medooooooz
just joined
Topic Author
Posts: 19
Joined: Sat Feb 05, 2011 12:12 am

Access Mikrotik subnet from modem subnet

Sun May 05, 2024 4:38 am

I have a modem with IP 192.168.1.2, to which my home devices are connected with IPs like 192.168.1.2 and 192.168.1.3, etc.
I have a hAP ax Lite connected to the modem with IP 192.168.1.200 via interface WAN1, which hosts another network; the Mikrotik network has IPs like 10.0.0.2, 10.0.0.100, etc.

Mikrotik clients with IPs 10.0.0.XXX can access 192.168.1.XXX devices easily. The problem is I want modem clients with IPs 192.168.1.XXX to access Mikrotik subnet IPs 10.0.0.XXX without having to do port forwarding for each Mikrotik client and each port.

For example, if there's a client on the Mikrotik network hosting a LAN game on IP 10.0.0.100, I want 192.168.1.2 to be able to connect to the game via, for example, "connect 10.0.0.100" without the need for port forwarding, because sometimes I cannot find which ports need to be open, and sometimes games are hosted on different 10.0.0.XXX addresses.

On my modem, I've created a static route with
IP 10.0.0.0
Subnet 255.255.255.0
Gateway 192.168.1.200
 
rplant
Member
Posts: 342
Joined: Fri Sep 29, 2017 11:42 am

Re: Access Mikrotik subnet from modem subnet

Sun May 05, 2024 11:02 am

You could try the following:

1. Backup your current mikrotik config, because this may not work...

Change the Mikrotik's wan1 interface to be a Lan interface.
(Default config would involve removing from WAN interface list, and adding to LAN interface list)

Change the IP address on the Lan interface to be static 192.168.1.200/32 with a network IP of 192.168.1.1 (The Modem IP ??)
Set default gateway to be 192.168.1.1.

(So Mikrotik now has to go via Modem to connect to rest of 192.168.1.x IP addresses)

With luck this might (mostly) work.

All traffic from the 10.0.x.x side for 192.168.1.x will go via the Modem which will (hopefully) forward it onto the 192.168.1.x network.
And vice versa.

You may not be able to reliably access 192.168.1.200 from the 192.168.1.x network, (but you can probably access its 10.0.x.x ip address)

If this works, Add firewall rules to block access as required.
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: Access Mikrotik subnet from modem subnet

Sun May 05, 2024 12:23 pm

Wouldn't it be easier to add a forward rule that accepts traffic from the modem addresses to the LAN ones before the "drop all not coming from LAN"?
/ip firewall filter add action=accept chain=forward src-address=192.168.1.0/x dst-address=10.0.0.0/y
where x and y are the respective subnet masks of the subnets
 
LdB
Member Candidate
Posts: 164
Joined: Thu May 20, 2021 4:23 pm

Re: Access Mikrotik subnet from modem subnet

Sun May 05, 2024 2:18 pm

Perhaps let's make you understand the issue: the Mikrotik is the gateway to the 10.0.0.0/24 network.
Any traffic in that network ends up at the Mikrotik; it also happens to have a 192.168.1.200 address.
So anything in the 10.0.0.0/24 network can reach 192.168.1.xxx via 192.168.1.200.

Now consider a device on 192.168.1.xxx: it only knows the 192.168.1.xxx network; anything else it will forward to the gateway of 192.168.1.xxx, likely 192.168.1.1, which will be another router.
That second router will know nothing of 10.0.0.0/24, so it will try to jam it out the default route, probably to the internet.

The generic solution is simple: put a static route on the second router (192.168.1.1) so 10.0.0.0/24 traffic is routed to 192.168.1.200, AKA the Mikrotik:
static route 10.0.0.0/24 next-hop 192.168.1.200
The only other choice is to add the static route on each individual machine on the 192.168.1.xxx network.

You can't fix the problem on the Mikrotik because the traffic will never go to it; there is no route to it in the 192.168.1.xxx network.
 
jaclaz
Forum Veteran
Posts: 741
Joined: Tue Oct 03, 2023 4:21 pm

Re: Access Mikrotik subnet from modem subnet

Sun May 05, 2024 3:34 pm

@LdB
The OP did already add the static route to the modem (second router) for addresses 10.0.0.0/24 to 192.168.1.200 (the Mikrotik router).

