I have two sites:
- Site A with LAN 192.168.5.0
- Site B with 10.50.0.0
On site B there is a MikroTik, and here there is also another LAN with address 192.168.1.0 for wifi clients.
Now between site A and B there is an IPsec tunnel (192.168.5.0-10.50.0.0). I don’t have access to the site A router. How do I configure the MikroTik to enable wifi clients to have access to the site A LAN, but block access to the site B LAN?
Create a masquerade rule for src-address=192.168.1.0/24 dst-address=192.168.5.0/24
If Masquerade can’t figure out what source address to use for this, then you can use
action=src-nat to-address=10.50.0.1 (or whatever site B’s 10.50.0.x address might be)
Then make a rule in the forward chain that allows src-address=192.168.1.0/24 dst-address=192.168.5.0/24
As long as there’s also a rule that allows established,related connection state, then you should be good to go.
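The steps from the reply above, written out as RouterOS commands, together with the drop rule the question asks for. This is an added example, not part of either post. It assumes /24 masks on all three networks, that 10.50.0.1 is the MikroTik's own address on site B's LAN, and that no earlier firewall rule already matches this traffic.

```routeros
# Added example; masks (/24) and the router address 10.50.0.1 are assumptions.
# Wifi clients are rewritten to a site B address before the IPsec policy is
# matched, so site A sees traffic from 10.50.0.0/24 and needs no changes.
# This rule must sit above any general masquerade rule in the srcnat chain.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.5.0/24 \
    action=src-nat to-addresses=10.50.0.1 comment="wifi -> site A via tunnel"

# The forward chain sees the original (pre-NAT) source address,
# so the filter rules match on 192.168.1.0/24, not on 10.50.0.1.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic"
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.5.0/24 \
    action=accept comment="wifi -> site A LAN"
add chain=forward src-address=192.168.1.0/24 dst-address=10.50.0.0/24 \
    action=drop comment="wifi -> site B LAN blocked"
```

Rule order matters: the accept rules must come before any broader drop, and the drop rule only covers forwarded traffic, not traffic to the router's own addresses (input chain).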