Hey
I have two MikroTik routers with different networks and subnets. My first MikroTik router is on the 192.168.18.0/23 network, and my second MikroTik router is on the 192.168.16.0/24 network, which is solely for Wi-Fi. I have printers connected to my first MikroTik router with the following IP addresses: 192.168.18.5, 192.168.18.10, and 192.168.18.15.
I want to connect these three printers to my second MikroTik router so that I can access them over Wi-Fi. I've applied NAT rules and firewall rules, but I haven't had any luck. I need help with this setup.
Pictures of 2nd Mikrotik is attached
any suggestions please.......
Access Printer from another Mikrotik Router
You do not have the required permissions to view the files attached to this post.
Re: Access Printer from another Mikrotik Router
No need for the last two NAT rules, most probably you're missing a route:
Code: Select all
/ip route
add dst-address=192.168.18.0/23 gateway=192.168.18.1Re: Access Printer from another Mikrotik Router
I did this, but I had no luck and how can I grant access only to the printer IP?
Re: Access Printer from another Mikrotik Router
May we then have a look at the exported config of the router?I did this, but I had no luck and how can I grant access only to the printer IP?
export file=anynameyouwish (minus sensitive info like passwords, etc.)
Re: Access Printer from another Mikrotik Router
# oct/03/2024 13:40:11 by RouterOS 6.48.6
# model = RB750Gr3
/interface ethernet
set [ find default-name=ether5 ] arp=reply-only name=LAN-ETH5
set [ find default-name=ether1 ] name=WAN-ETH1
set [ find default-name=ether2 ] name=WAN-ETH2
set [ find default-name=ether3 ] name=WAN-ETH3
set [ find default-name=ether4 ] name=WAN-ETH4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool ranges=192.168.16.2-192.168.16.252
/ip dhcp-server
add address-pool=dhcp_pool disabled=no interface=LAN-ETH5 lease-time=1h name=\
dhcpPool
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=129.119.87.98/29 comment=NAYATEL interface=WAN-ETH4 network=\
129.119.87.96
add address=192.168.0.10/24 comment=PTCL-C1 interface=WAN-ETH2 network=\
192.168.0.0
add address=192.168.3.4/24 comment=PTCL-F1 interface=WAN-ETH1 network=\
192.168.3.0
add address=192.168.7.10/24 comment=PTCL-C2 interface=WAN-ETH3 network=\
192.168.7.0
add address=192.168.16.1/24 comment=LAN interface=LAN-ETH5 network=\
192.168.16.0
add address=192.168.18.22/23 comment="LAN NEWORK FOR PRINTER" disabled=yes \
interface=WAN-ETH4 network=192.168.18.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.16.215 list=192.168.18.15
add address=192.168.16.228 list=192.168.18.15
add address=192.168.16.57 list=192.168.18.15
add address=192.168.16.242 list=192.168.18.15
/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=192.168.18.15 \
in-interface=LAN-ETH5
add action=accept chain=forward disabled=yes dst-address=192.168.16.0/24 \
in-interface=WAN-ETH4
add action=accept chain=forward disabled=yes protocol=tcp
/ip firewall mangle
add action=accept chain=prerouting in-interface=WAN-ETH1
add action=accept chain=prerouting in-interface=WAN-ETH2
add action=accept chain=prerouting in-interface=WAN-ETH3
add action=accept chain=prerouting in-interface=WAN-ETH4
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN-ETH5 new-connection-mark=WAN-ETH1-CONN passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN-ETH5 new-connection-mark=WAN-ETH2-CONN passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/1
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN-ETH5 new-connection-mark=WAN-ETH3-CONN passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/2
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN-ETH5 new-connection-mark=WAN-ETH4-CONN passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/3
add action=mark-routing chain=prerouting connection-mark=WAN-ETH1-CONN \
in-interface=LAN-ETH5 new-routing-mark=TO-WAN-ETH1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN-ETH2-CONN \
in-interface=LAN-ETH5 new-routing-mark=TO-WAN-ETH2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN-ETH3-CONN \
