johnjamesmarsh
just joined
Topic Author
Posts: 2
Joined: Sat Nov 06, 2021 11:05 am

Send Syslogs to internal Splunk server

Sat Nov 06, 2021 11:23 am

Hi,

My network has 2 MikroTik roof mounted 4G routers as the WAN with a PFSense firewall handling the internal traffic. I'm trying to get the syslogs from the MikroTik routers back to the Splunk server inside my network. I can see how to configure Splunk and tell the MikroTiks to send the data but I cannot work out how to route the internal address on the MikroTik routers. When ever I do a traceroute the traffic is sent out of the LTE network not routed internally.

MikroTik Vodafone - 192.168.88.1 - connects to PFSense on 192.168.88.252 (MikroTik DHCP)
MikroTik Three - 192.168.2.1 - connects to PFSense on 192.168.2.252 (MikroTik DHCP)

PFSense
WANVODAFONE - 192.168.88.252
WANTHREE - 192.168.2.252
LAN - 192.168.111.1
Splunk server - 192.168.111.108 (DHCP from PFSense)

Very much a newbie question. Can someone point me at the documentation for how to route the syslog traffic from the MikroTiks back to the Splunk server? I have done extensive searching but am obviously failing at Google
 
johnjamesmarsh
just joined
Topic Author
Posts: 2
Joined: Sat Nov 06, 2021 11:05 am

Re: Send Syslogs to internal Splunk server

Thu Nov 18, 2021 1:17 pm

Well I guess this is more difficult than I thought it would be. Does anyone know how to do this? Am I going about it in the wrong way?
 
sid5632
Long time Member
Posts: 554
Joined: Fri Feb 17, 2017 6:05 pm

Re: Send Syslogs to internal Splunk server

Thu Nov 18, 2021 2:20 pm

Presumably you just need to set a static route on each of the MikroTiks to tell them to send traffic for 192.168.111.0/24 (I presume, seeing as you haven't given any details of the subnet masks) to the PFSense device. At the moment the default route on them is sending out on the LTE because they have no knowledge of where else to send the traffic.
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Send Syslogs to internal Splunk server

Fri Nov 19, 2021 12:58 am

There are two threads in the "Useful User articles" section of the forum on using Splunk.
viewtopic.php?t=179960
And the older one
viewtopic.php?t=137338
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Send Syslogs to internal Splunk server

Fri Nov 19, 2021 8:42 am

The problem is not Splunk. It's the communication.

Make a map and show all devices involved and whether they NAT or do routing.

If you do NAT several times, then you need NAT rules, not routing rules.
Why do you need PFSense when you have Mikrotik with firewall?
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: Send Syslogs to internal Splunk server

Fri Nov 19, 2021 2:20 pm

Presumably you just need to set a static route on each of the MikroTiks to tell them to send traffic for 192.168.111.0/24 (I presume, seeing as you haven't given any details of the subnet masks) to the PFSense device. At the moment the default route on them is sending out on the LTE because they have no knowledge of where else to send the traffic.
This is the correct solution, and if you want to do this simply, you could try the following:

On the Vodafone Mikrotik, and assuming your LAN subnet is a /24:

    /ip route add dst-address=192.168.111.0/24 gateway=192.168.88.252 disabled=no

On the Three Mikrotik:

    /ip route add dst-address=192.168.111.0/24 gateway=192.168.2.252 disabled=no

You may also have to add a firewall rule (ip/firewall/filter) on the output chain to allow traffic to that Splunk IP through whatever interface is connected to your pfSense box, and allow the traffic through the pfSense box by altering its firewall forwarding chain if required.
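The whole configuration the thread arrives at, written out as one RouterOS script for the Vodafone router (this is an added example, not something posted in the thread or shipped by MikroTik). It uses the addresses from the first post and assumes the LAN is 192.168.111.0/24, that Splunk listens for syslog on UDP 514, and that the router's LAN-side address 192.168.88.1 is what you want to appear as the syslog source; for the Three router swap the gateway for 192.168.2.252 and the source address for 192.168.2.1.

```routeros
# Added example for the Vodafone MikroTik (not from the thread).
# Assumptions: LAN = 192.168.111.0/24, Splunk = 192.168.111.108 on UDP 514,
# pfSense WAN-side address = 192.168.88.252, router LAN-side address = 192.168.88.1.

# 1. Static route: without it the LTE default route swallows anything for 192.168.111.x
/ip route add dst-address=192.168.111.0/24 gateway=192.168.88.252 comment="LAN via pfSense"

# 2. Remote syslog action; pin src-address so every event arrives with the same host field
/system logging action add name=splunk target=remote remote=192.168.111.108 \
    remote-port=514 src-address=192.168.88.1

# 3. Ship the default topics plus firewall events; the memory buffer rules stay as they are
/system logging add topics=info action=splunk
/system logging add topics=warning action=splunk
/system logging add topics=error action=splunk
/system logging add topics=critical action=splunk
/system logging add topics=firewall action=splunk

# 4. Only needed if your output chain ends in a drop: allow router-originated syslog
/ip firewall filter add chain=output dst-address=192.168.111.108 protocol=udp dst-port=514 \
    action=accept place-before=0 comment="syslog to Splunk"

# 5. Verify: the route must be active and the trace must enter via pfSense, not the LTE side
/ip route print where dst-address=192.168.111.0/24
/tool traceroute 192.168.111.108
```

Two things on the pfSense side decide whether the packets actually arrive. The traffic enters pfSense on WANVODAFONE or WANTHREE, so those interfaces need a pass rule for UDP 514 from the router address to 192.168.111.108, and the "Block private networks and loopback addresses" option that pfSense enables by default on WAN-type interfaces will silently drop these RFC1918 sources unless it is unticked. Syslog over UDP is fire-and-forget, so nothing on the router tells you it was dropped; check the pfSense firewall log for blocks on UDP 514 before adjusting anything else.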
