Access to client without gateway by NAT

Hi everyone…

I have a problem with DST-NAT…
I must access some device through another IP address (192.168.21.215). I must do that because I can’t use a subnet like 192.168.1.X in my LAN.

Does anyone have an idea how I can do this?

When I test on another device, this works when I set the GW, but that’s not what I need:

/ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.21.215 dst-port=80 protocol=tcp to-addresses=192.168.1.212 to-ports=80

My configuration:

/ip address
add address=192.168.13.117/24 interface=ether1 network=192.168.13.0
add address=192.168.21.215 interface=bridge-custom-management network=192.168.21.215
add address=192.168.1.2/24 interface=bridge-fake network=192.168.1.0

/interface bridge port
[...]
add bridge=bridge-fake interface=ether5

/ip route
add distance=1 gateway=192.168.13.1
add distance=1 dst-address=192.168.1.212/32 gateway=bridge-fake


You have to use a self IP from the same subnet that your LAN device has. Without it, there is no way to reply to the traffic from another subnet without a gateway set.

Thanks for the reply, but I’m not sure I understand you. What do you mean by using a self IP? I added the address 192.168.1.2/24 and the MikroTik of course can ping the 192.168.1.212 device.
But when I open 192.168.21.215 I don’t see the website.

Of course you can’t, the web server doesn’t have a gateway to any other subnet.

I meant your IP address must be from the range 192.168.1.0/24 or something smaller but in the same subnet as IP 192.168.1.212, e.g. 192.168.1.0/24, 192.168.1.128/25, 192.168.1.192/26, 192.168.1.208/29.

Just add some srcnat, e.g.:

/ip firewall nat
add chain=srcnat dst-address=192.168.1.212 action=masquerade

And you don’t need the route to 192.168.1.212/32; the automatic connected route comes from 192.168.1.2/24.

I don’t know how it works, but it works! :)
Thanks Sob!

It’s simple NAT, it changes the source address, anything coming to the device looks like it’s from 192.168.1.2, so it’s reachable and the device knows where it can send replies.
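
The packet flow discussed in this thread, as an added example that is not part of any post: a small Python model of the dst-nat rule with and without the srcnat masquerade rule, showing which source address the device sees and whether its reply can get back. The client address 192.168.13.50 and the device's /24 mask are assumptions; the other addresses are from the thread.

```python
import ipaddress

# Addresses from the thread; CLIENT is a constructed sample host on ether1's subnet.
CLIENT = ipaddress.ip_address("192.168.13.50")
PUBLIC = ipaddress.ip_address("192.168.21.215")          # dst-nat dst-address
DEVICE_IF = ipaddress.ip_interface("192.168.1.212/24")   # device, no gateway (/24 assumed)
ROUTER_LAN = ipaddress.ip_address("192.168.1.2")         # router address on bridge-fake


def router_forward(src, dst, masquerade):
    """Apply the thread's dst-nat rule and, optionally, the srcnat masquerade rule."""
    conntrack = {"orig_src": src, "orig_dst": dst}
    if dst == PUBLIC:
        dst = DEVICE_IF.ip      # action=dst-nat to-addresses=192.168.1.212
    if masquerade and dst == DEVICE_IF.ip:
        src = ROUTER_LAN        # action=masquerade: source becomes the out-interface address
    conntrack.update(nat_src=src, nat_dst=dst)
    return src, dst, conntrack


def device_reply(seen_src, gateway=None):
    """Return the next hop the device uses for its reply, or None if it has no route."""
    if seen_src in DEVICE_IF.network:
        return seen_src         # on-link: the device answers directly
    return gateway              # off-link: only possible with a gateway configured


def round_trip(masquerade, device_gateway=None):
    """Simulate one request/reply; return (source seen by device, reply delivered?)."""
    src, dst, ct = router_forward(CLIENT, PUBLIC, masquerade)
    next_hop = device_reply(src, device_gateway)
    if next_hop != ROUTER_LAN:
        return src, False       # the reply never reaches the router
    # The router matches its conntrack entry and reverses both translations.
    reply_src, reply_dst = ct["orig_dst"], ct["orig_src"]
    return src, (reply_src == PUBLIC and reply_dst == CLIENT)


if __name__ == "__main__":
    cases = [("dst-nat only", (False,)),
             ("dst-nat + gateway on device", (False, ROUTER_LAN)),
             ("dst-nat + masquerade", (True,))]
    for label, args in cases:
        seen, ok = round_trip(*args)
        print(f"{label:28} device sees {seen}, reply delivered: {ok}")
```

With masquerade in place the device sees every connection as coming from 192.168.1.2, so the original client address has to be taken from the router's connection tracking or logs rather than from the device.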