in-interface=LAN-ETH5 new-routing-mark=TO-WAN-ETH3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN-ETH4-CONN \
in-interface=LAN-ETH5 new-routing-mark=TO-WAN-ETH4 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-ETH1
add action=masquerade chain=srcnat out-interface=WAN-ETH2
add action=masquerade chain=srcnat out-interface=WAN-ETH3
add action=masquerade chain=srcnat out-interface=WAN-ETH4
add action=dst-nat chain=dstnat disabled=yes in-interface=LAN-ETH5 protocol=\
tcp src-address=192.168.16.0/24 src-port=0-65535 to-addresses=\
192.168.18.15 to-ports=0-65535
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.16.0/24 \
protocol=tcp src-port=0-65535 to-addresses=192.168.18.15 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.16.0/24 \
protocol=tcp to-addresses=192.168.18.5
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=\
TO-WAN-ETH1
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=\
TO-WAN-ETH2
add check-gateway=ping distance=1 gateway=192.168.7.3 routing-mark=\
TO-WAN-ETH3
add check-gateway=ping distance=1 gateway=129.119.87.97 routing-mark=\
TO-WAN-ETH4
add check-gateway=ping distance=1 gateway=192.168.3.1
add check-gateway=ping distance=2 gateway=192.168.0.1
add check-gateway=ping distance=3 gateway=192.168.7.3
add check-gateway=ping distance=4 gateway=129.119.87.97
add check-gateway=ping disabled=yes distance=1 gateway=192.168.18.17
add disabled=yes distance=1 dst-address=192.168.18.0/23 gateway=192.168.18.17
/system clock
set time-zone-name=Asia/Karachi
/system identity
set name=RouterOS
# model = RB750Gr3
/interface ethernet
set [ find default-name=ether5 ] arp=reply-only name=LAN-ETH5
set [ find default-name=ether1 ] name=WAN-ETH1
set [ find default-name=ether2 ] name=WAN-ETH2
set [ find default-name=ether3 ] name=WAN-ETH3
set [ find default-name=ether4 ] name=WAN-ETH4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool ranges=192.168.16.2-192.168.16.252
/ip dhcp-server
add address-pool=dhcp_pool disabled=no interface=LAN-ETH5 lease-time=1h name=\
dhcpPool
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=129.119.87.98/29 comment=NAYATEL interface=WAN-ETH4 network=\
129.119.87.96
add address=192.168.0.10/24 comment=PTCL-C1 interface=WAN-ETH2 network=\
192.168.0.0
add address=192.168.3.4/24 comment=PTCL-F1 interface=WAN-ETH1 network=\
192.168.3.0
add address=192.168.7.10/24 comment=PTCL-C2 interface=WAN-ETH3 network=\
192.168.7.0
add address=192.168.16.1/24 comment=LAN interface=LAN-ETH5 network=\
192.168.16.0
add address=192.168.18.22/23 comment="LAN NEWORK FOR PRINTER" disabled=yes \
interface=WAN-ETH4 network=192.168.18.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.16.215 list=192.168.18.15
add address=192.168.16.228 list=192.168.18.15
add address=192.168.16.57 list=192.168.18.15
add address=192.168.16.242 list=192.168.18.15
/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=192.168.18.15 \
in-interface=LAN-ETH5
add action=accept chain=forward disabled=yes dst-address=192.168.16.0/24 \
in-interface=WAN-ETH4
add action=accept chain=forward disabled=yes protocol=tcp
/ip firewall mangle
add action=accept chain=prerouting in-interface=WAN-ETH1
add action=accept chain=prerouting in-interface=WAN-ETH2
add action=accept chain=prerouting in-interface=WAN-ETH3
add action=accept chain=prerouting in-interface=WAN-ETH4
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN-ETH5 new-connection-mark=WAN-ETH1-CONN passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN-ETH5 new-connection-mark=WAN-ETH2-CONN passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/1
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN-ETH5 new-connection-mark=WAN-ETH3-CONN passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/2
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN-ETH5 new-connection-mark=WAN-ETH4-CONN passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/3
add action=mark-routing chain=prerouting connection-mark=WAN-ETH1-CONN \
in-interface=LAN-ETH5 new-routing-mark=TO-WAN-ETH1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN-ETH2-CONN \
in-interface=LAN-ETH5 new-routing-mark=TO-WAN-ETH2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN-ETH3-CONN \
