MikroTik

Posted: **Wed Jul 07, 2021 1:08 am**

Hi,

I have two (in fact 5) VLAN, and in both there are Mikrotiks and other devices, some of them I like to see in the other VLAN.
VLAN100: vlan100_Mitarbeiter, Network: 192.168.96.0/20 - There is my PC and the most Mikrotiks, like this one, I call it MainRouter here.
VLAN200: vlan200_Technik, Network: 192.168.112.0/20 - There are two devices I like to access from my PC: a "Mischpult" and another Mikrotik, I call it "AP-Router" here.

The device "Mischpult" in VLAN200 with IP 192.168.120.100 is accessable from the VLAN100 via IP 192.168.100.200
I thought I could made this for "AP-Router" in VLAN200 with IP 192.168.120.205 via IP 192.168.100.14 in VLAN100.
Why does the device "Mischpult" works, the device "AP-Router" not?!? You see me after hours of tries... now only remote connected, the afternoon direcly sitting in VLAN100...

First, a ping from the Mikrotik MainRouter, which does the masquerading, works: ping to 192.168.120.205 is ok, the connection is up and running.
If I change my PC to VLAN200, I can access the "AP-Router". But why am I not able to masquerade like the "Mischpult"?!?

The roules that works:

/ip firewall nat
add action=dst-nat chain=dstnat comment=Fritz-Box dst-address=192.168.100.2 \
    log-prefix=Fritz-Box to-addresses=192.168.64.1
add action=dst-nat chain=dstnat comment="Mischer im Hauptnetz" dst-address=\
    192.168.100.200 to-addresses=192.168.120.100

first try:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Mischer im Hauptnetz" dst-address=\
    192.168.100.14 to-addresses=192.168.120.205

and here my last try:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Router Mischpult" dst-address=\
    192.168.100.14 log=yes log-prefix=DestNat to-addresses=192.168.120.205
add action=src-nat chain=srcnat comment="Router Mischpult" dst-address=\
    192.168.120.205 dst-port=8291 log=yes log-prefix=MasqWinbox protocol=tcp \
    src-address=192.168.200.0/24 to-addresses=192.168.120.1
add action=src-nat chain=srcnat comment="Router Mischpult" dst-address=\
    192.168.120.205 dst-port=8291 log=yes log-prefix=MasqWinbox protocol=tcp \
    src-address=192.168.96.0/20 to-addresses=192.168.120.1
add action=src-nat chain=srcnat comment="Router Mischpult" out-interface=\
    ovpn-DirksLT src-address=192.168.120.205 to-addresses=192.168.201.1

I can see the packets, but it doesn't work:

22:44:43 firewall,info Test OldIP prerouting: in:ovpn-DirksLT out:(unknown 0), src-mac 00:ff:8b:58:a1:ed, proto ICMP (type 8, code 0), 192.168.201.1->192.168.100.14, NAT (192.168.201.1->192.168.100.3)->(192.168.100.14->192.168.120.205), len 60 
22:44:43 firewall,info Test OldIP prerouting: in:ovpn-DirksLT out:(unknown 0), src-mac 00:ff:8b:58:a1:ed, proto ICMP (type 8, code 0), 192.168.201.1->192.168.100.14, NAT (192.168.201.1->192.168.100.3)->(192.168.100.14->192.168.120.205), len 60 
22:44:43 firewall,info Test DestIP postrouting: in:(unknown 0) out:vlan200_Technik, src-mac 00:ff:8b:58:a1:ed, proto ICMP (type 8, code 0), 192.168.201.1->192.168.120.205, NAT (192.168.201.1->192.168.100.3)->(192.168.100.14->192.168.120.205), len 60 
22:44:43 firewall,info Test DestIP postrouting: in:(unknown 0) out:vlan200_Technik, src-mac 00:ff:8b:58:a1:ed, proto ICMP (type 8, code 0), 192.168.201.1->192.168.120.205, NAT (192.168.201.1->192.168.100.3)->(192.168.100.14->192.168.120.205), len 60

Thanks for your help, here is the whole configuration:

# jul/06/2021 22:43:50 by RouterOS 6.47.8
# software id = DYRD-6AIN
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D43B0C0FC073
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2432,2452,2472 name=2Gch1-5-9-13 save-selected=yes \
    tx-power=-7
add band=5ghz-n/ac extension-channel=disabled frequency=\
    5180,5200,5220,5240,5260,5280,5300,5320,5500,5520,5540,5560 name=5G \
    save-selected=yes
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=VLAN100 \
    vlan-id=100 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=VLAN200 vlan-id=\
    200 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=VLAN500 vlan-id=\
    500 vlan-mode=use-tag
/interface bridge
add fast-forward=no frame-types=admit-only-vlan-tagged name=bridge_LAN \
    vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(-10dBm), SSID: WLAN_Mitarbeiter, local forwarding
set [ find default-name=wlan2 ] disabled=no name=wlan2G ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20/ac/P(20dBm), SSID: WLAN_Mitarbeiter, local forwarding
set [ find default-name=wlan1 ] disabled=no name=wlan5G ssid=MikroTik
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=E0-sfp_Uplink
set [ find default-name=ether1 ] name=E1_Internet
set [ find default-name=ether2 ] name=E2_BUp_Room1
set [ find default-name=ether3 ] name=E3_BUp_Room1
set [ find default-name=ether4 ] name=E4_BUp_Switch
set [ find default-name=ether5 ] name=E5_BUp_Switch
set [ find default-name=ether6 ] name=E6_Room3
set [ find default-name=ether7 ] name=E7_Room3
set [ find default-name=ether8 ] name=E8_BUp_Kinder
set [ find default-name=ether9 ] name=E9_BUp_Kinder
set [ find default-name=ether10 ] name="E10_AP Gr Saal" poe-out=forced-on
/interface ovpn-server
add name=ovpn-DirksLT user=DirkLT
add name=ovpn-DirksPC user=DirkPC
add name=ovpn-Florian user=Florian
add name=ovpn-Ralf user=Ralf
/interface vlan
add interface=bridge_LAN name=vlan100_Mitarbeiter vlan-id=100
add interface=bridge_LAN name=vlan200_Technik vlan-id=200
add interface=bridge_LAN name=vlan500_Gast vlan-id=500
add interface=bridge_LAN name=vlan800_KlWg vlan-id=800
add interface=bridge_LAN name=vlan900_GrWg vlan-id=900
/interface bonding
add link-monitoring=none mode=802.3ad name=bond_Room1 slaves=\
    E2_BUp_Room1,E3_BUp_Room1 transmit-hash-policy=layer-2-and-3
add link-monitoring=none mode=802.3ad name=bond_Kinder slaves=\
    E8_BUp_Kinder,E9_BUp_Kinder transmit-hash-policy=layer-2-and-3
add link-monitoring=none mode=802.3ad name=bond_Room3 slaves=\
    E6_Room3,E7_Room3 transmit-hash-policy=layer-2-and-3
add link-monitoring=none mode=802.3ad name=bond_Switch slaves=\
    E4_BUp_Switch,E5_BUp_Switch transmit-hash-policy=layer-2-and-3
/caps-man rates
add basic=12Mbps name=rate2G supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=5m name=Mitarbeiter
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=5m name=Gast
add name=Free
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=5m name=Technik
/caps-man configuration
add channel=2Gch1-5-9-13 country=germany datapath=VLAN200 mode=ap \
    multicast-helper=full name=Technik_2G rates=rate2G security=Technik ssid=\
    WLAN-Technik-2G
add channel=5G country=germany datapath=VLAN200 mode=ap multicast-helper=full \
    name=Technik_5G security=Technik ssid=WLAN-Technik-5G
add channel=2Gch1-5-9-13 country=germany datapath=VLAN100 mode=ap \
    multicast-helper=full name="Mitarbeiter 2G" rates=rate2G security=\
    Mitarbeiter ssid=WLAN_Mitarbeiter
add channel=5G country=germany datapath=VLAN100 mode=ap multicast-helper=full \
    name="Mitarbeiter 5G" security=Mitarbeiter ssid=WLAN_Mitarbeiter
add channel=2Gch1-5-9-13 country=germany datapath=VLAN500 mode=ap \
    multicast-helper=full name="Gast 2G" rates=rate2G security=Gast ssid=\
    EFG_Gast
add channel=5G country=germany datapath=VLAN500 mode=ap multicast-helper=full \
    name="Gast 5G" security=Gast ssid=EFG_Gast
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool100 ranges=192.168.102.1-192.168.110.253
add name=pool500 ranges=192.168.130.1-192.168.149.253
add name=pool800 ranges=192.168.181.1-192.168.183.253
add name=pool900 ranges=192.168.184.1-192.168.189.254
add name=pool201.64ovpnMaster ranges=192.168.201.253-192.168.201.254
add name=pool201.63ovpnMaster next-pool=pool201.64ovpnMaster ranges=\
    192.168.201.249-192.168.201.250
add name=pool201.62ovpnMaster next-pool=pool201.63ovpnMaster ranges=\
    192.168.201.245-192.168.201.246
add name=pool201.61ovpnMaster next-pool=pool201.62ovpnMaster ranges=\
    192.168.201.241-192.168.201.242
add name=pool201.60ovpnMaster next-pool=pool201.61ovpnMaster ranges=\
    192.168.201.237-192.168.201.238
add name=pool201.59ovpnMaster next-pool=pool201.60ovpnMaster ranges=\
    192.168.201.233-192.168.201.234
add name=pool201.58ovpnMaster next-pool=pool201.59ovpnMaster ranges=\
    192.168.201.229-192.168.201.230
add name=pool201.57ovpnMaster next-pool=pool201.58ovpnMaster ranges=\
    192.168.201.225-192.168.201.226
add name=pool201.56ovpnMaster next-pool=pool201.57ovpnMaster ranges=\
    192.168.201.221-192.168.201.222
add name=pool201.55ovpnMaster next-pool=pool201.56ovpnMaster ranges=\
    192.168.201.217-192.168.201.218
add name=pool201.54ovpnMaster next-pool=pool201.55ovpnMaster ranges=\
    192.168.201.213-192.168.201.214
add name=pool201.53ovpnMaster next-pool=pool201.54ovpnMaster ranges=\
    192.168.201.209-192.168.201.210
add name=pool201.52ovpnMaster next-pool=pool201.53ovpnMaster ranges=\
    192.168.201.205-192.168.201.206
add name=pool201.51ovpnMaster next-pool=pool201.52ovpnMaster ranges=\
    192.168.201.201-192.168.201.202
add name=pool201.50ovpnMaster next-pool=pool201.51ovpnMaster ranges=\
    192.168.201.197-192.168.201.198
add name=pool201.49ovpnMaster next-pool=pool201.50ovpnMaster ranges=\
    192.168.201.193-192.168.201.194
add name=pool201.48ovpnMaster next-pool=pool201.49ovpnMaster ranges=\
