Hello,

I need help with the following task. I have 3 routers (see scheme). EdgeRouter X is already configured, IPS of LAN2 and LAN3 are accessible from LAN1. 192.168.1.1 (LAN1) is not accessible from LAN2 and LAN3. How to configure MikroTik routers to access the EdgeRouter's LAN?
Thanks.

Add a route in each mikrotik for the 192.168.1.0/24 and gateway the WAN IP of the Edge rourer...

Add a route in each mikrotik for the 192.168.1.0/24 and gateway the WAN IP of the Edge rourer...

I guess that won't be enough: if it works now (without any additional routes on Mikrotiks) in one direction, then it means NAT is being performed either on UBNT, or on Mikrotiks, or everywhere.
An that means adding the routes alone won't solve the problem.

Edge router does not know where 2.0 and 3.0 are...
So since it communicated with them someone has manually configured it.. Thats why there is a one direction communication...
Ofcorse there might be other reasons too...
But i don't see your suggestions XVO

Edge router does not know where 2.0 and 3.0 are...
So since it communicated with them someone has manually configured it.. Thats why there is a one direction communication...
Ofcorse there might be other reasons too...

Sure. But to get a response back without manually configured routes on mikrotik, there has to be NAT involved.

But i don't see your suggestions XVO

My suggestion was quite clear - keep in mind NAT settings.

You guys are clairvoyant and have far better networking acumen than me (as I have proven many times) because the diagram is not so clear for me.
The way it reads for me is that the ISP traffic comes in on the HAPACS with each having their own LANS, which then feed into ports on the edgerouter (which does not seem to have any ISP provider connections WAN comes from hapacs).

Since the chap mentions all as routers I am assuming that the Edgerouter gets ISP1 traffic through hapac2 on network of hapac and ISP2 traffic through hapac3 on the network of hapac3.........
These are WAN inputs to the edge which has is its own lan. The edge router load balances the two WAN connection (one each from hap acs) for its own network.

So the questions I have are.
a. do the hapacs actually need their own LAN network (is anything actually attached to them (devices/users)??
b. my favourite question, why not use vlans
c. is this not simply a question of how to route the traffic from the ISP through the hapacs to the "wan" inputs on the edgerouter.
d. if c is true then we can dispense with NAT on the hapacs (assuming no need for lans on hapacs?

Just a few thoughts to demonstrate I IS CONFOOSED.

Sure. But to get a response back without manually configured routes on mikrotik, there has to be NAT involved.

You re right on that...

Here is the schematics. I have access from PC1 to any networks (R1, R2 and R3). I need access from PC2 to R1 network.

Hm...
If i catched this correct... all you need to do is add a static route on mikrotik for R1 network.
Remember to configure firewall of edgerouter to accept connections from wan interface

If the missing route was the only change needed, then PC1 wouldn't be able to access PC2 right now because PC2's replies wouldn't get routed back via R1 ... so my guess is that R1 performs SRC-NAT when reaching out to R2 or R3 and PC2 doesn't actually see PC1's address but rather R1_WAN1 address. If that's so, OP would have to reconsider where to actually perform NAT and for which destinations ...

But that's just guessing without actually seeing R1's config.

I think i found the problem...
When PC1 tries to reach PC2 then the trafiic gets src-nated with the routers Wan 1 address.So 192.168.1.11 (PC1) -> src-nat to routers address lets say 192.168.2.1 -> 192.168.2.22 (PC2)
When the packet returns from PC2 it will go to 192.168.2.1 the router wiill remove the src-nat applied before and finally 192.168.1.11 (PC1) gets his answer from 192.168.2.22 (PC2)...

However, the other way around, when PC1 starts a communication with PC2 then 192.168.2.22 (PC2) will reach 192.168.1.11 (PC1) but on the way back PC2 will get an answer because of the masquerade from the router 192.168.2.1 and not from 192.168.1.11 as it expected thus marking the connection invalid and dropping it.

I would still want to ask the user requirements without any talk of config or devices.

a. What are the use cases of users on LAN2 (hap2)
b. What are the use cases of users on LAN3 (hap3)
c. What are the use cases of users on LAN2 (Edgerouter).

In other words what do they need to do their work
- access to any other networks (or other specific network devices such as servers, printers.
- access to the internet??
- access to wifi

ANY Guest users requiring access?

+++++++++++++++++++++++++
On the config side, why bother with the edgerouter as a third router (is their a specific reason for introducing this unit)?
I mean one could use it as a main router accepting both ISPs and simply use the hapacs as smart switches and access points for example.
Or simply use the edgerouter as a smart switch............

a. What are the use cases of users on LAN2 (hap2)
b. What are the use cases of users on LAN3 (hap3)
c. What are the use cases of users on LAN1 (Edgerouter).

EdgeRouter X is connected to 3 ISP (2x Ethernet ISP via routers and 1 Cable ISP) and 2 clients (these clients must have Internet at any cost).

I had D-Link and Asus routers, but they are too old and slow and hangs too often. So I replaced the old routers with MikroTik routers.

hap2 - 10-15 WiFi clients and 3 Ethernet clients
hap3 - 2 Ethernet clients, Backup WiFi
No Guest users.

@overseerua did read me previous post ?
Remove the src-nat for subnets 192.168.2.0/24 and 192.168.3.0/24 when those subnets are the destinations.
You can try this and let us know...

Remove the src-nat for subnets 192.168.2.0/24 and 192.168.3.0/24 when those subnets are the destinations.

Sorry, I didn’t understand how to do this?

Remove the src-nat for subnets 192.168.2.0/24 and 192.168.3.0/24 when those subnets are the destinations.

Sorry, I didn’t understand how to do this?

I can not help you on how to configure an Edge router...

SOLUTION

MT1:
Add route 192.168.1.0/24 192.168.2.87

MT2:
Add route 192.168.1.0/24 192.168.3.55

ERX: Firewall/NAT -> Firewall Policies
WAN_IN drop --> accept
WAN_LOCAL drop --> accept

So you added the routes and what else?

So you added the routes and what else?

Whitelisted WAN_IN and WAN_LOCAL traffic in the ERX Firewall.

Are you sure ? If it was the firewall then when you tried to access Lan 2/3 from Lan 1 you would still get blocked when Lan 2/3 replied and there would be no communication.
But you said you could access Lan 2/3 from Lan 1...!

But you said you could access Lan 2/3 from Lan 1...!

I had access to both MikroTiks, not sure about the whole networks. But now I have access to ERX.