Hi, I have two ROS router, and one isp network.

ISP: 192.168.1.1/24 -> 0.0.0.0/0
Can not add static route.

ROS1, CCR1009:
Eth1: 192.168.1.111 # Link ISP Eth1
Eth2: 10.0.1.0/24 DHCP # ip=10.0.1.1
/ip firewall nat:
Firewall 1: action=accept dst-address=10.0.0.0/8
Firewall 2: action=masquerade out-int-list=wan
/ip route:
Route 1: dst=0.0.0.0 gw=192.168.1.1
Route 2: dst=10.0.2.0 gw=192.168.1.222

ROS2, RB4011:
Eth1: 192.168.1.222 # Link ISP Eth2
Eth2: 10.0.2.0/24 DHCP # ip=10.0.2.1
/ip firewall nat:
Firewall 1: action=accept dst-address=10.0.0.0/8
Firewall 2: action=masquerade out-int-list=wan
/ip route:
Route 1: dst=0.0.0.0 gw=192.168.1.1
Route 2: dst=10.0.1.0 gw=192.168.1.111

C:\Users\<UserName>>tracert -d 10.0.2.1 # Computer IP 10.0.1.200
Tracing route to 10.0.2.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.0.1.1
2 * * * Request timed out.
3 * * * Request timed out.

Thanks and waiting answer!

You will have to change the masquerade rules and add: dst.address = !10.0.0.0/8 to them (note the ! which means NOT)

You will have to change the masquerade rules and add: dst.address = !10.0.0.0/8 to them (note the ! which means NOT)

Thanks a lot, I had try this way, have no effect.
I can not link ros1 and ros2's Eth3, over 200m.

1) Is there anything in /ip firewall filter?
2) Where Eth3 comes from? It wasn't mentioned in original post.

1) Is there anything in /ip firewall filter?
2) Where Eth3 comes from? It wasn't mentioned in original post.

Thank you Sob.
1. Filter list is empty.
2. Link two devices Eth3 is fastest way to route, but the distance is over 200 meters, unable to connect wired.

Does it mean that packets need to go through ISP's network? Can you ping between 192.168.1.111 and 192.168.1.222?

Does it mean that packets need to go through ISP's network? Can you ping between 192.168.1.111 and 192.168.1.222?

ISP router can not setting static router and can not modified anything, just internet connect. Under ros1 I can ping 192.168.1.222, under ros1 I can ping 192.168.1.111.

I'll disable nat to test where has problem, nat setting or route. Thanks for your reply.

I'm not sure how exactly it's connected, if ISP's router is just one device or different devices with same address (based on the mentioned distance). In any case, if packets need to go through ISP's router, they can be blocked or redirected somewhere else. You can solve it using some tunnel between routers (IPSec, other VPN, IPIP, ...).

I'm not sure how exactly it's connected, if ISP's router is just one device or different devices with same address (based on the mentioned distance). In any case, if packets need to go through ISP's router, they can be blocked or redirected somewhere else. You can solve it using some tunnel between routers (IPSec, other VPN, IPIP, ...).

Dear Sob, the ISP Router have some limited, and I can not route to another ip address.

ROS1 Eth1: 192.168.1.111 / 10.255.255.1
ROS2 Eth2: 192.168.1.222 / 10.255.255.254

ROS1 ping 10.255.255.254 is timeout, and add a non-manager switch, ping return 1ms.

So, I'm using IPSec now, thanks for your help, have a good day.

I assumed that you would have "switch" functionality between the two ports of the ISP router. So no routes would be required.
When it actually is some software bridge with filters, indeed it will not work without tricks like VPN.
But in that case you may consider adding a switch in front of the ISP router, as it may affect your performance as well.

That's the thing, I don't think there's much to see in configs from these routers.