    192.168.201.189-192.168.201.190
add name=pool201.47ovpnMaster next-pool=pool201.48ovpnMaster ranges=\
    192.168.201.185-192.168.201.186
add name=pool201.46ovpnMaster next-pool=pool201.47ovpnMaster ranges=\
    192.168.201.181-192.168.201.182
add name=pool201.45ovpnMaster next-pool=pool201.46ovpnMaster ranges=\
    192.168.201.177-192.168.201.178
add name=pool201.44ovpnMaster next-pool=pool201.45ovpnMaster ranges=\
    192.168.201.173-192.168.201.174
add name=pool201.43ovpnMaster next-pool=pool201.44ovpnMaster ranges=\
    192.168.201.169-192.168.201.170
add name=pool201.42ovpnMaster next-pool=pool201.43ovpnMaster ranges=\
    192.168.201.165-192.168.201.166
add name=pool201.41ovpnMaster next-pool=pool201.42ovpnMaster ranges=\
    192.168.201.161-192.168.201.162
add name=pool201.40ovpnMaster next-pool=pool201.41ovpnMaster ranges=\
    192.168.201.157-192.168.201.158
add name=pool201.39ovpnMaster next-pool=pool201.40ovpnMaster ranges=\
    192.168.201.153-192.168.201.154
add name=pool201.38ovpnMaster next-pool=pool201.39ovpnMaster ranges=\
    192.168.201.149-192.168.201.150
add name=pool201.37ovpnMaster next-pool=pool201.38ovpnMaster ranges=\
    192.168.201.145-192.168.201.146
add name=pool201.36ovpnMaster next-pool=pool201.37ovpnMaster ranges=\
    192.168.201.141-192.168.201.142
add name=pool201.35ovpnMaster next-pool=pool201.36ovpnMaster ranges=\
    192.168.201.137-192.168.201.138
add name=pool201.34ovpnMaster next-pool=pool201.35ovpnMaster ranges=\
    192.168.201.133-192.168.201.134
add name=pool201.33ovpnMaster next-pool=pool201.34ovpnMaster ranges=\
    192.168.201.129-192.168.201.130
add name=pool201.32ovpnMaster next-pool=pool201.33ovpnMaster ranges=\
    192.168.201.125-192.168.201.126
add name=pool201.31ovpnMaster next-pool=pool201.32ovpnMaster ranges=\
    192.168.201.121-192.168.201.122
add name=pool201.30ovpnMaster next-pool=pool201.31ovpnMaster ranges=\
    192.168.201.117-192.168.201.118
add name=pool201.29ovpnMaster next-pool=pool201.30ovpnMaster ranges=\
    192.168.201.113-192.168.201.114
add name=pool201.28ovpnMaster next-pool=pool201.29ovpnMaster ranges=\
    192.168.201.109-192.168.201.110
add name=pool201.27ovpnMaster next-pool=pool201.28ovpnMaster ranges=\
    192.168.201.105-192.168.201.106
add name=pool201.26ovpnMaster next-pool=pool201.27ovpnMaster ranges=\
    192.168.201.101-192.168.201.102
add name=pool201.25ovpnMaster next-pool=pool201.26ovpnMaster ranges=\
    192.168.201.97-192.168.201.98
add name=pool201.24ovpnMaster next-pool=pool201.25ovpnMaster ranges=\
    192.168.201.93-192.168.201.94
add name=pool201.23ovpnMaster next-pool=pool201.24ovpnMaster ranges=\
    192.168.201.89-192.168.201.90
add name=pool201.22ovpnMaster next-pool=pool201.23ovpnMaster ranges=\
    192.168.201.85-192.168.201.86
add name=pool201.21ovpnMaster next-pool=pool201.22ovpnMaster ranges=\
    192.168.201.81-192.168.201.82
add name=pool201.20ovpnMaster next-pool=pool201.21ovpnMaster ranges=\
    192.168.201.77-192.168.201.78
add name=pool201.19ovpnMaster next-pool=pool201.20ovpnMaster ranges=\
    192.168.201.73-192.168.201.74
add name=pool201.18ovpnMaster next-pool=pool201.19ovpnMaster ranges=\
    192.168.201.69-192.168.201.70
add name=pool201.17ovpnMaster next-pool=pool201.18ovpnMaster ranges=\
    192.168.201.65-192.168.201.66
add name=pool201.16ovpnMaster next-pool=pool201.17ovpnMaster ranges=\
    192.168.201.61-192.168.201.62
add name=pool201.15ovpnMaster next-pool=pool201.16ovpnMaster ranges=\
    192.168.201.57-192.168.201.58
add name=pool201.14ovpnMaster next-pool=pool201.15ovpnMaster ranges=\
    192.168.201.53-192.168.201.54
add name=pool201.13ovpnMaster next-pool=pool201.14ovpnMaster ranges=\
    192.168.201.49-192.168.201.50
add name=pool201.12ovpnMaster next-pool=pool201.13ovpnMaster ranges=\
    192.168.201.45-192.168.201.46
add name=pool201.11ovpnMaster next-pool=pool201.12ovpnMaster ranges=\
    192.168.201.41-192.168.201.42
add name=pool201.10ovpnMaster next-pool=pool201.11ovpnMaster ranges=\
    192.168.201.37-192.168.201.38
add name=pool201.09ovpnMaster next-pool=pool201.10ovpnMaster ranges=\
    192.168.201.33-192.168.201.34
add name=pool201.08ovpnMaster next-pool=pool201.09ovpnMaster ranges=\
    192.168.201.29-192.168.201.30
add name=pool201.07ovpnMaster next-pool=pool201.08ovpnMaster ranges=\
    192.168.201.25-192.168.201.26
add name=pool201.06ovpnMaster next-pool=pool201.07ovpnMaster ranges=\
    192.168.201.21-192.168.201.22
add name=pool201.05ovpnMaster next-pool=pool201.06ovpnMaster ranges=\
    192.168.201.17-192.168.201.18
add name=pool201.04ovpnMaster next-pool=pool201.05ovpnMaster ranges=\
    192.168.201.13-192.168.201.14
add name=pool201.03ovpnMaster next-pool=pool201.04ovpnMaster ranges=\
    192.168.201.9-192.168.201.10
add name=pool201.02ovpnMaster next-pool=pool201.03ovpnMaster ranges=\
    192.168.201.5-192.168.201.6
add comment=Master-OpenVPN-Port name=pool201.01ovpnMaster next-pool=\
    pool201.02ovpnMaster ranges=192.168.201.1-192.168.201.2
add name=pool202.64ovpnTechnik ranges=192.168.202.253-192.168.202.254
add name=pool202.63ovpnTechnik next-pool=pool202.64ovpnTechnik ranges=\
    192.168.202.249-192.168.202.250
add name=pool202.62ovpnTechnik next-pool=pool202.63ovpnTechnik ranges=\
    192.168.202.245-192.168.202.246
add name=pool202.61ovpnTechnik next-pool=pool202.62ovpnTechnik ranges=\
    192.168.202.241-192.168.202.242
add name=pool202.60ovpnTechnik next-pool=pool202.61ovpnTechnik ranges=\
    192.168.202.237-192.168.202.238
add name=pool202.59ovpnTechnik next-pool=pool202.60ovpnTechnik ranges=\
    192.168.202.233-192.168.202.234
add name=pool202.58ovpnTechnik next-pool=pool202.59ovpnTechnik ranges=\
    192.168.202.229-192.168.202.230
add name=pool202.57ovpnTechnik next-pool=pool202.58ovpnTechnik ranges=\
    192.168.202.225-192.168.202.226
add name=pool202.56ovpnTechnik next-pool=pool202.57ovpnTechnik ranges=\
