 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

How can I change the internet gateway metric?

Fri Mar 06, 2020 1:27 am

Hi mates, I have a particular situation,
let's call the local subnet A, the internet subnet (ethernet1) B, and another local network (ethernet5) C.
The network C is the network of videosurveillance, which has another internet gateway, instead of reaching it passing through internet providers I've decided to connect it to my Mikrotik and NAT any request from A to C with the C Mikrotik IP address as source, when I try to reach directly a C address. Works good, there is no need of routing specifications because the subnet C is directly connected to Mikrotik and it knows what to do.

Now there is another network D connected by another Mikrotik to network C, the C IP source can reach D and D is able to reply directly to C without NAT.
I tried to create a static route to tell Mikrotik that D is reachable outputting to the bridge (I created for) network C (I've tried also to choose directly ethernet 5 as output), I've also added another source NAT that differs from the "A to C" only about the destination address, it is "A to D" (I guess is better to specify the source subnets, to avoid any problems, but probably not necessary because router already knows by route tables that aren't packets to send to internet).
Doesn't work, I tried then to sniff packets, I started a vnc session from A to D (used directly D as destination), it doesn't log anything.
I think it happens because I have metric 1 to the internet gateway (ethernet 1) with subnet 0.0.0.0, and metric 1 for the D subnet in the route tables. Theoretically Mikrotik should consider smaller subnets more priority, but "D route" is the last of the list, maybe it gives priority to the first of the list. I can't change the metric of internet to 2 for example, it is grayed out, and I can't move the order of entries, I'm afraid that Mikrotik will output the D destination address packets to the internet instead of ethernet5, how can I solve this?
Thank you
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: How can I change the internet gateway metric?

Mon Mar 09, 2020 5:09 pm

Hopefully somebody may help, thank you
 
BartoszP
Forum Guru
Posts: 2879
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: How can I change the internet gateway metric?

Mon Mar 09, 2020 5:28 pm

Make a drawing and post it. One picture sometimes tells more than thousands of words.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: How can I change the internet gateway metric?

Mon Mar 09, 2020 11:25 pm

Measure the gate in imperial, then convert the numbers to metric and build a new gate based on the metric figures, voila :-)

Just joking, add a diagram, will make understanding what you want better
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: How can I change the internet gateway metric?

Tue Mar 10, 2020 12:07 am

"I've also added another source NAT that differs from the "A to C" only about the destination address, it is "A to D""

I hope you only added an IP route to the D network, not a source NAT to a D network address. The source NAT should still translate to a C network address to reach the D network address.

source = A network address - NAT - C network address - router - C network address
destination = D network address - NAT - D-network address - router - D network address (unchanged over the whole path!)
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: How can I change the internet gateway metric?

Tue Mar 10, 2020 12:16 am

I can't change the metric of internet to 2 for example, it is gray out

How come it is greyed out? Is it a default route from DHCP? You probably cannot change that value in the routing table, but at the spot where that default route is created (e.g. DHCP client / default route distance). Never seen greyed out routing paths, not even with DHCP client.

More specific routes have priority over more general. Try Traceroute to follow the path.
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: How can I change the internet gateway metric?

Tue Mar 10, 2020 12:46 am

Thank you all mates for your kind replies :)
I attach the scheme

I hope you only added an IP route to the D network, not a source NAT to a D network address. The source NAT should still translate to a C network address to reach the D network address.

source = A network address - NAT - C network address - router - C network address
destination = D network address - NAT - D-network address - router - D network address (unchanged over the whole path!)
I've added both, the route because the router should know that D network .88 is reachable through Eth5 (I tried set output interface Eth5 or the bridge name I created for Eth5 (I excluded eth5 from the default bridge where are all eth ports) with no success), and the NAT because the other router doesn't know where to route the return packets to network A .1, and unfortunately I can't change its configuration.

So yes, the NAT I've created it should work like this:
source = A network address - NAT - C network address - router - C network address
destination = D network address - NAT - D-network address - router - D network address
I've used srcnat, so the destination shouldn't be touched.

The problem I think is that the first mikrotik doesn't output the packet to Eth5, but according to the first line of router table it will output to Eth1 0.0.0.0/0 with metric 1. In the end of route table there is the line for 88.0 to Eth5 (or the bridge of eth5) and it has the same metric 1, and of course I can't change it to 0. Do you guarantee me that even if it is the last line it will have priority comparing to the default gateway in first line just because it is smaller subnet?

I'm afraid I can't test it with traceroute because it generates ICMP packets (if I remember correct) and these packets will not be NATed out, the only way I have is sniff network on one host on network D and see if any SYN packet is coming. If yes then the problem is on return path.

How come it is greyed out? Is it a default route from DHCP? You probably cannot change that value in the routing table, but at the spot where that default route is created (e.g. DHCP client / default route distance). Never seen greyed out routing paths, not even with DHCP client.
I'm afraid I don't understand this, I don't think dhcp can influence here, I mean the host on subnet A is sending a packet for an unknown (not directly connected) network to the MAC of gateway, mikrotik router, which should route to eth5.. I don't see problems here.
The "grayed out" parameter is in router table, I can't change the default gateway metric, it's set to 1 and gray. Setting it to 2 would clear my concerns if the router is forwarding my packet on gateway eth1 too..
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: How can I change the internet gateway metric?

Tue Mar 10, 2020 2:17 am

As you can ping 8.8.8.8 which is Google on Internet, ICMP is src-natted just like TCP or UDP or it wouldn't work.

Your route to network D should have the router of network C as gateway, not just ether5 as interface.
Gateway probably is the "another mikrotik".

"Mikrotik LAN A" just has an IP address in the 192.168.24.0/24 network. It cannot find out by itself what in that network is the gateway.
IP route in "Mikrotik LAN A" should be something like " distance=1 dst-address=192.168.88.0/24 gateway=192.168.24.1"
The "Mikrotik LAN A" will know that the 192.168.24.0/24 network is connected to its ether5 port as it has an IP address there, and so it will find the gateway.

Other IP routes in C and D for A are not needed, as the NAT is masquerading the existence of the A network.
Devices in the C and D network must know their gateway. They probably get this through DHCP from "another mikrotik" DHCP servers.
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: How can I change the internet gateway metric?

Tue Mar 10, 2020 1:37 pm

Thank you for answer,
when I've made srcnat I should specify a protocol, the field was in red, and I typed tcp. ICMP wasn't in the list, I don't know why..
Yes I've confirmed you I typed as gateway the Mikrotik IP address I assigned for Eth 5, the one I'm using to NAT to the C subnet, and there it works.

I've done several experiments, using as gateway bridge (eth1), eth1, videosorveglianza (the bridge on eth5), eth5 and with preferred IP address 192.178.24.253 (which is the IP of Mikrotik for subnet C) and 192.168.1.1, and I have no SYN packet received on the target .88.242, and no route when I sniff the packets.
In my opinion the packet output to eth1, because of route 0.0.0.0 metric 1.
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: How can I change the internet gateway metric?  [SOLVED]

Tue Mar 10, 2020 2:30 pm

Hi, I'm a bit confused with the complexity of your settings.

1. IP routing: The routing to 192.168.88.0/24 is still towards an interface, that is only good for local traffic at that interface, it must be towards the gateway (the IP address of the "other Mikrotik") to be able to go further than the local subnet. Your sixth route rule is wrong. (It's the only one that is not dynamic/automatic.)

2. src NAT to 192.168.24.253. What is this? Please delete.

3. Your source NAT rules are very restricted, and therefore complex and many. Don't specify source and destination addresses, don't specify protocol. Leave it all blank. Just the outgoing interface (as you did) and the action is "masquerade". Just like the default NAT rule, that uses the WAN interface list as outgoing interface.
That one NAT rule is all that is needed. (Put "Videosorveglianza" in the WAN interface list, or replace WAN in the NAT rule by "Videosorveglianza".)

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
Klembord-2.jpg
Klembord-4.jpg
4. Last routing image. NO, ether5 is NOT the Gateway for this route. It will not work with "ether5" or other interface. You need to give the gateway=router to get further than the 192.168.24.0/24 network. It must be like your first routing rule, that one has also a gateway defined (10.95.144.1) not the interface!

This is MY installation, please replace the IP addresses with yours
192.168.0.0/16 -> 192.168.88.0/24
192.168.187.2 -> 192.168.24.xxxx (I do not know the ip address of "other Mikrotik", probably is 192.168.24.1)

Klembord-6.jpg
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: How can I change the internet gateway metric?

Wed Mar 11, 2020 1:36 am

Thank you a lot for your patience ) tomorrow I'll try it.
Reading you I understood a stupid mistake I did, to which MAC address should the mikrotik direct the subnet D packet? This is not an answer that ARP table of network C can tell, I forgot to specify the next hop.
I'll post soon )
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: How can I change the internet gateway metric?

Wed Mar 11, 2020 6:12 pm

Thank you, you opened my eyes on the next hop mistake, I've just corrected it and route worked, suddenly I've got answer from host on network D!
I'll leave the config like I did but I'll try to answer your questions, inside your quote:
Hi, I'm a bit confused with the complexity of your settings.

1. IP routing: The routing to 192.168.88.0/24 is still towards an interface, that is only good for local traffic at that interface, it must be towards the gateway (the IP address of the "other Mikrotik") to be able to go further than the local subnet. Your sixth route rule is wrong. (It's the only one that is not dynamic/automatic.)

Thanks, I put the other Mikrotik IP on the side of network C and it worked.

2. src NAT to 192.168.24.253. What is this? Please delete.
It's the first nat I've created to reach host on network C, I need it

3. Your source NAT rules are very restricted, and therefore complex and many. Don't specify source and destination addresses, don't specify protocol. Leave it all blank. Just the outgoing interface (as you did) and the action is "masquerade". Just like the default NAT rule, that uses the WAN interface list as outgoing interface.
That one NAT rule is all that is needed. (Put "Videosorveglianza" in the WAN interface list, or replace WAN in the NAT rule by "Videosorveglianza".)

You probably are right, just need to create a simple rule, anyway I prefer to specify the source addresses and destinations to avoid any possible unwelcome access or loss of packets.

4. Last routing image. NO, ether5 is NOT the Gateway for this route. It will not work with "ether5" or other interface. You need to give the gateway=router to get further than the 192.168.24.0/24 network. It must be like your first routing rule, that one has also a gateway defined (10.95.144.1) not the interface!

As the point1, it solved all )))
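
Added example (not part of any post in this thread, and not MikroTik's code): a small Python model of the two points the thread settles, that route selection is by longest prefix and then distance rather than list order, and that an interface-only route makes the router ARP for the off-link destination itself. The function names are hypothetical, the ether1 prefix length is assumed, and 192.168.24.1 is the gateway address bpwl guessed for the "other Mikrotik".

```python
import ipaddress

# Constructed model of "Mikrotik LAN A" using the thread's addresses.
# Assumption: ether1 is a /24; the thread only gives its gateway 10.95.144.1.
CONNECTED = {
    "ether1": ipaddress.ip_network("10.95.144.0/24"),
    "ether5": ipaddress.ip_network("192.168.24.0/24"),
}

def make_table(d_gateway):
    """Static routes as (dst, distance, gateway); the D route is deliberately listed last."""
    return [
        ("0.0.0.0/0", 1, "10.95.144.1"),
        ("192.168.88.0/24", 1, d_gateway),
    ]

def lookup(table, dst):
    """Longest prefix wins, then lowest distance; position in the list plays no part."""
    addr = ipaddress.ip_address(dst)
    # Connected networks behave like distance-0 routes out of their own interface.
    routes = table + [(str(net), 0, iface) for iface, net in CONNECTED.items()]
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[1]),
               default=None)

def resolve(table, dst):
    """Return (out interface, address the router ARPs for, True if that address is on-link)."""
    route = lookup(table, dst)
    if route is None:
        return None
    gateway = route[2]
    if gateway in CONNECTED:
        # Interface-only route: the router ARPs for the destination itself on that wire.
        iface, arp_target = gateway, ipaddress.ip_address(dst)
    else:
        # Gateway route: find the connected network holding the gateway, ARP for the gateway.
        arp_target = ipaddress.ip_address(gateway)
        iface = next((i for i, n in CONNECTED.items() if arp_target in n), None)
    on_link = iface is not None and arp_target in CONNECTED[iface]
    return iface, str(arp_target), on_link

if __name__ == "__main__":
    for gw in ("ether5", "192.168.24.1"):
        print("D via", gw, "->", resolve(make_table(gw), "192.168.88.242"))
    print("internet ->", resolve(make_table("192.168.24.1"), "8.8.8.8"))
```

In both cases the /24 route is chosen over 0.0.0.0/0 even though it is last in the list; only the gateway form yields an ARP target that actually exists on the 192.168.24.0/24 segment.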
