SOLVED Printer for 2 subnets

RouterOS General
1

Hello eveybody, i have our main network as 192.168.1.0/24 with default gateway for internet at 192.168.1.1. In this subnet we have a network printer with static IP 192.168.1.20.
Then we have another private subnet for wifi 192.168.39.0/24 routed (no firewall) with router at 192.168.1.249.
The printer needs to have internet access also for remote assistance so it’s default router il set to 192.168.1.1 and it seems i have no chances to add a static route to the printer itself.
How can i have wifi clients with address 192.168.36.x be able to print on this printer? is there any way to let the printer know to send back packets to 192.168.1.249 in case of wifi subnet if i can’t set a static router?

thank you all

2

So let me get this straight
You have one wan ISP.
You have two LANs (presumably not on the same bridge).
One lan is for wifi and one lan is for wired home.
On your lan you have remote access (from external wan) to one device the printer.
You wish to have the wifi lan be able to access the printer to print.

It would be best to see your config prior to making any assumptions
/export hide-sensitive file=yourconfigfeb25

Normally I would make a forward chain rule
source address (wifi subnet) in-interface LANx destination address=printer IP allow
Is all that you should need to do.

3

Anav thanks for the reply.
My border router/firewall is not mikrotik, the internal router is RB2011.

Normally I would make a forward chain rule
source address (wifi subnet) in-interface LANx destination address=printer IP allow
Is all that you should need to do.

could you be more specific on this?

4

Is the internal router the RB2011 acting as a router?
I will assume yes…
So the rule I noted is to allow the traffic to be destination nated to the printer.
You will need a firewall rule allowing dst nat packets in general
You will need in the primary router to forward the necessary ports for the printer to the WANIP of the RB2011 (or more accuratly its LANIP according to the primary routers lan network).

As I stated also provide config and a diagram would be useful.

5

Attached is the config for the internal router.
Edge router is not mikrotik.

I can make other devices work, my only problem is how to tell the printer to route the packet for the internal subnet to 192.168.1.249 instead of 192.168.1.1 since it doesn’t allow routes parameter.

# feb/25/2019 17:46:25 by RouterOS 6.43.12
# software id = LM6Z-KXGY
#
# model = 2011UiAS-2HnD
# serial number = 444A045FFA09
/interface bridge
add admin-mac=4C:5E:0C:22:08:65 auto-mac=no mtu=1500 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-master
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether7-slave
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether8-slave
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether9-slave
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether10-slave
set [ find default-name=sfp1 ] speed=100Mbps
/interface vlan
add comment="WiFi 38 rete aziendale" interface=ether3 name=vlan1 vlan-id=1
add comment="WiFi 38 Ospiti rete per ospiti" interface=ether3 name=vlan20 \
    vlan-id=20
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity=""
add authentication-types=wpa-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=profile2 \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile3Interno \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    antenna-gain=4 band=2ghz-b/g/n basic-rates-a/g=6Mbps,9Mbps basic-rates-b=\
    1Mbps,2Mbps bridge-mode=disabled country=italy distance=indoors \
    frequency=2437 frequency-mode=regulatory-domain mode=ap-bridge \
    multicast-helper=full rate-set=configured security-profile=profile1 ssid=\
    WIFI38 wireless-protocol=802.11
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=DHCP-pool1 ranges=192.168.39.2-192.168.39.249
add name=pool-vlan20 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=DHCP-pool1 disabled=no interface=vlan1 lease-time=1d name=\
    dhcp-vlan1
add address-pool=pool-vlan20 disabled=no interface=vlan20 name=dhcp-vlan20
/queue interface
set wlan1 queue=only-hardware-queue
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge filter
add chain=input disabled=yes in-bridge=*F limit=1,5 mac-protocol=ip \
    packet-type=multicast
add chain=output disabled=yes limit=1,5 mac-protocol=ip out-bridge=*F \
    packet-type=broadcast
/interface bridge port
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 interface=ether6-master
add bridge=bridge1 interface=ether7-slave
add bridge=bridge1 interface=ether8-slave
add bridge=bridge1 interface=ether9-slave
add bridge=bridge1 interface=ether10-slave
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface ethernet switch vlan
add independent-learning=no ports=ether3 switch=switch1 vlan-id=1
add independent-learning=no ports=ether3 switch=switch1 vlan-id=20
/interface list member
add interface=sfp1 list=discover
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7-slave list=discover
add interface=ether8-slave list=discover
add interface=ether9-slave list=discover
add interface=ether10-slave list=discover
add interface=bridge1 list=discover
add interface=vlan1 list=discover
add interface=vlan20 list=discover
/interface wireless access-list
add disabled=yes interface=wlan1 mac-address=10:9A:DD:F5:E8:DA
/interface wireless connect-list
add disabled=yes interface=wlan1 mac-address=10:9A:DD:F5:E8:DA \
    security-profile=profile1 wireless-protocol=802.11
/interface wireless sniffer
set streaming-enabled=yes streaming-server=192.168.1.167
/ip address
add address=192.168.1.249/24 interface=ether1 network=192.168.1.0
add address=192.168.39.1/24 interface=vlan1 network=192.168.39.0
add address=192.168.40.1/24 interface=vlan20 network=192.168.40.0
/ip dhcp-server network
add address=192.168.39.0/24 gateway=192.168.39.1
add address=192.168.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.40.1
/ip dns
set servers=192.168.1.8,192.168.1.67
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=forward disabled=yes
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes src-address=192.168.1.145 \
    to-addresses=192.168.38.1
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.39.1 \
    to-addresses=192.168.1.145
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1 max-cache-size=none parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=192.168.1.6
6

Use policy routing on the MikroTik. Anything sourced by the printer destined to the wireless subnet is sent to the .249 IP.

https://wiki.mikrotik.com/wiki/Policy_Base_Routing

7

@idlemind
Thank you so much!!!
It worked like a charm!!!
I never thought of NATting just that IP address to have the router reach this device with its external address!!