
Connect two networks which are behind different routers with NAT

Posted: Fri Oct 12, 2018 11:22 am
by tasoylis
Hello
I have two MikroTik routers connected to a municipality MAN.

The MT1 is a CCR1009 router with configuration:

Ip address print
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.1.1/24 192.168.1.0 ether2-LAN
1 D 192.168.50.12/24 192.168.50.0 ether1-WAN

Ip route print
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.50.1 1
1 ADC 192.168.1.0/24 192.168.1.1 ether2-LAN 0
2 A S 192.168.2.0/24 192.168.50.15 1
3 ADC 192.168.50.0/24 192.168.50.12 ether1-WAN 0

ip firewall nat print
0 chain=srcnat action=masquerade out-interface=ether1-WAN
1 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=192.168.89.0/24

The MT2 is a RB1100x4 router with configuration:

ip address print
# ADDRESS NETWORK INTERFACE
0 192.168.2.1/24 192.168.2.0 ether2_LAN
1 D 192.168.50.15/24 192.168.50.0 ether1_WAN

ip route print
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.50.1 1
1 A S 192.168.1.0/24 192.168.50.12 1
2 ADC 192.168.2.0/24 192.168.2.1 bridge1_LAN 0
3 ADC 192.168.50.0/24 192.168.50.15 ether1_WAN 0

ip firewall nat print
0 chain=srcnat action=masquerade out-interface=ether1_WAN log=no log-prefix=""

Both subnetworks are connected to the internet through the 192.168.50.1 gateway.
The dynamic WAN addresses 192.168.50.12 and 192.168.50.15 of the two routers are reserved in the 192.168.50.1 gateway (they won't change).

With the above configuration I can only ping from hosts in the 192.168.2.0/24 network to the 192.168.1.1 IP address (the MT1 router), but I can't ping hosts inside the 192.168.1.0/24 network (for example 192.168.1.200, which is my server).

I want to be able to use file sharing (shared folders) and web services located on a Win 2008 server (IP address 192.168.1.200), which is inside the 192.168.1.0/24 network, from hosts inside the 192.168.2.0/24 network.
Do you have any idea how to manage this?

Thanks

Re: Connect two networks which are behind different routers with NAT

Posted: Fri Oct 12, 2018 12:28 pm
by vasilaos
You may not want to masquerade traffic from your connected subnets. In order to do that, the best approach is to add an accept rule between your connected subnets above the main masquerade rule in firewall nat, like:

MT1
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept place-before=0
MT2
/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept place-before=0

Re: Connect two networks which are behind different routers with NAT

Posted: Fri Oct 12, 2018 5:37 pm
by sindy
It has two aspects - how to make it work at all and security.

Your existing masquerade rules change the source address of every connection that gets out the WAN interface to that WAN interface's IP address, and your existing firewall rules probably cause anything that comes in via the WAN interface to be dropped, except pings.

To make it work at all, you can place an action=accept rule in the srcnat chain of nat before the action=masquerade ones, with appropriate src-address and dst-address conditions, to prevent connections between 192.168.1.0/24 and 192.168.2.0/24 from being NATed, as suggested by @vasilaos. But you also have to place similar rules in the forward chain of filter (not at the very top, as that would be a pointless waste of CPU power; they should be placed where the other accept rules with detailed conditions are) in order to permit incoming connections via the WAN interfaces if they come from a permitted source (i.e. from the other site's LAN subnet).

For security, you may want to set up an encrypted connection between the two routers, so that the data between the two sites do not travel over the MAN in plaintext.
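One way to do the encryption recommended above, written here as an added example that is not taken from any post in this thread or from the L2TP/IPsec guide linked later: a plain IPsec tunnel-mode policy between the two WAN addresses. It assumes RouterOS 6.43-era syntax (in 6.44 and later the peer's secret moves to /ip ipsec identity), IKEv2 with a pre-shared key, that MT1's forward chain ends with a defconf-style rule dropping new connections arriving on ether1-WAN, and a placeholder PSK that must be replaced with a long random string. Addresses and interface names are the ones from the original post.

```routeros
# --- MT1 (WAN 192.168.50.12), protecting 192.168.1.0/24 <-> 192.168.2.0/24 ---

# Phase 2 proposal: AES-256-CBC with SHA-256 integrity and PFS in a 2048-bit group.
/ip ipsec proposal add name=site2site enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

# Phase 1 peer: IKEv2 with a pre-shared key. The secret is a placeholder (assumption).
/ip ipsec peer add address=192.168.50.15/32 exchange-mode=ike2 auth-method=pre-shared-key \
    secret="REPLACE-WITH-A-LONG-RANDOM-PSK" enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=1d

# Policy: LAN-to-LAN traffic goes through the tunnel and only through it (level=require),
# so if the SA is down the packets are dropped rather than sent over the MAN in the clear.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all \
    sa-src-address=192.168.50.12 sa-dst-address=192.168.50.15 tunnel=yes \
    action=encrypt level=require ipsec-protocols=esp proposal=site2site

# srcnat runs before the IPsec policy lookup, so masqueraded packets would never match
# the policy. Exempt everything an outbound IPsec policy is about to encrypt.
/ip firewall nat add chain=srcnat ipsec-policy=out,ipsec action=accept \
    comment="do not NAT traffic that IPsec will encrypt" place-before=0

# Let IKE (UDP 500/4500) and ESP from the peer reach the router itself, and forward
# traffic from the far LAN only when it really arrived through the tunnel (ipsec-policy=in,ipsec).
/ip firewall filter add chain=input src-address=192.168.50.15 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE from MT2" place-before=0
/ip firewall filter add chain=input src-address=192.168.50.15 protocol=ipsec-esp \
    action=accept comment="ESP from MT2" place-before=0
/ip firewall filter add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    ipsec-policy=in,ipsec action=accept comment="decrypted traffic from MT2 LAN" \
    place-before=[find chain=forward action=drop connection-state=new in-interface=ether1-WAN]

# MT2 mirrors this with the addresses swapped (assumption: same RouterOS version there):
#   peer address=192.168.50.12/32, policy src-address=192.168.2.0/24 dst-address=192.168.1.0/24,
#   sa-src-address=192.168.50.15 sa-dst-address=192.168.50.12, input rules with src-address=192.168.50.12,
#   and the forward rule placed above the drop rule for ether1_WAN.

# Verification: /ip ipsec installed-sa print should show two ESP SAs once the first packet
# between the LANs is sent; a sniff on the MAN side then shows only ESP between .12 and .15.
```

The NAT exemption uses the ipsec-policy matcher rather than fixed src/dst addresses so it keeps working if more policies are added later; the forward accept rule is deliberately tied to ipsec-policy=in,ipsec so that a host on the MAN spoofing 192.168.2.0/24 source addresses without a tunnel is still dropped.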

Re: Connect two networks which are behind different routers with NAT

Posted: Mon Oct 15, 2018 8:43 am
by tasoylis
Thanks for your answer vasilaos and sindy
I tried what vasilaos proposed, but I still can't access hosts inside the 192.168.1.0/24 network from hosts inside the 192.168.2.0/24 network.
sindy:
Can you give me more details on how to make rules in the forward chain of filter in order to permit incoming connections via the WAN interfaces if they come from a permitted source?

Re: Connect two networks which are behind different routers with NAT

Posted: Mon Oct 15, 2018 9:51 am
by sindy
If you want full transparency (i.e. no restrictions by protocol and port), the rule itself would look like
action=accept chain=forward in-interface=ether1_WAN src-address=192.168.2.0/24 dst-address=192.168.1.0/24

But it is important where in the forward chain you place it, and as you haven't shown your current firewall rules, I can only say that it will definitely work if you place it at the very top of that chain, but it would be a waste of CPU to keep it there. You may want to have a look at this supercharged introduction to the firewall.

Also, if you say that you cannot access 192.168.1.0 from 192.168.2.0 but you don't complain about the other direction, does it mean that the other direction works? If yes, the firewall at 192.168.2.0 may be too permissive at the moment.

If you want to be able to access also the remote router itself, not just the devices in its LAN, from the network of the local router, you must place a similar rule in the input chain:
action=accept chain=input in-interface=ether1_WAN src-address=192.168.2.0/24
Again, this rule gives you full transparency, which is not the best idea given that attackers may be in your internal network. Malware which resides on a PC and, without the user even knowing it, tries to infect other devices in the LAN is nothing unusual these days.
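The two suggestions (NAT exemption from vasilaos, forward/input accept rules from sindy) combined into one configuration, as an added example that is not the configuration of anyone in this thread. It uses the addresses and interface names from the original post and assumes a defconf-style firewall on both routers, where the forward chain accepts established/related connections first and ends with a rule dropping new connections arriving on the WAN interface; the service ports (SMB 445, HTTP 80, HTTPS 443) and the winbox port 8291 are assumptions about what the 192.168.2.0/24 hosts need, narrowed from the fully transparent rules quoted above.

```routeros
# --- MT1 (CCR1009): LAN 192.168.1.0/24 on ether2-LAN, WAN 192.168.50.12 on ether1-WAN ---

# 1. srcnat: traffic for the other site keeps its real source address.
#    place-before=0 puts the rule above the existing masquerade rule (index 0 in the post).
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    action=accept comment="no masquerade towards MT2 LAN" place-before=0

# 2. forward: admit new connections from the MT2 LAN, but only to the server and only on
#    the ports it serves (assumed: SMB 445, HTTP 80, HTTPS 443), plus ping to the whole LAN.
#    Placed just above the defconf rule that drops new connections coming in on the WAN
#    (assumption: such a rule exists; otherwise use the number of your own WAN drop rule),
#    so the cheap established/related accept above it still handles all the replies.
/ip firewall filter add chain=forward in-interface=ether1-WAN src-address=192.168.2.0/24 \
    dst-address=192.168.1.200 protocol=tcp dst-port=445,80,443 action=accept \
    comment="MT2 LAN -> file/web server" \
    place-before=[find chain=forward action=drop connection-state=new in-interface=ether1-WAN]
/ip firewall filter add chain=forward in-interface=ether1-WAN src-address=192.168.2.0/24 \
    dst-address=192.168.1.0/24 protocol=icmp action=accept comment="MT2 LAN -> MT1 LAN ping" \
    place-before=[find chain=forward action=drop connection-state=new in-interface=ether1-WAN]

# 3. input (optional): reach MT1 itself from the MT2 LAN, limited to winbox and ping instead
#    of everything, so an infected PC on the far LAN cannot probe every service the router runs.
/ip firewall filter add chain=input in-interface=ether1-WAN src-address=192.168.2.0/24 \
    protocol=tcp dst-port=8291 action=accept comment="MT2 LAN -> MT1 winbox" \
    place-before=[find chain=input action=drop in-interface=ether1-WAN]
/ip firewall filter add chain=input in-interface=ether1-WAN src-address=192.168.2.0/24 \
    protocol=icmp action=accept comment="MT2 LAN -> MT1 ping" \
    place-before=[find chain=input action=drop in-interface=ether1-WAN]

# --- MT2 (RB1100x4): LAN 192.168.2.0/24, WAN 192.168.50.15 on ether1_WAN ---

# Only the NAT exemption is strictly needed here: connections are opened from this side,
# and the defconf established/related accept lets the replies from 192.168.1.200 back in.
# If MT1's LAN should also open connections towards MT2's LAN, mirror rules 2 and 3 here
# with src-address=192.168.1.0/24 and in-interface=ether1_WAN.
/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    action=accept comment="no masquerade towards MT1 LAN" place-before=0

# Checks: from a 192.168.2.0/24 host, ping 192.168.1.200, then open \\192.168.1.200 and
# http://192.168.1.200/. On MT1, the connection table must show the real client address:
#   /ip firewall connection print where dst-address~"192.168.1.200"
# If src-address there is 192.168.50.15, the NAT exemption on MT2 is below the masquerade rule.
```

Keep in mind that this still sends SMB and HTTP over the municipality MAN in plaintext; it solves the reachability problem from the opening post, not the confidentiality one.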

Re: Connect two networks which are behind different routers with NAT

Posted: Fri Oct 19, 2018 4:58 pm
by tasoylis
Hello again. This time I followed the instructions from the page https://systemzone.net/mikrotik-site-to ... 2tp-ipsec/ and everything works OK and securely.
Thanks for the help.