Cell modem on separate subnet

Hey guys,
I have a cell modem that uses a sim card to provide a WAN connection for remote locations. The modems have a web client that can be reached by going to the device’s IP and adding a port.

I am trying to get onto this web client using my desktop computer, but I can’t seem to get it to go through.

Our office runs on a 192.168.30.0/24
My computer 192.168.30.220
Mikrotik ac lite @ 192.168.30.221

Cell router runs on a 192.168.0.0/24
webclient is found @ 192.168.0.1:10000

I am able to connect to the cell modem directly, change my desktop’s IP to 192.168.0.4 and then am able to connect to the web client. But I would like to have the cell router plugged into my mikrotik that sits at my desk and have that route the traffic to my computer’s subnet.

I am not able to ping the cell modem from my PC.
When I try to ping from MikroTik, it looks like it is pinging ether1? I don’t know. I am lost.

I have looked through these forums and cannot for the life of me figure this out. I need to be able to access that web client. Any advice?

This is my current configuration. It does not work.
[admin@Logan's Router] > /export
# feb/28/2018 14:55:39 by RouterOS 6.33.5
# software id = MFE1-LJ0X
#
/interface bridge
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=LAN interface=ether1
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
/ip address
add address=192.168.30.221/24 interface=LAN network=192.168.30.0
add address=192.168.0.1/24 interface=LAN network=192.168.0.0
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.30.1 src-address=\
    192.168.0.1
add action=masquerade chain=srcnat dst-address=192.168.0.1 src-address=\
    192.168.30.1
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=LAN
add distance=1 dst-address=192.168.30.0/24 gateway=LAN
/system clock
set time-zone-name=America/Denver
/system identity
set name="Logan's Router"
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled

I was able to ping the device off of RouterOS but I am still not able to reach it from my PC.
My firewall is completely off in all zones.

Someone in the office mentioned that I just need to create a NAT rule, but I have tried creating masquerade rules from the one subnet to the other but with no luck.

As far as gateways, my PC and Mikrotik have a default gateway of 192.168.30.1, which is where our main router is.
The cell modem has a gateway of 192.168.0.1

Is there anything I can provide to help get an answer?

You added 192.168.0.1 (you wrote it’s the cell modem’s address) also to RB as its own address. That’s wrong, you need to assign RB another address from the same address range.

The way you do it (giving RB addresses from both IP segments and adding appropriate routes) you shouldn’t need any NAT to access cell modem from your office PC. After you fix the addressing that is.

By this do you mean that I need to change the RouterBoard’s IP address? Like where do I have a duplicate IP?

It seems that RB has two IP addresses assigned: 192.168.30.221 and 192.168.0.1 … and for the latter you wrote that should be the cell modem’s address. Check the RB’s addresses and if it really is that way, change the latter to some other, unused, address from range 192.168.0.x

192.168.0.1/24 interface=LAN network=192.168.0.0
webclient is found @ 192.168.0.1:10000

I changed the 192.168.0.1 in the address list to 192.168.0.221. This didn’t change anything.
Is that what you meant? I can still ping the cell modem from RouterOS as well as ping my desktop, but I can’t ping from my desktop to the cell modem

I’m such a beginner at this, so I’m sorry. Thank you for your help.

The whole LAN architecture is not clear to me … is your RB used as default GW for your office PCs, while cell modem knows nothing about it? If that’s the case, you need the second srcnat rule… so that your whole office LAN will appear to the cell modem as if originating from your RB’s address 192.168.0.x. In this case connecting to cell modem from office LAN should work unless you have some special FW rules on RB.

Actually your masquerade config is not right either. You need to masq whole subnet, not only RB’s own address:

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.30.0/24 dst-address=192.168.0.221

Sorry, here is a picture of my setup. I hope this helps. I am trying to go from my desktop to the cellular modem through the routerboard, which is separate from our main router.

Also, here is what I updated

[admin@Logan's Router] > /export
# mar/01/2018 13:20:54 by RouterOS 6.33.5
# software id = MFE1-LJ0X
#
/interface bridge
add name="DORSETT LAN"
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/queue simple
add max-limit=500M/500M name=Local packet-marks=Local target=192.168.0.0/16
/interface bridge port
add bridge="DORSETT LAN" interface=ether1
add bridge="DORSETT LAN" interface=ether2
add bridge="DORSETT LAN" interface=ether3
add bridge="DORSETT LAN" interface=ether4
add bridge="DORSETT LAN" interface=ether5
/ip settings
set accept-redirects=yes accept-source-route=yes
/ip address
add address=192.168.30.221/24 comment="Dorsett LAN" interface="DORSETT LAN" \
    network=192.168.30.0
add address=192.168.0.221/24 interface="DORSETT LAN" network=192.168.0.0
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat dst-address=192.168.30.1 src-address=\
    192.168.0.1
add action=masquerade chain=srcnat dst-address=192.168.0.1 src-address=\
    192.168.30.1
add action=masquerade chain=srcnat dst-address=192.168.0.221 src-address=\
    192.168.30.0/24
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway="DORSETT LAN"
add distance=1 dst-address=192.168.30.0/24 gateway="DORSETT LAN"
/system clock
set time-zone-name=America/Denver
/system identity
set name="Logan's Router"
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled

Thanks for the drawing, it’s clear to me now.

As I suggested earlier: the AC lite RB needs two IP addresses, e.g. 192.168.30.221 and 192.168.0.221. Then it needs to do srcnat as I wrote in my previous post. That’s the third rule in your export while the first two just create mess. Ah, it’s the fourth (the last), the first one is an empty rule…
If you don’t want to allow the whole 192.168.30.x to access the cell router through this RB, then you can either adapt the srcnat src-address to something more stringent or you can add some firewall rule which would prevent routing packets from not allowed src addresses.

If you don’t have anything about 192.168.0.0/24 configured on main router (indicating your AC lite being gateway between the two IP segments), then you need to add specific route also on your desktop PC. Normally PCs will have set-up two routes: one automatic to own IP segment (e.g. 192.168.30.0/24 via NIC) and one default route (e.g. 0.0.0.0/0 via gw 192.168.30.1). To make connection between PC and cell router, either main router or PC itself needs to have set-up explicit route to 192.168.0.0/24 via gw 192.168.30.221.

You’ve been a lifesaver.
I now currently have one masq rule of
src-192.168.30.0/24
dst-192.168.0.221

I added a route to my desktop using the command
route add 192.168.0.0/24 MASK 255.255.255.255 192.168.0.221

but I still can’t ping. I can still ping from the RB though.

I think it’s now just setting up routing? I have the following routes on the RB

/ip route
add distance=1 dst-address=192.168.0.0/24 gateway="DORSETT LAN"
add distance=1 dst-address=192.168.30.0/24 gateway="DORSETT LAN"

But I have a sneaking feeling that those are not right at all.

Once again, my updated export:

[admin@Logan's Router] > /export
# mar/01/2018 14:02:31 by RouterOS 6.33.5
# software id = MFE1-LJ0X

/interface bridge
add name="DORSETT LAN"
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/queue simple
add max-limit=500M/500M name=Local packet-marks=Local target=192.168.0.0/16
/interface bridge port
add bridge="DORSETT LAN" interface=ether1
add bridge="DORSETT LAN" interface=ether2
add bridge="DORSETT LAN" interface=ether3
add bridge="DORSETT LAN" interface=ether4
add bridge="DORSETT LAN" interface=ether5
/ip settings
set accept-redirects=yes accept-source-route=yes
/ip address
add address=192.168.30.221/24 comment="Dorsett LAN" interface="DORSETT LAN" \
    network=192.168.30.0
add address=192.168.0.221/24 comment="Cell LAN" interface="DORSETT LAN" \
    network=192.168.0.0
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.0.221 src-address=\
    192.168.30.0/24
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway="DORSETT LAN"
add distance=1 dst-address=192.168.30.0/24 gateway="DORSETT LAN"
/system clock
set time-zone-name=America/Denver
/system identity
set name="Logan's Router"
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled

I can’t find anything wrong in the router setup. Those two routes seem funny but I guess they are fine though. The funny part comes from the fact that both addresses (and hence routes) are bound to same logical interface (bridge in your case) while more common setup is to have split logical interfaces for different addresses … at least different VLAN interfaces if not even different physical interfaces. Again, I guess this should be fine though.

Regarding route on your desktop PC: the line you showed here doesn’t seem right. Under linux, the command to define the needed route would look something like

route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.30.221

so: netmask has to be correct (24 bits) and gw address needs to be otherwise accessible by the PC and that’s the AC lite’s address from the office LAN side, not the other one.
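
Added example, not part of the original thread: a small Python model of the desktop's routing table that checks a static route for the two conditions named above (the mask must cover the target, and the gateway must be on-link for the PC) and shows which next hop the PC ends up using. The function names and table layout are assumptions made for this illustration; the addresses are the ones given in the thread.

```python
import ipaddress

# Constructed from the thread: the PC's address and its two usual routes.
PC_IFACE = ipaddress.ip_interface("192.168.30.220/24")
BASE_ROUTES = [
    (PC_IFACE.network, None),                             # connected, on-link
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.30.1"),  # default via main router
]


def route_problems(dest, mask, gateway, target):
    """List what is wrong with a static route that is meant to reach `target`."""
    try:
        net = ipaddress.ip_network(f"{dest}/{mask}")
    except ValueError as exc:
        return [f"invalid destination/mask: {exc}"]
    problems = []
    if ipaddress.ip_address(target) not in net:
        problems.append(f"{net} does not cover {target}")
    if ipaddress.ip_address(gateway) not in PC_IFACE.network:
        problems.append(f"gateway {gateway} is not on-link in {PC_IFACE.network}")
    return problems


def next_hop(target, extra_routes=()):
    """Longest-prefix match over the PC's routes; returns the gateway used."""
    addr = ipaddress.ip_address(target)
    table = BASE_ROUTES + [(ipaddress.ip_network(n), gw) for n, gw in extra_routes]
    matches = [(net, gw) for net, gw in table if addr in net]
    _, gw = max(matches, key=lambda r: r[0].prefixlen)
    return gw if gw is not None else "on-link"


if __name__ == "__main__":
    modem = "192.168.0.1"
    # The route as first typed on the desktop: /32 mask, gateway on the far subnet.
    print(route_problems("192.168.0.0", "255.255.255.255", "192.168.0.221", modem))
    # The route as corrected in the reply: /24 mask, gateway on the office LAN.
    print(route_problems("192.168.0.0", "255.255.255.0", "192.168.30.221", modem))
    # Without a usable route the modem's subnet falls through to the default gateway.
    print(next_hop(modem))
    print(next_hop(modem, [("192.168.0.0/24", "192.168.30.221")]))
```

On a Windows desktop the corrected route has the form `route add 192.168.0.0 MASK 255.255.255.0 192.168.30.221`.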

Awesome. I really appreciate the help.

I couldn’t get it to work in that configuration, so I went and switched over to using two bridges. One for the Cell and one for the office lan. I was able to ping after that, which is awesome.

Because I set it up that way, I won’t be able to plug the cell modem into just any port, which is kind of a bummer, but at least this way I don’t have to go in and change my subnet on my desktop.

So thanks again!