The issue here seems to me that 192.168.1.200 is the IP of a WAN interface, so almost surely there is a firewall rule preventing connection from the WAN side, which - as TheCat12 stated - could be "anticipated" by an accept rule for traffic originating from 192.168.1.0/24 and with destination 10.0.0.0/24 placed before the generic !LAN drop rule.
 
rplant
Member
Posts: 342
Joined: Fri Sep 29, 2017 11:42 am

Re: Access Mikrotik subnet from modem subnet

Mon May 06, 2024 2:50 am

I trialled this at home, and it looks like TheCat12's solution is likely the correct one.

I connected to a device behind the Mikrotik, and the first couple of packets went via the main gateway,
then the main gateway set an icmp redirect for host, giving the ip address of the Mikrotik, and after that
my PC sent packets directly to the Mikrotik.
 
CGGXANNX
Member Candidate
Posts: 123
Joined: Thu Dec 21, 2023 6:45 pm

Re: Access Mikrotik subnet from modem subnet

Mon May 06, 2024 9:50 am

In addition to the static route on the modem that OP already created, and the firewall exception rule from @TheCat12 post, it might be a good idea to also change the current src-nat or masquerade (the one for NAT) rule on the MikroTik router to exclude the 192.168.1.0/24 range (by adding dst-address=!192.168.1.0/24 to the rule). That way NAT will no longer be involved when going from 10.0.0.0/24 to 192.168.1.0/24 because it's no longer needed.
 
medooooooz
just joined
Topic Author
Posts: 19
Joined: Sat Feb 05, 2011 12:12 am

Re: Access Mikrotik subnet from modem subnet

Mon May 06, 2024 5:46 pm

> Wouldn't it be easier to add a forward rule that accepts traffic from the modem addresses to the LAN ones before the "drop all not coming from LAN"?
> /ip firewall filter add action=accept chain=forward src-address=192.168.1.0/x dst-address=10.0.0.0/y
> where x and y are the respective subnet masks of the subnets

I've already done this, which really makes sense; I even checked with ChatGPT if it's correct before making this thread.

This is what I really want to do if it helps or makes sense
Untitled Diagram.png
 
medooooooz
just joined
Topic Author
Posts: 19
Joined: Sat Feb 05, 2011 12:12 am

Re: Access Mikrotik subnet from modem subnet

Mon May 06, 2024 5:49 pm

> You could try the following:
>
> 1. Backup your current mikrotik config, because this may not work...
>
> Change the Mikrotik's wan1 interface to be a Lan interface.
> (Default config would involve removing from WAN interface list, and adding to LAN interface list)
>
> Change the IP address on the Lan interface to be static 192.168.1.200/32 with a network IP of 192.168.1.1 (The Modem IP ??)
> Set default gateway to be 192.168.1.1.
>
> (So Mikrotik now has to go via Modem to connect to rest of 192.168.1.x IP addresses)
>
> With luck this might (mostly) work.
>
> All traffic from the 10.0.x.x side for 192.168.1.x will go via the Modem which will (hopefully) forward it onto the 192.168.1.x network.
> And vice versa.
>
> You may not be able to reliably access 192.168.1.200 from the 192.168.1.x network, (but you can probably access its 10.0.x.x ip address)
>
> If this works, Add firewall rules to block access as required.

I think this will definitely break other things I've configured prior. The static route and firewall filter rule make a lot more sense, but I've no idea why it doesn't work.
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: Access Mikrotik subnet from modem subnet

Mon May 06, 2024 5:55 pm

In that case an exported config would be needed because there could be something else blocking the connection:

/export file=anynameyouwish (minus sensitive information)
 
medooooooz
just joined
Topic Author
Posts: 19
Joined: Sat Feb 05, 2011 12:12 am

Re: Access Mikrotik subnet from modem subnet

Mon May 06, 2024 6:12 pm

> In that case an exported config would be needed because there could be something else blocking the connection:
>
> /export file=anynameyouwish (minus sensitive information)

Here you go, thank you a lot in advance.
Last edited by medooooooz on Wed May 08, 2024 7:22 am, edited 1 time in total.
 
