Doing NAT with bridged ports on routerboard, help needed

Assume the following topology:
[Topology image: ConfigSAD.png]
It works fine with this setup:

# jan/02/1970 02:19:49 by RouterOS 6.34.3
# software id = EVZI-U6P0
#
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.88.121/24 interface=ether11 network=192.168.88.0
add address=192.168.1.1 interface=ether1 network=192.168.1.1
add address=192.168.88.122/24 interface=ether11 network=192.168.88.0
add address=192.168.1.1 interface=ether2 network=192.168.1.1
add address=192.168.88.254/24 interface=ether11 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether12
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=192.168.88.121 new-connection-mark=port121
add action=mark-routing chain=prerouting connection-mark=port121 new-routing-mark=port121 passthrough=no
add action=mark-connection chain=prerouting dst-address=192.168.88.122 new-connection-mark=port122
add action=mark-routing chain=prerouting connection-mark=port122 new-routing-mark=port122 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.88.121 to-addresses=192.168.1.2
add action=dst-nat chain=dstnat dst-address=192.168.88.122 to-addresses=192.168.1.2
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=ether1 routing-mark=port121
add distance=1 dst-address=192.168.1.0/24 gateway=ether2 routing-mark=port122
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=DEBADS-RB1100-001
/system routerboard settings
set boot-delay=5s protected-routerboot=disabled

From now on, the Ethernet devices have a fixed VLAN tag (ID = 1).
Any attempt to customize the setup for this failed.

One non-working example, just adding a bridge, tested without a VLAN ID:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether1
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.88.121/24 interface=bridge1 network=192.168.88.0
add address=192.168.1.1 interface=ether1 network=192.168.1.1
add address=192.168.88.122/24 interface=bridge1 network=192.168.88.0
add address=192.168.1.1 interface=bridge1 network=192.168.1.1
add address=192.168.88.254/24 interface=ether11 network=192.168.88.0
add address=192.168.1.1 interface=ether2 network=192.168.1.1
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether12
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=192.168.88.121 new-connection-mark=port121
add action=mark-routing chain=prerouting connection-mark=port121 new-routing-mark=port121 passthrough=no
add action=mark-connection chain=prerouting dst-address=192.168.88.122 new-connection-mark=port122
add action=mark-routing chain=prerouting connection-mark=port122 new-routing-mark=port122 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.88.121 to-addresses=192.168.1.2
add action=dst-nat chain=dstnat dst-address=192.168.88.122 to-addresses=192.168.1.2
add action=src-nat chain=srcnat src-address=192.168.1.2 to-addresses=192.168.88.122
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=ether1 routing-mark=port121
add distance=1 dst-address=192.168.1.0/24 gateway=ether2 routing-mark=port122

Remark: I have just updated to MikroTik RouterOS 6.41, maybe this helps.

Hi, why are you using a /32 network for 192.168.1.1?

I would make ether1 192.168.2.1/30 and the device 192.168.2.2/30, and ether2 192.168.3.1/30, etc.

Then those mangle rules and marks won't be needed, but the VLAN may be an issue then.

Unfortunately, this is not possible because the devices on ports ether1 and ether2 etc. all have the same fixed IP 192.168.1.2 and VLAN ID.

Solved!

  1. First a supplement to the topology that was not known to me before:
    In the meantime it turned out that the devices to be controlled not only have a VLAN ID of 1, but also mark all frames with TTL=1 to prevent routing.
    Worst case!
    But thanks MikroTik, there is also a solution for that.

  2. The second mistake I made myself, by working with a bridge at all. Why use a sledgehammer to crack a nut?

The following is my working configuration:

# jan/08/2018 11:14:01 by RouterOS 6.41
# software id = EVZI-U6P0
#
# model = 1100AHx2
/interface vlan
add interface=ether1 name=vlan1ether1 vlan-id=1
add interface=ether2 name=vlan1ether2 vlan-id=1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.88.254/24 interface=ether11 network=192.168.88.0
add address=192.168.88.121/24 interface=ether11 network=192.168.88.0
add address=192.168.88.122/24 interface=ether11 network=192.168.88.0
add address=192.168.1.1 interface=vlan1ether1 network=192.168.1.1
add address=192.168.1.1 interface=vlan1ether2 network=192.168.1.1
/ip firewall mangle
add action=change-ttl chain=prerouting new-ttl=set:64 passthrough=yes src-address=192.168.1.2 ttl=equal:1
add action=mark-connection chain=prerouting dst-address=192.168.88.121 new-connection-mark=port121 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.88.122 new-connection-mark=port122 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=port121 new-routing-mark=port121 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=port122 new-routing-mark=port122 passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.88.121 to-addresses=192.168.1.2
add action=dst-nat chain=dstnat dst-address=192.168.88.122 to-addresses=192.168.1.2
add action=masquerade chain=srcnat out-interface=vlan1ether1
add action=masquerade chain=srcnat out-interface=vlan1ether2
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=vlan1ether1 routing-mark=port121
add distance=1 dst-address=192.168.1.0/24 gateway=vlan1ether2 routing-mark=port122
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set boot-delay=5s
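As an added example (not from the thread or from any poster), the per-port part of the working configuration above written as a RouterOS script that generates the VLAN interface, management address, connection/routing marks, NAT and policy route for N identical device ports instead of two. The naming scheme (ether1..etherN, vlan1etherN, 192.168.88.(120+N), mark portN), the ether11 management side and the 192.168.1.2 device address are taken from the configs above; that they generalize to more ports is an assumption.

```routeros
# Added example: generate the per-port rules of the configuration above
# for N device ports. Assumed: device ports are ether1..etherN, every device
# answers on 192.168.1.2 inside VLAN 1 and sends with TTL=1, the management
# network sits on ether11, and port N is reached via 192.168.88.(120+N).
:local portCount 2
:local mgmtIf "ether11"
:local devIp "192.168.1.2"

# TTL rewrite first: replies from the device arrive with TTL=1 and would be
# discarded during forwarding, so raise the TTL before anything else runs.
/ip firewall mangle add chain=prerouting src-address=$devIp ttl=equal:1 action=change-ttl new-ttl=set:64 passthrough=yes

:for i from=1 to=$portCount do={
    :local port ("ether" . $i)
    :local vlan ("vlan1ether" . $i)
    :local pub ("192.168.88." . (120 + $i))
    :local mark ("port" . (120 + $i))

    # Terminate the device's fixed VLAN 1 on a tagged sub-interface of the port;
    # each sub-interface carries the same /32 towards the device.
    /interface vlan add interface=$port name=$vlan vlan-id=1
    /ip address add address="192.168.1.1" interface=$vlan network=192.168.1.1

    # One management-side address per device port.
    /ip address add address=($pub . "/24") interface=$mgmtIf

    # Mark the connection by the management address it was sent to, then use
    # the connection mark to select the routing table for that port.
    /ip firewall mangle add chain=prerouting dst-address=$pub action=mark-connection new-connection-mark=$mark passthrough=yes
    /ip firewall mangle add chain=prerouting connection-mark=$mark action=mark-routing new-routing-mark=$mark passthrough=yes

    # Rewrite the destination to the shared device address and hide the
    # management network behind 192.168.1.1 on the way out of the VLAN.
    /ip firewall nat add chain=dstnat dst-address=$pub action=dst-nat to-addresses=$devIp
    /ip firewall nat add chain=srcnat out-interface=$vlan action=masquerade

    # Per-port routing table: only connections marked for this port use it.
    /ip route add dst-address=192.168.1.0/24 gateway=$vlan routing-mark=$mark distance=1
}
```

Change portCount to add more ports; the masquerade rule is what keeps the device's replies for each connection on the VLAN sub-interface it entered on.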