannot change very much" you mean:
a) you can't change anything
b) you can change some things; specifically I'd be interested in ability to add static route within LAN
 
agnostic
Frequent Visitor
Posts: 61
Joined: Fri Mar 21, 2014 8:23 pm

Re: 2 families, 2 ISPs and a shared network printer

Fri Oct 21, 2016 5:52 pm

tried hairpin nat or it gets dropped by your firewall rules??
 
Pedro2016
just joined
Topic Author
Posts: 4
Joined: Thu Oct 13, 2016 10:35 am

Re: 2 families, 2 ISPs and a shared network printer

Sat Oct 22, 2016 12:56 am

> Do you know how this works, where does the printer get this name ("notebook1") from?
These settings are configured inside the web interface of the printer. You can choose SMB in a configuration tab and provide a network path, a username and a password. There are other protocols available like FTP, FTPS, NetWare IPX/SPX and NetWare TCP/IP.
> Just out of curiosity, let's call it scouting for ideas for plan C, but it may be a dead end. By "cannot change very much" you mean:
> a) you can't change anything
> b) you can change some things; specifically I'd be interested in ability to add static route within LAN
Answer b) is correct. I have access to the routers, but I can only change basic stuff like LAN-IP or DHCP-Range, but there is no way to add a static route.
> tried hairpin nat or it gets dropped by your firewall rules??
I hear this term for the first time, but isn't this technique used for accessing internal resources using a public IP?
Since I have no filter rules in the mikrotik firewall and my clients in subnet LAN1 can access their shares using hostnames and my clients in subnet LAN3 can access the shares in LAN1 using IPs, I thought the problem may be associated with broadcast domains.

Greetings
Pedro
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 families, 2 ISPs and a shared network printer

Sat Oct 22, 2016 3:19 am

Try to add static DNS record pointing to notebook:
/ip dns static
add address=192.168.x.x name=notebook1
Then make the printer use router as DNS server. If it won't work, try to use some FQDN, e.g. notebook1.lan (and then \\notebook1.lan\scanfiles). If you succeed with any of these, add DHCP reservation for notebook1 to keep its address static.
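
The reservation and the DNS record from the post above can be created together from the lease the notebook already holds. This is an added example, not part of the original post; `notebook1` is the host name used in the thread, and the script assumes the notebook is currently connected and holds a dynamic lease.

```routeros
# Added example, not from the thread. Paste as one block so the :local variables share a scope.
{
    :local host "notebook1"
    :local ids [/ip dhcp-server lease find where host-name=$host]
    # host-name is whatever the client sent in its DHCP request, so refuse to
    # pin anything unless exactly one lease claims the name
    :if ([:len $ids] != 1) do={ :error "expected exactly one lease for $host" }
    :local id ($ids->0)
    :local ip [/ip dhcp-server lease get $id address]
    # Turn the dynamic lease into a reservation bound to the notebook's MAC address
    :if ([/ip dhcp-server lease get $id dynamic]) do={
        /ip dhcp-server lease make-static $id
    }
    # Replace any older record for the name, then publish the reserved address
    /ip dns static remove [/ip dns static find where name=$host]
    /ip dns static add name=$host address=$ip comment="DHCP reservation"
}
```

Because the printer sends its SMB user name and password to whatever address this record points at, check the lease's MAC address against the notebook before running it.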
 
agnostic
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Fri Mar 21, 2014 8:23 pm

Re: 2 families, 2 ISPs and a shared network printer

Sat Oct 22, 2016 10:07 am

well, you could try to add 2 mangle rules:
/ip firewall mangle
# your LAN 1 subnet to your printer address
add chain=prerouting src-address=192.168.1.0/24 dst-address=192.168.5.x action=accept
# your LAN 2 subnet to your printer address
add chain=prerouting src-address=192.168.3.0/24 dst-address=192.168.5.x action=accept
before the other prerouting chains

but you will also need to add a route to one gateway with no routing marks or make one as default (with no marks) and mark only the other to other isp gateway
if you choose to mark one route then you will need one mangle rule for printer only
 
flynno
Member Candidate
Posts: 297
Joined: Wed Aug 27, 2014 8:11 pm

Re: 2 families, 2 ISPs and a shared network printer

Mon Oct 24, 2016 5:00 pm

Printers are cheap these days, just buy another one :)