    192.168.202.221-192.168.202.222
add name=pool202.55ovpnTechnik next-pool=pool202.56ovpnTechnik ranges=\
    192.168.202.217-192.168.202.218
add name=pool202.54ovpnTechnik next-pool=pool202.55ovpnTechnik ranges=\
    192.168.202.213-192.168.202.214
add name=pool202.53ovpnTechnik next-pool=pool202.54ovpnTechnik ranges=\
    192.168.202.209-192.168.202.210
add name=pool202.52ovpnTechnik next-pool=pool202.53ovpnTechnik ranges=\
    192.168.202.205-192.168.202.206
add name=pool202.51ovpnTechnik next-pool=pool202.52ovpnTechnik ranges=\
    192.168.202.201-192.168.202.202
add name=pool202.50ovpnTechnik next-pool=pool202.51ovpnTechnik ranges=\
    192.168.202.197-192.168.202.198
add name=pool202.49ovpnTechnik next-pool=pool202.50ovpnTechnik ranges=\
    192.168.202.193-192.168.202.194
add name=pool202.48ovpnTechnik next-pool=pool202.49ovpnTechnik ranges=\
    192.168.202.189-192.168.202.190
add name=pool202.47ovpnTechnik next-pool=pool202.48ovpnTechnik ranges=\
    192.168.202.185-192.168.202.186
add name=pool202.46ovpnTechnik next-pool=pool202.47ovpnTechnik ranges=\
    192.168.202.181-192.168.202.182
add name=pool202.45ovpnTechnik next-pool=pool202.46ovpnTechnik ranges=\
    192.168.202.177-192.168.202.178
add name=pool202.44ovpnTechnik next-pool=pool202.45ovpnTechnik ranges=\
    192.168.202.173-192.168.202.174
add name=pool202.43ovpnTechnik next-pool=pool202.44ovpnTechnik ranges=\
    192.168.202.169-192.168.202.170
add name=pool202.42ovpnTechnik next-pool=pool202.43ovpnTechnik ranges=\
    192.168.202.165-192.168.202.166
add name=pool202.41ovpnTechnik next-pool=pool202.42ovpnTechnik ranges=\
    192.168.202.161-192.168.202.162
add name=pool202.40ovpnTechnik next-pool=pool202.41ovpnTechnik ranges=\
    192.168.202.157-192.168.202.158
add name=pool202.39ovpnTechnik next-pool=pool202.40ovpnTechnik ranges=\
    192.168.202.153-192.168.202.154
add name=pool202.38ovpnTechnik next-pool=pool202.39ovpnTechnik ranges=\
    192.168.202.149-192.168.202.150
add name=pool202.37ovpnTechnik next-pool=pool202.38ovpnTechnik ranges=\
    192.168.202.145-192.168.202.146
add name=pool202.36ovpnTechnik next-pool=pool202.37ovpnTechnik ranges=\
    192.168.202.141-192.168.202.142
add name=pool202.35ovpnTechnik next-pool=pool202.36ovpnTechnik ranges=\
    192.168.202.137-192.168.202.138
add name=pool202.34ovpnTechnik next-pool=pool202.35ovpnTechnik ranges=\
    192.168.202.133-192.168.202.134
add name=pool202.33ovpnTechnik next-pool=pool202.34ovpnTechnik ranges=\
    192.168.202.129-192.168.202.130
add name=pool202.32ovpnTechnik next-pool=pool202.33ovpnTechnik ranges=\
    192.168.202.125-192.168.202.126
add name=pool202.31ovpnTechnik next-pool=pool202.32ovpnTechnik ranges=\
    192.168.202.121-192.168.202.122
add name=pool202.30ovpnTechnik next-pool=pool202.31ovpnTechnik ranges=\
    192.168.202.117-192.168.202.118
add name=pool202.29ovpnTechnik next-pool=pool202.30ovpnTechnik ranges=\
    192.168.202.113-192.168.202.114
add name=pool202.28ovpnTechnik next-pool=pool202.29ovpnTechnik ranges=\
    192.168.202.109-192.168.202.110
add name=pool202.27ovpnTechnik next-pool=pool202.28ovpnTechnik ranges=\
    192.168.202.105-192.168.202.106
add name=pool202.26ovpnTechnik next-pool=pool202.27ovpnTechnik ranges=\
    192.168.202.101-192.168.202.102
add name=pool202.25ovpnTechnik next-pool=pool202.26ovpnTechnik ranges=\
    192.168.202.97-192.168.202.98
add name=pool202.24ovpnTechnik next-pool=pool202.25ovpnTechnik ranges=\
    192.168.202.93-192.168.202.94
add name=pool202.23ovpnTechnik next-pool=pool202.24ovpnTechnik ranges=\
    192.168.202.89-192.168.202.90
add name=pool202.22ovpnTechnik next-pool=pool202.23ovpnTechnik ranges=\
    192.168.202.85-192.168.202.86
add name=pool202.21ovpnTechnik next-pool=pool202.22ovpnTechnik ranges=\
    192.168.202.81-192.168.202.82
add name=pool202.20ovpnTechnik next-pool=pool202.21ovpnTechnik ranges=\
    192.168.202.77-192.168.202.78
add name=pool202.19ovpnTechnik next-pool=pool202.20ovpnTechnik ranges=\
    192.168.202.73-192.168.202.74
add name=pool202.18ovpnTechnik next-pool=pool202.19ovpnTechnik ranges=\
    192.168.202.69-192.168.202.70
add name=pool202.17ovpnTechnik next-pool=pool202.18ovpnTechnik ranges=\
    192.168.202.65-192.168.202.66
add name=pool202.16ovpnTechnik next-pool=pool202.17ovpnTechnik ranges=\
    192.168.202.61-192.168.202.62
add name=pool202.15ovpnTechnik next-pool=pool202.16ovpnTechnik ranges=\
    192.168.202.57-192.168.202.58
add name=pool202.14ovpnTechnik next-pool=pool202.15ovpnTechnik ranges=\
    192.168.202.53-192.168.202.54
add name=pool202.13ovpnTechnik next-pool=pool202.14ovpnTechnik ranges=\
    192.168.202.49-192.168.202.50
add name=pool202.12ovpnTechnik next-pool=pool202.13ovpnTechnik ranges=\
    192.168.202.45-192.168.202.46
add name=pool202.11ovpnTechnik next-pool=pool202.12ovpnTechnik ranges=\
    192.168.202.41-192.168.202.42
add name=pool202.10ovpnTechnik next-pool=pool202.11ovpnTechnik ranges=\
    192.168.202.37-192.168.202.38
add name=pool202.09ovpnTechnik next-pool=pool202.10ovpnTechnik ranges=\
    192.168.202.33-192.168.202.34
add name=pool202.08ovpnTechnik next-pool=pool202.09ovpnTechnik ranges=\
    192.168.202.29-192.168.202.30
add name=pool202.07ovpnTechnik next-pool=pool202.08ovpnTechnik ranges=\
    192.168.202.25-192.168.202.26
add name=pool202.06ovpnTechnik next-pool=pool202.07ovpnTechnik ranges=\
    192.168.202.21-192.168.202.22
add name=pool202.05ovpnTechnik next-pool=pool202.06ovpnTechnik ranges=\
    192.168.202.17-192.168.202.18
add name=pool202.04ovpnTechnik next-pool=pool202.05ovpnTechnik ranges=\
    192.168.202.13-192.168.202.14
add name=pool202.03ovpnTechnik next-pool=pool202.04ovpnTechnik ranges=\
    192.168.202.9-192.168.202.10
add name=pool202.02ovpnTechnik next-pool=pool202.03ovpnTechnik ranges=\
    192.168.202.5-192.168.202.6
add comment=Techniker-OpenVPN-Port name=pool202.01ovpnTechnik next-pool=\
