Complex network configuration.

[Image: Network diagram.png]

I have the setup shown in the image above.

PC4 has a static IP address: 192.168.0.80

Router #2 (Mikrotik) has the networks 192.168.2.0/24 and 192.168.3.0/24 for PC2 and PC3 respectively.
What I need to do:

  • PC1 should be able to access PC4 by domain name (worth mentioning that I don't have access to Router #1)
  • PC1 goes to the outside world through Router #1
  • PC2 goes to the internet through Router #2
  • PC3 goes to the internet through Router #1
  • PC2 and PC3 should also be able to access PC4 by domain name

What I have for now:

  • PC2 and PC3 have access to PC4
  • PC1 has access to PC4 too (through NAT)

I am using a DHCP client for Router #1; it should be changed to a static IP.

I am missing a domain name for PC4.

My current config is below:

/ip pool
add name=dhcp_pool0 ranges=192.168.2.10-192.168.2.254
add name=dhcp_pool1 ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3-IT-2 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether4-IT-10 lease-time=1d name=dhcp2
/ip address
add address=192.168.2.1/24 interface=ether3-IT-2 network=192.168.2.0
add address=192.168.3.1/24 interface=ether4-IT-10 network=192.168.3.0
add address=192.168.0.1/24 interface=ether5-Gitlab network=192.168.0.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1-h
add add-default-route=no disabled=no interface=ether2-IT-30
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,1.1.1.1,192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8,1.1.1.1,192.168.3.1 gateway=192.168.3.1
/ip dns
set servers=192.168.2.1,192.168.3.1
/ip dns static
add address=192.168.0.80 name=some.domain.com
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface=!ether3-IT-2
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-h
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether2-IT-30
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=ether4-IT-10
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=ether3-IT-2
add action=mark-routing chain=prerouting in-interface=ether4-IT-10 new-routing-mark=WAN-H passthrough=yes
add action=mark-routing chain=prerouting in-interface=ether3-IT-2 new-routing-mark=WAN-S passthrough=yes
/ip firewall nat
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec
add action=masquerade chain=srcnat out-interface=ether2-IT-30
add action=masquerade chain=srcnat out-interface=ether1-h
add action=dst-nat chain=dstnat dst-address=192.168.1.0/24 to-addresses=192.168.0.80
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.8.1 routing-mark=WAN-H
add distance=1 gateway=192.168.1.1 routing-mark=WAN-S
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

Also, it would be great if you could suggest a more secure firewall than the one I have now.
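A way to check the posted export for the issues a reviewer would look at first, written in Python as an added example (this is not code from the post or from MikroTik). It assumes the compact `/export` format shown above, embeds the relevant lines of the posted config as its sample input, and reports: upstream DNS servers that are the router's own addresses (a resolver loop), DHCP handing out the router as resolver while `allow-remote-requests` is not enabled (so clients cannot resolve the static name `some.domain.com` through the router), an input-chain drop rule whose `!interface` exception leaves the other LAN interface unable to reach the router's DNS, and a dst-nat rule that matches an entire subnet rather than one address.

```python
"""Audit a RouterOS compact export for DNS and firewall mistakes.

Added example, not part of the original post. It only reads the export
text that '/export' prints and reports findings; it changes nothing.
"""
import ipaddress
import shlex
from collections import defaultdict

# The relevant sections of the config quoted in the post (sample input).
EXPORT = """\
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3-IT-2 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether4-IT-10 lease-time=1d name=dhcp2
/ip address
add address=192.168.2.1/24 interface=ether3-IT-2 network=192.168.2.0
add address=192.168.3.1/24 interface=ether4-IT-10 network=192.168.3.0
add address=192.168.0.1/24 interface=ether5-Gitlab network=192.168.0.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,1.1.1.1,192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8,1.1.1.1,192.168.3.1 gateway=192.168.3.1
/ip dns
set servers=192.168.2.1,192.168.3.1
/ip dns static
add address=192.168.0.80 name=some.domain.com
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface=!ether3-IT-2
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.0/24 to-addresses=192.168.0.80
"""


def parse_export(text):
    """Return {section: [entry, ...]}; each entry maps key -> value, '_cmd' -> add/set."""
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as /ip dns
            section = line
            continue
        tokens = shlex.split(line)        # shlex keeps quoted comments intact
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[section].append(entry)
    return sections


def audit(text):
    """Return a list of human-readable findings for the given export text."""
    cfg = parse_export(text)
    findings = []

    # Router's own IPs (without prefix length) and the interface each sits on.
    own_ips = {e["address"].split("/")[0]: e["interface"] for e in cfg["/ip address"]}
    # LAN-facing interfaces are those with a DHCP server bound to them.
    lan_ifaces = {e["interface"] for e in cfg["/ip dhcp-server"]}

    # 1. An upstream DNS server that is one of the router's own addresses is a loop.
    for e in cfg["/ip dns"]:
        for srv in e.get("servers", "").split(","):
            if srv in own_ips:
                findings.append(f"dns-loop: upstream server {srv} is this router itself")

    # 2. DHCP advertises the router as resolver, but remote requests are off
    #    (RouterOS default); the static entry is then unreachable for clients.
    remote_ok = any(e.get("allow-remote-requests") == "yes" for e in cfg["/ip dns"])
    advertised = {own_ips[s] for e in cfg["/ip dhcp-server network"]
                  for s in e.get("dns-server", "").split(",") if s in own_ips}
    if advertised and not remote_ok:
        findings.append("dns-closed: allow-remote-requests is not yes; clients cannot use the router as resolver")

    # 3. A final input drop with in-interface=!X admits only X; every other LAN
    #    interface loses access to router services such as DNS (ICMP is still accepted).
    for e in cfg["/ip firewall filter"]:
        if e.get("chain") == "input" and e.get("action") == "drop":
            iface = e.get("in-interface", "")
            if iface.startswith("!"):
                for blocked in sorted(lan_ifaces - {iface[1:]}):
                    findings.append(f"input-drop: {blocked} cannot reach router services (DNS)")

    # 4. dst-nat keyed on a whole subnet redirects traffic to every host in it.
    for e in cfg["/ip firewall nat"]:
        if e.get("action") == "dst-nat":
            dst = e.get("dst-address", "")
            if "/" in dst and ipaddress.ip_network(dst, strict=False).num_addresses > 1:
                findings.append(f"broad-dstnat: dst-address {dst} redirects the whole subnet to {e.get('to-addresses')}")
    return findings


if __name__ == "__main__":
    for finding in audit(EXPORT):
        print(finding)
```

The parser treats every `key=value` token as an attribute and keeps quoted comments whole, so the same `parse_export` works on the other sections of the export (mangle, routes, services) if further checks are added.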