Simple question - bridges

Posted: Wed Jan 10, 2018 11:10 am
by sjafka
Hello Guys and Girls!

I would like to ask you a question: why do the clients from the two bridges see each other (I can ping from 192.168.30.X to 192.168.31.X and vice versa)?
What is the connection/relation between these two bridges? Is it the neighbor discovery, and if not, what does it do?

Here is my config: (PS: ignore the firewall block rule; it is disabled. I just left it there from when I realized that somehow the two bridges "see each other".)

# jan/10/2018 09:34:53 by RouterOS 6.41
# software id = MBQQ-NK0W
#
# model = 2011UiAS
# serial number = 763107C27E60
/interface bridge
add fast-forward=no name="Bridge1(ServerNetwork)"
add fast-forward=no name="Bridge2(ServiceNetwork)"
/interface ethernet
set [ find default-name=ether2 ] name="LAN2(ServerNetwork)"
set [ find default-name=ether3 ] name="LAN3(ServerNetwork)"
set [ find default-name=ether4 ] name="LAN4(ServerNetwork)"
set [ find default-name=ether5 ] name="LAN5(ServerNetwork)"
set [ find default-name=ether7 ] name="LAN7(ServiceNetwork)"
set [ find default-name=ether8 ] name="LAN8(ServiceNetwork)"
set [ find default-name=ether9 ] name="LAN9(ServiceNetwork)"
set [ find default-name=ether10 ] name="LAN10(ServiceNetwork)"
set [ find default-name=ether1 ] name="WAN1(ServerNetwork)"
set [ find default-name=ether6 ] name="WAN2(ServiceNetwork)"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=SzervizHalozat ranges=192.168.31.10-192.168.31.254
add name=dhcp_pool2 ranges=192.168.31.6-192.168.31.254
add name=dhcp_pool3 ranges=192.168.31.6-192.168.31.254
add name=dhcp_pool4 ranges=192.168.31.6-192.168.31.254
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface="Bridge2(ServiceNetwork)" name=\
dhcp1
/interface bridge port
add bridge="Bridge1(ServerNetwork)" interface="LAN2(ServerNetwork)"
add bridge="Bridge1(ServerNetwork)" interface="LAN3(ServerNetwork)"
add bridge="Bridge1(ServerNetwork)" interface="LAN4(ServerNetwork)"
add bridge="Bridge1(ServerNetwork)" interface="LAN5(ServerNetwork)"
add bridge="Bridge2(ServiceNetwork)" interface="LAN7(ServiceNetwork)"
add bridge="Bridge2(ServiceNetwork)" interface="LAN8(ServiceNetwork)"
add bridge="Bridge2(ServiceNetwork)" interface="LAN9(ServiceNetwork)"
add bridge="Bridge2(ServiceNetwork)" interface="LAN10(ServiceNetwork)"
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.30.5/24 interface="Bridge1(ServerNetwork)" network=192.168.30.0
add address=192.168.31.5/24 interface="Bridge2(ServiceNetwork)" network=192.168.31.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="WAN1(ServerNetwork)"
add dhcp-options=hostname,clientid disabled=no interface="WAN2(ServiceNetwork)"
/ip dhcp-server network
add address=192.168.31.0/24 dns-server=192.168.31.5 gateway=192.168.31.5
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=forward disabled=yes in-interface="Bridge2(ServiceNetwork)" \
out-interface="Bridge1(ServerNetwork)"
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.31.0/24
add action=masquerade chain=srcnat src-address=192.168.30.0/24
/system clock
set time-zone-name=Europe/Budapest

Re: Simple question - bridges

Posted: Wed Jan 10, 2018 11:31 am
by ADahi
Yes, they should see each other, because of the wrong NAT rules:
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.31.0/24
add action=masquerade chain=srcnat src-address=192.168.30.0/24


You have to specify output interface for each one.
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.31.0/24 out-interface="WAN1(ServerNetwork)"
add action=masquerade chain=srcnat src-address=192.168.30.0/24 out-interface="WAN2(ServiceNetwork)"

Or add this on top of all NAT rules; it also fixes your issues:
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16

Re: Simple question - bridges

Posted: Wed Jan 10, 2018 2:06 pm
by sjafka
Yes, they should see each other, because of the wrong NAT rules:
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.31.0/24
add action=masquerade chain=srcnat src-address=192.168.30.0/24


You have to specify output interface for each one.
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.31.0/24 out-interface="WAN1(ServerNetwork)"
add action=masquerade chain=srcnat src-address=192.168.30.0/24 out-interface="WAN2(ServiceNetwork)"

Or add this on top of all NAT rules; it also fixes your issues:
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16

Thank you! You were right!
And now, if I would like the clients from 192.168.30.0 to see the clients from 192.168.31.0, do I need to make a NAT or a firewall rule?

Re: Simple question - bridges

Posted: Wed Jan 10, 2018 2:10 pm
by sebastia
"I can ping from 192.168.30.X to 192.168.31.X and vice versa"

You can ping because your router routes traffic for network 30 from network 31 and vice versa. These (default) routes are defined under /ip route and are the result of "connected networks".

If you don't want them to reach each other, you need to filter in the forward table. Just enable the rule, add the reverse too, and the networks will be isolated.

And modify your NAT rule to only masquerade when out-interface is WAN and source address != local.

Re: Simple question - bridges

Posted: Wed Jan 10, 2018 2:39 pm
by sjafka
"I can ping from 192.168.30.X to 192.168.31.X and vice versa"

You can ping because your router routes traffic for network 30 from network 31 and vice versa. These (default) routes are defined under /ip route and are the result of "connected networks".

If you don't want them to reach each other, you need to filter in the forward table. Just enable the rule, add the reverse too, and the networks will be isolated.

And modify your NAT rule to only masquerade when out-interface is WAN and source address != local.
Thank you for your time, Sebastia!
As "ADahi" said, my NAT rules were not properly configured. I fixed that; now not only the source address is given but an outgoing interface too, like this:

/ip firewall nat
add action=masquerade chain=srcnat out-interface="WAN2(ServiceNetwork)" src-address=\
192.168.31.0/24
add action=masquerade chain=srcnat out-interface="WAN1(ServerNetwork)" src-address=\
192.168.30.0/24

Now there is no connection between the two LAN networks! (as intended)
And now comes the question: how can I make the 30.X see the 31.X network?

Re: Simple question - bridges

Posted: Wed Jan 10, 2018 4:57 pm
by sjafka
Yes, they should see each other, because of the wrong NAT rules:
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.31.0/24
add action=masquerade chain=srcnat src-address=192.168.30.0/24


You have to specify output interface for each one.
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.31.0/24 out-interface="WAN1(ServerNetwork)"
add action=masquerade chain=srcnat src-address=192.168.30.0/24 out-interface="WAN2(ServiceNetwork)"

Or add this on top of all NAT rules; it also fixes your issues:
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
Dear ADahi (and everyone else :) )

I can still ping my LAN2 IP address from LAN1 (from 192.168.30.111 -> 192.168.31.5 [this is the IP of the other bridge]) and vice versa (from 192.168.31.X -> 192.168.30.5 [this is the IP of the other bridge]). I cannot ping any of the "leaseable" addresses, only the bridge interfaces' IP addresses.
I don't think this should happen, or if it should, would you be so kind as to explain why it does?
Thank you in advance!

Re: Simple question - bridges

Posted: Thu Jan 11, 2018 5:19 pm
by sebastia
Bridge addresses are local to the RB, and traffic to them bypasses the forward firewall rules, as it is directed to the RB itself during routing, which happens after prerouting but before forward.

Re: Simple question - bridges

Posted: Thu Jan 11, 2018 5:23 pm
by sebastia
Regarding "And now comes the question: how can I make the 30.X see the 31.X network?"

Allow in forward:
* traffic from 30 -> 31
* traffic from 31 -> 30 which is related and established ONLY. So no new connections allowed.
* (optional) to ensure 31 can't learn 30's IPs, srcnat traffic from 30 to 31 using the RB IP
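To tie the thread's answers together, here is an added toy model (not MikroTik code and not from any poster) of the packet path the replies describe: routing decision, the input/forward split that lets the bridge IPs stay pingable, sebastia's suggested forward chain, and masquerade with and without out-interface. Bridge names and LAN addresses come from the posted config; the WAN addresses are DHCP-assigned and therefore placeholders, and a default route via WAN1 and the forward rule order are assumptions.

```python
from ipaddress import ip_address, ip_network

BR1, BR2 = "Bridge1(ServerNetwork)", "Bridge2(ServiceNetwork)"
WAN1, WAN2 = "WAN1(ServerNetwork)", "WAN2(ServiceNetwork)"
# /ip address from the thread; WAN addresses come from dhcp-client, so placeholders.
IFACE_IP = {BR1: "192.168.30.5", BR2: "192.168.31.5",
            WAN1: "<wan1-dhcp-ip>", WAN2: "<wan2-dhcp-ip>"}
CONNECTED = {ip_network("192.168.30.0/24"): BR1, ip_network("192.168.31.0/24"): BR2}

def route(dst):
    """Routing decision. A router-owned address goes to the input chain (so the forward
    chain is never consulted); a connected network is routed straight to its bridge;
    anything else is assumed to leave via a default route on WAN1."""
    if dst in IFACE_IP.values():
        return "input", None
    for net, iface in CONNECTED.items():
        if ip_address(dst) in net:
            return "forward", iface
    return "forward", WAN1

def forward_policy(in_if, out_if, state):
    """Forward chain as sebastia's last post describes it, in assumed rule order:
    1) accept 30->31; 2) accept 31->30 established/related; 3) drop 31->30 (the thread's
    disabled rule, enabled). With no matching rule RouterOS accepts, so WAN-bound traffic passes."""
    if in_if == BR1 and out_if == BR2:
        return "accept"
    if in_if == BR2 and out_if == BR1:
        return "accept" if state in ("established", "related") else "drop"
    return "accept"

def srcnat(src, out_if, restrict_to_wan):
    """Masquerade rewrites the source to the outgoing interface's address. The original rules
    had no out-interface, so LAN-to-LAN traffic was rewritten to the other bridge's IP too."""
    if restrict_to_wan and out_if not in (WAN1, WAN2):
        return src
    return IFACE_IP[out_if]

def process(src, dst, in_if, state="new", restrict_to_wan=True):
    """Walk one packet through routing, input/forward, and postrouting srcnat."""
    chain, out_if = route(dst)
    if chain == "input":  # the thread's config has no input rules, so default accept
        return {"chain": "input", "verdict": "accept", "src": src}
    verdict = forward_policy(in_if, out_if, state)
    if verdict == "drop":
        return {"chain": "forward", "verdict": "drop", "src": src}
    return {"chain": "forward", "verdict": "accept", "src": srcnat(src, out_if, restrict_to_wan)}

if __name__ == "__main__":
    print(process("192.168.30.111", "192.168.31.5", BR1))   # input chain: bridge IP still pingable
    print(process("192.168.31.20", "192.168.30.111", BR2))  # new 31->30 connection dropped
    print(process("192.168.30.111", "192.168.31.20", BR1, restrict_to_wan=False))  # old rules: src -> 192.168.31.5
```

The last call shows that the original unrestricted masquerade already did what sebastia lists as optional: hosts on the 31 network saw 192.168.31.5 instead of the real 30.X source.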