vpn traffic

Hello, I have an IPsec tunnel; on the left side is a MikroTik, on the right, I don’t know.

Mikrotik<====> some router
10.0.5.0/24 <===> 192.168.2.0/24

I need to set up an additional network on the left side but cannot access the configuration of the network on the right side.
From both subnets on the left side I must access the right side.

10.0.5.0/24
<===>192.168.2.0/24
192.168.4.0/24
How can I hide an extra subnet 192.168.4.0/24 to access 192.168.2.0/24?

Set your Subnet Mask to 255.255.252.0. Subnet would be 192.168.0.0

Router would be 192.168.2.0 and all traffic would be able to be handled through the one router.

If you cannot change the setup of the right side, and it doesn’t accept additional traffic selectors proposed by the peer at the left, your only chance is to src-nat the traffic from 192.168.4.0/24 to some address(es) from 10.0.5.0/24, as below:

/ip firewall nat
add chain=srcnat place-before=as-appropriate src-address=192.168.4.0/24 dst-address=192.168.2.0/24 action=src-nat to-addresses=10.0.5.1

I think it would be good to mention that they would need to change the src-address in the policy, if set, as the src-nat rule will change the source address before it can hit the IPsec process, as it is in the postrouting section:
https://wiki.mikrotik.com/wiki/File:Routing_Diagram.jpg

That’s the very essence of my suggestion - as the only available policy matches on 10.0.5.0/24 at the Mikrotik side, you have to src-nat the traffic from 192.168.4.0/24 to make it match the policy.

Thanks, I did it with the netmap option but it didn’t work for me. It turned out to be working, but I had to make a rule before the main masquerade.
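
The rule-ordering outcome reported in the last post, together with the point that srcnat runs before the IPsec policy lookup, as an added example that is not part of the thread: a small Python model of a first-match srcnat chain followed by policy selector matching. The masquerade rule's matchers, the WAN address 203.0.113.10 and the host addresses are assumptions, since the thread does not show them.

```python
# Added illustration (not from the thread): first-match srcnat, then IPsec
# policy selector matching, to show why the src-nat rule must sit above the
# general masquerade rule.
from ipaddress import ip_address, ip_network

# Policy selectors from the thread: local 10.0.5.0/24 <-> remote 192.168.2.0/24
POLICY = (ip_network("10.0.5.0/24"), ip_network("192.168.2.0/24"))
WAN_ADDR = ip_address("203.0.113.10")  # constructed WAN address for masquerade

# Rule tuple: (name, src-address match, dst-address match, new source address)
SRC_NAT = ("src-nat", ip_network("192.168.4.0/24"),
           ip_network("192.168.2.0/24"), ip_address("10.0.5.1"))
# Assumed catch-all masquerade; the thread does not show the real rule.
MASQUERADE = ("masquerade", ip_network("0.0.0.0/0"),
              ip_network("0.0.0.0/0"), WAN_ADDR)


def apply_srcnat(chain, src, dst):
    """Return (rule name, source after NAT); the first matching rule wins."""
    src, dst = ip_address(src), ip_address(dst)
    for name, match_src, match_dst, new_src in chain:
        if src in match_src and dst in match_dst:
            return name, new_src
    return None, src


def enters_tunnel(chain, src, dst):
    """True if the packet, after srcnat, matches the IPsec policy selectors."""
    _, natted = apply_srcnat(chain, src, dst)
    return natted in POLICY[0] and ip_address(dst) in POLICY[1]


def report(chain, src, dst):
    """One-line summary of what happens to a packet under a given rule order."""
    rule, natted = apply_srcnat(chain, src, dst)
    verdict = "encrypted" if enters_tunnel(chain, src, dst) else "NOT in tunnel"
    return f"{src} -> {dst}: hit {rule}, leaves as {natted}, {verdict}"


if __name__ == "__main__":
    # Constructed sample packet from the extra subnet to the remote subnet.
    for label, chain in (("masquerade first", [MASQUERADE, SRC_NAT]),
                         ("src-nat first", [SRC_NAT, MASQUERADE])):
        print(f"{label}: {report(chain, '192.168.4.25', '192.168.2.10')}")
```
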