[NEWBIE ] Sharing Files between two subnet.

Hello ,
Very newbie on Mikrotik.
In France Internet is provide thru a BOX named freebox 4k ( 192.168.1.254 )
Associated to this box an android box 192.168.1.24 where kodi is running.

Behind this freebox i have an hap ac2 ,in 192.168.1.20 lan network 192.168.88.0/24
I have a media server 192.168.88.150 where photos, film are stocked . As it’s a linux box, i can share the media on nfs, smb for example.

I activate the mikrotik smb share to test . I can see from the android box, and from the server

What i would like :
On the android box, access to my media who are on the linux serveur.
I can ping from mikrotik the android box
unfortunately i can’t connect directly the androd box with the mikrotik.

Any idea ? thanks.

Hmm well so the android is on the same LAN network as the Mikrotik router but not on the MT LAN.
I suppose one could consider the android as being a fixed source address wanting to access the linux server.

Thus you need on the hapac

1. sourcenat rule
2. dsntat rule
3. firewall rule.

Source nat
add action=src-nat action=srcnat to-address=192.168.1.254 ( dont think you need out-inteface=wan at all but not sure try it both ways maybe.)

Destination nat
add action=dst-nat action=dstnat dst-port=(of linux server) protocol=tcp? source-address=192.168.1.24 dst-address=192.168.1.254 to-addresses=192.168.88.250

Thanks for yr reply.
Following your recommendation :
To be more easier , i choose ssh on my server on port 22

nat> add chain=srcnat action=src-nat to-addresses=192.168.1.254

when i try to add the out interface it says that :

add chain=dstnat action=dst-nat dst-port=22 protocol=tcp src-address=192.168.1.24 dst-address=192.168.1.254 to-addresses=192.168.88.150

I add a firewall rule for port 22:

;;; allow 22
      chain=input action=accept protocol=tcp dst-port=22 log=yes log-prefix="FIREWALL 22"

i check that android box can ping my serveur :
[*]

airvb@airvb-serveur:~$ ping -S 192.168.1.24 192.168.88.150
PING 192.168.88.150 (192.168.88.150) 56(84) bytes of data.
64 bytes from 192.168.88.150: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from 192.168.88.150: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 192.168.88.150: icmp_seq=3 ttl=64 time=0.042 ms

route from server :

airvb-serveur:~$ traceroute 192.168.1.24
traceroute to 192.168.1.24 (192.168.1.24), 30 hops max, 60 byte packets
 1  mikrotik (192.168.88.1)  0.384 ms  0.359 ms  0.324 ms
 2  192.168.1.24 (192.168.1.24)  0.651 ms  0.681 ms  0.634 ms

But nothing well append.
the answer is : NO ROUTE TO HOST .
Suspecting the router FREEBOX doesn’t do the link.

I will try with a real pc in place of android box.

Any idea ?

I am unable to give advice without seeing the full config on the MT device.
/export hide-sensitive file=anynameyouwish

hello,
first thanks to take the time :
found attached the config.
thankyou.rsc (13.3 KB)

(1) Common error…
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-LAN network=
192.168.88.0
should be
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0

(2) No idea the purpose of this rule ??
/ip firewall filter
add action=accept chain=input comment=“allow 22 TEST FREEBOX” dst-port=22
log=yes log-prefix=“FIREWALL 22” protocol=tcp

(3) These do not look like standard VPN rules for the router and thus I cannot speak to them but do NOT think they are safe to put on the router. Especially opening up the winbox port to the router in this manner (at least its disabled). (I do see the standard vpn input chain rules later in the config which is fine but this stuff. not so much)
add chain=input comment=“Allow OpenVPN” dst-port=1194 protocol=tcp
add action=accept chain=input comment=“Allow modesmixer” dst-port=8083
protocol=tcp
add action=accept chain=input comment=“Allow VRS” dst-port=8080 log=yes
log-prefix=VRS- protocol=tcp
add action=accept chain=input comment=“Allow API ROUTER OS” disabled=yes
dst-port=8728 log=yes log-prefix=API_ROUTEROS protocol=tcp
add action=accept chain=input comment=“acces winbox exterieur via VPN”
disabled=yes dst-port=8291 protocol=tcp

(4) Order of firewall rules is important, I dont think your rules are in the right order for example the above input chain rules are all before the common first default rule of
add action=accept chain**=input** comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
Also in terms of presentation and reading/understanding configs its common practice to put all the input chain rules first then the forward chain rules.

(5) NAT rule SourceNat - Masquerade (assumes dynamic wanip) needs a tweak - get rid of source address.
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN src-address=192.168.88.0/24

(6) NAT Rules for VPN
Not sure why you need separate masquerade rules for your VPNs but its not my area of expertise so will assume they are needed.

