Network Routing

Hi,

I am new to RouterOS and come from pfSense.
I am trying to route 1 network to the other.
The situation is main office network 192.168.10.0/24 (MikroTik router, 192.168.10.254) to secondary user network 192.168.0.0/24 (Netgear router, not configurable, 192.168.0.1).
The Main office network needs to access a couple of devices on the secondary network but not vice versa.
The secondary network is simply patched into the main office via a “dumb” switch.

Any help would be greatly appreciated.

I have managed to ping the 192.168.0.0 network from the Mikrotik router by adding an address of 192.168.0.254 into the config. However I still can not get the 192.168.10.0 subnet to talk to 192.168.0.0.

If the Netgear router (secondary user network) has an IP from the office network subnet (as an example, 192.168.10.250 on the WAN port), you need to add a static route on the MikroTik router (main office network):

ip route add dst-address=192.168.0.0/24 gateway=192.168.10.250

In order for the secondary network to not have access to the office network, you need to add a firewall filter on the MikroTik router (move the rule in the list as needed):

ip firewall filter add chain=forward action=drop connection-state=new src-address=192.168.0.0/24 dst-address=192.168.10.0/24

Unfortunately not the case.
The only address the secondary router has is 192.168.0.1/24
We only need to access one server (192.168.0.10) on this network, is there a way to map to the IP of this machine on the secondary network?

The secondary network is simply patched into the main office via a “dumb” switch

Then a LAN port from the Netgear router is going to a “dumb” switch and then to the MikroTik router?
If there is a direct connection on L2, then on the MikroTik router add an IP from the secondary router's class (example 192.168.0.2/24).

A network diagram would help.

Basic Drawing.jpg

So direct L2 connection.
Then we need to srcnat traffic, because the Netgear router does not know who the 192.168.10.0/24 network is and we cannot change that (no admin ability).
So we can do:
ip firewall nat add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.0.0/24 out-interface=etherx action=masquerade

Where “etherx” is the interface connected to “Dumb Switch 1”.
P.S. In this network topology you should be mindful of double DHCP and the fact that someone in the 192.168.0.0/24 network could “hop” on the 192.168.10.0/24 network and vice versa.
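
A tighter variant of the rules from this thread, as an added example that is not part of the original posts: it limits the masquerade and forward rules to the one server the office needs (192.168.0.10) and keeps the secondary subnet from opening connections into the office subnet. `etherx` is the thread's placeholder for the port facing the secondary network; the comments and the rule order are assumptions.

```routeros
# Added example, not from the original posts. Assumes etherx (the thread's
# placeholder) is the port facing "Dumb Switch 1" and already carries an
# address in 192.168.0.0/24, as described above.

/ip firewall nat
# Hide office hosts behind the router's 192.168.0.x address, but only for
# traffic to the one server, so the Netgear never needs a route back.
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.0.10 \
    out-interface=etherx action=masquerade comment="office to 192.168.0.10"

/ip firewall filter
# Replies to connections the office opened are allowed back.
add chain=forward connection-state=established,related action=accept \
    comment="return traffic"
# Office hosts may open connections to the server only.
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.0.10 \
    out-interface=etherx action=accept comment="office to server"
# Everything else from the office toward the secondary subnet is dropped.
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.0.0/24 \
    action=drop comment="no other office to secondary traffic"
# The secondary subnet may not open connections into the office subnet.
add chain=forward connection-state=new src-address=192.168.0.0/24 \
    dst-address=192.168.10.0/24 action=drop comment="secondary to office"
```

Rules added this way are appended to the end of the list, so check the order with `/ip firewall filter print` and move them above any broader accept rules.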

That Worked.
Knew there was a way, just was way off getting to such a solution.
Thanks a million, saved me hours for sure :)

The next question, which maybe I need to start a new post for (not sure), is:
Is it possible to reach the secondary network through a Site-Site VPN?

If the Site-to-Site connection is between the MikroTik router (main office) and another router, then yes.
If the remote site will use a different subnet, then another srcnat rule will be needed at the main office, or the existing rule changed to fit the new requirements.

@RhoAius
edit: I am out in left field LOL

@anav
According to his posts the main office network is a mikrotik router that he has access to.
I do see now that the whole thing could be interpreted the other way around.

You are quite right, I was looking at the netgear as the router attached to the internet.
Silly me. Glad I was wrong, ignore my misplaced concerns…

Thanks for your help guys, has saved me a long and painful trial and error period.
Both of those worked re the VPN and the Local access.
Appreciate your help :)