Access to a device with a different IP address than main router through VPN

So, I’m having a situation that I try to solve remotely for a friend. They have a vacation house with a Mikrotik router that is connecting to the internet through the mobile network using a Huawei 4G modem on eth1. On eth2 there are two SXTsq 5 AC in bridge mode to another Mikrotik at the neighbour. Almost everything works fine except for the fact that the antennas in bridge mode have IP addresses set to 192.168.95.1 and 192.168.96.1 and the main network is on 192.168.80.0/24. I would like to put everything on the same network. This Mikrotik from the vacation house connects remotely to his home Mikrotik so they can access the home and vacation local networks from both sides as needed.

I tried to add addresses 192.168.95.0/24 and 192.168.96.0/24 to eth2 on the remote device and set routes to those addresses through the VPN on the home router. Whatever I do, I cannot access devices on 192.168.95.1 or 96.1 through the VPN. IP/Neighbors on 192.168.80.1 can see the device on 192.168.95.1 and I can also ping both antennas from that Mikrotik. Whatever I tried to do from this side of the VPN, like ping 192.168.95.1, doesn’t work.

Any ideas how to reach those antennas remotely, or what am I doing wrong?



# model = RB962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add admin-mac=08:55:31:28:7A:5B auto-mac=no comment=defconf name=bridge
/interface l2tp-client
add connect-to=*sn.mynetname.net disabled=no name=* use-ipsec=\
    yes user=*
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=slovenia disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=Mikro2G station-roaming=enabled \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    country=slovenia disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=Mikro5G station-roaming=enabled \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.80.10-192.168.80.100
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=23m59s name=defconf
/ppp profile
add name=L2TP_DOMA_profil
add name=Dani
/interface l2tp-client
add connect-to=*.sn.mynetname.net disabled=no name=L2TP_DOMA \
    profile=L2TP_DOMA_profil use-ipsec=yes user=*
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=tv
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=L2TP_DOMA list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.80.1/24 comment=defconf interface=bridge network=\
    192.168.80.0
add address=192.168.95.253/24 interface=ether2 network=192.168.95.0
add address=192.168.96.253/24 interface=ether2 network=192.168.96.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.80.251 client-id=1:b0:2:47:f1:ad:8b comment=\
    "Fixing IP for TVBox " mac-address=B0:02:47:F1:AD:8B server=defconf
add address=192.168.80.249 comment="Fixing IP for neighbour TVBox" \
    mac-address=B0:02:47:F2:82:03 server=defconf
add address=192.168.80.101 comment="Mikrotik" disabled=yes mac-address=\
    08:55:31:28:7C:C6
/ip dhcp-server network
add address=192.168.80.0/24 comment=defconf gateway=192.168.80.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.80.1 comment=defconf name=router.lan
/ip firewall address-list
add address=* list=tv
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Accept_Winbox dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=tv new-routing-mark=\
    tv src-address=192.168.80.251 src-address-list=""
add action=mark-routing chain=prerouting dst-address-list=tv new-routing-mark=\
    tv src-address=192.168.80.249 src-address-list=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=all-ppp
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=L2TP_DOMA pref-src=\
    0.0.0.0 routing-table=tv scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.88.1/32 gateway=L2TP_DOMA routing-table=\
    main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=MikroTik_MainApt
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Take a shortcut, don’t do anything with routing and just use NAT. For example, if target device has web administration on standard port 80, do:

/ip firewall nat
add chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.95.1
add chain=srcnat dst-address=192.168.95.1 action=masquerade

Where x.x.x.x is whatever address is accessible via VPN, either some 192.168.80.x, or whatever the VPN clients get. And then instead of connecting to 192.168.95.1, connect to x.x.x.x.

OK, I tried this on the Mikrotik that has the antenna connected to ether2

/ip firewall nat
add chain=dstnat dst-address=192.168.80.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.95.1
add chain=srcnat dst-address=192.168.95.1 action=masquerade

but nothing changes. The only difference is that masquerade makes ping work, but if I do a port scan I get nothing on 95.1.

Also, an interesting thing is that I can ping the addresses I created on the ether2 interface (the one that has the antenna on 95.1) on the remote Mikrotik from my home router via VPN. So address 192.168.95.253 responds to ping normally if I initiate the ping from my home Mikrotik or computer. But still no response from 95.1.

If I do an IP scan on the remote Mikrotik I can see the IP and MAC address of the antennas without problem.

Really strange problem. Could the antennas block all requests if they were not set up as they should be?

IP scan shows this:

[daniel@MikroTik_MainApt] /tool> ip-scan
Columns: ADDRESS, MAC-ADDRESS, TIME, DNS
ADDRESS         MAC-ADDRESS        TIME   DNS               
192.168.80.89   E8:DB:84:B9:DA:42  1ms                      
192.168.80.87   8C:AA:B5:FD:62:E9  4ms                      
192.168.80.88   E8:DB:84:BA:0F:02  9ms                      
192.168.8.144   8C:AA:B5:FD:23:8C         ESP_FD238C.       
192.168.8.1     E0:40:07:7F:2B:A1  2ms    homerouter.cpe.   
192.168.8.102                      2ms    MikroTik_MainApt. 
192.168.80.1                       0ms    router.lan.       
192.168.80.101  08:55:31:28:7C:C7  1ms                      
192.168.8.121   84:7A:B6:11:44:55  102ms  84-7A-B6-11-44-55.
192.168.8.152   10:D5:61:D5:A3:E9  200ms  wlan0.            
192.168.8.162   84:E3:42:18:F1:55  98ms   wlan0.            

[daniel@MikroTik_MainApt] /tool> ip-scan address-range=192.168.95.0/24
Columns: ADDRESS, MAC-ADDRESS, TIME
ADDRESS         MAC-ADDRESS        TIME
192.168.95.1    08:55:31:D1:8C:3D  0ms 
192.168.95.253                     4ms 

[daniel@MikroTik_MainApt] /tool> ip-scan address-range=192.168.96.0/24
Columns: ADDRESS, MAC-ADDRESS, TIME
ADDRESS         MAC-ADDRESS        TIME
192.168.96.1    08:55:31:D1:8A:72  1ms 
192.168.96.253                     0ms

If you did this and it made the ping from you to .95.1 work (which didn’t before), it suggests that .95.1 has some other gateway than 192.168.95.253, or no gateway at all. It also shows that routing over VPN is fine (most likely) and you should be able to access .95.1 directly, without any dstnat (you need to keep srcnat for now). If it doesn’t work, you can try to connect from router. Open Terminal and use either telnet, SSH or MAC telnet to get in.
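The reasoning in the two replies above (the NAT shortcut and "masquerade making ping work means .95.1 has no usable gateway") can be checked with a small simulation. This is an added example written for this thread, not code from the forum or from MikroTik: it models the vacation router's routing table from the export (192.168.80.0/24 on the bridge, 192.168.95.0/24 and 192.168.96.0/24 on ether2, the static /32 route to 192.168.88.1 via L2TP_DOMA) and pushes one packet through dstnat, the routing decision and srcnat in that order, then asks whether the antenna has a route back to the source it saw. The home router address 192.168.88.1 is taken from that static route, the tunnel-side address is a placeholder, and the antenna's routing tables (connected subnet only, or connected subnet plus a default route to .253) are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model of the thread's topology (not exported from any device):
#   home MikroTik 192.168.88.1  <-- L2TP_DOMA -->  vacation MikroTik
#   vacation MikroTik: bridge 192.168.80.1/24, ether2 192.168.95.253/24 + 192.168.96.253/24
#   SXT antenna 192.168.95.1/24 behind ether2, with or without a default gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


# Routing tables as (prefix, (out-interface, address used on that interface)).
VACATION_ROUTES = [
    ("192.168.80.0/24", ("bridge", "192.168.80.1")),
    ("192.168.95.0/24", ("ether2", "192.168.95.253")),
    ("192.168.96.0/24", ("ether2", "192.168.96.253")),
    # static route from the export; the tunnel-side address is a placeholder
    ("192.168.88.1/32", ("L2TP_DOMA", "L2TP-LOCAL-ADDRESS")),
]
# Assumed antenna tables: the antenna knows only its own subnet ...
ANTENNA_NO_GATEWAY = [("192.168.95.0/24", ("bridge", "192.168.95.1"))]
# ... or it also has a default route pointing at the vacation router's ether2 address.
ANTENNA_WITH_GATEWAY = ANTENNA_NO_GATEWAY + [("0.0.0.0/0", ("bridge", "192.168.95.253"))]

# The NAT rules as they appear in /ip firewall nat earlier in the thread.
DSTNAT_RULES = [{"chain": "dstnat", "dst-address": "192.168.80.1", "protocol": "tcp",
                 "dst-port": 80, "action": "dst-nat", "to-addresses": "192.168.95.1"}]
SRCNAT_RULES = [{"chain": "srcnat", "dst-address": "192.168.95.1", "action": "masquerade"}]


def lookup(routes, dst):
    """Longest-prefix match; returns (interface, address) or None when nothing matches."""
    target = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if target in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def apply_dstnat(pkt, rules):
    """Rewrite the destination when a dst-nat rule matches the original destination."""
    for r in rules:
        if (pkt.dst, pkt.proto, pkt.dport) == (r["dst-address"], r["protocol"], r["dst-port"]):
            return replace(pkt, dst=r["to-addresses"])
    return pkt


def apply_srcnat(pkt, rules, out_address):
    """masquerade = replace the source with the address of the interface the packet leaves on."""
    for r in rules:
        if pkt.dst == r["dst-address"] and r["action"] == "masquerade":
            return replace(pkt, src=out_address)
    return pkt


def forward(pkt, dstnat_rules, srcnat_rules, antenna_routes):
    """Push one packet through the vacation router and ask whether the antenna can answer it."""
    pkt = apply_dstnat(pkt, dstnat_rules)          # dstnat is applied before the routing decision
    hop = lookup(VACATION_ROUTES, pkt.dst)
    if hop is None or hop[0] != "ether2":          # only packets leaving on ether2 reach the antenna
        return {"delivered": False, "reply_routable": False, "antenna_sees_src": None}
    out_iface, out_address = hop
    pkt = apply_srcnat(pkt, srcnat_rules, out_address)  # srcnat is applied after routing
    # The antenna answers to whatever source it saw; it needs a route for that address.
    reply_hop = lookup(antenna_routes, pkt.src)
    return {"delivered": True,
            "reply_routable": reply_hop is not None,
            "antenna_sees_src": pkt.src}


if __name__ == "__main__":
    home_to_antenna = Packet(src="192.168.88.1", dst="192.168.95.1")
    # 1. Direct access, antenna without gateway: request arrives, the reply has nowhere to go.
    print(forward(home_to_antenna, [], [], ANTENNA_NO_GATEWAY))
    # 2. Same, with the masquerade rule: antenna replies to 192.168.95.253, which is on-link.
    print(forward(home_to_antenna, [], SRCNAT_RULES, ANTENNA_NO_GATEWAY))
    # 3. Antenna with a default gateway: works without any NAT.
    print(forward(home_to_antenna, [], [], ANTENNA_WITH_GATEWAY))
    # 4. The dstnat shortcut: connect to 192.168.80.1:80 and land on the antenna.
    print(forward(Packet(src="192.168.88.1", dst="192.168.80.1"),
                  DSTNAT_RULES, SRCNAT_RULES, ANTENNA_NO_GATEWAY))
```

Case 1 reproduces the original symptom (request delivered, reply unroutable), case 2 shows why the masquerade rule alone is enough for ping, and case 3 shows that a default gateway on the antenna removes the need for srcnat altogether. Note what the masquerade costs on the defending side: the antenna only ever sees 192.168.95.253 as the peer, so its own logs can no longer tell which VPN host talked to it; once the antenna has a proper gateway, dropping the srcnat rule restores that visibility.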

Yes, as soon as I enable masquerade, ping to the address 192.168.95.1 works. But I still cannot connect to that IP, not from a computer, not from Mikrotik’s internal Telnet, MAC Telnet, SSH, nothing works. At the end of the week, my friend will go there and check this directly on site, maybe he can connect there directly. Otherwise a reset will be needed, which is a bit problematic, since he doesn’t really know how to set this up and I don’t think I can configure this remotely.

I have a few VPN connections from my router, many routes set and everything works completely without any problem. This one is really giving me a hard time :)

If I do a port scan on 192.168.95.1 using Advanced Port Scanner I only get this:

Port 20188 (TCP)
Tunnel is ssl: unknown service

and Nmap doesn’t find anything.

And was anyone able to access SXTs at all before, even when connected locally? Because if it doesn’t work from router, which is local for them, it can’t be better if you try anything remotely. But I’d think that whoever configured them would leave something open, to be able to access them. You can try if that one port could be WinBox, SSH, telnet or HTTP(s) web interface.

No, nothing worked. My friend went down there on vacation now and reset both antennas. Then we started from no configuration, added the bridge, ports and a DHCP client on the bridge, set up the wireless bridge, and everything works now without any problem, also from remote. Thank you for all the help.