Access Client on another subnet

I have two WAN interfaces and one LAN interface.

A PC on the LAN interface needs to be accessible from PCs on the WAN. The network on this WAN interface is a complete network of PCs, not just an internet connection.

The IP that needs to be accessible is 192.168.2.52 and must be accessible from 192.168.1.0/24

Hopefully someone can help.

Here is my export

# mar/13/2014 18:07:59 by RouterOS 6.9
# software id = 8I1D-X0J9
#


# Bridge that carries the wired LAN port and the wireless AP
# (the member ports are added under /interface bridge port).
/interface bridge
add l2mtu=1598 name=BRIDGE

# wlan1 runs as an access point (mode=ap-bridge) on 2.4 GHz with SSID "Macaulay".
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-ht-above country="south africa" disabled=no distance=indoors \
    l2mtu=2290 mode=ap-bridge ssid=Macaulay wireless-protocol=802.11

# ether1 and ether2 are renamed to the two uplinks, ether3 to the LAN port;
# ether4 and ether5 are disabled.
/interface ethernet
set [ find default-name=ether1 ] name=ISP1
set [ find default-name=ether2 ] name=ISP2
set [ find default-name=ether3 ] name=LAN
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes

# Default security profile: WPA and WPA2 pre-shared-key authentication, with both
# TKIP and AES-CCM accepted for unicast and group traffic. The keys were masked
# by the poster.
# NOTE(review): WPA/TKIP is the weaker of the options enabled here; if every
# client supports it, wpa2-psk with aes-ccm only is the tighter setting.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=****** wpa2-pre-shared-key=*******

# Timeouts on the default hotspot user profile.
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
# DHCP lease range for the LAN. The file server the thread is about (192.168.2.52)
# sits outside this range.
/ip pool
add name=dhcp_pool1 ranges=192.168.2.100-192.168.2.254

# DHCP server on the bridge, handing out addresses from dhcp_pool1.
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=BRIDGE name=dhcp1

# Wired LAN port and the wireless AP share one layer-2 segment.
/interface bridge port
add bridge=BRIDGE interface=LAN
add bridge=BRIDGE interface=wlan1

# Router addresses: 192.168.2.1 on the LAN bridge, 192.168.1.21 on ISP2,
# 192.168.3.11 on ISP1. All three networks are directly connected.
/ip address
add address=192.168.2.1/24 interface=BRIDGE network=192.168.2.0
add address=192.168.1.21/24 interface=ISP2 network=192.168.1.0
add address=192.168.3.11/24 interface=ISP1 network=192.168.3.0

# DHCP clients get the router as both gateway and DNS server.
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1

# The router answers DNS queries itself (the DHCP network hands out 192.168.2.1
# as DNS server) and forwards them to 8.8.8.8.
# NOTE(review): allow-remote-requests=yes is not limited to one interface, and no
# /ip firewall filter section appears in this export, so hosts on the ISP1 and
# ISP2 networks can presumably query the resolver too. An input-chain filter rule
# that accepts DNS only from the BRIDGE side would close that.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8

# Policy routing for two uplinks: connections are marked per uplink, then the
# mark selects a routing table (to_ISP1 / to_ISP2).
/ip firewall mangle
# No action= is given, so these two rules use the default action (accept): LAN
# traffic to the directly connected 192.168.3.0/24 and 192.168.1.0/24 networks
# leaves the chain here and is not marked by the rules below.
add chain=prerouting dst-address=192.168.3.0/24 in-interface=BRIDGE
add chain=prerouting dst-address=192.168.1.0/24 in-interface=BRIDGE
# New connections arriving on an uplink are tagged with that uplink.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ISP2 new-connection-mark=ISP2_conn
# New outbound LAN connections: classifier bucket 0 of 2 (keyed on source and
# destination address) is assigned to ISP1. This first copy has no matching
# 2/1 rule for ISP2; the repeated copy below does.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=BRIDGE new-connection-mark=ISP1_conn \
    per-connection-classifier=both-addresses:2/0
# LAN packets of a marked connection are routed via the matching table.
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
    in-interface=BRIDGE new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
    in-interface=BRIDGE new-routing-mark=to_ISP2
# Same for packets the router itself sends on a marked connection.
add action=mark-routing chain=output connection-mark=ISP1_conn \
    new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn \
    new-routing-mark=to_ISP2
# From here the rule set is repeated (the duplication the first reply asks
# about), this time with both classifier buckets present.
add chain=prerouting dst-address=192.168.3.0/24 in-interface=BRIDGE
add chain=prerouting dst-address=192.168.1.0/24 in-interface=BRIDGE
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ISP2 new-connection-mark=ISP2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=BRIDGE new-connection-mark=ISP1_conn \
    per-connection-classifier=both-addresses:2/0
# Bucket 1 of 2 goes to ISP2.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=BRIDGE new-connection-mark=ISP2_conn \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
    in-interface=BRIDGE new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
    in-interface=BRIDGE new-routing-mark=to_ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn \
    new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn \
    new-routing-mark=to_ISP2

# Source NAT: everything leaving through ISP1 or ISP2 is rewritten to the
# router's own address on that interface, so hosts on 192.168.1.0/24 and
# 192.168.3.0/24 only ever see 192.168.1.21 / 192.168.3.11, never a
# 192.168.2.x address. Each rule appears twice. No dstnat rule is present.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2

# Default routes (no dst-address given). check-gateway=ping takes a route out
# of use when its gateway stops answering. Every route appears twice.
/ip route
# Routing tables selected by the mangle routing marks.
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ISP2
# Unmarked traffic: 192.168.3.1 is preferred (distance=1), 192.168.1.1 is the
# fallback (distance=2).
add check-gateway=ping distance=1 gateway=192.168.3.1
add check-gateway=ping distance=1 gateway=192.168.3.1
add check-gateway=ping distance=2 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.1.1

# UPnP clients are not allowed to disable the external interface.
/ip upnp
set allow-disable-external-interface=no

/system clock
set time-zone-name=Africa/Johannesburg

# LED entry 0 is tied to the wireless interface.
/system leds
set 0 interface=wlan1

# Time is synchronised from a single NTP server.
/system ntp client
set enabled=yes primary-ntp=159.148.60.2

# Second copy of the mangle, nat and route sections already shown above in the
# export. In this copy the trailing "\" line continuations have been lost, so
# the multi-line rules are split across lines and cannot be pasted back into a
# terminal as they stand; use the first copy as the reference.
/ip firewall mangle
add chain=prerouting dst-address=192.168.3.0/24 in-interface=BRIDGE
add chain=prerouting dst-address=192.168.1.0/24 in-interface=BRIDGE
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=ISP2 new-connection-mark=ISP2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=BRIDGE new-connection-mark=ISP1_conn
per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting connection-mark=ISP1_conn
in-interface=BRIDGE new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2_conn
in-interface=BRIDGE new-routing-mark=to_ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn
new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn
new-routing-mark=to_ISP2
add chain=prerouting dst-address=192.168.3.0/24 in-interface=BRIDGE
add chain=prerouting dst-address=192.168.1.0/24 in-interface=BRIDGE
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=ISP2 new-connection-mark=ISP2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=BRIDGE new-connection-mark=ISP1_conn
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=BRIDGE new-connection-mark=ISP2_conn
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn
in-interface=BRIDGE new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2_conn
in-interface=BRIDGE new-routing-mark=to_ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn
new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn
new-routing-mark=to_ISP2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2

/ip route
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=192.168.3.1
add check-gateway=ping distance=1 gateway=192.168.3.1
add check-gateway=ping distance=2 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.1.1

Why is everything duplicated?
Remove all the duplicated items in your configuration.

Now I continue to check the script…

…The IP that needs to be accessible is 192.168.2.52 and must be accessible from 192.168.1.0/24…

But 192.168.2.52 is a private IP, so you must add a route on each of the PCs,
like: 192.168.2.52 reachable via 192.168.1.21,
or on the gateway of the 192.168.1.0/24 network.



…The IP that needs to be accessible is 192.168.2.52…
What exactly do you want to access?
Remote desktop?
Shares?
Web Server?

I have removed the duplicates. Not sure how that happened.

192.168.2.52 is a file server. I would like to add the routes to 192.168.1.1 gateway. That gateway is also a mikrotik router. How would I add those routes so that all pc’s on 192.168.1.0/24 can access it?

Would I also need to add routes from 192.168.2.0/24 back to 192.168.1.0/24?

Thanks for all your help so far. Getting this working would be great!

At this point, I do not know why you need NAT, if everything is on private IPs…

Simply add (on other Router):
# Host route for the file server only: traffic for 192.168.2.52 is handed to
# 192.168.1.21, the address this router holds on its ISP2 interface.
/ip route
add distance=1 dst-address=192.168.2.52/32 gateway=192.168.1.21


or better:
remove all masquerade
and on ISP1 add:
# Route for the whole LAN subnet via 192.168.3.11, the address this router holds
# on its ISP1 interface. Presumably meant for the gateway router of the
# 192.168.3.0/24 network; confirm which device "ISP1" refers to.
/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.3.11

and on ISP2 add:
# Route for the whole LAN subnet via 192.168.1.21, the address this router holds
# on its ISP2 interface. Unlike the /32 route above, this makes every
# 192.168.2.x host routable from 192.168.1.0/24, not only the file server.
/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.1.21

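The networks are then fully browsable without NAT. The export shows no /ip firewall filter rules, so with these routes every host on 192.168.2.0/24, not only the file server, is reachable from both other networks; forward-chain filter rules that allow only what the file server needs would limit that.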



