Community discussions

MikroTik App
 
JYEB
just joined
Topic Author
Posts: 7
Joined: Mon Oct 04, 2021 11:43 pm

Network Routing

Tue Oct 05, 2021 12:08 am

Hi,

I am new to RouterOS and come from pfSense.
I am trying to route 1 network to the other.
The situation is main office network 192.168.10.0/24 (Mikrotik Router- 192.168.10.254) to Secondary user network 192.168.0.0/24 (Netgear router/not configurable- 192.168.0.1)
The Main office network needs to access a couple of devices on the secondary network but not vice versa.
The secondary network is simply patched into the main office via a "dumb" switch.

Any help would be greatly appreciated.
 
JYEB
just joined
Topic Author
Posts: 7
Joined: Mon Oct 04, 2021 11:43 pm

Re: Network Routing

Mon Oct 11, 2021 9:00 am

Hi,

I am new to RouterOS and come from pfSense.
I am trying to route 1 network to the other.
The situation is main office network 192.168.10.0/24 (Mikrotik Router- 192.168.10.254) to Secondary user network 192.168.0.0/24 (Netgear router/not configurable- 192.168.0.1)
The Main office network needs to access a couple of devices on the secondary network but not vice versa.
The secondary network is simply patched into the main office via a "dumb" switch.

Any help would be greatly appreciated.
I have managed to ping the 192.168.0.0 network from the Mikrotik router by adding an address of 192.168.0.254 into the config. However I still can not get the 192.168.10.0 subnet to talk to 192.168.0.0.
 
RhoAius
just joined
Posts: 9
Joined: Fri Jul 12, 2019 10:47 pm

Re: Network Routing

Mon Oct 11, 2021 9:26 am

If the Netgear router (Secondary user network) has a ip from the office network subnet(as a example 192.168.10.250 on WAN port)
You need to add a static route on the mikrotik router(main office network)
ip route add dst-address=192.168.0.0/24 gateway=192.168.10.250
ip firewall filter add chain=forward action=drop connection-state=new src-address=192.168.0.0/24 dst-address=192.168.10.0/24
In order for the secondary network to not have access to the office network you need to add a firewall filter on mikrotik router (move rule in the list as needed)
 
JYEB
just joined
Topic Author
Posts: 7
Joined: Mon Oct 04, 2021 11:43 pm

Re: Network Routing

Mon Oct 11, 2021 9:35 am

If the Netgear router (Secondary user network) has a ip from the office network subnet(as a example 192.168.10.250 on WAN port)
You need to add a static route on the mikrotik router(main office network)
ip route add dst-address=192.168.0.0/24 gateway=192.168.10.250
ip firewall filter add chain=forward action=drop connection-state=new src-address=192.168.0.0/24 dst-address=192.168.10.0/24
In order for the secondary network to not have access to the office network you need to add a firewall filter on mikrotik router (move rule in the list as needed)
Unfortunatly not the case.
The only address the secondary router has is 192.168.0.1/24
We only need to access one server (192.168.0.10) on this network, is there a way to map to the IP of this machine on the secondary network?
 
RhoAius
just joined
Posts: 9
Joined: Fri Jul 12, 2019 10:47 pm

Re: Network Routing

Mon Oct 11, 2021 11:01 am

The secondary network is simply patched into the main office via a "dumb" switch
Then a lan port from the netgear router is going to a "dumb" switch and then to the mikrotik router?
If there is a direct connection on L2 then on the mikrotik router add a ip from the secondary router class (example 192.168.0.2/24)

A network diagram would help.
 
JYEB
just joined
Topic Author
Posts: 7
Joined: Mon Oct 04, 2021 11:43 pm

Re: Network Routing

Mon Oct 11, 2021 11:30 am

A network diagram would help.
Attached is a basic drawing of the current network.
I added an IP address of 192.168.0.254 to the Mikrotik and can ping from the mikrotik to the Secondary network however i can not ping from the 192.168.10.0/24 network.
You do not have the required permissions to view the files attached to this post.
 
RhoAius
just joined
Posts: 9
Joined: Fri Jul 12, 2019 10:47 pm

Re: Network Routing  [SOLVED]

Mon Oct 11, 2021 11:54 am

So direct L2 connection.
Then we need to srcnat traffic because the netgear router does not know who 192.168.10.0/24 network is and we cannot change that(No Admin Ability)
So we can do:
ip firewall nat add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.0.0/24 out-interface=etherx action=masquerade

Where "etherx" is the interface connected to "Dumb Switch 1"
P.S. In this network topology you should be mindful of double DHCP and the fact that someone in the 192.168.0.0/24 network could "hop" on the 192.168.10.0/24 network and viceversa
 
JYEB
just joined
Topic Author
Posts: 7
Joined: Mon Oct 04, 2021 11:43 pm

Re: Network Routing

Mon Oct 11, 2021 12:20 pm

So direct L2 connection.
Then we need to srcnat traffic because the netgear router does not know who 192.168.10.0/24 network is and we cannot change that(No Admin Ability)
So we can do:
ip firewall nat add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.0.0/24 out-interface=etherx action=masquerade

Where "etherx" is the interface connected to "Dumb Switch 1"
P.S. In this network topology you should be mindful of double DHCP and the fact that someone in the 192.168.0.0/24 network could "hop" on the 192.168.10.0/24 network and viceversa
That Worked.
Knew there was a way, just was way off getting to such a solution.
Thanks a million, saved me hours for sure :D
 
JYEB
just joined
Topic Author
Posts: 7
Joined: Mon Oct 04, 2021 11:43 pm

Re: Network Routing

Mon Oct 11, 2021 12:42 pm

The next question, which maybe i need to start a new post for not sure, is.
Is it possible to reach the secondary network through a Site-Site VPN?
 
RhoAius
just joined
Posts: 9
Joined: Fri Jul 12, 2019 10:47 pm

Re: Network Routing

Mon Oct 11, 2021 1:05 pm

The next question, which maybe i need to start a new post for not sure, is.
Is it possible to reach the secondary network through a Site-Site VPN?
If the Site-to-Site connection is between the mikrotik router(main office) and another router then yes.
If the remote site will use different subnet, then another srcnat rule will be needed at the main office or the existing rule changed to fit the new requirements.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Network Routing

Mon Oct 11, 2021 2:49 pm

@RhoAius
edit: I am out in left field LOL
Last edited by anav on Mon Oct 11, 2021 4:36 pm, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
RhoAius
just joined
Posts: 9
Joined: Fri Jul 12, 2019 10:47 pm

Re: Network Routing

Mon Oct 11, 2021 4:07 pm

@anav
According to his posts the main office network is a mikrotik router that he has access to.
I do see now that the whole thing could be interpreted the other way around.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Network Routing

Mon Oct 11, 2021 4:36 pm

You are quite right, I was looking at the netgear as the router attached to the internet.
Silly me. Glad I was wrong, ignore my misplaced concerns.....
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
JYEB
just joined
Topic Author
Posts: 7
Joined: Mon Oct 04, 2021 11:43 pm

Re: Network Routing

Tue Oct 12, 2021 10:16 pm

Thanks for your help guys, has saved me a long and painful trial and error period.
Both of those worked re the VPN and the Local access.
Appreciate your help :)

Who is online

Users browsing this forum: Ahrefs [Bot], mgavrila2007 and 25 guests