Another overlap subnet remapping (CarPlay)

Hey. I have a WireGuard road warrior configuration (WG is running on a VM outside the MikroTik) on a couple of mobile devices. When connected to my vehicle’s CarPlay, the CarPlay network overlaps all of my subnets, including all my site-to-site routes. The CarPlay network is 10.0.0.0/16; I have subnets 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24, 10.0.6.0/24, 10.0.7.0/24 scattered across various sites. I don’t know why they picked a /16, it makes no sense for a point-to-point link.

I’ve solved this by using NAT and connection tracking to remap the subnet, then updating the apps to use this remapped address.
This works both on a WG connection and when my phone is back on my home Wi-Fi.
I have only done this for 3 hosts locally on the router’s LAN as a proof of concept, and it works fine.

The problem is: is there a way to map an entire /24 to another /24? Having to make a srcnat+dstnat entry for every host on every network seems like the wrong thing to do. This could end up being 1500+ NAT rules. I then have to duplicate these rules onto the other sites for the same behavior.
Or is there a better way in general to do this?


[admin@MikroTik] > ip/firewall/mangle/ print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    ;;; Track Carplay connections
      chain=prerouting action=mark-connection new-connection-mark=carplay passthrough=yes dst-address=10.4.4.0/24 log=no log-prefix=""
 
 
 [admin@MikroTik] > ip/firewall/nat/ print
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=srcnat action=masquerade out-interface=wan_quantum log=no log-prefix="" 

 1    ;;; RoadWarrior phone to VM
      chain=dstnat action=dst-nat to-addresses=10.0.4.16 to-ports=51820 protocol=udp in-interface-list=wans dst-port=51820 log=no log-prefix="" 

 2    ;;; carplay-homeassistant-dst
      chain=dstnat action=dst-nat to-addresses=10.0.4.11 dst-address=10.4.4.11 connection-mark=carplay log=no log-prefix="" 

 3    ;;; carplay-homeassistant-src
      chain=srcnat action=src-nat to-addresses=10.4.4.11 dst-address=10.0.4.11 connection-mark=carplay log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=10.0.4.41 dst-address=10.4.4.41 connection-mark=carplay log=no log-prefix="" 

 5    chain=srcnat action=src-nat to-addresses=10.4.4.41 dst-address=10.0.4.41 connection-mark=carplay log=no log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=10.0.4.43 dst-address=10.4.4.43 connection-mark=carplay log=no log-prefix="" 

 7    chain=srcnat action=src-nat to-addresses=10.4.4.43 dst-address=10.0.4.43 connection-mark=carplay log=no log-prefix=""

https://help.mikrotik.com/docs/spaces/ROS/pages/3211299/NAT

netmap?

Not sure if this is an option for you, but if it’s just a handful of mobile devices and one CarPlay, you could configure them with static IP/mask/gateway/DNS, something like 10.0.0.0/24 or even shorter CIDR. Since you were going to touch all mobile devices anyway…

Oh man. This ‘netmap’ was it. Did exactly what I was trying to do: alias my private IP ranges to another IP range at the router level.

My final config that works:

[admin@MikroTik] > ip/firewall/mangle/ print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    ;;; Track Carplay connections
      chain=prerouting action=mark-connection new-connection-mark=carplay passthrough=yes dst-address=10.4.4.0/24 log=no log-prefix="" 
[admin@MikroTik] > ip/firewall/nat/ print   
Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=srcnat action=masquerade out-interface=wan_quantum log=no log-prefix="" 

 1    ;;; RoadWarrior phone to VM
      chain=dstnat action=dst-nat to-addresses=10.0.4.16 to-ports=51820 protocol=udp in-interface-list=wans dst-port=51820 log=no log-prefix="" 

 2    chain=srcnat action=netmap to-addresses=10.4.4.0/24 dst-address=10.0.4.0/24 connection-mark=carplay log=no log-prefix="" 

 3    chain=dstnat action=netmap to-addresses=10.0.4.0/24 dst-address=10.4.4.0/24 connection-mark=carplay log=no log-prefix=""

Unrelated, but how did you discover this problem? I imagine getting the routing table from an iOS device was not trivial.

“netmap” is a pretty useful trick in RouterOS. So that part makes sense.

I’m curious about the use case too…
So you have a MikroTik on some car’s “LAN”, and want to enable your own VPN or something to the car?

I understood it that when an iPhone is connected to both a remote LAN (over WG) and to a vehicle (for CarPlay), CarPlay inserts a routing rule for 10.0.0.0/16 which makes resources on the remote LAN unreachable.

There are apps for that. I just checked my CarPlay connection with HE Network Tools app. In my case it’s 10.174.189.0/24, definitely nothing commonly used.

Speaking of /16, wouldn’t /24 routes take precedence being more specific? I suspect the OP has something like 0.0.0.0/0 over VPN.

Yes, unless policy routing is involved.
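As an added illustration (not part of the thread, and not RouterOS code), the following Python models the two mechanisms discussed above: the phone's longest-prefix-match route lookup, which explains both why a CarPlay 10.0.0.0/16 shadows every 10.0.x.0/24 behind the tunnel and why a /24 route would win if the phone had one, and the 1:1 prefix substitution that RouterOS `action=netmap` performs, which is why the final config needs one rule pair for the whole /24 instead of a src-nat/dst-nat pair per host. The route table (a default route into WireGuard plus the CarPlay /16) and the interface names are constructed assumptions taken from the speculation in the replies; the addresses are the ones posted in the thread.

```python
"""Model of longest-prefix-match routing and RouterOS netmap-style 1:1 prefix
translation, using the addresses from the thread. Everything here is offline
and constructed; nothing talks to a router or an iPhone."""
from ipaddress import IPv4Address, IPv4Network

CARPLAY = IPv4Network("10.0.0.0/16")
REMOTE_SUBNETS = [IPv4Network(f"10.0.{n}.0/24") for n in range(2, 8)]

# Constructed phone route table (assumption): a default route into the
# WireGuard tunnel, as one reply speculated, plus the CarPlay link route.
PHONE_ROUTES = [("0.0.0.0/0", "wg0"), ("10.0.0.0/16", "carplay0")]

# The netmap pair from the final config, as (matched prefix, replacement prefix).
DSTNAT_NETMAP = ("10.4.4.0/24", "10.0.4.0/24")   # alias seen by the phone -> real LAN
SRCNAT_NETMAP = ("10.0.4.0/24", "10.4.4.0/24")   # real LAN -> alias


def lookup(dst, routes=PHONE_ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = IPv4Address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = IPv4Network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_iface is None:
        raise ValueError(f"no route to {dst}")
    return best_iface


def shadowed_by(link_net, subnets):
    """Subnets overlapped by the link route: unreachable over the tunnel unless
    the phone also holds a more specific route for them."""
    link_net = IPv4Network(link_net)
    return [str(s) for s in subnets if IPv4Network(s).overlaps(link_net)]


def netmap(addr, rule):
    """1:1 prefix substitution, the way action=netmap behaves for equal-length
    prefixes: keep the host bits of addr, replace the network bits."""
    addr = IPv4Address(addr)
    match, to = IPv4Network(rule[0]), IPv4Network(rule[1])
    if addr not in match:
        return addr            # rule does not match; address passes unchanged
    if match.prefixlen != to.prefixlen:
        raise ValueError("1:1 netmap needs equal-length prefixes")
    host_bits = int(addr) & int(match.hostmask)
    return IPv4Address(int(to.network_address) | host_bits)


def reach(dst, routes=PHONE_ROUTES):
    """Interface the phone picks for dst and, if the packet enters the tunnel,
    the real address the router's dst-nat netmap rule rewrites it to."""
    iface = lookup(dst, routes)
    real = netmap(dst, DSTNAT_NETMAP) if iface == "wg0" else None
    return iface, (str(real) if real is not None else None)


if __name__ == "__main__":
    print("shadowed by CarPlay /16:", shadowed_by(CARPLAY, REMOTE_SUBNETS))
    print("10.0.4.11 ->", reach("10.0.4.11"))   # leaves via carplay0, never reaches the LAN
    print("10.4.4.11 ->", reach("10.4.4.11"))   # enters the tunnel, router maps it to 10.0.4.11
    with_specific = PHONE_ROUTES + [("10.0.4.0/24", "wg0")]
    print("10.0.4.11 with a /24 route ->", lookup("10.0.4.11", with_specific))
    # the src-nat netmap rule is the exact inverse of the dst-nat one
    print("round trip:", netmap(netmap("10.4.4.11", DSTNAT_NETMAP), SRCNAT_NETMAP))
```

The alias range has to sit outside the CarPlay /16 for this to work; 10.4.4.0/24 does, so the phone's default route carries it into the tunnel and the router substitutes the network bits while leaving the host part (.11, .41, .43) intact, which is exactly why the six per-host rules in the first post collapse into one netmap pair.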