Answer the question
In order to leave comments, you need to log in
How to convert ip address from one subnet to another using mikrotik?
Gentlemen, I can’t figure out how to do it right:
There are two offices with Mikrotiks, an SSTP tunnel with IP addresses 172.16.30.1 and 172.16.30.2 is stretched between them.
In one office, the subnet is 192.168.
The problem is that when I ping a computer from one subnet to another, the firewall of the destination computer cuts the pings because it sees that the pings are coming from the wrong subnet in which it is located. If I disable the firewall everything works fine.
Question: what do I need to do on micros so that in packets going from one subnet to another, the source-ip is changed and the destination computer thinks that the packet came from its subnet. I know that I need to dig in the direction of NAT, but it didn’t work out at random, since I didn’t particularly encounter nating. Help me please.
Happy Holidays, by the way :)
Answer the question
In order to leave comments, you need to log in
Nat will reduce network performance.
Maybe it's worth setting up firewalls on clients?
You should not deploy NAT - this way you kill other possibilities, for example, access to network balls in a neighboring network will not be a trivial task.
The Windows firewall is relatively easy to steer remotely, even without AD, etc. - The netsh console command can remotely control the firewall. Naturally, it needs to be run with admin rights on a remote PC.
I hope at least the admin username / password on your computers is the same?
Here you need to dig in the direction of the domain in the office (unless, of course, it exists) and through it allow these subnets as allowed. If there is no domain, then do it on each computer.
About NAT. Imagine that every packet going into the tunnel changes its source ip address. This greatly affects performance. Personally, I did this, only to hide the routes to my internal networks on the client device, where there is no DMZ. What you are suggesting is a crutch.
In any case, I don’t know what tasks you are solving, and why SSTP will be pulled instead of the usual GRE or EoIP (since these are two microtics). Therefore, further two rules of Nata, the answer to your question.
For a router with tunnel address 172.16.30.1:
For the second one, respectively:
ip firewall nat add chain=srcnat in-interface="интерфейс sstp-туннеля2" dst-address=192.168.13.0/24 action=src-nat to-addresses="адрес микротика2"
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question