CGGXANNX
Member Candidate
Posts: 123
Joined: Thu Dec 21, 2023 6:45 pm

Re: Access Mikrotik subnet from modem subnet

Mon May 06, 2024 9:06 pm

Can you try to put, as @TheCat12 mentioned,

/ip firewall filter 
add action=accept chain=forward src-address=192.168.1.0/24 dst-address=10.0.0.0/24 in-interface=WAN1

before the rule

/ip firewall filter
add action=drop chain=forward comment="Drop all other forward"

And then change the rule

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1

into

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1 dst-address=!192.168.0.0/24
 
medooooooz
just joined
Topic Author
Posts: 19
Joined: Sat Feb 05, 2011 12:12 am

Re: Access Mikrotik subnet from modem subnet

Tue May 07, 2024 2:51 am

> Can you try to put, as @TheCat12 mentioned,
>
> /ip firewall filter
> add action=accept chain=forward src-address=192.168.1.0/24 dst-address=10.0.0.0/24 in-interface=WAN1
>
> before the rule
>
> /ip firewall filter
> add action=drop chain=forward comment="Drop all other forward"
>
> And then change the rule
>
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface=WAN1
>
> into
>
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface=WAN1 dst-address=!192.168.0.0/24

Did that but still no luck.
I tried changing the NAT rule to exclude 192.168.1.0/24 instead of 192.168.0.0 as you typed too.
1.png
2.png
 
medooooooz
just joined
Topic Author
Posts: 19
Joined: Sat Feb 05, 2011 12:12 am

Re: Access Mikrotik subnet from modem subnet

Tue May 07, 2024 2:54 am

This is my static route from my modem from my ISP "Huawei EchoLife DN8245V-56 Home Gateway" too to confirm
Interface br0 is the bridged interface for all LAN ports in my modem by the way
static-route.png
 
LdB
Member Candidate
Posts: 164
Joined: Thu May 20, 2021 4:23 pm

Re: Access Mikrotik subnet from modem subnet

Tue May 07, 2024 4:55 am

My guess is the machine you are trying to ping in 10.0.0.xxx has a firewall
Open a terminal on the tick and try ping the machine you are trying to access 10.0.0.???
ping 10.0.0.??? src-address=192.168.1.200
Also do a traceroute from a machine in the 192.168.1.xxx range wherever it stops is where the problem is.
 
medooooooz
just joined
Topic Author
Posts: 19
Joined: Sat Feb 05, 2011 12:12 am

Re: Access Mikrotik subnet from modem subnet

Wed May 08, 2024 5:10 am

> My guess is the machine you are trying to ping in 10.0.0.xxx has a firewall
> Open a terminal on the tick and try ping the machine you are trying to access 10.0.0.???
> ping 10.0.0.??? src-address=192.168.1.200
> Also do a traceroute from a machine in the 192.168.1.xxx range wherever it stops is where the problem is.

This makes more sense for now, and I don't even know why I didn't do a tracert before!
For some reason it hops over to the ISP directly, so the static route in my modem must not be working, right?
tracert.png
 
CGGXANNX
Member Candidate
Posts: 123
Joined: Thu Dec 21, 2023 6:45 pm

Re: Access Mikrotik subnet from modem subnet  [SOLVED]

Wed May 08, 2024 7:06 am

If setting route on the Huawei device is ineffective, you can still manually add the specific route on your PC devices (route add or ip route add command depending on the OS).

If there are too many devices, or mobile devices with no easy way to add routes, you might try this "crazy" idea: Make the MikroTik device the DHCP server of the 192.168.1.0/24 side. The Huawei device still has the 192.168.1.1 address and still is the gateway. And the MikroTik device still has the 192.168.1.200 address. You turn off DHCP server on the Huawei device. Turn off DHCP client on the WAN interface of the MikroTik device. Still on the MikroTik device, configure static address 192.168.1.200/24 for the WAN interface. Add static default route 0.0.0.0/0 gateway 192.168.1.1. Configure DHCP server on the WAN interface, with network 192.168.1.0/24, Gateway 192.168.1.1, DNS server of your choice. On the MikroTik firewall, chain input, allow incoming request to UDP port 67 (because normally the WAN interface of the MikroTik router blocks incoming traffic).

