Mikrotik
ALLIGATOR, 2020-09-04 09:45:09

How to configure Mikrotik so that the following requirements are met?

Good afternoon, there is the following network layout:
                     --------------------------------------------------
                     |                    MIKROTIK                    |
PC1 192.168.3.2/24 - | ether1 192.168.3.1/24                          |
PC2 192.168.4.2/24 - | ether2 192.168.4.1/24    192.168.7.2/24 ether4 | - 192.168.7.1/24 PC4
PC3 192.168.5.2/24 - | ether3 192.168.5.1/24                          |
                     --------------------------------------------------


For each of PC1, PC2 and PC3, the PC4 device must be reachable as if it were on the same local network as them, while networks .3, .4 and .5 must not "connect" with each other.

What has been done:
dst-nat is configured:
In.Interface: ether1
Action: netmap
To Address: 192.168.7.1

This option works for PC1, but you have to specify mikrotik's address as gateway for PC1 - 192.168.3.1

FIX!!!
I have to specify mikrotik's address as a gateway for PC4 - 192.168.7.2
And PC1, PC2, PC3 - without a gateway
In principle, this suits me and the question can be removed, but another question has arisen - is it possible to make this scheme work without using gateways at all?
END FIX

And it is necessary that it works without specifying the gateway.

I am not strong in routing, so if this is a noob question, please forgive me.

SOLUTION (found by Andrey Barbolin):

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1 to-addresses=192.168.7.1
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.7.1
add action=masquerade chain=srcnat dst-address=192.168.7.1 src-address=192.168.3.0/24

add action=dst-nat chain=dstnat in-interface=ether2 to-addresses=192.168.7.1
add action=masquerade chain=srcnat out-interface=ether2 src-address=192.168.7.1
add action=masquerade chain=srcnat dst-address=192.168.7.1 src-address=192.168.4.0/24

add action=dst-nat chain=dstnat in-interface=ether3 to-addresses=192.168.7.1
add action=masquerade chain=srcnat out-interface=ether3 src-address=192.168.7.1
add action=masquerade chain=srcnat dst-address=192.168.7.1 src-address=192.168.5.0/24
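
The following sketch is an added example, not part of the original post or of RouterOS. It models why the rules above let both sides work without a gateway, while the original single dst-nat rule forced a gateway on PC4. It assumes each PC addresses the router port on its own subnet (for example 192.168.3.1); the function names are hypothetical.

```python
import ipaddress

# Addresses are taken from the post; the packet model is a constructed simplification.
PC4 = "192.168.7.1"
LAN_PORTS = {"ether1": "192.168.3.1", "ether2": "192.168.4.1", "ether3": "192.168.5.1"}
ETHER4 = "192.168.7.2"  # router address on the PC4 side


def next_hop(host_if, dst, gateway=None):
    """Host routing decision: on-link delivery, else the gateway, else no route."""
    host = ipaddress.ip_interface(host_if)
    if ipaddress.ip_address(dst) in host.network:
        return "on-link"
    return "via-gateway" if gateway else "no-route"


def forward(src, dst, in_if, masquerade=True):
    """Translate one packet arriving on in_if the way the posted NAT rules do."""
    if in_if in LAN_PORTS:
        dst = PC4  # dst-nat: in-interface=etherN to-addresses=192.168.7.1
        lan = ipaddress.ip_network(LAN_PORTS[in_if] + "/24", strict=False)
        if masquerade and ipaddress.ip_address(src) in lan:
            src = ETHER4  # srcnat masquerade: source becomes the outgoing port address
    return src, dst


def round_trip(pc_if, in_if, masquerade=True, pc4_gateway=None):
    """Return (request decision at the PC, reply decision at PC4)."""
    pc_ip = str(ipaddress.ip_interface(pc_if).ip)
    request = next_hop(pc_if, LAN_PORTS[in_if])  # PC has no gateway configured
    seen_src, _ = forward(pc_ip, LAN_PORTS[in_if], in_if, masquerade)
    reply = next_hop(PC4 + "/24", seen_src, pc4_gateway)  # PC4 answers the source it saw
    return request, reply


if __name__ == "__main__":
    print("PC1 -> 192.168.7.1 directly:", next_hop("192.168.3.2/24", PC4))
    print("dst-nat only:", round_trip("192.168.3.2/24", "ether1", masquerade=False))
    print("dst-nat + masquerade:", round_trip("192.168.3.2/24", "ether1"))
```

Connection tracking, which reverses both translations for reply packets, is not modelled; only the address each host has to reach is checked.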

2 answer(s)
Andrey Barbolin, 2020-09-04
@ALLIGATOR

Because the PCs are in different subnets, it will not work without a GW.
If you want to do without a GW, put all the PCs on the same subnet and write rules on the Mikrotik.

/ip firewall filter
add action=accept chain=forward src-address=192.168.3.2 dst-address=192.168.3.7
add action=accept chain=forward src-address=192.168.3.3 dst-address=192.168.3.7
add action=accept chain=forward src-address=192.168.3.4 dst-address=192.168.3.7
add action=drop chain=forward src-address=192.168.3.0/24 dst-address=192.168.3.0/24

Roman, 2020-09-04
@scripterasm

In principle, this suits me and the question can be removed, but another question has arisen - is it possible to make this scheme work without using gateways at all?

Without a gateway, devices will not send packets to the router; they will only broadcast within their own network (suitable only if you have a simple switch). But if you set a network mask that is not limited to the last octet, for example ip/22 instead of ip/24 in your case (if the penultimate octet takes values beyond 0 to 3, the mask should be lowered; there is a table on the wiki), and set up routes on the Mikrotik, then it will work as one network, which can be delimited by rules on the Mikrotik itself using packet marking.
