
1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sat Sep 15, 2018 10:34 am
by luddite
Hi, wanting to know if it is possible for 2 wireless networks to share the same LAN but be forced out separate gateways?

Want them to access the same printers, network shares etc. but to use a different internet connection.

I got stuck on a mangle rule and the in/out matcher not being possible.

Would be grateful for example or link.

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sat Sep 15, 2018 11:47 am
by Jotne
I would use two VLAN, one for each WLAN. Then connect them together in the router.
You can add the printer to one of the VLAN or add a third VLAN for the Printer/etc.
These two VLAN could then have two different internet gw.

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sat Sep 15, 2018 1:51 pm
by sindy
Hi, wanting to know if it is possible for 2 wireless networks to share the same LAN but be forced out separate gateways?

Want them to access the same printers, network shares etc. but to use a different internet connection.

I got stuck on a mangle rule and the in/out matcher not being possible.

There are multiple ways to achieve your goal, however, a requirement to use the same IP subnet for both wireless networks makes it complicated (as you've found already). If your only reason to do that is that printers and network storages would be accessible from both WLANs, you can place these resources in a dedicated subnet and let the devices in other subnets talk to them via routing; as the wireless interfaces always talk to the rest of the world via the CPU, there is not much difference between L2 bridging and L3 routing in terms of CPU load. Plus you can set up firewall rules if you want to control the traffic between the subnets.

Policy routing can then be used to choose a WAN/gateway for each local subnet, just don't forget to exclude local traffic from policy routing or provide routes for it.

Have a look here, here and here.

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sun Sep 16, 2018 10:54 am
by luddite
you can place these resources to a dedicated subnet and let the devices in other subnets talk to them via routing;
Sindy, with say printers being visible on another subnet, how will discovery work with say Macs finding printers? I think they might use mDNS / Bonjour - I am thinking that is L2, will that work as if it is one subnet across a VLAN?

I know my customer will not be stoked if with a new system the printers and shares are not visible just as easily as they were before. :)

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sun Sep 16, 2018 11:46 am
by sindy
In that case:
/interface bridge filter
add action=mark-packet chain=input in-interface=one-of-the-wlan-ones new-packet-mark=via-WAN2

/ip firewall mangle
add action=mark-routing chain=forward new-routing-mark=via-WAN2 packet-mark=via-WAN2 passthrough=yes
Or (I don't know which variant requires more CPU):
/interface bridge settings
set use-ip-firewall=yes

/ip firewall mangle
add action=mark-routing chain=forward new-routing-mark=via-WAN2 in-bridge-port=one-of-the-wlan-ones passthrough=yes

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Tue Sep 18, 2018 1:06 am
by luddite
Sindy thanks, I got this when I tried
/ip firewall mangle
add action=mark-routing chain=forward new-routing-mark=via-WAN2 in-bridge-port=one-of-the-wlan-ones passthrough=yes

failure: routing-mark allowed only in output and prerouting chains

Appreciate your help.

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Tue Sep 18, 2018 10:33 am
by sindy
Sorry, use chain=prerouting instead of chain=forward in the mangle rule.

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sun Sep 23, 2018 1:29 pm
by luddite
Sindy can I please get your opinion on the following idea?

This works except when the same device joins wlan2, the device takes ages to get a lease or it doesn't get one - Mikrotik grants a lease (can see in log with dhcp debug on) but the device doesn't seem to accept it.
I did a test and made a pool in a different range (192.168.3.1--254) and then it would get a lease easily. So it doesn't like two dhcp servers granting leases from two pools sharing the same range?
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
add address=192.168.2.2/24 interface=bridge2 network=192.168.2.0


/interface bridge
add fast-forward=no name=bridge1
add fast-forward=no name=bridge2

/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge2 interface=wlan2


/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1

/ip dhcp-server
add address-pool=wan1 disabled=no interface=bridge1 name=dhcp-wlan1
add address-pool=wan2 disabled=no interface=bridge2 name=dhcp-wlan2

/ip pool
add name=wan1 ranges=192.168.2.150-192.168.2.200
add name=wan2 ranges=192.168.2.201-192.168.2.250


/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=wan1 passthrough=yes \
    src-address=192.168.2.150-192.168.2.200
add action=mark-routing chain=prerouting new-routing-mark=wan2 passthrough=yes \
    src-address=192.168.2.201-192.168.2.250

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=lte1


/ip route
add distance=5 gateway=ether2 routing-mark=wan1
add distance=5 gateway=lte1 routing-mark=wan2

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sun Sep 23, 2018 2:23 pm
by sindy
Sindy can I please get your opinion on the following idea?
My opinion is that having the same IP subnet on two different bridges (or any other interfaces) is a ticket to a madhouse. I'd have to replicate that configuration to see how exactly RouterOS works with ARP in this case, because the routing needs to choose the right bridge (interface) for each destination IP address. The ARP table contains mappings from an IP address not only to a MAC address but also to an interface, but whether the ARP request used to populate the table when it contains no record for that IP address yet is sent out all interfaces whose subnet contains the destination address is out of my knowledge.

It is also out of my knowledge whether broadcast packets (which are the very reason why you venture all this) are forwarded between interfaces which bear the same subnet; normally, broadcasts are not forwarded between connected subnets, so an exceptional handling would have to be implemented for this special case. Maybe it has been implemented (as you say that everything works) but you have to check.

DHCP normally sends the Offer out the same interface through which it has received the Discover, but it is again out of my knowledge how it works when the same MAC address already has a pending lease.

But in the first place I don't understand what made you go this way. In my suggestion, everything was in a single IP subnet on a single bridge, and the group to which the device belonged was determined by the SSID it used, translated into a wlan interface name. Were you unable to make it work? Or you wanted to strictly separate the address pool for each SSID?

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sun Sep 23, 2018 2:37 pm
by luddite
Most decent of you to reply in such detail, and also for your earlier suggestion.
I didn't try yet as it is stretching my networking skills, but I will learn if I try so pushing on with it now.
Very grateful for your help.

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Thu Sep 27, 2018 12:49 pm
by luddite
Ok, hopefully I am getting closer, pretty sure I have made a fundamental error here with vlan, any comments welcome.
/interface lte
set [ find ] name=lte1


/interface bridge
add fast-forward=no name=bridge-Albatross
add fast-forward=no name=bridge-LAN
add fast-forward=no name=bridge-Riverhawk


/interface vlan
add comment=LAN interface=ether3 name=VLAN-100-LAN vlan-id=100
add comment="Wlan1 Riverhawk" interface=ether3 name=VLAN-150-Wlan1-Riverhawk vlan-id=150
add comment="Wlan2 Albatross" interface=ether3 name=VLAN-175-Wlan2-Albatross vlan-id=175


/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge name=wlan1-Riverhawk \
    security-profile=default ssid=Riverhawk
add disabled=no keepalive-frames=disabled master-interface=wlan1-Riverhawk \
    multicast-buffering=disabled name=wlan2-Albatross security-profile=default ssid=Albatross \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled


/ip pool
add name=LAN ranges=192.168.100.2-192.168.100.254
add name=Wlan1-Riverhawk ranges=192.168.150.2-192.168.150.254
add name=Wlan2-Albatross ranges=192.168.175.2-192.168.175.254


/ip dhcp-server
add address-pool=LAN disabled=no interface=bridge-LAN name=LAN
add address-pool=Wlan1-Riverhawk disabled=no interface=bridge-Riverhawk name=Wlan1-Riverhawk
add address-pool=Wlan2-Albatross disabled=no interface=bridge-Albatross name=Wlan2-Albatross


/interface bridge port
add bridge=bridge-Riverhawk interface=wlan1-Riverhawk
add bridge=bridge-Albatross interface=wlan2-Albatross
add bridge=bridge-Riverhawk interface=VLAN-150-Wlan1-Riverhawk
add bridge=bridge-Albatross interface=VLAN-175-Wlan2-Albatross
add bridge=bridge-LAN interface=VLAN-100-LAN


/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes


/ip address
add address=192.168.100.1/24 comment="LAN Gateway" interface=bridge-LAN network=192.168.100.0
add address=192.168.150.1/24 comment="Wlan1 Riverhawk Gateway" interface=bridge-Riverhawk network=\
    192.168.150.0
add address=192.168.175.1/24 comment="Wlan2 Albatross Gateway" interface=bridge-Albatross network=\
    192.168.175.0


/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether2
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=lte1


/ip dhcp-server network
add address=192.168.100.0/24 comment="LAN Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1
add address=192.168.150.0/24 comment="Wlan1 Riverhawk Network" dns-server=8.8.8.8,8.8.4.4 gateway=\
    192.168.150.1
add address=192.168.175.0/24 comment="Wlan2 Albatross Network" dns-server=8.8.8.8,8.8.4.4 gateway=\
    192.168.175.1


/ip firewall mangle
add action=mark-routing chain=prerouting in-bridge-port=wlan2-Albatross new-routing-mark=via-WAN2 \
    passthrough=yes
add action=mark-routing chain=prerouting in-bridge-port=wlan1-Riverhawk new-routing-mark=via-WAN1 \
    passthrough=yes


/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1 src-address=192.168.175.0/24
add action=masquerade chain=srcnat out-interface=ether2 src-address=192.168.150.0/24


/ip route
add distance=1 gateway=lte1 routing-mark=via-WAN2
add distance=1 gateway=ether2 routing-mark=via-WAN1

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Thu Sep 27, 2018 5:14 pm
by sindy
You're almost there, with a small but significant correction.

At L3 (IP) and also at L2 (MAC addresses), everything must be in the same subnet (L3) and (V)LAN (L2). Only the "physical" topology (although in fact it is also virtual) may be used to distinguish between the two SSIDs.

So you must have a single bridge, a single subnet, and thus a single DHCP server for both groups of your wireless clients if you want broadcast packets from both SSIDs to reach the printers etc.

To do that, you set up two wireless interfaces, one physical with one of the SSIDs (say, wlan1-Riverhawk), and another virtual one running atop the physical one with the other SSID (say, wlan2-Albatross) - this is what you have already done.

But you make both these wireless interfaces member ports of the same bridge (bridge-LAN) of which the ethernet interfaces for the wired LAN are members, and to which the single IP configuration and a single DHCP server are attached. You don't need bridge-Riverhawk and bridge-Albatross at all, nor any VLANs (or, better to say, you must not use any of these items).

The rest is fine, you use the rules in /ip firewall mangle to assign a routing-mark depending on in-bridge-port as you do. You may assign a routing-mark only to packets coming from one of the wlan interfaces and let those from the other one use the default routing table, but that's a minor thing.

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Fri Sep 28, 2018 1:58 am
by luddite
Sindy, I get "in/out matcher not possible on slave interface" when trying to match packets coming in on wlan. I can't see a way to classify wlan traffic without the vlans - not that I know how to get the vlans working mind...

Tried to PM you but board doesent allow it - perhaps you could consult for me to achieve this? ludditetechnologies aht gee mail com

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Fri Sep 28, 2018 10:37 am
by sindy
I think it's not time for PM yet :-)

The message "in-bridge-port matcher not possible when bridge use-ip-firewall is disabled" will disappear if you issue /interface bridge settings set use-ip-firewall=yes and the rules will start working.

The interface bridge port configuration must look as follows:
/interface bridge port
add bridge=bridge-LAN interface=wlan1-Riverhawk
add bridge=bridge-LAN interface=wlan2-Albatross
add bridge=bridge-LAN interface=ether3

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sun Sep 30, 2018 1:17 pm
by luddite
No cigar Sindy, here is the full message.
/interface bridge
add fast-forward=no name=bridge1

/interface bridge port
add bridge=bridge1 interface=wlan2-Albatross
add bridge=bridge1 interface=wlan1-Riverhawk

/interface bridge settings
set use-ip-firewall=yes

/ip firewall mangle
# in/out-interface matcher not possible when interface (wlan2-Albatross) is slave - use master instead (bridge1)

add action=mark-routing chain=prerouting in-interface=wlan2-Albatross new-routing-mark=via-WAN2 passthrough=\
    yes
# in/out-interface matcher not possible when interface (wlan1-Riverhawk) is slave - use master instead (bridge1)

add action=mark-routing chain=prerouting in-interface=wlan1-Riverhawk new-routing-mark=via-WAN1 passthrough=\
    yes


Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sun Sep 30, 2018 1:39 pm
by sindy
There is a difference between in-interface and in-bridge-port.

in-interface matches on the interfaces to which IP configurations are attached, and if you make it refer to a name of a slave interface of any kind, you get the error message you've got.
in-bridge-port matches on member (slave) interfaces of a bridge, and only works if use-ip-firewall=yes under /interface bridge settings; if use-ip-firewall=yes, you get the error message I have quoted in red in my post above.

So modify your mangle rules accordingly (replace in-interface by in-bridge-port in them) and tell me the result.

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sun Sep 30, 2018 2:38 pm
by luddite
Damnation. I tried to check I wasn't bungling before I posted. That worked, now I will move on to rest of config. Thanks.
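The working design the thread arrives at (one bridge, two SSIDs as two bridge ports, use-ip-firewall=yes, mark-routing on in-bridge-port in the prerouting chain) pulled together into one configuration, as an added example that is not code from any of the posts above. It assumes the interface names used in the thread (bridge-LAN, wlan1-Riverhawk, wlan2-Albatross, ether3 for the wired LAN, ether2 as WAN1 and lte1 as WAN2), a single 192.168.100.0/24 subnet, and RouterOS v6 syntax. It also adds what a practitioner would want on top of the bare marking: the exclusions for local traffic that sindy warned about earlier, a fail-closed route so that the Albatross SSID cannot silently leak out via WAN1 if lte1 goes down, and a minimal filter set that still permits bridged LAN-to-LAN traffic (which now traverses the IP firewall because of use-ip-firewall=yes).

```routeros
# Added example: single bridge, two SSIDs, two WANs (RouterOS v6 syntax assumed).
# Assumed names: bridge-LAN, wlan1-Riverhawk, wlan2-Albatross, ether3 (wired LAN),
# ether2 (WAN1, addressed by DHCP), lte1 (WAN2). Subnet 192.168.100.0/24 is assumed.

/interface bridge
add name=bridge-LAN

/interface bridge port
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=wlan1-Riverhawk
add bridge=bridge-LAN interface=wlan2-Albatross

# Needed so that in-bridge-port can be matched in /ip firewall.
# Side effect: frames bridged between LAN ports now also pass the IP firewall
# (prerouting/forward/postrouting), so the filter rules below must allow LAN-to-LAN.
/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=192.168.100.1/24 interface=bridge-LAN

/ip pool
add name=LAN ranges=192.168.100.10-192.168.100.250

/ip dhcp-server
add address-pool=LAN disabled=no interface=bridge-LAN name=LAN

/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1

# WAN uplinks: only WAN1 installs a default route into the main table.
# WAN2 is reached exclusively through the marked table below.
/ip dhcp-client
add add-default-route=yes disabled=no interface=ether2
add add-default-route=no disabled=no interface=lte1

# Policy routing: only the Albatross SSID is steered; Riverhawk uses the main table.
# dst-address-type=!local keeps traffic to the router itself (DNS, DHCP, WinBox) out of
# the marked table, and the subnet exclusion keeps printers/shares on the connected route.
/ip firewall mangle
add action=mark-routing chain=prerouting in-bridge-port=wlan2-Albatross \
    dst-address=!192.168.100.0/24 dst-address-type=!local \
    new-routing-mark=via-WAN2 passthrough=no

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=lte1 routing-mark=via-WAN2
# Fail closed: if lte1 is down, marked traffic must not fall through to WAN1.
add distance=10 dst-address=0.0.0.0/0 routing-mark=via-WAN2 type=unreachable

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2 src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=lte1 src-address=192.168.100.0/24

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=bridge-LAN
add action=drop chain=input comment="drop everything else reaching the router from WAN"
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=bridge-LAN out-interface=bridge-LAN \
    comment="bridged LAN-to-LAN traffic now hits this chain"
add action=accept chain=forward in-interface=bridge-LAN out-interface=ether2
add action=accept chain=forward in-interface=bridge-LAN out-interface=lte1
add action=drop chain=forward comment="no WAN-to-LAN initiated connections"
```

The unreachable route with the higher distance is there because in RouterOS v6 a lookup in a routing-mark table that finds no matching route falls back to the main table; without the guard, an LTE outage would quietly send Albatross clients out through WAN1, which defeats the purpose of the split if the two uplinks are meant to be kept apart. Verify that behaviour on the RouterOS version actually deployed before relying on it. Note also that the mangle rule does not affect bridged traffic between the SSIDs and the wired printers: those frames are forwarded at L2, so the mark is irrelevant for them, which is exactly why the single-subnet design keeps mDNS/Bonjour discovery working.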

Re: 1 RB, 1 LAN, 2 WLAN, 2 GW

Posted: Sun Dec 30, 2018 3:53 am
by anav
I like the clean one-bridge, three-VLAN approach:
regular LAN
business VLAN1
business VLAN2
printer/shared devices VLAN3

Firewall rules:
allow LAN to WAN
allow VLANs 1,2 to WAN if appropriate
allow VLANs 1,2 to VLAN3

Heck this might be a good place for interface list shenanigans.
Create an interface list item
/interface list
add comment=accessprinter name=VLANs2Printer

Then go to the interface list in winbox and add the two business vlans

Then in firewall rule
/ip firewall filter
add action=accept chain=forward comment="AccessToSharedPrinters" \
    in-interface-list=VLANs2Printer dst-address=IPofPrinter

(or create an address list for the devices to be shared and use dst-address-list= instead of dst-address=).
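The three-VLAN layout anav sketches, carried through to a complete configuration, as an added example that is not anav's (or any other poster's) code. It assumes bridge VLAN filtering (RouterOS 6.41 or later), VLAN IDs 10/20/30, the SSID and uplink names used earlier in the thread, a wired printer on ether4, and made-up printer/NAS addresses in the address list. Because the VLAN interfaces here are real L3 interfaces, the mangle rule can use plain in-interface and no use-ip-firewall setting is needed; the interface list and the address list replace per-device rules, and the final drop makes the inter-VLAN policy explicit.

```routeros
# Added example: one bridge with VLAN filtering, three VLANs, interface lists and an
# address list for the shared devices. RouterOS 6.41+ syntax assumed.
# Assumed: VLAN 10 = business1 (SSID Riverhawk), VLAN 20 = business2 (SSID Albatross),
# VLAN 30 = shared printers (wired on ether4); ether3 = untagged regular LAN (VLAN 1);
# ether2 = WAN1 (DHCP), lte1 = WAN2. All addresses below are invented for the example.

# Create the bridge with VLAN filtering OFF; it is switched on as the last step so that
# a mistake in the VLAN table does not cut off the management session.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=ether3 pvid=1
add bridge=bridge1 interface=wlan1-Riverhawk pvid=10
add bridge=bridge1 interface=wlan2-Albatross pvid=20
add bridge=bridge1 interface=ether4 pvid=30

# The bridge itself (CPU port) is tagged on every VLAN so the router can route them.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=wlan1-Riverhawk vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=wlan2-Albatross vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=30

/interface vlan
add interface=bridge1 name=vlan10-business1 vlan-id=10
add interface=bridge1 name=vlan20-business2 vlan-id=20
add interface=bridge1 name=vlan30-shared vlan-id=30

/ip address
add address=192.168.1.1/24 interface=bridge1
add address=192.168.10.1/24 interface=vlan10-business1
add address=192.168.20.1/24 interface=vlan20-business2
add address=192.168.30.1/24 interface=vlan30-shared

/ip dhcp-client
add add-default-route=yes disabled=no interface=ether2
add add-default-route=no disabled=no interface=lte1

/interface list
add name=WAN
add name=BusinessVLANs

/interface list member
add interface=ether2 list=WAN
add interface=lte1 list=WAN
add interface=vlan10-business1 list=BusinessVLANs
add interface=vlan20-business2 list=BusinessVLANs

/ip firewall address-list
add address=192.168.30.10 comment="printer (assumed address)" list=SharedDevices
add address=192.168.30.11 comment="NAS (assumed address)" list=SharedDevices

# business2 goes out WAN2; traffic to the router and to the shared VLAN stays in main.
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=vlan20-business2 \
    dst-address=!192.168.30.0/24 dst-address-type=!local \
    new-routing-mark=via-WAN2 passthrough=no

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=lte1 routing-mark=via-WAN2
add distance=10 dst-address=0.0.0.0/0 routing-mark=via-WAN2 type=unreachable

/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="regular LAN to WAN" \
    in-interface=bridge1 out-interface-list=WAN
add action=accept chain=forward comment="business VLANs to WAN" \
    in-interface-list=BusinessVLANs out-interface-list=WAN
add action=accept chain=forward comment="AccessToSharedPrinters" \
    in-interface-list=BusinessVLANs dst-address-list=SharedDevices
add action=drop chain=forward comment="no other inter-VLAN or WAN-initiated traffic"

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

# Last step: enable VLAN filtering now that the VLAN table and addresses are in place.
/interface bridge
set bridge1 vlan-filtering=yes
```

Two caveats belong with this layout. First, the established,related accept at the top of the forward chain is what lets the printers answer the business VLANs even though nothing permits VLAN30-initiated traffic; if a shared device must open connections itself, add an explicit rule rather than widening the final drop. Second, this answers luddite's earlier mDNS question in the negative: Bonjour discovery uses link-local multicast (224.0.0.251), which a router does not forward between subnets, so clients in VLAN 10/20 will not see the printers in VLAN 30 by discovery unless an mDNS reflector or repeater is put in place or the printers are configured by address.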