At this moment, the MikroTik router acts as the DHCP server for the 192.168.1.0/24 LAN of the Huawei device. It still provides the default route information with 192.168.1.1 specified as gateway to the DHCP client. But now you have the ability, with DHCP options, to add additional routes for the DHCP clients. Namely an extra route with destination 10.0.0.0/24 gateway 192.168.1.200, using DHCP option 121 (classless static route). Look at the examples here:

https://help.mikrotik.com/docs/display/ ... CP-Example
https://www.jm.technology/post/mikrotik ... tic_final/

You'll need to specify both the default route for 0.0.0.0/0 gateway 192.168.1.1 and 10.0.0.0/24 gateway 192.168.1.200 using the Hex values as described by the links above. Or you can use this page to build the Hex strings for you:

https://www.medo64.com/2018/01/configur ... te-option/
dhcp-option-121.png
 
medooooooz
just joined
Topic Author
Posts: 19
Joined: Sat Feb 05, 2011 12:12 am

Re: Access Mikrotik subnet from modem subnet

Wed May 08, 2024 7:19 am

> If setting route on the Huawei device is ineffective, you can still manually add the specific route on your PC devices (route add or ip route add command depending on the OS).
>
> If there are too many devices, or mobile devices with no easy way to add routes, you might try this "crazy" idea: Make the MikroTik device the DHCP server of the 192.168.1.0/24 side. The Huawei device still has the 192.168.1.1 address and still is the gateway. And the MikroTik device still has the 192.168.1.200 address. You turn off DHCP server on the Huawei device. Turn off DHCP client on the WAN interface of the MikroTik device. Still on the MikroTik device, configure static address 192.168.1.200/24 for the WAN interface. Add static default route 0.0.0.0/0 gateway 192.168.1.1. Configure DHCP server on the WAN interface, with network 192.168.1.0/24, Gateway 192.168.1.1, DNS server of your choice. On the MikroTik firewall, chain input, allow incoming request to UDP port 67 (because normally the WAN interface of the MikroTik router blocks incoming traffic).
>
> At this moment, the MikroTik router acts as the DHCP server for the 192.168.1.0/24 LAN of the Huawei device. It still provides the default route information with 192.168.1.1 specified as gateway to the DHCP client. But now you have the ability, with DHCP options, to add additional routes for the DHCP clients. Namely an extra route with destination 10.0.0.0/24 gateway 192.168.1.200, using DHCP option 121 (classless static route). Look at the examples here:
>
> https://help.mikrotik.com/docs/display/ ... CP-Example
> https://www.jm.technology/post/mikrotik ... tic_final/
>
> You'll need to specify both the default route for 0.0.0.0/0 gateway 192.168.1.1 and 10.0.0.0/24 gateway 192.168.1.200 using the Hex values as described by the links above. Or you can use this page to build the Hex strings for you:
>
> https://www.medo64.com/2018/01/configur ... te-option/
>
> dhcp-option-121.png

YOU ARE A GODDAMN GENIUS!
Adding the route manually via CMD in Windows was the most I asked for!
route add 10.0.0.0 MASK 255.255.255.0 192.168.1.200
The thing is the routerboard is in my LAN center below my apartment and my personal PC is connected directly to modem outside Mikrotik network, I just wanted to VNC connect to my LAN center PCs or even play some LAN games with my friends and customers from the comfort of my home!

WOW! I cannot thank you enough! I guess it's time to buy a new modem and throw that ISP modem in the trash! They indeed locked the static routing and even if you add any static routes, they don't work and they are just cosmetic!
 
CGGXANNX
Member Candidate
Posts: 123
Joined: Thu Dec 21, 2023 6:45 pm

Re: Access Mikrotik subnet from modem subnet

Wed May 08, 2024 7:28 am

Great! But if you use Windows, don't forget the -p switch to make the extra route persistent across reboots!

route-add.png