in-interface=LAN-ETH5 new-routing-mark=TO-WAN-ETH3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN-ETH4-CONN \
in-interface=LAN-ETH5 new-routing-mark=TO-WAN-ETH4 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-ETH1
add action=masquerade chain=srcnat out-interface=WAN-ETH2
add action=masquerade chain=srcnat out-interface=WAN-ETH3
add action=masquerade chain=srcnat out-interface=WAN-ETH4
add action=dst-nat chain=dstnat disabled=yes in-interface=LAN-ETH5 protocol=\
tcp src-address=192.168.16.0/24 src-port=0-65535 to-addresses=\
192.168.18.15 to-ports=0-65535
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.16.0/24 \
protocol=tcp src-port=0-65535 to-addresses=192.168.18.15 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.16.0/24 \
protocol=tcp to-addresses=192.168.18.5
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=\
TO-WAN-ETH1
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=\
TO-WAN-ETH2
add check-gateway=ping distance=1 gateway=192.168.7.3 routing-mark=\
TO-WAN-ETH3
add check-gateway=ping distance=1 gateway=129.119.87.97 routing-mark=\
TO-WAN-ETH4
add check-gateway=ping distance=1 gateway=192.168.3.1
add check-gateway=ping distance=2 gateway=192.168.0.1
add check-gateway=ping distance=3 gateway=192.168.7.3
add check-gateway=ping distance=4 gateway=129.119.87.97
add check-gateway=ping disabled=yes distance=1 gateway=192.168.18.17
add disabled=yes distance=1 dst-address=192.168.18.0/23 gateway=192.168.18.17
/system clock
set time-zone-name=Asia/Karachi
/system identity
set name=RouterOS
Re: Access Printer from another Mikrotik Router
I already have clients added, but the issue is communicating with the printers that are behind another MikroTik router. I want my Wi-Fi users to access only the printers from another network.Quick question. How many wireless clients do you need?
Re: Access Printer from another Mikrotik Router
For me, a detailed network diagram would help illustrate effectively what you are trying to accomplish.
In general if you have a main router and then other sub-set routers connected ( creating double nat ) communication from the main router to the secondary router is easily handled by adding static routes. Assuming that the secondary router is properly configured with masquerade sourcenat, any queries in the opposite direction will appear to come from the secondary router itself so return traffic to the originators behind the second router happens like butta.
So the dfifficult case is your wifi users on the main router trying to get through the secondary router to printers on the secondary routers LAN.
I will assume that the Management Subnet ( trusted ) of which the Secondary WANIP is assigned statically, is NOT the same subnet or vlan used by guest users!!
SO MAIN ROUTER
a. route
add dst-address=IPofPrinter gateway=WANIPofSecondaryRouter routing-table=main. ( or perhaps subnet or perhaps dst-address-list of multiple devices )
The wanip of the secondary router ( also its lanip on the main router subnet ) is where the main router will send all queries with the NON LOCAL ip address ( the main router doesnt know about this subnet so we inform it by the static route ).
b. firewall rule
add chain=forward action=accept in-interface=VLANXY src-address=WIFI-GUEST-SUBNET dst-address=IPofPrinter ( Or possibly a dst-address-list of devices to be accessible )
ON SECONDARY ROUTER
add chain=forward action=accept src-address=WifiSubnet dst-address=IPofPrinter out-interface=VLANAB ( Or possibly a dst-address-list of devices to be accessible )
add dst-address=wifisubnet gateway=LAN-GATEWAYOFMAINROUTER routing-table=main
In general if you have a main router and then other sub-set routers connected ( creating double nat ) communication from the main router to the secondary router is easily handled by adding static routes. Assuming that the secondary router is properly configured with masquerade sourcenat, any queries in the opposite direction will appear to come from the secondary router itself so return traffic to the originators behind the second router happens like butta.
