Access network behind other router from wifi network

Hi,

I love the possibilities RouterOS offers me. Its flexibility is unparalleled, but unfortunately that also makes some things for new users complicated. I have the following setup:

Internet → Mikrotik → Fritz → Office
0.0.0.0 → 192.168.88.0/24 → 192.168.88.216 → 192.168.188.0/24

When I am connected through WiFi, and have an IP address from the 192.168.88.0/24 block assigned to me by DHCP, I want to access my computers on the 192.168.188.0/24 network. However, packages do not seem to make it past the Mikrotik router. I have tried many things, but can’t find the right combination of networks, addresses, gateways and routes to make this work. Can someone assist? What is the minimum I need to make this work?

Many thanks in advance!

From Winbox open “New Terminal” and type export.
Copy and paste it here to show us your config of RouterOS

I see there’s a Frittzbox in the game, most likely handling the .192.168.188.0/24 network.
I assume you connected the Fritz via its WAN port to the MikroTik router.
This is normal behaviour of a “home” router like a Fritzbox - they drop traffic coming into the WAN port destined to their LAN.

You’ll have to explicitly allow that.
-Chris

It’s a bit long, but here goes:

# sep/09/2015 18:33:44 by RouterOS 6.27
# software id = TCZM-D364
#
/interface bridge
add name=bridge-iptv
add admin-mac=4C:5E:0C:48:12:8E auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-glasvezel
set [ find default-name=ether5 ] name=ether5-dmz
set [ find default-name=ether7 ] master-port=ether6 name=ether7-slave-local
set [ find default-name=ether8 ] name=ether8-iptv
set [ find default-name=ether9 ] name=ether9-iptv
set [ find default-name=ether10 ] master-port=ether6 name=ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=netherlands disabled=no distance=indoors frequency=auto l2mtu=2290 mode=ap-bridge ssid=NWC wireless-protocol=\
    802.11
/ip neighbor discovery
set ether1-glasvezel discover=no
/interface vlan
add interface=ether1-glasvezel l2mtu=1594 name=vlan-xs4all-inet vlan-id=6
add interface=ether1-glasvezel l2mtu=1594 name=vlan1.4 vlan-id=4
/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 disabled=no interface=vlan-xs4all-inet keepalive-timeout=disabled max-mru=1492 max-mtu=1492 name=pppoe-xs4all-inet use-peer-dns=yes user=fb7360@xs4all.nl
/ip neighbor discovery
set vlan-xs4all-inet discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa-pre-shared-key=*DELETED* wpa2-pre-shared-key=*DELETED*
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5-dmz
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-iptv interface=vlan1.4
add bridge=bridge-iptv interface=ether9-iptv
add bridge=bridge-iptv interface=ether8-iptv
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-glasvezel
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
add address=192.168.188.0/24 gateway=192.168.88.216
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
add address=192.168.188.21 name=silvertown
add address=192.168.188.21 name=silvertown.webconquest.com
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-glasvezel
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-glasvezel
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input disabled=yes in-interface=pppoe-xs4all-inet
add action=drop chain=input disabled=yes in-interface=vlan-xs4all-inet
add action=drop chain=input disabled=yes in-interface=ether1-glasvezel
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-glasvezel
add action=masquerade chain=srcnat out-interface=pppoe-xs4all-inet
add action=masquerade chain=srcnat out-interface=ether1-glasvezel
add action=dst-nat chain=dstnat dst-address=83.162.247.54 in-interface=pppoe-xs4all-inet to-addresses=192.168.88.216
/ip route
add distance=1 dst-address=192.168.188.0/24 gateway=192.168.88.216
/lcd interface pages
set 0 interfaces=sfp1,ether1-glasvezel,ether2,ether3,ether4,ether5-dmz,ether6,ether7-slave-local,ether8-iptv,ether9-iptv,ether10-slave-local
/system clock
set time-zone-name=Europe/Amsterdam
/system ntp client
set enabled=yes primary-ntp=194.109.22.18
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5-dmz
add interface=ether6
add interface=ether7-slave-local
add interface=ether8-iptv
add interface=ether9-iptv
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5-dmz
add interface=ether6
add interface=ether7-slave-local
add interface=ether8-iptv
add interface=ether9-iptv
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local

My internet connection comes in on ether1, the fritz box is on ether5, and I use ether8 and ether9 for IPTV.

Thanks, I’ll have to look into that. My Fritzbox is a 7490, but I seem unable to find such a setting. The Fritz does note the following on the internet connection setting:

Internet service provider: [Existing connection over LAN]

You can use the FRITZ!Box at an already existing Internet access. For this the FRITZ!Box is not connected to the DSL line, but to the router or network.
Attention:

[] Connect the “LAN 1” port on the FRITZ!Box with the router or network using the network cable.
[] The FRITZ!Box now functions as a router itself and provides a network with its own network address range.

This seems ok to me.

Furthermore, Fritz is aware of its situation:

Note:

The IPv4 address assigned by the Internet service provider is not a publicly accessible IP address. This means that settings to permit access to the IPv4 services of the FRITZ!Box and to your IPv4 home network will probably not work. See the Help for more information.

This is about all I can find on it. Would my situation be easier with a 2nd RouterOS box instead of the Fritz? I use the Fritz for its internet telephony options.

As alternative, would it work to stop the DHCP server on the Fritz, and instead have the Mikrotik router assign IP’s in the same 192.168.88.0 range? If yes, is any change in settings on the Mikrotik router needed?

Hi,

If your fritz is NATing traffic, you should disable nat. Then you should create routes between networks, so IP of fritz would be your gateway for 192.168.188.0 network. Default route on fritz should point to IP of Mikrotik’s IP and you should be good to go( assuming you configured access on fritz for hosts from 192.168.88.0 network).
Additional note:
Like Chris said, if your fritz is connected via WAN port, its expected behavior. All traffic from MT’s net is treated as WAN/public traffic, and firewall does not allow that straight to your private network ( LAN ports on fritz). You can do it like i said above( if you need separate network), or you can configure fritz in bridge mode, so all your devices will be in same network, MT will handle all, and fritz will be pretty much hub.