    pool202.02ovpnTechnik ranges=192.168.202.1-192.168.202.2
add name=pool200b ranges=192.168.127.0-192.168.127.254
/ip dhcp-server
add address-pool=pool100 disabled=no interface=vlan100_Mitarbeiter name=\
    dhcp100
add address-pool=pool500 disabled=no interface=vlan500_Gast lease-time=30m \
    name=dhcp500
add address-pool=pool800 disabled=no interface=vlan800_KlWg name=dhcp800
add address-pool=pool900 disabled=no interface=vlan900_GrWg name=dhcp900
/ip pool
add name=pool200 next-pool=pool200b ranges=192.168.121.1-192.168.126.255
/ip dhcp-server
add address-pool=pool200 disabled=no interface=vlan200_Technik \
    lease-time=1h name=dhcp200
/ppp profile
add dns-server=192.168.100.1 local-address=pool201.01ovpnMaster name=\
    RoadWarrior remote-address=pool201.01ovpnMaster use-compression=no \
    use-encryption=required wins-server=192.168.100.1
add dns-server=192.168.200.1 local-address=pool202.01ovpnTechnik name=\
    RoadWarriorTechnik remote-address=pool202.01ovpnTechnik use-compression=\
    no use-encryption=required wins-server=192.168.200.1
/queue type
add kind=pcq name=pcq-dwn-Gast pcq-burst-rate=50M pcq-burst-time=30s \
    pcq-classifier=dst-address pcq-limit=1000KiB pcq-rate=10M \
    pcq-total-limit=200000KiB
add kind=pcq name=pcq-upl-Gast pcq-burst-rate=30M pcq-burst-time=30s \
    pcq-classifier=src-address pcq-limit=1000KiB pcq-rate=10M \
    pcq-total-limit=200000KiB
add kind=pcq name=pcq-dwn-Hold pcq-classifier=dst-address pcq-limit=5000KiB \
    pcq-total-limit=200000KiB
add kind=pcq name=pcq-upl-hold pcq-classifier=src-address pcq-limit=5000KiB \
    pcq-total-limit=200000KiB
add kind=pcq name=pcq-dwn-big pcq-classifier=dst-address pcq-limit=10000KiB \
    pcq-total-limit=300000KiB
add kind=pcq name=pcq-upl-big pcq-classifier=src-address pcq-limit=10000KiB \
    pcq-total-limit=300000KiB
/queue simple
add max-limit=53M/115M name=Internet queue=pcq-upl-big/pcq-dwn-big target=\
    192.168.0.0/16 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add limit-at=20M/20M max-limit=53M/115M name=Technik parent=Internet \
    priority=1/1 queue=pcq-upl-hold/pcq-dwn-Hold target=192.168.112.0/20
add limit-at=10M/10M max-limit=53M/115M name="KlWG" parent=Internet \
    priority=3/3 target=192.168.176.0/21
add limit-at=1M/1M max-limit=30M/60M name=Gast parent=Internet queue=\
    pcq-upl-Gast/pcq-dwn-Gast target=192.168.128.0/19
add limit-at=10M/10M max-limit=53M/115M name=GrosseWG parent=Internet \
    priority=3/3 target=192.168.190.0/23
add limit-at=5M/5M max-limit=53M/115M name=Mitarbeiter parent=Internet \
    priority=2/2 queue=pcq-upl-hold/pcq-dwn-Hold target=192.168.96.0/20
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=UpdatesROS \
    upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    "Mitarbeiter 5G" name-format=prefix-identity name-prefix=cap5G \
    slave-configurations="Technik_5G,Gast 5G"
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=\
    .*Rest.* master-configuration="Mitarbeiter 2G" name-format=\
    prefix-identity name-prefix=capR2G slave-configurations="Gast 2G"
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=\
    .*Technik.* master-configuration=Technik_2G name-format=prefix-identity \
    name-prefix=capT2G
add action=create-dynamic-enabled hw-supported-modes=g,gn identity-regexp=\
    .*All.* master-configuration="Mitarbeiter 2G" name-format=prefix-identity \
    name-prefix=cap2G slave-configurations="Technik_2G,Gast 2G"
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn \
    master-configuration="Mitarbeiter 2G" name-format=prefix-identity \
    name-prefix=cap2G slave-configurations="Technik_2G,Gast 2G"
/interface bridge port
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface="E10_AP Gr Saal" pvid=100
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=E0-sfp_Uplink
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=bond_Room1 pvid=100
add bridge=bridge_LAN interface=bond_Room3
add bridge=bridge_LAN interface=bond_Switch
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=bond_Kinder
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge_LAN tagged="bridge_LAN,bond_Room3,bond_Switch,bond_Kinder\
    ,bond_Room1,E0-sfp_Uplink,E10_AP Gr Saal" vlan-ids=100
add bridge=bridge_LAN tagged="bridge_LAN,E10_AP Gr Saal,bond_Room1,bond_Pastora\
    t,bond_Switch,bond_Kinder,E0-sfp_Uplink" vlan-ids=200
add bridge=bridge_LAN tagged="bridge_LAN,E10_AP Gr Saal,bond_Room1,bond_Pastora\
    t,bond_Switch,bond_Kinder,E0-sfp_Uplink" vlan-ids=500
add bridge=bridge_LAN tagged=\
    bridge_LAN,bond_Room3,bond_Switch,E0-sfp_Uplink vlan-ids=800
add bridge=bridge_LAN tagged=\
    bridge_LAN,bond_Switch,bond_Room3,E0-sfp_Uplink vlan-ids=900
/interface list member
add interface=E1_Internet list=WAN
/interface ovpn-server server
set auth=sha1 certificate=efggoslar_Server.crt_0 cipher=aes256 \
    default-profile=RoadWarrior enabled=yes mode=ethernet netmask=20 \
    require-client-certificate=yes
/interface wireless cap
# 
set bridge=bridge_LAN certificate=request discovery-interfaces=\
    vlan200_Technik enabled=yes interfaces=wlan2G,wlan5G
/ip address
add address=192.168.100.1/20 comment="Router im Hauptnetz: Router selber" \
    interface=vlan100_Mitarbeiter network=192.168.96.0
add address=192.168.120.1/20 comment=Technik interface=\
    vlan200_Technik network=192.168.112.0
add address=192.168.150.1/19 comment="Gastnetz Offen" interface=vlan500_Gast \
    network=192.168.128.0
add address=192.168.180.1/21 comment="Kleine WG" interface=vlan800_KlWg \
    network=192.168.176.0
add address=192.168.190.1/23 comment="Gro\DFe WG" interface=vlan900_GrWg \
    network=192.168.190.0
add address=192.168.100.2/20 comment="Router im Hauptnetz: FritzBox-MASQ" \
    interface=vlan100_Mitarbeiter network=192.168.96.0
add address=192.168.64.2/24 comment="Router im Fritznetz" interface=\
