Remote LAN on a different router question

Started by jerryd, July 02, 2025, 12:55:11 PM

Trying to route or forward traffic on my local lan 192.168.3.0/24 to 192.168.6.0/24

192.168.6.0/24 is a remote isolated private network that is handled by a Mikrotik router with a local address of 192.168.0.2

I established a gateway with the 0.2 on OPNsense.

I have a separate LAN for WiFi so private networks are blocked between the networks.

When I attempt to allow the 6.0 network, I get invalid messages.

Thanks

Jerry

Can you show/draw a diagram of your network? How is 192.168.0.2 (Mikrotik WAN IP?) connected to 192.168.3.0/24? And is 192.168.6.0/24 an interface/network directly connected to the Mikrotik router?
Deciso DEC740

July 03, 2025, 03:09:25 AM #2 Last Edit: July 03, 2025, 03:11:49 AM by jerryd Reason: Additional Info
Ok, here is a quick diagram of the network.

The local lan is 192.168.0.0/24 not 3.0 as posted earlier.

This setup worked with an Untangle (Arista) firewall previously.

Quote from: jerryd on July 03, 2025, 03:09:25 AM
Ok, here is a quick diagram of the network.

The local lan is 192.168.0.0/24 not 3.0 as posted earlier.

This setup worked with an Untangle (Arista) firewall previously.
Ok, thanks for the diagram, that makes it clear.

By setting a static route to 192.168.6.0/24 with gateway 192.168.0.2, traffic should reach the Mikrotik router. Is traffic a) reaching the Mikrotik router, and b) is traffic to 192.168.6.0/24 routed or NAT-ted on the Mikrotik router?

The default firewall rule on LAN allows only traffic from 'LAN net' (192.168.0.0/24) leaving the interface. For traffic from 192.168.6.0/24 to be allowed you have to add it to the 'Source' networks. That is if 192.168.6.0/24 traffic is routed on Mikrotik and not NAT-ted.

Quote: When I attempt to allow the 6.0 network, I get invalid messages.
Can you post the messages?
Deciso DEC740

The 192.168.6.0 network is routed, no NAT involved.

After I added the route, I lost RDP and SMTP mail services on the router, and disabling the 192.168.0.2 gateway did not help; I had to revert back to the old firewall. My testing and switch-over will have to be after hours now due to the problems.

Jerry

Best practice would be to separate the Mikrotik from the LAN and spawn up a transit network between it and OPNsense. This could be a VLAN hooked up on the existing LAN.

You can also make it work with an outbound NAT rule on the LAN for a source of the LAN subnet and a destination of the VPN subnet, masquerading the traffic with the interface IP.
This is what Untangle probably does. But then it most probably does that without source and destination limitations, which is a pretty dangerous behavior.

I got it to work as I intended.

Gateway priority was the same for the WAN address and the 0.2 gateway, so that was causing my issues with the other services failing. Then the static route worked correctly.

Add an Alias for the 6.0/24 and then do a LAN pass rule.

Thanks

Jerry
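As an added example (not code from the thread or from OPNsense itself), the following Python model walks through the two decisions discussed above: the static-route lookup that sends 192.168.6.0/24 to the Mikrotik at 192.168.0.2, and the first-match LAN firewall evaluation that blocks routed (un-NATted) traffic sourced from 192.168.6.0/24 under the default "LAN net" rule until an alias for that network is added to a pass rule. It also models the outbound-NAT alternative, limited to the LAN-to-remote flow, that the other reply proposed. The thread's addresses are used as given; the WAN gateway 203.0.113.1, the OPNsense LAN address 192.168.0.1 and the alias name `remote_6` are assumptions.

```python
"""Constructed model of the routing and firewall decisions from the thread:
longest-prefix route lookup, first-match ("quick") rule evaluation with
alias expansion, and the scoped outbound-NAT variant. Not OPNsense code."""
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network

# Routing table as the final post describes it: default via the WAN gateway,
# LAN directly connected, static route to 192.168.6.0/24 via the Mikrotik.
ROUTES = [
    (net("0.0.0.0/0"), "203.0.113.1", "wan"),        # assumed WAN gateway
    (net("192.168.0.0/24"), None, "lan"),            # directly connected LAN
    (net("192.168.6.0/24"), "192.168.0.2", "lan"),   # static route from the thread
]

def lookup_route(dst: str):
    """Longest-prefix match: return (next_hop, interface); next_hop None means on-link."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

# Aliases: 'LAN net' is the LAN interface subnet as OPNsense defines it;
# 'remote_6' is an assumed name for the "Alias for the 6.0/24".
ALIASES = {
    "LAN net": [net("192.168.0.0/24")],
    "any": [net("0.0.0.0/0")],
    "remote_6": [net("192.168.6.0/24")],
}

@dataclass(frozen=True)
class Rule:
    action: str       # "pass" or "block"
    interface: str    # interface the packet enters on
    source: str       # alias name
    destination: str  # alias name

def _in_alias(addr, alias):
    return any(addr in n for n in ALIASES[alias])

def evaluate(rules, interface, src, dst):
    """First matching rule wins (OPNsense rules are 'quick' by default);
    no match falls through to the implicit default block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.interface == interface and _in_alias(s, r.source) and _in_alias(d, r.destination):
            return r.action
    return "block"

# Default LAN ruleset versus the same ruleset plus the alias pass rule.
DEFAULT_LAN = [Rule("pass", "lan", "LAN net", "any")]
FIXED_LAN = DEFAULT_LAN + [Rule("pass", "lan", "remote_6", "any")]

# Outbound NAT alternative: masquerade LAN -> 192.168.6.0/24 with the LAN
# interface IP (192.168.0.1 assumed). Without the source/destination limits
# the same rule would rewrite every flow leaving the LAN interface.
LAN_IP = "192.168.0.1"
NAT_RULES = [("lan", "LAN net", "remote_6")]   # (egress interface, source alias, destination alias)

def outbound_nat(egress, src, dst):
    """Return the source address after outbound NAT on the egress interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, sa, da in NAT_RULES:
        if iface == egress and _in_alias(s, sa) and _in_alias(d, da):
            return LAN_IP
    return src

if __name__ == "__main__":
    print(lookup_route("192.168.6.10"))    # ('192.168.0.2', 'lan')
    print(lookup_route("198.51.100.7"))    # ('203.0.113.1', 'wan')
    # Routed (un-NATted) traffic arriving on LAN from the remote network:
    print(evaluate(DEFAULT_LAN, "lan", "192.168.6.10", "198.51.100.7"))  # block
    print(evaluate(FIXED_LAN, "lan", "192.168.6.10", "198.51.100.7"))    # pass
    print(outbound_nat("lan", "192.168.0.50", "192.168.6.10"))           # 192.168.0.1
    print(outbound_nat("lan", "192.168.0.50", "198.51.100.7"))           # 192.168.0.50
```

The point to take from the model is the one the replies make: with routing and no NAT, packets from 192.168.6.0/24 enter OPNsense on the LAN interface with a source outside "LAN net", so the default rule never matches them and the implicit block applies until the alias pass rule exists. The NAT variant avoids that rule change but only if the rule is scoped to the LAN-to-remote flow.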