Can't access real address from fake address in the same NIC.

Hello,
I have an MT 2.9.7 box with 2 NICs.
The first NIC (public) is connected to my ISP by LAN and the second
NIC is connected to my private network. My ISP gives me real
address space xxx.14.7.0/24 and I route them at the second NIC (private).
At the second (private) NIC I have one more network, with fake addresses 192.168.0.0/24.
In this situation I can’t see the real address space at the second NIC
from a fake IP address on this NIC.
From the Internet I can see my real space at the private network.
My fake address can access the Internet but can’t access a real address at the second (private) NIC.
What can I do to resolve this problem?
Thanks in advance.

Try using a bridge… Tell more about what you want to do…

Hm…
Can you explain this a little bit more?
I don’t understand the meaning of
"In this situation I can’t see real address space at second NIC
from fake ip address in this NIC.
From Internet I can see my real space at private network.
My Fake address can access Internet but can’t access real address at second (private) NIC."

Cheers…

Ok … Sorry for my English … but … I’ll try to explain :)

Ether1:

  • xxx.17.16.2/31

Ether2:

  • xxx.17.7.1/24
  • 192.168.0.1/24

Rule at firewall nat:
/ip firewall nat add chain=srcnat src-address=192.168.0.2 action=masquerade comment="" disabled=no

I have default gw xxx.17.16.1 through Ether1.
xxx.17.16.1 is a Cisco router and routes address space xxx.17.7.0/24 to
xxx.17.16.2. If I use some address from my real address space
(e.g. xxx.17.7.2 with gateway xxx.17.7.1 and mask 255.255.255.0)
everything works well. I have Internet and access to other users that use addresses from the xxx.17.7.0/24 network.
If I take an address from the 192.168.0.0/24 network (e.g. 192.168.0.2 with
gateway 192.168.0.1 and mask 255.255.255.0) I have full access to the Internet and to other users that use addresses from 192.168.0.0/24, but have no access to users who use addresses from xxx.17.7.0/24 except xxx.17.7.1 (because it’s an IP in my MT box).

Thanks for answers.

The problem is that you use masquerade.
Which means that all IPs from the 192.168.0.0/24 network will use the gateway’s IP address.
What you need to do is to configure src-nat and dst-nat.
Assume that your PC’s address is 192.168.0.5/32 and you want to access it from the Internet.
Go to ip firewall nat and place the following rule on top of masquerade:

add chain=srcnat src-address=192.168.0.5/32 action=src-nat to-addresses=xxx.17.7.x/32 to-ports=0-65535

Then do dst-nat:

add chain=dstnat dst-address=xxx.17.7.x/32 action=dst-nat to-addresses=192.168.0.5/32 to-ports=0-65535

This should be done for each address (PC) that you want to access from the Internet, where x will be one of the addresses assigned to you by the ISP.

All others will go through masquerade!

Cheers…

Mmm no. :( This is not what I need.
I want to make a connection between users with fake IP addresses and users
with real addresses. I don’t want to access fake IPs from the Internet and this
is the reason that I don’t use dstnat and people use fake IPs.
But when I make a server (e.g. a web server) with a real IP address to access
it from the Internet, I can’t access this server from a fake IP address.

Maybe I’ll try to make my question simple.

Ether2:

  • 192.168.0.1/24
  • xxx.17.7.1/24

How do I make a connection from users with IP 192.168.0.2-254 to the server with IP xxx.17.7.2?

Well, it seems your ip route configuration needs to be checked. Look in there and you’ll solve the problem…

Try specifying the output interface, and see what happens.

Good point. I totally forgot that…