I have a setup with four routers as below. Routers A, B and C are MikroTik and under my control. Router D is unknown and not under my control (this is a setup I have recently “inherited”). Sorry for the crude schema…
From subnet A I can reach subnet B or C but not D. I can reach D from C and C from D but not A or B from D.
The link between C and D is an L2TP VPN. There are no static routes listed for D in C (I understand they are dynamically added for tunnels?) but I can definitely reach D from C.
What should I do to achieve my goal of packets going from A to D (and back)?
Obviously, you need some routes. Both A and B must know where to find D’s subnet (behind C is the answer). And then it depends if you need to be able to connect (initiate new connections) also from D to A and B, or if from A and B to D is enough. In the first case, D needs to have routes to B and C. If that’s a problem, you can use srcnat on C, which would allow at least connections from A and B to D (and D would see them as from C).
Thanks
When you say “Both A and B must know where to find D’s subnet (behind C is the answer)” you mean that I have to define a route to subnet D via GW C?
Just for my understanding: does the VPN tunnel “auto-create” a route for each subnet on the other side?
Short answer is no. Long answer is that it depends on config: some VPNs can push routes to clients (so clients can reach subnets behind the server), and some may have configuration for multiple subnets behind the client. You have to ask whoever is in control of D what exactly is there.
I have defined a route to router C GW (which is 192.168.199.247), yet my traffic goes to 192.168.199.3 (if I understand this correctly) and does not go further?
Back on the VPN question: if there is no “automatic” route added, how does the router “know” to send the packets for the remote subnet via the tunnel? Because it appears as a local adapter when the VPN is up?
Last (somewhat unrelated) question: I see this on C (connected to D). Is that to be expected? I don’t see any functional issue (packets are going through both ways), but why 4 connections?
Is it possible that the same router has both 192.168.199.247 and 192.168.199.3? Further hops depend on the following routers: either they must have a route to the source address (I guess they don’t), or you must use srcnat on the last one that does have it.
VPN client and server can see each other. Then client can use VPN as default route, and server can have static routes to client. It all depends on configuration. Look in “/ip route” what’s there.
I’m not sure about multiple connections. In fact, I still don’t know which one of C and D is client and server.
Is it possible that the same router has both 192.168.199.247 and 192.168.199.3? Further hops depend on the following routers: either they must have a route to the source address (I guess they don’t), or you must use srcnat on the last one that does have it.
You are correct: router C has both 192.168.199.247 and 192.168.199.3.
And srcnat is indeed used (again, I am discovering this setup and as you can see I am not up to speed with the whole thing…). I will have to get acquainted with that feature, which I have never used. Any idea why it is used here?
VPN client and server can see each other. Then client can use VPN as default route, and server can have static routes to client. It all depends on configuration. Look in “/ip route” what’s there.
Have done that but don’t see an obvious route for the VPN subnet…
I’m not sure about multiple connections. In fact, I still don’t know which one of C and D is client and server.
94.230.xxx (local) is router C and the server. Remember that I don’t have access to D.
The rule inside the NAT you’re asking about has an accept, so it will not be NATed or anything.
Now, since there is no access to D, all the packets coming from A and B must be source NATed on C so that they leave with C’s address…
Otherwise router D will not reply to anything coming from A or B because it does not know how to reach them.
Sorry, I must be a little thick… What do you propose I do?
There is no direct link A to C; everything comes either from B or through B. So I make a srcnat from 172.16.100.0/24 (B subnet) to 192.168.28.1 (D gateway)?
You said that C and D can communicate…
So we are left with A and B.
For router B to reach router D you need a route so that when router B has D as the destination address, the gateway is router C.
For router A to reach router D you need a route so that when router A has D as the destination address, the gateway is router B.
Now whatever leaves router C with router D as the destination should be source NATed…
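The three steps above (route on B via C, route on A via B, srcnat on C toward the tunnel), written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread. Only 192.168.199.247 (C’s address as seen from B), 172.16.100.0/24 (B’s subnet) and 192.168.28.1 (D’s gateway) come from the thread; the D subnet 192.168.28.0/24, the A subnet 172.16.101.0/24, B’s address 172.16.101.1 toward A and the tunnel interface name l2tp-to-D are assumptions and must be replaced with the real values.

```routeros
# --- Router B: D's subnet is behind C (C reachable at 192.168.199.247 per the thread).
# 192.168.28.0/24 as D's subnet is an ASSUMPTION; check it against D's actual LAN.
/ip route add dst-address=192.168.28.0/24 gateway=192.168.199.247 comment="subnet D via C"

# --- Router A: there is no A-C link, so D's subnet is reached through B.
# 172.16.101.1 as B's address on the A-B link is an ASSUMPTION.
/ip route add dst-address=192.168.28.0/24 gateway=172.16.101.1 comment="subnet D via B"

# --- Router C: D has no route back to A or B, so hide them behind C's tunnel address.
# masquerade picks the address of the out-interface, so it keeps working if the
# tunnel address changes. "l2tp-to-D" is an ASSUMED interface name; use
# /interface print to find the real one. Place this rule BEFORE any broader
# srcnat accept rule, since the first matching rule in the chain wins.
/ip firewall nat add chain=srcnat out-interface=l2tp-to-D \
    src-address=172.16.100.0/24 action=masquerade comment="B->D via tunnel"
/ip firewall nat add chain=srcnat out-interface=l2tp-to-D \
    src-address=172.16.101.0/24 action=masquerade comment="A->D via tunnel"

# --- Checks (run on each router): confirm the route is active and see what
# gateway a packet to D's gateway would actually use, then watch the NAT counters
# climb while pinging from a host on A or B.
/ip route print detail where dst-address=192.168.28.0/24
/ip route check 192.168.28.1
/ip firewall nat print stats where out-interface=l2tp-to-D
/tool traceroute 192.168.28.1
```

With this in place, connections can only be initiated from A and B toward D; D sees everything as coming from C’s tunnel address, so nothing on D’s side needs to change. If D must also initiate connections toward A or B, the srcnat rules are not enough: whoever controls D has to add routes for 172.16.100.0/24 and A’s subnet pointing at C, as the earlier answer in the thread says.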