Problematic destination NAT

Hello everyone,

I have a very specific problem and I really hope that someone will work some “magic” and give a solution to it.
In our project, we have a number of industrial devices - PLCs (PLC – programmable logic controller), which are configured with:

  • an IP address
  • a network mask
  • and, for some of them, a gateway address.

Because there are a few areas, we are installing a MikroTik router. We wanted to use destination NAT in order to have uniform addresses for all PLCs. For example:
PLC1 - real IP address: 192.168.0.201, desired IP address: 10.1.1.11
PLC2 - real IP address: 192.168.0.99, desired IP address: 10.1.1.21, etc.
The problem is that we DO NOT HAVE control over the PLCs and we cannot change the gateway address in any way. So in this situation, destination NAT will not work.
Is there any “magic” we could do, so that:
  • a host which needs data from a PLC accesses our MikroTik router on the WAN port, for example on IP address 10.1.1.21;
  • the router transfers the traffic from the WAN to the LAN side, to the PLC, but in such a way that the traffic appears to come from the router's internal IP address (the IP address configured on the LAN side, for example 192.168.0.254);
  • next, when the PLC responds (the gateway will not be used, because it is supposed to be network-internal traffic), the router transfers the traffic to the source host (the one that requested data from the PLC) on the WAN side?
Is that possible?

Regards,
Svetozar Yolov

Is this the topology?

PLC <—> Mikrotik <—> (rest of the world)

There are two cases:

  • PLC has a gateway set → MT should be that gateway
    For communication from the “rest of the world” to the PLC, only dst-nat is needed. Response traffic will be routed to the gateway anyway.

  • PLC doesn't have a gateway set → MT should be a host in the same range
    For communication from the “rest of the world” to the PLC, dst-nat AND src-nat (to the IP of MT in the same range) are needed. Response traffic will be sent to the “requesting” IP in the same range.

To make it consistent / easier to deploy, assume the second case for all.

Dear sebastia,
Thank you for your answer.
Yes, the topology is as you describe: PLC <—> Mikrotik <—> (rest of the world).
The second case you describe is what I am trying to achieve.
I understand that, for communication from the “rest of the world” to the PLC, a dst-nat AND a src-nat must be configured.
So:

  • the dst-nat will change the MT WAN IP address (from the “rest of the world” range) to the PLC IP address
  • the src-nat will change the host IP address to the MT LAN IP address

So the packets will go to the PLC, and it will respond without using the gateway, because it will be LAN traffic.
What I do not understand is how the return traffic, from the PLC to the host in the “rest of the world”, will be handled by MT?
What configuration has to be done?
Will this configuration work if more than one host is trying to access the PLC?

Sorry if I do not get the obvious - I am kind of a layman in the field of ROS.
Regards,
Yolov

When MT does the DST-NAT, the PLC device will see the request come from MT itself. So the PLC device will answer to MT (hence LAN traffic). MT will perform the reverse mapping according to its own dst-nat connection maps for the return traffic.

Keep in mind that src-nat and dst-nat work in a similar fashion: in both cases the router tracks connections and keeps a table of active mappings so it can actually perform the reverse action for return traffic. The only big difference between src-nat and dst-nat is that with src-nat the router replaces the source IP address with its own, while with dst-nat the router replaces the destination IP address with the IP address of the forward target.

It might make your brain spin, but it is possible to perform both src-nat and dst-nat on the same connection:

  1. “external” host sends a packet to the router … src-address=<“external” host address> dst-address=<router “external” address>
  2. router performs dst-nat: src-address=<“external” host address> dst-address=<“internal” host address>
  3. router performs src-nat: src-address=<router “internal” address> dst-address=<“internal” host address>
  4. router forwards the resulting packet according to its routing tables

(steps 2 and 3 might involve a change of port numbers as well)

It is step 3 which makes it possible to have PLC devices without a default gateway while still being able to connect to them from outside their subnet.

For return traffic, the steps are performed in reverse order, but this time the router consults the dynamic connection tracking tables instead of the static NAT rules.

Minor correction to the above:
When MT does the SRC-NAT, the PLC device will see the request come from MT itself.

Indeed. :blush:
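The two-step translation described in the answers above (dst-nat towards the PLC, then src-nat to the router's own LAN address so a gateway-less PLC replies to the router), written out as a RouterOS configuration. This is an added example, not configuration posted by anyone in the thread. The PLC addresses and the uniform 10.1.1.x addresses are the ones from the original question; the interface names ether1-wan / ether2-lan, the router's WAN address 10.1.1.1/24, and the choice to bind each mapped address as a /32 on the WAN interface are assumptions.

```routeros
# Added example, not from the thread. Interface names and the router's own
# addresses are assumed; PLC and mapped addresses are those from the question.

# Router addresses: 192.168.0.254 on the PLC side (same range as the PLCs,
# which is what lets them answer without a gateway) and 10.1.1.1 on the
# "rest of the world" side. Each uniform PLC address is also bound to the
# WAN interface so the router answers ARP for it and accepts packets to it.
/ip address
add address=192.168.0.254/24 interface=ether2-lan comment="LAN side, same range as PLCs"
add address=10.1.1.1/24      interface=ether1-wan comment="WAN side"
add address=10.1.1.11/32     interface=ether1-wan comment="uniform address of PLC1"
add address=10.1.1.21/32     interface=ether1-wan comment="uniform address of PLC2"

# Step 2 of the answer: dst-nat. The dstnat chain runs before routing, so
# after the rewrite the packet is routed towards the PLC subnet.
/ip firewall nat
add chain=dstnat in-interface=ether1-wan dst-address=10.1.1.11 \
    action=dst-nat to-addresses=192.168.0.201 comment="PLC1 192.168.0.201 as 10.1.1.11"
add chain=dstnat in-interface=ether1-wan dst-address=10.1.1.21 \
    action=dst-nat to-addresses=192.168.0.99 comment="PLC2 192.168.0.99 as 10.1.1.21"

# Step 3 of the answer: src-nat. The srcnat chain runs after routing; any
# packet leaving towards the PLC subnet gets the router's LAN address as its
# source, so the PLC replies to 192.168.0.254 and never needs a gateway.
add chain=srcnat out-interface=ether2-lan dst-address=192.168.0.0/24 \
    action=src-nat to-addresses=192.168.0.254 comment="hide external hosts behind LAN address"

# Return path: the PLC's reply matches the connection-tracking entry created
# by the forward packet and both translations are undone from that entry; no
# NAT rule is evaluated for it. Several external hosts can talk to one PLC
# at the same time because the entry is keyed on source port as well, and
# the router rewrites the source port when two hosts happen to collide.
# Live mappings can be inspected with:
# /ip firewall connection print where dst-address~"^192\\.168\\.0\\."
```

Two practical notes. Hosts on the "rest of the world" side that are not in 10.1.1.0/24 still need a route for that range (or for the individual /32s) pointing at the router, otherwise the packet never arrives for the dstnat chain to see. And because of the src-nat, the PLC and anything logging on the PLC side only ever see 192.168.0.254 as the requester; if you need to know which external host actually polled a PLC, that information exists only on the router, so log or count on the dstnat rules there rather than expecting it from the PLC.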