    E1_Internet network=192.168.64.0
add address=192.168.100.14/20 comment="Router im Hauptnetz: Router Mischpult" \
    interface=vlan100_Mitarbeiter network=192.168.96.0
add address=192.168.120.110/20 interface=vlan200_Technik \
    network=192.168.112.0
add address=192.168.120.111/20 interface=vlan200_Technik \
    network=192.168.112.0
add address=192.168.120.200/20 interface=vlan200_Technik \
    network=192.168.112.0
add address=192.168.100.200/20 comment="Router im Hauptnetz: Mischpult" \
    interface=vlan100_Mitarbeiter network=192.168.96.0
/ip dhcp-server lease
add address=192.168.100.100 client-id=1:5c:f4:ab:e4:c0:8f comment=\
    "Server" mac-address=5C:F4:AB:E4:C0:8F server=dhcp100
add address=192.168.120.101 client-id=1:94:db:56:2a:ae:29 comment=\
    "Tec TV Kl. Saal" mac-address=94:DB:56:2A:AE:29 server=dhcp200
add address=192.168.120.102 client-id=1:94:db:56:9a:cf:c5 comment=\
    "Tec TV Kinder" mac-address=94:DB:56:9A:CF:C5 server=dhcp200
add address=192.168.100.110 client-id=1:ec:9a:74:35:d8:bf comment=\
    "Drucker" mac-address=EC:9A:74:35:D8:BF server=dhcp100
add address=192.168.100.111 client-id=1:0:1b:a9:54:bb:8f mac-address=\
    00:1B:A9:54:BB:8F server=dhcp100
add address=192.168.120.120 client-id=1:dc:a6:32:d8:2b:39 comment=\
    Videomischer mac-address=DC:A6:32:D8:2B:39 server=dhcp200
add address=192.168.120.150 client-id=1:bc:5f:f4:f8:d4:b1 comment="Video PC" \
    mac-address=BC:5F:F4:F8:D4:B1 server=dhcp200
/ip dhcp-server network
add address=192.168.96.0/20 comment=Mitarbeiter dns-server=192.168.100.1 \
    gateway=192.168.100.1
add address=192.168.112.0/20 comment=Technik dns-server=\
    192.168.120.1 gateway=192.168.120.1
add address=192.168.128.0/19 comment=Gast dns-server=192.168.150.1 gateway=\
    192.168.150.1
add address=192.168.176.0/21 comment="Kleine WG" dns-server=\
    192.168.180.1 gateway=192.168.180.1
add address=192.168.190.0/23 comment="Gro\DFe WG" dns-server=\
    192.168.190.1 gateway=192.168.190.1
/ip dns
set allow-remote-requests=yes servers=192.168.100.2,192.168.64.1
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Grund: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "Grund: Acc Forw established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Winbox ist ok" dst-address=\
    224.0.0.0/4 log-prefix=Multicast
add action=drop chain=forward comment="Grund: Drop Forw invalid" \
    connection-state=invalid
add action=accept chain=forward port=8291 protocol=tcp
add action=accept chain=forward comment="Nur eigene Netze im Netz" \
    dst-address=192.168.96.0/20 log=yes log-prefix=MA-Netz src-address=\
    192.168.96.0/20
add action=accept chain=forward dst-address=192.168.112.0/20 log-prefix=\
    Veranst.-Netz src-address=192.168.112.0/20
add action=accept chain=forward dst-address=192.168.176.0/21 log-prefix=\
    Kl.WG-Netz src-address=192.168.176.0/21
add action=accept chain=forward dst-address=192.168.190.0/23 log-prefix=\
    GrWG-Netz src-address=192.168.190.0/23
add action=accept chain=forward dst-address=192.168.120.1 log-prefix=\
    "Gastnetz nur zum Router erlaubt" src-address=192.168.128.0/19
add action=accept chain=forward comment="Eigene Netze ins Internet" \
    in-interface=vlan100_Mitarbeiter log-prefix=MA-Netz out-interface=\
    E1_Internet src-address=192.168.96.0/20
add action=accept chain=forward in-interface=vlan200_Technik \
    log-prefix=Gaeste out-interface=E1_Internet src-address=192.168.112.0/20
add action=accept chain=forward in-interface=vlan500_Gast log-prefix=Gaeste \
    out-interface=E1_Internet src-address=192.168.128.0/19
add action=accept chain=forward in-interface=vlan800_KlWg log-prefix=\
    KlWohnung out-interface=E1_Internet src-address=192.168.176.0/21
add action=accept chain=forward in-interface=vlan900_GrWg log-prefix=\
    GrWohnung out-interface=E1_Internet src-address=192.168.190.0/23
add action=accept chain=forward comment="Router d\FCrfen alles" log-prefix=\
    "Router in alles" src-address=192.168.100.0/24
add action=accept chain=input log-prefix="Technik auf Router" src-address=\
    192.168.112.0/20
add action=accept chain=output dst-address=192.168.112.0/20 log-prefix=\
    "Technik von Router"
add action=accept chain=input comment=\
    "Grund: Acc Input established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Winbox Firewall" dst-port=8291 \
    protocol=tcp
add action=accept chain=output log-prefix=Winbox->DirksLT protocol=tcp \
    src-port=8291
add action=accept chain=input comment=OpenVPNZugang dst-port=1194 log-prefix=\
    "VPN In" protocol=tcp
add action=accept chain=output log-prefix="VPN Out" protocol=tcp src-port=\
    1194
add action=accept chain=forward comment="Mikrotik Discovery" log-prefix=\
    "Mikrotik Discovery erlauben" port=5678 protocol=udp src-address=\
    192.168.96.0/20
add action=accept chain=forward log-prefix="Mikrotik Discovery erlauben" \
    port=5678 protocol=udp src-address=192.168.112.0/20
add action=accept chain=forward dst-address=192.168.96.0/20 log-prefix=\
    "Mikrotik Discovery erlauben" port=5678 protocol=udp
add action=accept chain=forward dst-address=192.168.112.0/20 log-prefix=\
    "Mikrotik Discovery erlauben" port=5678 protocol=udp
add action=accept chain=forward log-prefix="Mikrotik Diskover all" port=5678 \
    protocol=udp
# ovpn-DirksPC not ready
add action=accept chain=forward comment="OVPN darf alles" in-interface=\
    ovpn-DirksPC log-prefix="OVPN Darf alles" src-address=192.168.201.0/24
add action=accept chain=forward in-interface=ovpn-DirksLT log-prefix=\
    "OVPN Darf alles" src-address=192.168.201.0/24
# ovpn-Ralf not ready
add action=accept chain=forward in-interface=ovpn-Ralf log-prefix=\
    "OVPN Darf alles" src-address=192.168.201.0/24
# ovpn-Florian not ready
add action=accept chain=forward in-interface=ovpn-Florian log-prefix=\
    "OVPN Darf alles" src-address=192.168.202.0/24
