Port forwarding / NATting issue

Hey all.

An interesting one, not sure if what I need is possible, but I figured I'd let those of you more experienced than me weigh in. Basically, I have some backup copies of one of my client's servers to be situated in my office, with the idea that should their site completely fail, I boot up the copies here and they remote in and can carry on with basic functionality while the production machines are replaced. The issue is that their system and our systems are on the same 192.168.0.0 range. So I've taken a spare RB750 I had and set it with a 192.168.6.0-range address on eth1, and the same IP as the client's router on a bridge containing eth2-eth5, and added the appropriate masquerade rule. This is letting it run like a basic router and the connectivity is fine. I also added a .6-range IP to my router (also a MikroTik).

But I need to RDP into one of the machines to monitor the nightly restore of the backup to the system, and should the system go live, the client will need to RDP into one of the other machines to use the system. So I created 2 dst-nats, each with dst-address set to the 192.168.6.0-range IP and action dst-nat with to-address being the internal IP: one with port 3389 → 3389, and the other with port 3388 → 3389 of the other internal IP.

After struggling with the connection and thinking initially there was an issue with my forwarding rules or the servers' firewalls, and confirming both were fine, I believe the issue is that my connections are going in through the NATting, but then the replies are trying to stay in the internal network rather than going back through the gateway to me. I.e. 192.168.0.25 → 192.168.0.254/192.168.6.254 → 192.168.6.7 → 192.168.0.5, but when it wants to reply to 0.25 it's trying to reply on the local LAN.

Changing my office or the client's infrastructure would be a pain, and I'd prefer not to have to. Is there any sort of trick that could be done, like something with connection/packet/routing marks, or would it become too convoluted?

Additionally, if I had inbound RDP from my office router NATted to this router, which in turn NATs to the server, would that chain of NATs work? Obviously the internet-facing router would have an approved IP list to allow RDP, and the rule would only be enabled when needed.
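The rule set described in the post, written out as an added RouterOS example (this is not the poster's actual configuration). Interface names ether1 (the 192.168.6.7 side) and bridge1 (eth2-eth5, carrying the client-side 192.168.0.254), the second server's address 192.168.0.6, and the exact form of the existing masquerade rule are assumptions; the office client 192.168.0.25 and the server 192.168.0.5 come from the post. The last two srcnat rules are the addition that addresses the reply path: by masquerading the forwarded RDP sessions as they leave bridge1, the servers see the RB750's own 192.168.0.254 as the source and answer it instead of trying to reach 192.168.0.25 on their own LAN.

```routeros
# Added example, not the original poster's config.
# Assumed: ether1 = office side, 192.168.6.7/24 on this RB750
#          bridge1 = eth2-eth5, 192.168.0.254/24 (same IP as the client's real router)
#          192.168.0.5 = restore-monitor server (from the post)
#          192.168.0.6 = server the client will RDP into (assumed)
/ip firewall nat

# Existing behaviour: the backup copies get the .6 address when they talk to the office
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="copies -> office"

# Inbound RDP from the office, two published ports on the RB750's .6 address
add chain=dstnat in-interface=ether1 dst-address=192.168.6.7 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.0.5 to-ports=3389 comment="RDP: restore monitor"
add chain=dstnat in-interface=ether1 dst-address=192.168.6.7 protocol=tcp dst-port=3388 \
    action=dst-nat to-addresses=192.168.0.6 to-ports=3389 comment="RDP: client failover"

# Reply-path fix: rewrite the source of the forwarded RDP sessions on the way into the
# bridge, so the servers reply to 192.168.0.254 (this box) rather than to 192.168.0.25,
# which they would otherwise treat as a host on their own LAN.
add chain=srcnat out-interface=bridge1 dst-address=192.168.0.5 protocol=tcp dst-port=3389 \
    action=masquerade comment="hairpin replies for forwarded RDP"
add chain=srcnat out-interface=bridge1 dst-address=192.168.0.6 protocol=tcp dst-port=3389 \
    action=masquerade comment="hairpin replies for forwarded RDP"
```

Two caveats worth knowing before enabling this. First, once the forwarded sessions are masqueraded, the servers' RDP and Windows security logs will record 192.168.0.254 as the client address for every session, so the real source has to be read from the RB750's connection table (`/ip firewall connection print`) rather than from the servers. Second, a further dst-nat on the office router that sends its inbound port to 192.168.6.7:3389 or :3388 chains through the same rules, since each hop only needs the next hop to be reachable and each hop rewrites the source before handing the packet on; as the post already says, that outer rule should stay disabled and source-restricted except when it is actually needed.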