roso
just joined
Topic Author
Posts: 5
Joined: Wed Jan 23, 2019 3:20 pm

Help with traffic routing

Wed Jan 23, 2019 4:00 pm

Hi, I need help solving an issue with traffic routing.

At Point A I have an external (other company) network with the following range: 192.168.242.0/29

At Point B I have a LAN network with the following range: 192.168.1.0/24

I have Point A (another router) on interface 1 of the MikroTik, and Point B (another switch) on interface 2.

I need the computers at Point B to be mapped to the range 172.16.0.0/24 (I have this done), which is the network that Point A accepts traffic from (the firewall drops traffic from any other IP). But I don't know what route I need to create to tell the MikroTik to route requests to 192.168.141.0 through interface 1.

Thanks for your help.
Last edited by roso on Thu Jan 24, 2019 10:36 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with traffic routing

Thu Jan 24, 2019 12:06 am

A labelled diagram would help sort out the puzzle post. :-)
 
roso
just joined
Topic Author
Posts: 5
Joined: Wed Jan 23, 2019 3:20 pm

Re: Help with traffic routing

Thu Jan 24, 2019 10:29 am

Hi anav,

Tell me if this is helpful.

Image0

I need the computers in the LAN (192.168.1.20, for example) to see and connect to servers in the network 192.168.242.X (192.168.242.232, for example).

The VPN tunnel is established and works perfectly (I can ping from the router in our network with IP "172.16.0.10" to the servers in the other network), but the problem is with the MikroTik. If I ping an IP in the 192.168.242.X network I get a timeout (from the MikroTik and obviously from the computers in the local network). I think the problem is with the routing from 172.16.0.0/24 to 192.168.242.0/29.

 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Help with traffic routing  [SOLVED]

Thu Jan 24, 2019 11:56 am

I don't see a reason for netmapping here.

You just need to add routes:

FW1:
dst-address=192.168.1.0/24 via VPN endpoint on Router1.

Router1:
dst-address=192.168.242.0/29 via VPN endpoint on FW1
dst-address=192.168.1.0/24 via 172.16.0.3 (MikroTik router)

MikroTik:
dst-address=192.168.242.0/29 via 172.16.0.10 (Router1)

And you should be ready to go.
-Chris
 
roso
just joined
Topic Author
Posts: 5
Joined: Wed Jan 23, 2019 3:20 pm

Re: Help with traffic routing

Thu Jan 24, 2019 2:12 pm

Hi Chris,

First of all, thanks for your answer.

I use the netmapping for security reasons because I don't want to use my local network (192.168.1.0/24) through the VPN tunnel, and the only way I found to change the original network is using netmapping to change the addresses of the computers. If I'm wrong, please tell me.

I tried using the route you mentioned on the MikroTik side and it is still not working.

Thanks for your help.
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Help with traffic routing

Thu Jan 24, 2019 2:16 pm

Setting the route only on one side of the network is not enough. Now your MTik machine knows it, but the two others still don't, so nothing will happen.
I don't understand your concerns about security - you established a VPN already, isn't this a sign of trust?
And be aware that netmapping still preserves the original source address - it is just a lump-sum dst-nat unless you added the corresponding src-nat rules as well.

Edit update:
In case you have the src-nat rule in place already, FW1 needs the route for 172.16.0.0/24 via tunnel endpoint on Router1 of course. Router01 should see the network as a connected route already.
And I'm almost certain that your MikroTik router has to have all the netmapped addresses from 172.16.0.0/24 on its interface 1 as well as all 192.168.1.0/24 addresses to be netmapped on its interface 2.

-Chris
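
The point made in the post above (every hop needs a route in both directions, and the far side only sees the netmapped source if src-nat is in place) can be checked with a small model. This is an added example, not part of the thread: the device names and prefixes come from the posts, while next hops are given as device names, the target host 192.168.242.2 is constructed, and layer-2 delivery on 172.16.0.0/24 is not modelled.

```python
import ipaddress

# Constructed model of the thread's topology (assumption: one entry per device).
CONNECTED = {
    "MikroTik": ["192.168.1.0/24", "172.16.0.0/24"],
    "Router1": ["172.16.0.0/24"],
    "FW1": ["192.168.242.0/29"],
}

# Route added on the MikroTik only, as in the first attempt.
ONLY_MIKROTIK = {"MikroTik": {"192.168.242.0/29": "Router1"}}

# Routes on all three devices for the netmapped (src-nat) setup.
FULL = {
    "MikroTik": {"192.168.242.0/29": "Router1"},
    "Router1": {"192.168.242.0/29": "FW1"},
    "FW1": {"172.16.0.0/24": "Router1"},
}

def netmap(ip, src_net="192.168.1.0/24", to_net="172.16.0.0/24"):
    """1:1 netmap: keep the host bits, swap the network bits."""
    src, to = ipaddress.ip_network(src_net), ipaddress.ip_network(to_net)
    offset = int(ipaddress.ip_address(ip)) - int(src.network_address)
    return str(to.network_address + offset)

def trace(routes, device, dst, max_hops=8):
    """Follow static routes hop by hop; return the device path or None."""
    addr = ipaddress.ip_address(dst)
    path = [device]
    for _ in range(max_hops):
        if any(addr in ipaddress.ip_network(n) for n in CONNECTED[device]):
            return path  # destination is on a directly connected network
        matches = [(ipaddress.ip_network(n), hop)
                   for n, hop in routes.get(device, {}).items()
                   if addr in ipaddress.ip_network(n)]
        if not matches:
            return None  # no route on this device: packet is dropped here
        device = max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix
        path.append(device)
    return None

def round_trip(routes, src_ip, dst_ip, src_dev="MikroTik", dst_dev="FW1"):
    """True only if both the request and the reply can be routed."""
    return (trace(routes, src_dev, dst_ip) is not None
            and trace(routes, dst_dev, src_ip) is not None)

if __name__ == "__main__":
    print(trace(ONLY_MIKROTIK, "MikroTik", "192.168.242.2"))
    print(round_trip(FULL, netmap("192.168.1.20"), "192.168.242.2"))
    print(round_trip(FULL, "192.168.1.20", "192.168.242.2"))
```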
 
roso
just joined
Topic Author
Posts: 5
Joined: Wed Jan 23, 2019 3:20 pm

Re: Help with traffic routing

Thu Jan 24, 2019 4:24 pm

Hi Chris,

Thanks again for your quick response.

I'm going to test it tomorrow morning with the other company and will post any updates here.

They say that all the routes are correct in the FW. I have netmapped both addresses as you said, but if it does not work, maybe I can send it to you tomorrow to verify.

Talk to you tomorrow morning !!
 
roso
just joined
Topic Author
Posts: 5
Joined: Wed Jan 23, 2019 3:20 pm

Re: Help with traffic routing

Fri Jan 25, 2019 11:00 am

Hi Chris,

It is working today!

I configured the route as you said on the MikroTik and configured a static route on the Windows computers (I had missed doing this), and now the computers can connect to the servers on the other side.

Thanks a lot for your help !!