MINnew321
just joined
Topic Author
Posts: 2
Joined: Fri Dec 30, 2022 1:02 pm

Allow access to IP over WAN

Fri Dec 30, 2022 1:26 pm

Hi,
Newbie here.

I have 2 x networks.
I get Internet from Network1 for Network2 over the WAN port.
I need access to PC X on Network1 from PC Y1 on Network2.
Can you please assist with the firewall rule that will be required to make this possible?
Thanks

[Edit]
I've attached the current config.
Note: The IPs used in this test environment in this config are slightly different from the image:

Network 1 - DHCP 192.168.77.0/24
Network 1 PC X - 192.168.77.116

Network 2 WAN - 192.168.77.114
Network 2 - DHCP 192.168.81.0/24
Network 2 PC Y1 - 192.168.81.254

I used the basic configuration setup as described here:
https://help.mikrotik.com/docs/display/ ... figuration
I have not added any firewall rule, as I tried to avoid accidentally blocking the access I'm trying to achieve.

/interface bridge
add name=local
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.81.2-192.168.81.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local name=dhcp1
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
/ip address
add address=192.168.81.1/24 interface=local network=192.168.81.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.81.0/24 dns-server=192.168.81.1 gateway=192.168.81.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Africa/Johannesburg
Last edited by MINnew321 on Tue Jan 03, 2023 9:27 am, edited 2 times in total.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Allow access to IP over WAN

Sun Jan 01, 2023 1:55 am

You gave us very little to go with. If you are asking about the Mikrotik, if it is configured with a fairly default config, you need to do nothing more. If you are asking about the other non-specified equipment, we can only guess.
If this is not working, we need more detail to go on. Export the config of the Mikrotik, and tell us what the unspecified equipment in network 1 is, and how it's configured.
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window,
and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section
and right click on the filename you created and select download in order to download the file to your computer.
It will be a text file with whatever name you saved to with an extension of .rsc. Open that file in your favorite
text editor and redact any sensitive information if desired / needed. Then in your message here, click the code
display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks
like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Allow access to IP over WAN

Sun Jan 01, 2023 1:52 pm

Hi,
First of all, I think that PC Y1 on subnet 192.168.2.0/24 needs to know how to get to subnet 192.168.0.0/24.
So, you must set a route rule in IP->Routes in your MK device.
Then you also need to set a firewall rule on the router/firewall which manages subnet 192.168.0.0/24 to enable access for every PC on subnet 192.168.2.0/24, or only for 192.168.2.2/24, your PC Y1.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Allow access to IP over WAN

Mon Jan 02, 2023 4:16 am

The fact of the matter is there is nothing you can do to help on the MT.
All traffic is source-NATted when it leaves the 192.168.2.1 gateway on Network 2 through the WAN port/WAN IP of the MT router, which you inconveniently omitted. Let's say it's 192.168.0.35.

Think of 192.168.0.50 as an external internet IP to reach.
The request from 192.168.2.2 leaves the MT router with an IP address of 192.168.0.35 (through source-NAT rules); it then hits the interface gateway of 192.168.0.1 on the unknown router.
If it was an external address, it would use rules existing for routes and DNS to get your traffic to the WWW, but in this case the router knows that the device is on a known internal subnet, in fact the same one the router is on, and the main router should simply move the traffic directly to .50. The return traffic would be sent back to the MT router, which appears to be the source. The MT router in turn would un-source-NAT the traffic back to the source and send the return traffic to 192.168.2.2.

In other words, it should work, so, as pointed out, it's what you are not telling us that matters. It does not appear there is any issue with the MT in this scenario.
Last edited by anav on Tue Jan 03, 2023 4:26 pm, edited 1 time in total.
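
The source-NAT round trip described in the post above, as an added example that is not part of the thread. It is a toy model of a masquerade rule with connection tracking, not RouterOS code; the addresses come from the thread's drawing (192.168.0.35 is the WAN IP assumed in the post), and the port numbers are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.2.0/24")      # Network 2 behind the MT router
WAN_IP = ip_address("192.168.0.35")     # WAN address assumed in the post above

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class MasqueradeRouter:
    """Toy model of 'chain=srcnat action=masquerade out-interface=ether1'."""
    def __init__(self):
        # (wan port, remote ip, remote port) -> (lan ip, lan port)
        self.conntrack = {}
        self.next_port = 40000          # constructed range for translated flows

    def outbound(self, pkt):
        """LAN -> WAN: rewrite the source to the WAN IP and record the flow."""
        if ip_address(pkt.src) not in LAN:
            raise ValueError("not a LAN source")
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[(wan_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(str(WAN_IP), wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> router: only replies to a tracked flow are translated back."""
        if ip_address(pkt.dst) != WAN_IP:
            return None                 # this model covers only WAN-IP traffic
        entry = self.conntrack.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None                 # unsolicited: no LAN host is mapped
        return Packet(pkt.src, pkt.sport, entry[0], entry[1])

def demo():
    r = MasqueradeRouter()
    # PC Y1 (192.168.2.2) opens a connection to PC X (192.168.0.50).
    seen_by_x = r.outbound(Packet("192.168.2.2", 51000, "192.168.0.50", 443))
    # PC X answers the address it saw, which is the router's WAN IP.
    reply = Packet("192.168.0.50", 443, seen_by_x.src, seen_by_x.sport)
    back_at_y1 = r.inbound(reply)
    # PC X starts a new connection towards the WAN IP: nothing is tracked.
    unsolicited = r.inbound(Packet("192.168.0.50", 4444, str(WAN_IP), 40000))
    return seen_by_x, back_at_y1, unsolicited
```

PC X only ever sees 192.168.0.35 as the peer, so any allow-list or log on Network 1 has to be written against the router's WAN address rather than PC Y1's own address.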
 
WinOS
just joined
Posts: 3
Joined: Mon Jan 02, 2023 10:42 am

Re: Allow access to IP over WAN

Mon Jan 02, 2023 12:09 pm

Assuming there is a reason to segment the LAN into Network 1 and Network 2 using a firewall, clients that sit behind the MikroTik on Network 2 should be able to access Network 1 -if- Network 1 is configured correctly. Normally this is done with a VPN or port forwarding.
 
MINnew321
just joined
Topic Author
Posts: 2
Joined: Fri Dec 30, 2022 1:02 pm

Re: Allow access to IP over WAN

Tue Jan 03, 2023 8:48 am

Hi k6ccc,
Thanks for the feedback.
I've edited my original post, and added the config.
Please also note that the IP ranges are slightly different from my production drawing, and my test setup.
It is all set out in the post.

I can confirm that with the current setup, I'm unable to ping from Network2-PC Y1 (192.168.81.254) -> to Network1-PC X (192.168.77.116)

[Edit]
I have found that 2 x of my devices in the test setup were blocking the pings, thus giving false results.
I can confirm that I am able to ping Network1 PC X from Network2 PC Y1.

1. If Network1 PC X had a static IP, and Router 192.168.0.1 was not there, is it possible to still reach PC X?
2. Is it possible to Ping Network2 PC Y1 -> from Network1 PC X without having access to the router in Network 1?
