Mikrotik Hap Ac2 and accessing all devices on LAN

Hello!

I have been trying to get my Mikrotik router to provide LAN access, but I seem to be missing some steps and can’t get what I’ve read so far to work…
I would like to do the following two scenarios:

1. Port 1 of Mikrotik (HAP AC2) connected to 192.168.1.0/24 network that has internet connection.
   Zerotier set up on Mikrotik and provides member devices (zerotier) access to ping/access all devices on 192.168.1.0/24 network.
   Remaining ports 2-5 not important.

2. Port 1 of Mikrotik (HAP AC2) connected to 192.168.1.0/24 network that has internet connection.
   Zerotier set up on Mikrotik and provides member devices (zerotier) access to ping/access all devices on 192.168.1.0/24 network.
   Port 2 should be giving out DHCP from the 192.168.1.0/24 network, able to be accessed from member zerotier devices and access the 192.168.1.0/24 network devices.
   Port 3 of Mikrotik (HAP AC2) connected to 192.168.2.0/24 network (no internet).
   Alternate Zerotier 2 network set up on Mikrotik and provides member devices (zerotier 2) access to ping/access all devices on 192.168.2.0/24 network.
   Port 4 should be giving out DHCP from the 192.168.2.0/24 network, able to be accessed from member zerotier 2 devices and access the 192.168.2.0/24 network devices.

Are these possible to do?
Ultimately the goal is to have a device that I can remote into networks with and work on devices as if I were there…

Thanks,

–Phil

Ok, I figured this out…will post details shortly.

Here are my steps to achieve both scenarios:
—GO TO TERMINAL —
zerotier/enable zt1
zerotier/interface/add network=<network id 1> instance=zt1
----AUTHORIZE AND ENABLE BRIDGING ON ZEROTIER -------
—GO TO BRIDGE/BRIDGE —
ADD BRIDGE (bridge1)
—GO TO TERMINAL —
/ip firewall filter
add action=accept chain=forward in-interface=bridge1 place-before=0
add action=accept chain=input in-interface=bridge1 place-before=0
—GO TO BRIDGE/PORTS —
ADD PORT (interface:zerotier1, bridge: bridge1, trusted:checked)
ADD PORT (interface:WAN, bridge: bridge1, trusted:checked)

Make an additional port part of the 1st network
—GO TO BRIDGE/PORTS—
—SELECT INTERFACE ETHER2 (OR WHATEVER)—
CHANGE BRIDGE (bridge:bridge1)
—GO TO IP/DHCP RELAY—
ADD RELAY (name:relay1, interface:bridge1, DHCP Server:local server address (192.168.1.1 example))

Add 2nd Zerotier network
—GO TO ZEROTIER—
ADD ZEROTIER NETWORK (name:zerotier2, network:<network id 2>)
----AUTHORIZE AND ENABLE BRIDGING ON ZEROTIER -------
—GO TO BRIDGE/BRIDGE —
ADD BRIDGE (bridge2)
—GO TO TERMINAL —
/ip firewall filter
add action=accept chain=forward in-interface=bridge2 place-before=0
add action=accept chain=input in-interface=bridge2 place-before=0
—GO TO BRIDGE/PORTS —
ADD PORT (interface:zerotier2, bridge: bridge2, trusted:checked)
—SELECT INTERFACE ETHER3 (OR WHATEVER)—
CHANGE BRIDGE (bridge:bridge2)
—GO TO IP/DHCP RELAY—
ADD RELAY (name:relay2, interface:bridge2, DHCP Server:local server address (192.168.2.1 example))

Here is an updated terminal-only version including a deployment of a zerotier ID that is just for router access (“drop the router and go” mode; then you can set up the rest off-site).
If you have a site with two LANs you want access to, you can patch port 1 into the first and port 3 into the second. In ZT you set up your addresses to match those ranges and you can jump into them with your laptop.

=======ADD ZEROTIER TO MANAGE ROUTER=======
zerotier/enable zt1 ← Enables Zerotier
zerotier/interface/add network=<ZT network ID 1> instance=zt1 allow-managed=yes ← Adds Zerotier1 interface
[GO TO ZT AND AUTHORIZE - NOT BRIDGE MODE]
/ip firewall filter add action=accept chain=forward in-interface=zerotier1 place-before=0 ← Firewall in Zerotier1
/ip firewall filter add action=accept chain=input in-interface=zerotier1 place-before=0 ← Firewall in Zerotier1

=======ADD SECOND ZEROTIER TO BRIDGE LAN (EXPOSE FULL)=======

zerotier/interface/add network=<ZT network ID 2> instance=zt1 allow-managed=yes ← Adds Zerotier2 interface
[GO TO ZT AND ZT AUTHORIZE AND BRIDGE MODE]
interface/bridge add ← Adds Bridge1
/interface bridge port add bridge=bridge1 interface=zerotier2 ← Adds zerotier2 to bridge1
/interface bridge port add bridge=bridge1 interface=WAN ← Adds WAN/Eth1 to bridge1
/ip firewall filter add action=accept chain=forward in-interface=bridge1 place-before=0 ← Firewall in bridge1
/ip firewall filter add action=accept chain=input in-interface=bridge1 place-before=0 ← Firewall in bridge1
/ip dhcp-relay add interface=bridge1 dhcp-server=<DHCP SERVER #1> disabled=no ← DHCP Relay bridge1 <DHCP SERVER #1>

/interface bridge port set [find interface=ether2] bridge=bridge1 <----MOVE ETHERNET PORT 2 INTO BRIDGE 1

=======ADD THIRD ZEROTIER TO BRIDGE LAN 2 (EXPOSE FULL)=======

zerotier/interface/add network=<ZT network ID 3> instance=zt1 allow-managed=yes ← Adds Zerotier3 interface
[GO TO ZT AND AUTHORIZE AND BRIDGE MODE]
interface/bridge add ← Adds Bridge2
/interface bridge port add bridge=bridge2 interface=zerotier3 ← Adds zerotier3 to bridge2
/ip firewall filter add action=accept chain=forward in-interface=bridge2 place-before=0 ← Firewall in bridge2
/ip firewall filter add action=accept chain=input in-interface=bridge2 place-before=0 ← Firewall in bridge2
/ip dhcp-relay add interface=bridge2 dhcp-server=<DHCP SERVER #2> disabled=no ← DHCP Relay bridge2 <DHCP SERVER #2>

/interface bridge port set [find interface=ether3] bridge=bridge2 <----MOVE ETHERNET PORT 3 INTO BRIDGE 2
/interface bridge port set [find interface=ether4] bridge=bridge2 <----MOVE ETHERNET PORT 4 INTO BRIDGE 2
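Scenario 1 as one RouterOS v7 terminal script, added here as an example and not taken from the post: it keeps the post's bridge, relay and firewall steps, but narrows the management-network input rules from "accept everything" to replies plus SSH/WinBox, and ends with print commands to verify the result. The placeholders <ZT-MGMT-ID> and <ZT-LAN-ID>, the name ether1 for the LAN uplink the post calls WAN, and 192.168.1.1 as the LAN's existing DHCP server are assumptions.

```routeros
# Management-only ZeroTier network (authorize the member in ZT Central, no bridging).
/zerotier enable zt1
/zerotier interface add instance=zt1 network=<ZT-MGMT-ID> allow-managed=yes

# Second ZeroTier network to be bridged into LAN 1
# (authorize the member AND enable "Allow Ethernet Bridging" in ZT Central).
/zerotier interface add instance=zt1 network=<ZT-LAN-ID> allow-managed=yes

# Management input rules. Each is inserted at position 0, so they are added in
# reverse of the order they should match: drop first, then the two accepts.
# Result on the router: established/related -> ssh+winbox -> drop.
/ip firewall filter add chain=input in-interface=zerotier1 action=drop \
    place-before=0 comment="zt mgmt: drop everything else"
/ip firewall filter add chain=input in-interface=zerotier1 protocol=tcp \
    dst-port=22,8291 action=accept place-before=0 comment="zt mgmt: ssh + winbox"
/ip firewall filter add chain=input in-interface=zerotier1 \
    connection-state=established,related action=accept place-before=0 \
    comment="zt mgmt: replies"

# LAN 1 bridge: uplink, spare port and the bridged ZT interface form one L2
# segment, so ZT members reach 192.168.1.0/24 hosts as if plugged in locally.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1 trusted=yes
/interface bridge port add bridge=bridge1 interface=zerotier2 trusted=yes
# ether2 is already a port of the default bridge on a stock config, so move it
# rather than adding it a second time (as the post does).
/interface bridge port set [find interface=ether2] bridge=bridge1
/ip firewall filter add chain=forward in-interface=bridge1 action=accept place-before=0
/ip firewall filter add chain=input in-interface=bridge1 action=accept place-before=0
/ip dhcp-relay add name=relay1 interface=bridge1 dhcp-server=192.168.1.1 disabled=no

# Checks: both ZT interfaces present, bridge1 has three ports, and the new
# input rules sit above the default "drop all not coming from LAN" rule.
/zerotier interface print
/interface bridge port print where bridge=bridge1
/ip firewall filter print where chain=input
```

Apply the management-network section first and confirm you can still reach the router over zerotier1 before bridging anything; the bridged network exposes the whole LAN to every authorized ZT member, so authorize those members individually in ZT Central.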