add action=accept chain=forward comment="Ins OVPN_Netz erlauben" dst-address=\
    192.168.201.0/24 log-prefix="Ins OVPN-Netz"
add action=accept chain=forward comment="Ins OVPN_Netz erlauben" dst-address=\
    192.168.202.0/24 log-prefix="Ins OVPN-Netz"
add action=drop chain=input comment="Grund: Drop Input invalid" \
    connection-state=invalid
add action=accept chain=input comment="Grund: Acc ICMP" protocol=icmp
add action=accept chain=input comment="Grund: Acc loopback (z.B. CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="Grund: Drop alles nicht im LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="Grund: Acc ipsec-in" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="Grund: Acc ipsec-out" ipsec-policy=\
    out,ipsec
add action=accept chain=forward connection-nat-state=srcnat,dstnat log=yes \
    log-prefix="NAT erlauben"
add action=drop chain=forward comment=\
    "Grund: Drop WAN von aussen ohne Anfrage innen" connection-nat-state=\
    !dstnat connection-state=new in-interface=E1_Internet
add action=drop chain=forward comment=\
    "Alles was nicht erlaubt ist ist verboten" log=yes log-prefix=\
    "Nicht erlaubt"
/ip firewall mangle
add action=log chain=prerouting log-prefix="Test Backroute" protocol=icmp \
    src-address=192.168.120.205
add action=log chain=postrouting log=yes log-prefix="Test Backroute" \
    protocol=icmp src-address=192.168.120.205
add action=log chain=prerouting dst-address=192.168.100.14 log=yes \
    log-prefix="Test OldIP" protocol=icmp
add action=log chain=postrouting dst-address=192.168.100.14 log=yes \
    log-prefix="Test OrgIP" protocol=icmp
add action=log chain=postrouting dst-address=192.168.120.205 log=yes \
    log-prefix="Test DestIP" protocol=icmp
add action=mark-packet chain=prerouting disabled=yes dst-address=\
    192.168.112.0/20 log-prefix=Test new-packet-mark=Technik \
    passthrough=yes
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=\
    Technik passthrough=yes src-address=192.168.112.0/20
add action=mark-packet chain=prerouting disabled=yes dst-address=\
    192.168.128.0/20 new-packet-mark=Gaeste passthrough=yes
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=Gaeste \
    passthrough=yes src-address=192.168.128.0/20
/ip firewall nat
add action=dst-nat chain=dstnat comment="Router Mischpult" dst-address=\
    192.168.100.14 log=yes log-prefix=DestNat to-addresses=192.168.120.205
add action=src-nat chain=srcnat comment="Router Mischpult" dst-address=\
    192.168.120.205 dst-port=8291 log=yes log-prefix=MasqWinbox protocol=tcp \
    src-address=192.168.200.0/24 to-addresses=192.168.120.1
add action=src-nat chain=srcnat comment="Router Mischpult" dst-address=\
    192.168.120.205 dst-port=8291 log=yes log-prefix=MasqWinbox protocol=tcp \
    src-address=192.168.96.0/20 to-addresses=192.168.120.1
add action=src-nat chain=srcnat comment="Router Mischpult" out-interface=\
    ovpn-DirksLT src-address=192.168.120.205 to-addresses=192.168.201.1
add action=masquerade chain=srcnat comment="Masq nach aussen" ipsec-policy=\
    out,none log-prefix=Internet out-interface=E1_Internet
add action=dst-nat chain=dstnat comment=Fritz-Box dst-address=192.168.100.2 \
    log-prefix=Fritz-Box to-addresses=192.168.64.1
add action=dst-nat chain=dstnat comment="Mischer im Hauptnetz" dst-address=\
    192.168.100.200 to-addresses=192.168.120.100
add action=dst-nat chain=dstnat comment=BeamPC dst-address=192.168.100.201 \
    to-addresses=192.168.120.150
add action=dst-nat chain=dstnat comment=\
    "Geraete ins Techniknetz: NAS, Drucker" dst-address=192.168.120.200 \
    to-addresses=192.168.100.100
add action=dst-nat chain=dstnat dst-address=192.168.120.110 to-addresses=\
    192.168.100.110
add action=dst-nat chain=dstnat dst-address=192.168.120.111 to-addresses=\
    192.168.100.111
add action=src-nat chain=srcnat comment="Road Warrior" src-address=\
    192.168.201.0/24 to-addresses=192.168.100.3
add action=src-nat chain=srcnat comment="Road Warrior Technik" src-address=\
    192.168.202.0/24 to-addresses=192.168.200.3
/ip route
add distance=1 gateway=192.168.64.1
add distance=1 dst-address=10.10.1.0/24 gateway=192.168.100.21
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.100.20
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.100.20
/ppp secret
add name=DirkLT profile=RoadWarrior
add name=Florian profile=RoadWarriorTechnik service=ovpn
add name=DirkPC profile=RoadWarrior
add name=Ralf profile=RoadWarrior
add name=David profile=RoadWarriorTechnik service=ovpn
add name=Benjamin profile=RoadWarriorTechnik service=ovpn
/radius
add address=192.168.100.1 service=hotspot,wireless
/radius incoming
set accept=yes
/routing pim bsr-candidates
add disabled=yes interface=vlan200_Technik
/routing pim interface
add alternative-subnets=192.168.112.0/20,192.168.96.0/20,192.168.128.0/19 \
    interface=vlan100_Mitarbeiter
add alternative-subnets=192.168.112.0/20,192.168.96.0/20,192.168.128.0/19 \
    interface=vlan200_Technik
/routing pim rp
add address=192.168.120.1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router_Serverschrank_All
/system leds
add interface=wlan2G leds="wlan2G_signal1-led,wlan2G_signal2-led,wlan2G_signal\
    3-led,wlan2G_signal4-led,wlan2G_signal5-led" type=\
    wireless-signal-strength
add interface=wlan2G leds=wlan2G_tx-led type=interface-transmit
add interface=wlan2G leds=wlan2G_rx-led type=interface-receive
/system logging
add disabled=yes topics=debug,!ntp
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.104 \
    server-dns-names=192.168.100.1
/tool graphing interface
add allow-address=192.168.96.0/20
add allow-address=192.168.112.0/20
add allow-address=192.168.100.0/24
/tool graphing queue
add allow-address=192.168.112.0/20
add allow-address=192.168.112.0/20
/tool graphing resource
add allow-address=192.168.96.0/20
add allow-address=192.168.112.0/20

