Mikrotik
Roc27, 2020-03-04 13:54:51

How to hide internal network addresses in Mikrotik?

Hello.
There are 2 Mikrotik routers.
The first one manages all connections; it has all sorts of markings, channel division, VPN, and so on. Users connect to it.
Its address is 192.168.88.1. In its network, everyone has an address in the range 192.168.88.10-100.
It has a default route to the second Mikrotik.
All the second Mikrotik does is connect to the Internet and, accordingly, give Internet access to the first Mikrotik.
The problem is this:
The second Mikrotik sees all the connections between the users of the first Mikrotik and the Internet. That is, when the IP address 192.168.88.100, located in the network of the first Mikrotik, accesses IP 8.8.8.8, the second Mikrotik sees the entire chain during the call. And so it is with all connections.
How can I make the second Mikrotik see 192.168.88.1->8.8.8.8 instead of 192.168.88.100->8.8.8.8?


3 answer(s)
Turilion, 2020-03-04
@Turilion

Throw out the second Mikrotik from the scheme, set up routing and disguise the internal network.

RomanKu, 2020-03-04
@RomanKu

If you keep the scheme with 2 MikroTiks (let's say it's necessary), then on router 1 you need to enable masquerading toward router 2, i.e. instead of routing, configure NAT by analogy with how it was done on router 2. As a result, router 1 will know who goes where, and only the single address of router 1 will reach the second router. https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
If you need to completely hide the presence of nodes such as 192.168.88.100, then you need to fix the TTL in the packets.

/ip firewall mangle add action=change-ttl chain=prerouting new-ttl=increment:1 passthrough=yes
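
The effect of the two measures in the answer above, as an added example that is not part of the original thread: a small Python model of what router 2 can observe for one client flow with plain routing, with masquerade only, and with masquerade plus the TTL increment. The function names, the initial-TTL list and the sample packet are assumptions made for illustration.

```python
# Added illustration (not from the thread): model what the upstream router sees.
COMMON_INITIAL_TTLS = (64, 128, 255)   # typical OS defaults (assumption)

CLIENT = "192.168.88.100"              # client address from the question
# Address the asker wants router 2 to see. In practice masquerade uses
# router 1's address on the interface that faces router 2.
ROUTER1_ADDR = "192.168.88.1"

def forward(pkt, masquerade=False, ttl_increment=0):
    """Model router 1 forwarding a (src, dst, ttl) packet toward router 2."""
    src, dst, ttl = pkt
    ttl += ttl_increment               # mangle prerouting, new-ttl=increment:N
    ttl -= 1                           # every routed hop decrements TTL by 1
    if masquerade:
        src = ROUTER1_ADDR             # srcnat masquerade rewrites the source
    return (src, dst, ttl)

def hops_behind(ttl):
    """Estimate how many routers a packet crossed, from its observed TTL."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl

def upstream_view(pkt):
    """What router 2 can conclude about a packet arriving from router 1."""
    src, dst, ttl = pkt
    return {"src": src, "ttl": ttl, "looks_routed": hops_behind(ttl) > 0}

if __name__ == "__main__":
    sample = (CLIENT, "8.8.8.8", 128)  # constructed packet, initial TTL 128
    cases = {
        "routing only": forward(sample),
        "masquerade": forward(sample, masquerade=True),
        "masquerade + ttl": forward(sample, masquerade=True, ttl_increment=1),
    }
    for name, pkt in cases.items():
        print(f"{name:18} {upstream_view(pkt)}")
```

With masquerade alone the source address is hidden, but the decremented TTL still shows that the traffic passed through a router, which is why the answer adds the mangle rule.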

SysAn, 2020-03-10
@SysAn

What are the subnet masks?