So the dfifficult case is your wifi users on the main router trying to get through the secondary router to printers on the secondary routers LAN.
I will assume that the Management Subnet ( trusted ) of which the Secondary WANIP is assigned statically, is NOT the same subnet or vlan used by guest users!!
SO MAIN ROUTER
a. route
add dst-address=IPofPrinter gateway=WANIPofSecondaryRouter routing-table=main. ( or perhaps subnet or perhaps dst-address-list of multiple devices )
The wanip of the secondary router ( also its lanip on the main router subnet ) is where the main router will send all queries with the NON LOCAL ip address ( the main router doesnt know about this subnet so we inform it by the static route ).
b. firewall rule
add chain=forward action=accept in-interface=VLANXY src-address=WIFI-GUEST-SUBNET dst-address=IPofPrinter ( Or possibly a dst-address-list of devices to be accessible )
ON SECONDARY ROUTER
add chain=forward action=accept src-address=WifiSubnet dst-address=IPofPrinter out-interface=VLANAB ( Or possibly a dst-address-list of devices to be accessible )
add dst-address=wifisubnet gateway=LAN-GATEWAYOFMAINROUTER routing-table=main
Re: Access Printer from another Mikrotik Router
No, this is the router for Wi-Fi users, and no, it’s not in a home; these routers are configured for a business environment. My other MikroTik router is used for local LAN PCs and laptops that will only connect via Ethernet, and the printers are also connected via Ethernet.Please provide config files for both routers and post here.
The one you posted looks like your main router and I also see NAYATEL as your IPS provider. Are you running in a business environment or a home netrwork? I'm assuming it's a home network but I could be wrong since you have 6 available ip addresses.
I am getting a ping response from my printer on my Wi-Fi-configured router, but I can't manage to allow Wi-Fi users to access the printers.
Re: Access Printer from another Mikrotik Router
Yes, but I don’t have VLANs configured on my secondary router, which is set up only for Wi-Fi. I don’t want to grant access to limited users or manually add users to my router. I think I should provide a clear diagram of my network so it will be easier to understand.For me, a detailed network diagram would help illustrate effectively what you are trying to accomplish.
In general if you have a main router and then other sub-set routers connected ( creating double nat ) communication from the main router to the secondary router is easily handled by adding static routes. Assuming that the secondary router is properly configured with masquerade sourcenat, any queries in the opposite direction will appear to come from the secondary router itself so return traffic to the originators behind the second router happens like butta.
So the dfifficult case is your wifi users on the main router trying to get through the secondary router to printers on the secondary routers LAN.
I will assume that the Management Subnet ( trusted ) of which the Secondary WANIP is assigned statically, is NOT the same subnet or vlan used by guest users!!
SO MAIN ROUTER
a. route
add dst-address=IPofPrinter gateway=WANIPofSecondaryRouter routing-table=main. ( or perhaps subnet or perhaps dst-address-list of multiple devices )
The wanip of the secondary router ( also its lanip on the main router subnet ) is where the main router will send all queries with the NON LOCAL ip address ( the main router doesnt know about this subnet so we inform it by the static route ).
b. firewall rule
add chain=forward action=accept in-interface=VLANXY src-address=WIFI-GUEST-SUBNET dst-address=IPofPrinter ( Or possibly a dst-address-list of devices to be accessible )
ON SECONDARY ROUTER
add chain=forward action=accept src-address=WifiSubnet dst-address=IPofPrinter out-interface=VLANAB ( Or possibly a dst-address-list of devices to be accessible )
add dst-address=wifisubnet gateway=LAN-GATEWAYOFMAINROUTER routing-table=main
Re: Access Printer from another Mikrotik Router
Here's the diagram of how my network is configured.
You do not have the required permissions to view the files attached to this post.
Re: Access Printer from another Mikrotik Router
Here's The diagram again with IP. is there anyone how knows how to resolve this issue?????????????
You do not have the required permissions to view the files attached to this post.