Hi,
We have two subnets on our local network and a third separate subnet (172.28.4.0/24) for VPN server (on Mikrotik router). Also we have set up a site-to site VPN connection to our client. The client allowed access for those two subnets in his firewall, but won’t allow us access from the third subnet (people working from home). Is there a possibility to route or NAT that subnet to subnets which are currently allowed access?
Do this:
/ip firewall nat
add chain=srcnat src-address=172.28.4.0/24 dst-address=x.x.x.x action=netmap to-address=y.y.y.y/24
add chain=dstnat dst-address=y.y.y.y/24 src-address=x.x.x.x action=netmap to-address=172.28.4.0/24
… where x.x.x.x = the IP block of the customer side of the VPN, and y.y.y.y/24 = one of your two blocks of IP addresses which the customer’s router WILL allow through the VPN.
When doing a bulk range prefix translation like this, make sure that the prefix sizes match - i.e. if the “allowed” prefix (y.y.y.y) is something other than /24, then change your VPN pool 172.28.4.0/24 to use the same size IP block as y.y.y.y
x.x.x.x can (and must) be whatever size range the customer is using - it’s in the rule to specify WHEN the NAT rule should apply.
Make sure these rules come before any other NAT rules you may be using so that they take precedence over your usual NAT policy.
That worked like a charm. Thanks a lot man!
Hello, I have problem to connect my pc to my server in different subnet.
0 10.10.10.67/24 10.10.10.0 ether1_WAN
1 192.168.1.1/24 192.168.1.0 ether3_server
2 192.168.2.1/24 192.168.2.0 ether4_client1
3 192.168.3.1/24 192.168.3.0 ether5_client2
How can I ping from PC in client1 to PC in server and client2 and vice versa.
Thank you.
Would you like to show us your configuration?
Routing should done the job. If you setup gateways properly on your PCs and your server, it should work.
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 XI ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough log=no log-prefix=""
1 ;;; WAN1
chain=srcnat action=masquerade src-address-list=client1 out-interface=ether1_WAN1 log=no log-prefix=""
2 ;;; WAN2
chain=srcnat action=masquerade src-address-list=client2 out-interface=ether2_WAN2 log=no log-prefix=""
ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=WAN1-route passthrough=yes src-address-list=client1 log=no log-prefix=""
1 chain=prerouting action=mark-routing new-routing-mark=WAN2-route passthrough=yes src-address-list=client2 log=no log-prefix=""
ip route print
0 A S 0.0.0.0/0 10.10.10.64 1
1 S 0.0.0.0/0 10.10.10.64 2
2 A S 0.0.0.0/0 10.20.20.1 1
3 S 0.0.0.0/0 10.20.20.1 2
4 A S 0.0.0.0/0 10.10.10.64 1
5 S 0.0.0.0/0 10.20.20.1 2
6 ADC 192.168.1.0/24 192.168.1.1 ether3_server 0
7 ADC 192.168.2.0/24 192.168.2.1 ether4_client1 0
8 DC 192.168.3.0/24 192.168.3.1 ether5_client2 0
9 ADC 10.20.20.0/24 10.20.20.20 ether2_WAN2 0
10 ADC 10.10.10.0/24 10.10.10.67 ether1_WAN1 0
I use 2 WAN. WAN1 for client1 and WAN2 for client2 and for failover if WAN1 or WAN2 troble (disconnect)
i angrry with czolo. Routing should done the job, you can allow to ping.
Can you give me an example?
There is no example for that 
You have a router in the middle, so if you have gateways setup on your clients and your server, router should know a destination.
Show us your
/ip dhcp-ser ex
will be help full
Hey
I have X86 mikrotik
WAN = 192.168.1.1
LAN = 10.20.20.1/22
so, users IP’s in subnet ( 10.20.20.2-10.20.23.254 )
My problem is :
How to make user ( 10.20.20.20 ) to see and ping user ( 10.20.22.22 )
although all of them on the same interface
Hey
I have X86 mikrotik
WAN = 192.168.1.1
LAN = 10.20.20.1/22
so, users IP’s in subnet ( 10.20.20.2-10.20.23.254 )
My problem is :
How to make user ( 10.20.20.20 ) to see and ping user ( 10.20.22.22 )
although all of them on the same interface