(7) Freebox sourcenat rule is the correct type of rule for a static Fixed WANIP, the masquerade one currently above is the correct format for a dynamic WANIP. Just not sure why you have them both
or at least both active at the same time if doing testing.
add action=src-nat chain=srcnat comment=“TEST FREEBOX” log=yes log-prefix=
fb-mini-src-nat to-addresses=192.168.1.254

(8) The last rule I do not understand at all, the others seem fine, they assume fixed static wanip of 192.168.1.20 If the dest port is the same as the to-ports (no translation), then you can drop the to-ports as they are implied. If you had a dynamic wanip the rules would be different (drop the dest-address and replace with in-interface-list=WAN)
/ip firewall nat
add action=dst-nat chain=dstnat comment=“serveur WEB 443” dst-address=
192.168.1.20 dst-port=443 protocol=tcp to-addresses=192.168.88.150
to-ports=443
add action=dst-nat chain=dstnat comment=“serveur WEB 80” dst-address=
192.168.1.20 dst-port=80 protocol=tcp to-addresses=192.168.88.150
to-ports=80
add action=dst-nat chain=dstnat comment=“TEST freebox” dst-address=
192.168.1.254 dst-port=22 log=yes log-prefix=“dst-nat fb mini” protocol=
tcp src-address=192.168.1.24 to-addresses=192.168.88.150

Hello, lot of information, thanks again.

Ok this one i’ve got it

(2) No idea the purpose of this rule ??
/ip firewall filter
add action=accept chain=input comment=“allow 22 TEST FREEBOX” dst-port=22
log=yes log-prefix=“FIREWALL 22” protocol=tcp

It was to ‘open’ SSH between the lan behind mikrotik and android box

(3) These do not look like standard VPN rules for the router and thus I cannot speak to them but do NOT think they are safe to put on the router. Especially opening up the winbox port to the router in this manner (at least its disabled). (I do see the standard vpn input chain rules later in the config which is fine but this stuff. not so much)
add chain=input comment=“Allow OpenVPN” dst-port=1194 protocol=tcp
add action=accept chain=input comment=“Allow modesmixer” dst-port=8083
protocol=tcp
add action=accept chain=input comment=“Allow VRS” dst-port=8080 log=yes
log-prefix=VRS- protocol=tcp
add action=accept chain=input comment=“Allow API ROUTER OS” disabled=yes
dst-port=8728 log=yes log-prefix=API_ROUTEROS protocol=tcp
add action=accept chain=input comment=“acces winbox exterieur via VPN”
disabled=yes dst-port=8291 protocol=tcp

For the VPN : If i disable this line it doesn’t work anymore.
3 other removed

(4) Order of firewall rules is important, I dont think your rules are in the right order for example the above input chain rules are all before the common first default rule of
add action=accept chain> =input > comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
Also in terms of presentation and reading/understanding configs its common practice to put all the input chain rules first then the forward chain rules.

Done , it seems logic.

(5) NAT rule SourceNat - Masquerade (assumes dynamic wanip) needs a tweak - get rid of source address.
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN > src-address=192.168.88.0/24

The internet arrive true FREEBOX,it likes a router. I have a static internet ip . The WAN ip of Mikrotik doesn’t change.

(6) NAT Rules for VPN
Not sure why you need separate masquerade rules for your VPNs but its not my area of expertise so will assume they are needed.

When i installed the VPN, i would like to acces in my LAN and Internet and it 's working like this.

(7) Freebox sourcenat rule is the correct type of rule for a static Fixed WANIP, the masquerade one currently above is the correct format for a dynamic WANIP. Just not sure why you have them both
or at least both active at the same time if doing testing.
add action=src-nat chain=srcnat comment=“TEST FREEBOX” log=yes log-prefix=
fb-mini-src-nat to-addresses=192.168.1.254

As I understand it, this is a duplication of effort.
I put the sourcenat in to test the link between the android box and the LAN.

(8) The last rule I do not understand at all, the others seem fine, they assume fixed static wanip of 192.168.1.20 If the dest port is the same as the to-ports (no translation), then you can drop the to-ports as they are implied. If you had a dynamic wanip the rules would be different (drop the dest-address and replace with in-interface-list=WAN)

The ip of MT is static. (192.168.1.20 WAN, LAN 88.1)

/ip firewall nat
add action=dst-nat chain=dstnat comment=“serveur WEB 443” dst-address= 192.168.1.20 dst-port=443 protocol=tcp to-addresses=192.168.88.150
to-ports=443
add action=dst-nat chain=dstnat comment=“serveur WEB 80” dst-address= 192.168.1.20 dst-port=80 protocol=tcp to-addresses=192.168.88.150
to-ports=80
add action=dst-nat chain=dstnat comment=“TEST freebox” dst-address= 192.168.1.254 dst-port=22 log=yes log-prefix=“dst-nat fb mini” protocol=
tcp src-address=192.168.1.24 to-addresses=192.168.88.150

I have to perform a test with a pc instead of android box.
Again, thank you so much for your help. It allows me to better understand the richness of the product.

Repost your config after some cleanup and I will have another look/review, now that I understand your setup a bit better.