routing between two subnets

Hi everyone
I have the situation shown in the image.
I have a CHR under VMware with various physical interfaces.
One of the interfaces is connected to a router that has internet with a DHCP server.

I would like a host on interface 2 (subnet .20) to be able to access the internet via interface 1 (subnet .88). It is clear from the drawing.
I can’t create any bridge between interfaces

any advice on how to start understanding?

on internet router add

/ip route add dst-address=192.168.20.0/24 gateway=192.168.88.238

I can’t configure the internet router unfortunately.
but I can move the host to subnet 88, but then?

I am not sure I understand the problem.
From the CHR point of view, ether1 and 192.168.88.0/24 is WAN, ether2 and 192.168.20.0/24 is LAN.
You can (probably you already have) set a 0.0.0.0/0 route with gateway 192.168.88.1 and then add in /ip firewall nat a masquerade rule with out-interface ether1.

If you want to do simple routing, without nat, you need the “return” route as panisk0 suggested.

There may be other tricks, though, if really needed, but if you can keep it simple it would be IMHO better.

You have to do Network Address Translation on the CHR if you cannot configure the Internet router. The Internet router probably operates on the belief that only 192.168.88.0/24 is on its LAN side and that 192.168.20.0/24 must therefore be on its WAN side.

I solved it by adding a new routing table:

/routing table add disabled=no fib name=gw-sicep

then I added a second route to 0.0.0.0/0 with the “internet router” IP address as gateway, distance 2, and the new routing table (because the gateway on network 88 is not the only one connected to my CHR):

/ip route add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=gw-sicep \
    scope=30 suppress-hw-offload=no target-scope=10

in the prerouting table I marked the connection via the host’s static IP

/ip firewall mangle add action=mark-connection chain=prerouting comment="mark 20.22 connection" in-interface=\
    "rete tvcc" new-connection-mark=gatewaysicep passthrough=yes src-address=192.168.20.22

then I forced the marked connection via the gateway with distance 2

/ip firewall mangle add action=mark-routing chain=prerouting comment="route marked to gw-sicep" connection-mark=\
    gatewaysicep in-interface="rete tvcc" new-routing-mark=gw-sicep passthrough=yes

finally I dstnated the static ip of the host on the interface connected to the gateway

/ip firewall nat add action=masquerade chain=srcnat comment="consent 20.22 to www via sicep - check mangle" \
    out-interface="rete sicep" src-address=192.168.20.22

even if it’s not needed, to be safe I made a rule on the firewall that drops everything that is not marked from network 20 to network 88

/ip firewall filter add action=drop chain=forward comment="DROP ALL FROM 88 NOT DSTnated" connection-mark=!gatewaysicep \
    in-interface="rete tvcc" log=yes log-prefix="DROPPED 20 to 88 NOT MARKED" out-interface=\
    "rete sicep" routing-mark=!gw-sicep

thanks to all!

As always I may be wrong, but adding firewall rules just because they look cool :) is not a good habit.
I would run the setup with the rule for some time, then check the counter/log for that rule, if it is not hit, it is better to remove it, as it just clutters the firewall.

Since yesterday the counter has been at zero, I’ll leave it for a few days, then I’ll delete it! Thank you

I also eliminated the double mangle rule: instead of marking the packets and then routing the marked packets, I am directly routing the connection from 20.22 via the second gateway

/ip firewall mangle add action=mark-routing chain=prerouting comment="route 20.22 to gw-sicep" in-interface="rete tvcc" \
    new-routing-mark=gw-sicep passthrough=yes src-address=192.168.20.22
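Pulling the thread's final setup together in one place, as an added example rather than any poster's own export: it keeps the interface names, routing table and mark used above, adds the full menu paths, and ends with the print commands one would use to confirm that only the intended host is being marked and NATed (the forward rules are an assumption, not part of the posts).

```routeros
# Second routing table for traffic that must leave via the "internet router" on the .88 net
/routing table add disabled=no fib name=gw-sicep

# Default route used only by packets carrying the gw-sicep routing mark
/ip route add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.88.1 \
    routing-table=gw-sicep scope=30 target-scope=10 comment="default via internet router"

# Policy routing by source: only 192.168.20.22 gets the gw-sicep mark (single rule, no connection mark)
/ip firewall mangle add chain=prerouting action=mark-routing in-interface="rete tvcc" \
    src-address=192.168.20.22 new-routing-mark=gw-sicep passthrough=yes comment="route 20.22 to gw-sicep"

# The internet router has no return route for 192.168.20.0/24, so masquerade behind the CHR's .88 address.
# Restricting src-address keeps every other .20 host from reaching the internet through this path.
/ip firewall nat add chain=srcnat action=masquerade out-interface="rete sicep" \
    src-address=192.168.20.22 comment="masquerade 20.22 towards internet router"

# Assumed forward policy: allow replies, allow the one host, drop any other .20 -> .88 traffic (logged)
/ip firewall filter add chain=forward action=accept connection-state=established,related
/ip firewall filter add chain=forward action=accept in-interface="rete tvcc" out-interface="rete sicep" \
    src-address=192.168.20.22
/ip firewall filter add chain=forward action=drop in-interface="rete tvcc" out-interface="rete sicep" \
    log=yes log-prefix="DROPPED 20 to 88" comment="anything from .20 not explicitly allowed"

# Verification: mangle and NAT counters should increase only while 20.22 is browsing;
# the drop rule's counter should stay at zero if no other host tries the path.
/ip route print where routing-table=gw-sicep
/ip firewall mangle print stats
/ip firewall nat print stats
/ip firewall filter print stats where chain=forward
```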