MikroTik

Hi,

We have two subnets on our local network and a third separate subnet (172.28.4.0/24) for VPN server (on Mikrotik router). Also we have set up a site-to site VPN connection to our client. The client allowed access for those two subnets in his firewall, but won't allow us access from the third subnet (people working from home). Is there a possibility to route or NAT that subnet to subnets which are currently allowed access?

Do this:
... where x.x.x.x = the IP block of the customer side of the VPN, and y.y.y.y/24 = one of your two blocks of IP addresses which the customer's router WILL allow through the VPN.

When doing a bulk range prefix translation like this, make sure that the prefix sizes match - i.e. if the "allowed" prefix (y.y.y.y) is something other than /24, then change your VPN pool 172.28.4.0/24 to use the same size IP block as y.y.y.y

x.x.x.x can (and must) be whatever size range the customer is using - it's in the rule to specify WHEN the NAT rule should apply.
Make sure these rules come before any other NAT rules you may be using so that they take precedence over your usual NAT policy.

That worked like a charm. Thanks a lot man!

Hello, I have problem to connect my pc to my server in different subnet.

0 10.10.10.67/24 10.10.10.0 ether1_WAN
1 192.168.1.1/24 192.168.1.0 ether3_server
2 192.168.2.1/24 192.168.2.0 ether4_client1
3 192.168.3.1/24 192.168.3.0 ether5_client2

How can I ping from PC in client1 to PC in server and client2 and vice versa.
Thank you.

Would you like to show us your configuration?

Routing should done the job. If you setup gateways properly on your PCs and your server, it should work.

Would you like to show us your configuration?

ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 XI ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough log=no log-prefix=""

1 ;;; WAN1
chain=srcnat action=masquerade src-address-list=client1 out-interface=ether1_WAN1 log=no log-prefix=""

2 ;;; WAN2
chain=srcnat action=masquerade src-address-list=client2 out-interface=ether2_WAN2 log=no log-prefix=""

ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=WAN1-route passthrough=yes src-address-list=client1 log=no log-prefix=""

1 chain=prerouting action=mark-routing new-routing-mark=WAN2-route passthrough=yes src-address-list=client2 log=no log-prefix=""

ip route print

# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 10.10.10.64 1
1 S 0.0.0.0/0 10.10.10.64 2
2 A S 0.0.0.0/0 10.20.20.1 1
3 S 0.0.0.0/0 10.20.20.1 2
4 A S 0.0.0.0/0 10.10.10.64 1
5 S 0.0.0.0/0 10.20.20.1 2
6 ADC 192.168.1.0/24 192.168.1.1 ether3_server 0
7 ADC 192.168.2.0/24 192.168.2.1 ether4_client1 0
8 DC 192.168.3.0/24 192.168.3.1 ether5_client2 0
9 ADC 10.20.20.0/24 10.20.20.20 ether2_WAN2 0
10 ADC 10.10.10.0/24 10.10.10.67 ether1_WAN1 0

I use 2 WAN. WAN1 for client1 and WAN2 for client2 and for failover if WAN1 or WAN2 troble (disconnect)

i angrry with czolo. Routing should done the job, you can allow to ping.

i angrry with czolo. Routing should done the job, you can allow to ping.

Can you give me an example?

There is no example for that You have a router in the middle, so if you have gateways setup on your clients and your server, router should know a destination.
Show us your

will be help full

http://wiki.mikrotik.com/wiki/Manual:Si ... ic_Routing

Hey
I have X86 mikrotik
WAN = 192.168.1.1
LAN = 10.20.20.1/22
so, users IP's in subnet ( 10.20.20.2-10.20.23.254 )
My problem is :
How to make user ( 10.20.20.20 ) to see and ping user ( 10.20.22.22 )
although all of them on the same interface

Hey
I have X86 mikrotik
WAN = 192.168.1.1
LAN = 10.20.20.1/22
so, users IP's in subnet ( 10.20.20.2-10.20.23.254 )
My problem is :
How to make user ( 10.20.20.20 ) to see and ping user ( 10.20.22.22 )
although all of them on the same interface