WAN and LAN are simple: WAN is connected to the internet and LAN is my network with my devices.
VLAN10 is a network which belongs to a third-party company. I am given a static IP on this network (in my example: '192.168.55.1') and I treat communication to this network differently. I `src-nat` with action `masquerade` traffic to it, and I allow devices from this network to access specific services on my network using dst-nat (on port 6080 in my config).
See the exported config (with some obfuscation):
admin@MikroTik] > export
# may/22/2022 08:39:16 by RouterOS 7.1.5
# software id = 0XLH-2FI8
#
# model = RB922UAGS-5HPacD
# serial number = ******
# Review notes below are "#" comment lines only; every configuration statement is unchanged.
/interface lte
set [ find ] allow-roaming=yes name=lte1
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
# wlan1 sets no security-profile=, so it uses the "default" profile
# (wpa2-psk, see /interface wireless security-profiles below).
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-XX country="united states" disabled=no installation=outdoor mode=ap-bridge rx-chains=0,1 ssid=nt-main tx-chains=0,1
/interface vlan
# VLAN10 (third-party network) and VLAN20 are both tagged sub-interfaces of ether1.
# ether1 itself stays untagged and keeps the defconf address (see /ip address).
add interface=ether1 name=VLAN10 vlan-id=10
add interface=ether1 name=VLAN20 vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] apn=wbdata use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=guest supplicant-identity=MikroTik
/interface wireless
add mac-address=4A:8F:5A:61:6D:11 master-interface=wlan1 name=wlan2 security-profile=guest ssid=nt-guest-ofir wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp-wlan1 ranges=10.7.0.100-10.7.0.254
add name=dhcp-ether-vlan20 ranges=10.5.0.100-10.5.0.254
add name=dhcp-wlan2 ranges=10.7.11.100-10.7.11.254
/ip dhcp-server
add address-pool=dhcp-wlan1 interface=wlan1 name=dhcp2
add address-pool=dhcp-ether-vlan20 interface=VLAN20 name=dhcp1
add address-pool=dhcp-wlan2 interface=wlan2 name=dhcp3
/port
set 0 baud-rate=auto name=usb1
/interface list member
# Membership: LAN = wlan1, wlan2, VLAN20; WAN = lte1. Neither VLAN10 nor untagged
# ether1 is in a list, so the in-interface-list rules in the filter chains do not
# match them; VLAN10 is covered by explicit in-interface rules, untagged ether1 is not.
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=VLAN20 list=LAN
add interface=lte1 list=WAN
/interface lte settings
set mode=mbim
/ip address
# NOTE(review): 192.168.88.1/24 (defconf) is still bound to untagged ether1, the same
# physical port that carries VLAN10. No filter rule below references ether1, so
# untagged frames on that port reach the input and forward chains unrestricted;
# if the port is only used as a VLAN trunk, removing or filtering this address
# is worth considering.
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=10.5.0.1/24 interface=VLAN20 network=10.5.0.0
add address=10.7.0.1/24 interface=wlan1 network=10.7.0.0
add address=10.7.11.1/24 interface=wlan2 network=10.7.11.0
# The router's own address on the third-party network; only this /24 is directly
# connected, anything else on VLAN10 needs an explicit route (see /ip route).
add address=192.168.55.1/24 interface=VLAN10 network=192.168.55.0
/ip dhcp-server network
add address=10.5.0.0/24 gateway=10.5.0.1 netmask=24
add address=10.7.0.0/24 gateway=10.7.0.1 netmask=24
add address=10.7.11.0/24 gateway=10.7.11.1 netmask=24
/ip dns
# allow-remote-requests=yes exposes the resolver on every interface that the input
# chain does not drop: wlan1, VLAN20 and untagged ether1 (WAN, wlan2 and VLAN10
# are dropped below).
set allow-remote-requests=yes
/ip firewall filter
# Rules are evaluated top to bottom, first match wins. The ICMP accept comes before
# the per-interface input drops, which is why VLAN10 and wlan2 hosts can still ping
# the router.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface-list=WAN
# fasttrack is left disabled here, so forwarded packets always traverse the full
# filter chain.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# wlan2 not ready
add action=drop chain=forward comment="drop all from guest network not going to WAN" in-interface=wlan2 out-interface-list=!WAN
# wlan2 not ready
add action=drop chain=input comment="drop input from guest network" in-interface=wlan2
# VLAN10 policy: no router services (input drop), and LAN reachable only through
# the dst-nat rules (forward drop of new, non-dstnat connections). Both rules match
# on in-interface only, not on source address, so packets from sources outside
# 192.168.55.0/24 are accepted here just the same; the symptom described in the
# post (reachable once a route is added) points at the return path, not at these rules.
add action=drop chain=input in-interface=VLAN10
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=VLAN10
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Source NAT rewrites traffic leaving via VLAN10; replies to connections that
# arrived from VLAN10 still follow the routing table back to the original source
# address, so that address needs a route.
add action=masquerade chain=srcnat out-interface=VLAN10
# NOTE(review): both dst-nat rules match only in-interface, protocol and dst-port;
# there is no dst-address, so tcp/6080 and tcp/6081 to any destination address
# arriving on VLAN10 is redirected to 10.5.0.222. Adding dst-address=192.168.55.1
# would restrict the redirect to traffic actually addressed to this router.
add action=dst-nat chain=dstnat comment="intersection manager UI" dst-port=6080 in-interface=VLAN10 protocol=tcp to-addresses=10.5.0.222 to-ports=6080
add action=dst-nat chain=dstnat comment="intersection manager BE API" dst-port=6081 in-interface=VLAN10 protocol=tcp to-addresses=10.5.0.222 to-ports=6081
/ip route
# Host routes for two third-party addresses via 192.168.55.22 (a next hop inside
# VLAN10). Per the post, adding such a route is what makes a source outside
# 192.168.55.0/24 reachable, consistent with replies otherwise having no path
# back into VLAN10.
add disabled=no dst-address=10.40.40.40 gateway=192.168.55.22 routing-table=main suppress-hw-offload=no
add dst-address=10.41.41.41/32 gateway=192.168.55.22
/system clock
set time-zone-name=Europe/London
/system logging
add topics=lte
/system package update
set channel=long-term
Now if the third-party device is in CIDR 192.168.55.0/24 everything works as expected (the device can ping and has access to my service on port 6080), but if the third-party device is in another CIDR, e.g. 10.41.41.41/32, it won't have access to my service on port 6080 or even be able to ping my router.
Adding a route to this address solves the issue. But I would like to somehow configure my router so that it can serve incoming traffic from VLAN10 even if the IP isn't in CIDR 192.168.55.0/24.
If, for example, I put a simple router in front of VLAN10 which src-nats (action masquerade) the incoming traffic from the third-party network to VLAN10, I won't have this problem, so I guess I want to do something similar without installing another router.
Is there a way to do this special type of masquerading, or another way to achieve access to my router regardless of the source IP on VLAN10?
Maybe I have used some wrong terminology; my apologies.
Thanks in advance