At the moment I am on the 192.168.0.0/24 network, but periodically I need to connect to equipment from another subnet (for example, an IP camera with the address 192.168.123.100) in order to change the IP address of this equipment.
In IP->Addresses, I added the address 192.168.123.1/24 to the bridge interface. A route with dst. address 192.168.123.0/24 was created automatically.
Very probably … because likely the “alien” equipment you need to connect doesn’t use your MT router as its default gateway. Adding that src-nat rule will make the “alien” device believe that traffic is coming from the router itself, and that one has an IP address in the same IP subnet as the “alien” device does.
Yes, the device 192.168.123.100 does not really use my router as the default gateway.
Do I understand correctly that with the created masquerade rule, the router will replace my address (192.168.0.28) in packets with its own (192.168.123.1)?
That’s the basic idea about SRC NAT. Action can be either src-nat or masquerade, both will replace src-address (and possibly src-port), details about how are slightly different for both action types.
To add to the conversation: one could also solve the problem on the upstream device or the other device, if the other device was capable of static routes.
For example, let's assume we have a primary MT device with a LANIP of 192.168.11.55, also its WANIP, as it's connected via ether1 to the ‘other router’. Additionally, one has a user on an internal local subnet at 192.168.2.25.
The user needs to reach a device on the other router, and this server device has an IP of 192.168.11.10.
As MKX noted, one ensures the src-nat masquerade rule exists for all traffic leaving the primary device through its WANIP:
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
The user's source address 192.168.2.25 will get changed to 192.168.11.55 before it departs the primary router. The traffic is headed for a local address on the “other router” and as such has no problem getting there. The return traffic will be sent back to 192.168.11.55, as the other router recognizes this as a legitimate local address it is aware of. The primary MT router unsourcenats the return traffic and sends it back to the originator.
The other option is, if possible, to write a static route on the “other router”. Imagine if this ‘other router’ was another MikroTik device. We could simply write the following static route to the same effect:
/ip route add dst-address=192.168.2.0/24 gateway=192.168.11.55 routing-table=main
In this case, even if there was no sourcenat, the return traffic from the server device is not local and the router doesn't know what to do with it, BUT we have provided it a path stating: for any such traffic, send it to a known local address… Once the traffic hits the primary router, it's recognized as a local address and is sent back to the originator.
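The two fixes discussed in this thread, as an added example that is not part of any post: a simplified Python model of the return path, showing why the reply is lost without src-nat, and how either masquerade or a static route on the far side brings it back. The `Device` and `Router` classes and the source port are hypothetical; the far side (device plus its own router) is collapsed into one object, and the model treats a reply with no path back as simply lost.

```python
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

class Device:
    """Far-side host: can only answer sources it has a path back to."""
    def __init__(self, ip, net, routes=None):
        self.ip, self.net = ip, net
        self.routes = routes or {}          # static routes: {dst-network: gateway}

    def reply_next_hop(self, src):
        if in_net(src, self.net):
            return src                      # source is on-link: answer directly
        for dst_net, gw in self.routes.items():
            if in_net(src, dst_net):
                return gw                   # a static route covers the source
        return None                         # no usable path back: reply is lost

class Router:
    """Primary router with an address (far_ip) in the far subnet."""
    def __init__(self, far_ip, masquerade):
        self.far_ip, self.masquerade = far_ip, masquerade
        self.conntrack = {}                 # (src on the wire, sport, dst) -> original src

    def forward(self, src, sport, dst):
        wire_src = self.far_ip if self.masquerade else src
        self.conntrack[(wire_src, sport, dst)] = src
        return wire_src

    def deliver_reply(self, reply_dst, sport, reply_src, next_hop):
        if next_hop != self.far_ip:         # reply was never handed to this router
            return None
        return self.conntrack.get((reply_dst, sport, reply_src))  # undo the NAT

def round_trip(client, router, device, sport=40000):
    """Return (source address the device sees, who finally receives the reply)."""
    seen = router.forward(client, sport, device.ip)
    hop = device.reply_next_hop(seen)
    if hop is None:
        return seen, None
    return seen, router.deliver_reply(seen, sport, device.ip, hop)

if __name__ == "__main__":
    cam = Device("192.168.123.100", "192.168.123.0/24")
    print(round_trip("192.168.0.28", Router("192.168.123.1", False), cam))
    print(round_trip("192.168.0.28", Router("192.168.123.1", True), cam))
    srv = Device("192.168.11.10", "192.168.11.0/24",
                 routes={"192.168.2.0/24": "192.168.11.55"})
    print(round_trip("192.168.2.25", Router("192.168.11.55", False), srv))
```

In the masquerade case the device only ever sees the router's address, so its own logs and any per-source access rules on it cannot tell individual clients apart; with the static route the original client address stays visible.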