Hi!
I need to communicate between two different subnets; the configuration is as per the attached diagram. At the moment, if from a device connected to the Fritz network in class 1 I try to ping a device connected to the hAP ac2 in class 2, I get “host unreachable”. Can I set a firewall rule on the hAP ac2 to make class 2 connected devices accessible?
Thank you.
The problem is that you need to define a route on Fritz to reach subnet 192.168.2.0 through connection to the hAP (to 192.168.1.200).
So you need to check on Fritz how to set a static route to hAP.
Thanks for your reply.
I’ve followed this guide to configure a static route on Fritz to reach the subnet 192.168.2.0 ( https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-3490/581_Configuring-a-static-IP-route-in-the-FRITZ-Box/ ).
However, I still can’t ping the devices on subnetwork 2 from 1. I don’t understand point 2 of the linked guide; how can I set up the MikroTik? Am I missing a NAT rule perhaps? The MikroTik is configured with a route 0.0.0.0/0 pointing to the gateway 192.168.1.1 and with a NAT rule on the srcnat chain with src address 192.168.2.0, out interface ether1 and action=masquerade.
I’m Italian too; if you want we can PM so I can write in Italian, my English is quite limited.
From the MikroTik side, if you used the default config you should be OK, because RouterOS automatically creates routes for connected networks.
So from the MikroTik can you reach the internet through the Fritz? I guess you should be able to, already.
From Fritz you need to make sure that you send the route for destination 192.168.2.0 using as gateway the value 192.168.1.200, the IP that you have assigned to Mikrotik on ETH1.
I’m not sure that this forum allows PM anymore, but if you still have issues you can provide some contact info.
And don’t forget, some OSes (Windows is most prominent) include firewalls which by default block any connection attempt (pings included) from non-native LAN … essentially everything that requires using a router.
The other problem might be firewall on Mikrotik. Default config considers ether1 to be WAN (untrusted) and blocks everything not explicitly allowed. Also uses SRC-NAT for traffic from LAN to WAN. If you want to use MT as “internal router”, you’ll have to change quite a few settings there. Which ones depends on how exactly you want it to work …
OK, I’ve set up the Fritz like accarda suggested, but there is still no communication (ping) from sub 1 to sub 2.
I believe the problem is this:
But I don’t know how to set it up like you suggested… In particular, I would like ports 80 and 8888 of the device 192.168.2.10 to be reachable from a device connected to sub 1.
The last sentence doesn’t come even close to what I meant with “how exactly you want it to work”.
For this particular aspect you need to set a DST NAT rule on your MikroTik to forward traffic from WAN to specific LAN host:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.200 dst-port=80,8888 protocol=tcp to-addresses=192.168.2.10
However, as @mkx already told you, there are other aspects to make sure they have been taken care of; most of this discussion is based on assumptions of what you have, on the drawing sketch and that you are using the hAP with default config.
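A more tightly scoped form of the DST NAT rule above, as an added example that is not part of the original thread. It assumes the Fritz LAN is 192.168.1.0/24 and that ether1 is the hAP port facing the Fritz, as the posts describe; the comment text is made up for illustration.

```routeros
/ip firewall nat
# Same forward as the rule in the thread, but matched only when the packet
# arrives on ether1 from the Fritz subnet (assumed here to be 192.168.1.0/24),
# so the two ports are not forwarded for any other source.
add chain=dstnat action=dst-nat in-interface=ether1 src-address=192.168.1.0/24 \
    dst-address=192.168.1.200 protocol=tcp dst-port=80,8888 \
    to-addresses=192.168.2.10 comment="sub 1 to 192.168.2.10 ports 80,8888"

# Show the NAT rules with their packet counters; the counter of the rule
# above should increase when a sub 1 client connects to 192.168.1.200:8888.
/ip firewall nat print stats
```

With this rule, clients in sub 1 connect to 192.168.1.200 on port 80 or 8888, not to 192.168.2.10 directly.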