alsur
just joined
Topic Author
Posts: 8
Joined: Tue Mar 25, 2014 4:56 pm

2 LAN ranges on the same network

Mon Nov 25, 2024 9:55 pm

Hi, we have a complex installation with load balancing and failover on a RB1100AHx4 (version: 7.16.1 (stable)) with numerous NAT and firewall rules to our LAN 192.168.0.1/24. We use Ethernet ports 1 to 3 for gateways and 4 to 13 for LAN on our bridge-local and some of those have additional switches and certain rooms.

We are now considering moving to a LAN range 10.0.0.1/24 on our local server (PVE) (currently at 192.168.0.21) for compatibility of our production server and because we also have some conflicts with VPN users who also have 192.168.0.X on their local LANs. We could have only that server on that range, but we are considering doing it gradually in the whole LAN.

Excuse me if this is a noob question, but I am not sure how to proceed with having two different local ranges on our bridge-local, if that is at all possible. I guessed I could add the additional range to my bridge, but that is not working. We could assign one of the Ethernet ports to that range and connect directly to our local server on a second Ethernet port and limit it to that, but that would also require having a second cable reaching it, which is somewhat complicated; or change the whole local LAN in one go, in which case I guess we would ideally have to export the whole router config, edit/replace all 192.168.0.X references and modify all the connected equipment that might not be using DHCP. But as explained, we were hoping to be able to do this gradually.

I would be most grateful for any assistance on what the easiest configuration would be for a gradual change.
 
sindy
Forum Guru
Posts: 11301
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 LAN ranges on the same network

Mon Nov 25, 2024 10:37 pm

It is indeed possible to use multiple subnets in the same L2 segment (bridge, VLAN), but there are a few things that complicate this.

The least critical one is that if you need the router itself to initiate any connections to the devices in the two subnets (such as pinging the devices from the router), you have to make sure that the router itself uses the correct own address when initiating a connection to a device in one subnet or the other; since the routes to those subnets are added dynamically, you cannot set pref-src on them, so you would have to use a src-nat rule instead.

A more important one is that if you need the devices in the "old" and "new" subnet to talk to each other, you must make sure that the router will not suggest that they take a shortcut. If Mikrotik finds a route for a packet and the next hop is reachable via the same interface through which the packet came in, it delivers the packet but informs the sender that there is a better route; some IP stacks will respect that and will send further packets from (let's say) 10.0.0.1 to 192.168.0.5 directly although the destination is not in the subnet of the source, some will not. To prevent this, you would have to set send-redirects under /ip settings to no.

Furthermore, if your LAN devices need to talk to each other, their own firewall rules may not allow incoming connections from other-than-own subnets (e.g. Microsoft Windows firewall ignores pings from foreign networks by default). Of course, the firewall rules on Mikrotik itself would have to permit forwarding between the two subnets too.

And most critically, you have mentioned DHCP - you can attach only a single DHCP server to an L2 segment. That single server can assign addresses from both subnets, but only for one of them can it choose them from a pool, so I would suggest changing all the existing leases to static ones and editing the IP addresses of these static leases to migrate the devices.

So in summary, I'd say add the new subnet, put just one computer on it, and then use sniffing on the computer itself and on the Mikrotik to find out what works and what does not, addressing the issues as you find them. Once you make it work for that test computer, you can migrate a few other ones, and if everything is OK, migrate all the rest.
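The steps above, written out as an added RouterOS CLI example (not configuration posted in this thread or shipped by MikroTik). It assumes the bridge is named bridge-local, the router keeps 192.168.0.1 and takes 10.0.0.1 in the new subnet, the server moves from 192.168.0.21 to 10.0.0.21, and the server's MAC address is a placeholder:

```routeros
# 1. Second subnet on the same bridge: the router now has an address in both ranges
/ip address add address=10.0.0.1/24 interface=bridge-local comment="new LAN range"

# 2. Stop the router from telling hosts to bypass it for old<->new traffic (ICMP redirects)
/ip settings set send-redirects=no

# 3. Allow forwarding between the two subnets. These must sit above any drop rule in
#    the forward chain; check the position afterwards with: /ip firewall filter print
/ip firewall filter add chain=forward src-address=192.168.0.0/24 dst-address=10.0.0.0/24 \
    action=accept comment="old LAN -> new LAN"
/ip firewall filter add chain=forward src-address=10.0.0.0/24 dst-address=192.168.0.0/24 \
    action=accept comment="new LAN -> old LAN"

# 4. Router-originated traffic (ping, DNS, NTP from the router itself) would leave with
#    source 192.168.0.1 even toward 10.0.0.x, because the connected route is dynamic and
#    pref-src cannot be set on it. Rewrite the source with a src-nat rule instead.
/ip firewall nat add chain=srcnat src-address=192.168.0.1 dst-address=10.0.0.0/24 \
    action=src-nat to-addresses=10.0.0.1 comment="router's own traffic to new LAN"
#    Existing WAN masquerade rules that match on src-address=192.168.0.0/24 need a copy
#    for 10.0.0.0/24 as well, otherwise migrated hosts lose Internet access.

# 5. One DHCP server per L2 segment: add a network definition for the new range so a
#    static lease placed there is handed the correct gateway and DNS server
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1 \
    comment="new LAN range"

# 6. Freeze every current dynamic lease as static, then move devices one at a time by
#    editing the lease address (placeholder MAC for the PVE server)
/ip dhcp-server lease make-static [find dynamic=yes]
/ip dhcp-server lease set [find mac-address="AA:BB:CC:DD:EE:FF"] address=10.0.0.21

# 7. After the server renews its lease, check reachability from the router and confirm
#    in the connection table that the translated source is 10.0.0.1
/ping 10.0.0.21 count=3
/ip firewall connection print where dst-address~"10.0.0.21"
```

Test with one host first, as sindy suggests; the host-side firewall and any applications bound to the old address are the usual remaining blockers.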