I am interested in using a Mikrotik router to replace something like an Allen Bradley 1783-NATR device. I am familiar with doing one to one nat on Mikrotiks but the outside and inside interfaces have always had gateways on the mikrotik doing the natting. The Allen Bradley lets me take a layer two connection from an upstream router like a CIsco with a gateway of 10.10.10.1, assign 10.10.10.2 to the mikrotik, then nat things behind the mikrotik to 10.10.10.3-6. The devices behind the mikrotik on the inside have addresses from a network 192.168.1.0/24 that lives on the mikrotik. Here is the config:

/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add comment=SCADA-INSIDE interface=Bridge name=vl66 vlan-id=66
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=Bridge comment=SCADA-INSIDE interface=ether2 pvid=66
add bridge=Bridge comment=SCADA-INSIDE interface=ether3 pvid=66
add bridge=Bridge comment=SCADA-INSIDE interface=ether4 pvid=66
add bridge=Bridge comment=SCADA-INSIDE interface=ether5 pvid=66
add bridge=Bridge comment=SCADA-OUTSIDE disabled=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=Bridge comment=SCADA-INSIDE tagged=Bridge untagged=ether2,ether3,ether5,ether4 vlan-ids=66
/ip address
add address=192.168.1.254/24 comment=SCADA-INSIDE interface=vl66 network=192.168.1.0
add address=10.10.10.2/24 comment=SCADA-OUTSIDE interface=ether1 network=10.10.10.0
/ip firewall filter
add action=accept chain=input
add action=accept chain=output
add action=accept chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.1.4 to-addresses=10.10.10.4
add action=dst-nat chain=dstnat dst-address=10.10.10.4 in-interface=ether1 to-addresses=192.168.1.4
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

I have a laptop plugged into port 2 with a static ip of 192.168.1.4 255.255.255.0 192.168.1.254 GW. From the upstream cisco router I am unable to ping 10.10.10.4 which should nat to my laptop at 192.168.1.4. Am I missing something in the nat statements? What about proxy arp?

I attached a drawing of the ALlen Bradley design. Its using two different 1783-NATR devices which is not what I need, I am just needing one. The gateway for the public IP is on the Stratix, like I would be doing with a Cisco.

With lots of fiddling it is possible to replace the two 1783-NATR devices with a single "multi purpose" router. But it's not easy as both "private" LANs use same IP address space and this is actually problem from routing point of view. So it is actually much easier to use one NAT gateway per LAN subnet ... and that would be true also when using a ROS device.

If you're looking to replace single 1783-NATR with a MT device and you don't know how to use multiple "public" IP addresses: assign all "public" IP addresses you want to use for NAT to WAN interface. I.e.:

That did the trick, MKX. Thank you!