I can't help myself, maybe I see nothing because I am to close to it,

Good night,

Dirk

Posted: **Wed Jul 07, 2021 6:04 pm**

Can you provide a drawing of how all this is hooked up?

Posted: **Thu Jul 08, 2021 10:29 pm**

Here is my plan, I hope you can see what you wanted - I never learned drawing network-plans...

The point is, I want to see the devices, mainly the Routerboard from my PC when they are connected to the rest of the network.
AND I think, I have one point not understood from masquerading so this behavior happends.

NetworkPlan.jpg

Posted: **Thu Jul 08, 2021 11:30 pm**

Please tell me that all the various routers EXCEPT the RB4011 are only being used as managed switches and not routers.
Unless I am badly missing something, if you are doing ANY routing function in the rest of the routers, you are only making your life more complex.
And I can't help you much on the configuration of routers being used only as a managed switch - as I don't do that anywhere. Routers are used as routers and switches are used as switches.

Posted: **Sat Jul 10, 2021 5:11 pm**

Of course, they are only used as managed switches, no routing on them.
Most of them as WLAN-APs, managed by CAPsMAN in RB4011, and dividing the VLANs for the ports. Mostly just one route:

/ip route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.96.0/20    192.168.100.12  vlan100                   0

because of their IP-Address.

And because the RB2011 was not in use, I put it to my place so I can use his display to see what happenings on his ports. Sometimes I change the port my PC uses so I can put him into different VLANs.

But I wonder:
I can Ping the Mobile-Part-Router with IP 192.168.120.205 from RB4011, and I can connect him from my PC if I plug my PC in VLAN200 (RB2011 as managed Switch, just a Port who sends Packets from VLAN200 without VLAN-Tag, and gives incoming Packets the VLAN-Tag of VLAN200).
And I can get a connection to "Mischer" with IP192.168.120.100 via Dst-Nat

;;; Mischer im Hauptnetz
chain=dstnat action=dst-nat to-addresses=192.168.120.100 dst-address=192.168.100.200 log=no log-prefix=""

But I get no connection via Nat-Roules in RB4011, as shown in the first Topic.

Posted: **Mon Jul 19, 2021 1:38 pm**

And I can't help you much on the configuration of routers being used only as a managed switch - as I don't do that anywhere. Routers are used as routers and switches are used as switches.

The problem is, if you want to use CAPsMAN for the APs, you mostly need to buy mikrotik-routers as all wireless solutions of mikrotik are shipped with routerOS, see Mikrotiks product pages (Wireless for home and office or Wireless systems - just the licence level differs (only very rare devices).

The switches with WLAN are more expensive (Switches with WLAN) and on the product page is written: Operating System: RouterOS L5.

I use e.g. RBD52G-5HacD2HnD as an AP and a small switch. Vlan functionality is build within the bridge - all ports are bridged with vlan (tagged/untagged outgoing as needed, incoming all ports tagged), no firewall or anything else on these routers.

MikroTik

Access to Router in LAN2

Access to Router in LAN2

Re: Access to Router in LAN2

Re: Access to Router in LAN2

Re: Access to Router in LAN2

Re: Access to Router in LAN2

Re: Access to Router in LAN2