Help carry out port forwarding according to the table

Hello. I have hardware and software for it that works over the network. The problem is that the address of the device is 192.168.125.1 and the address of my local network is 10.10.0.xxx. I need to access the device via mikrotik from the local network. On my own, I did not manage to fully configure masquerade and port forwarding, so I am asking for your help.
Here is the table.

I will be grateful for your help!

In ROS the most common configuration (and also the default) is to do some kind of generic SRC-NAT for outgoing connections, which should cover the items marked “Direction: Out” in your table. For “Direction: In” one has to configure DST-NAT. The table is missing one crucial piece of information: which IP address the local server providing the service on UDP port 5513 is using. But otherwise the DST-NAT rule would look like this:

/ip/firewall/nat
add chain=dstnat action=dst-nat protocol=udp dst-port=5513 to-addresses=<IP address of local server>

(and optionally/preferably some other properties, such as in-interface-list=WAN, to make the rule as specific as possible so that it does not interfere with unrelated connections).

If there are some firewall rules enabled (either raw or filter), then one has to allow NAT-ed traffic to pass as well. The default config allows DST-NATed traffic (there’s a specific rule with connection-nat-state=dstnat set); if you’re running a different set of rules then something similar might be needed (or not).

Now, my mental picture of your network topology is not clear enough to give better advice. Including your current router config will help as well.

Thank you for your reply.
I can give examples for a better understanding of topology.
The device has the address: 192.168.125.1
My PC has the address: 10.10.0.55
The communication program needs to be set up exactly from my PC to the device.
I thought that it was necessary to do both masquerade and port forwarding. I have NAT enabled.

Well … I still have to guess. So here it goes: you have your mysterious device connected to ether5, so the router has ether5 configured with IP address 192.168.125.254/24. And you have your PC connected to port ether4, so the router has ether4 configured with IP address 10.10.0.254/24. The mysterious device has 192.168.125.254 configured as default gateway, your PC has 10.10.0.254 configured as default gateway. The mysterious device doesn’t have any access restrictions enabled. So everything just works and no NAT is needed.

How am I doing so far? Because if my guess is not right, you need to provide the details …

The device is not so mysterious, it is an ABB robot.
I either don’t understand you or you are laughing at me.
I have a MikroTik RB750r2 router, which is connected to the WAN port with a cable, and the robot is connected to LAN port number 3. If I take my laptop and connect to any port (for example, 2), the program works without problems. If I try to connect through a local network, then I need to configure the router so that data can pass through it and return to my address.
To do this, I need to configure the router taking into account the given plate.
That’s why I need your help.

My previous post was a mix of me not understanding your situation and a bit of a sarcastic way of describing how I may understand the situation from your vague description.

Now the situation is a bit more clear, but not completely.

Is there any reason why you don’t change the robot’s IP address to fall into your normal LAN subnet? That would make things much easier.

Is ether3 dedicated to connecting the robot? If yes, then you could take ether3 out of the LAN bridge and configure a separate IP subnet on it. Next: can the robot communicate outside its own subnet (that’s a re-worded question about the default gateway setting on the robot)? … the table in your original post indicates that it can. If it can’t then you need SRC-NAT from LAN towards the robot … and that’s relatively easily done if you can dedicate a subnet to the robot (this is the first part of this paragraph). If the robot only accepts connections from within its own subnet (due to some security settings), then you again need to configure SRC-NAT anyway. I don’t think you need to perform DST-NAT for communication with the robot since you have full control over the router between the LAN device and the robot.

Etc.

We do not change IP addresses at this time. It can be done, but there is other equipment connected and configured to work with this address (192.168.125.1)

You can configure the router as you like, if it helps to establish communication on the local network… To be honest, I do not have much experience in configuring routers and I am not an expert in network settings. Therefore, I need the help of a specialist. The colleagues who work with me also do not have much experience in similar tasks…

You didn’t answer many of my questions, but the answers are an important step towards a working configuration. I’m sorry, but I don’t feel like asking about every bit of information multiple times. If you don’t make the effort to find the answers, then I’ll stop trying to help. You can always hire a consultant; I guess they will be more motivated to do it.

For my part, I try to provide all the information I have.

  • The robot cannot communicate outside its own network.
  • Yes, I think that port 3 can be singled out and configured as a separate subnet.
    It seemed to me that configuring the router according to the plate would help me solve my problem, but now I understand that everything is not as simple as it seemed…

If the robot can not communicate outside its own subnet, then I wonder what the entries with “Direction: Out” in your table from the initial post are referring to? It would help to understand the requirements if you could explain what kind of communication there is between the robot and its surroundings … If the table you posted in the initial post is from the robot’s perspective and you want to communicate with it from outside its own subnet, then it’s important to understand the communication …

For the remote access (UDP) to the robot, a SRC-NAT rule would do. Let’s say you can single out ether3 for the robot’s subnet … then this SRC-NAT should do:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether3

Meaning that any connection from anywhere which is targeting hosts beyond ether3 will get SRC-NAT-ed … the src-address will be replaced by the router’s own address from that subnet and the src-port will be preserved if possible. The robot will see the incoming connection as if it was coming from the router itself, which is in the same subnet.
From your PC you will still try to connect to the robot’s actual IP address and port number (no DST-NAT configured on the router for this purpose).
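The dedicated-subnet plus SRC-NAT setup this post describes, written out as one complete RouterOS command sequence. This is an added example, not commands from this thread, from MikroTik or from ABB. It assumes the default LAN bridge is named bridge, ether3 is the robot port, the router takes 192.168.125.254/24 on it (the address guessed earlier in the thread), the robot keeps 192.168.125.1 and only answers hosts in its own subnet, and the operator PC is 10.10.0.55. The filter rules in step 4 go beyond the post: they restrict which LAN host may start connections towards the robot.

```routeros
# Added example, not commands from this thread, MikroTik or ABB.
# Assumptions: LAN bridge is named "bridge", the robot hangs off ether3,
# it keeps 192.168.125.1 and only answers hosts in its own /24,
# the router takes 192.168.125.254 on ether3, the operator PC is 10.10.0.55.

# 1. Take ether3 out of the LAN bridge so it becomes a routed port of its own
/interface bridge port
remove [find interface=ether3]

# 2. Give the router an address inside the robot's subnet
/ip address
add address=192.168.125.254/24 interface=ether3 comment="robot subnet"

# 3. Masquerade everything leaving through ether3: the robot sees every
#    connection as coming from 192.168.125.254, i.e. from its own subnet,
#    so it can answer without any default gateway configured
/ip firewall nat
add chain=srcnat out-interface=ether3 action=masquerade comment="SRC-NAT towards robot"

# 4. Optional, beyond the post: only the operator PC may open connections
#    towards the robot. Filter rules are evaluated top to bottom, so these
#    must sit above any generic drop rule already present in the forward chain.
/ip firewall filter
add chain=forward out-interface=ether3 connection-state=established,related action=accept comment="continuing connections towards robot"
add chain=forward out-interface=ether3 src-address=10.10.0.55 action=accept comment="operator PC may reach robot"
add chain=forward out-interface=ether3 action=drop comment="nobody else reaches robot"

# 5. Check from the router itself: the robot must answer on the new subnet
/ping 192.168.125.1 count=3
```

One consequence of masquerading worth keeping in mind: the robot only ever sees 192.168.125.254 as the peer, so it cannot tell which LAN host connected. If that matters, the router is the place to log it (for instance a log action on the forward rule for the operator PC), not the robot.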

And so I tried to configure the router by myself: I removed port number 3 from the bridge (now it is on its own) and did what you wrote.
As a result, it did not help. Now when I search for the robot through the address of the router, I do not find anything.
These are the settings that I had and with which I can see the robot at the address of the router, but I cannot connect.

Can you post the full router config? Open a terminal window, execute the command /export hide-sensitive file=anynameyouwish, fetch the resulting file from the router, open it with a text editor and copy-paste the contents inside a [code] environment (that’s the square bracket “” symbol in the tool ribbon above the post editing window). This way we’ll see how exactly the router is configured.

Looking at the screenshot of the firewall settings I have a feeling you have a pretty big mess there.

I’m here again. Took another router (had to give it back). I configured it for a different network (different addresses, but it does not change the essence). Here is the file you requested.
https://drive.google.com/file/d/1Oxd8UQgBUBq1cONWNCQrtGMPlgCYPk-8/view?usp=sharing

Post the config please, not about going to open files from places…

Do you mean to make a backup file?

No, the file is fine, but @anav doesn’t want to click through layers of GUI just to get to the file.

Now, the configuration is … interesting to put it mildly :wink:. But before I can tell if it’s all crap or something might actually be usable, I’d need to know how exactly that robot communicates. You did not tell us a thing about it (apart from the information that it’s a robot).

I hope that the router only sits between your usual LAN and that robot (because you can’t change the robot’s IP address)? Because the “crap” part of the previous paragraph applies to the firewall part of the config at its fullest.

Also, I am averse to clicking on links when I have no knowledge about their veracity or cleanliness…

I don’t know how to upload the file here correctly, so I used Google Drive. The link is absolutely safe, here is the confirmation

I can provide you with instructions on how the program works and work in general. This may help to solve future questions.

https://library.e.abb.com/public/d196d59a6a874bbcb144f6df42ba0b10/3HAC032104-en.pdf?x-sign=aacat3a0wzTZZbUHEoyxLDJlzvXXZgIfj/vBwXQJVIOTSSDmJgviN+GimbU17cmk

I quickly went through the manual and it seems that the table from the first post in this thread is pretty much irrelevant (it is shown as an aid to configure the firewall on the Windows PC which is used to connect to the robot). The manual contains another section, which seems more relevant to me:

Remote network connection
To enable connection to the controller on a remote subnet or over the local network, the relevant network traffic must be allowed through any firewall between the PC and the controller. The firewall must be configured to accept the following TCP/IP traffic from the PC to the controller:
• UDP port 5514 (unicast)
• TCP port 5515
• Passive FTP
All TCP and UDP connections to remote controllers are initiated by the PC, that is, the controller only responds on the given source port and address.

So apart from SRC-NAT (which has to be performed when connecting from a different subnet) the following DST-NAT rules have to be configured:

/ip firewall nat
add chain=dstnat action=dst-nat protocol=udp dst-port=5514 to-addresses=192.168.125.1
add chain=dstnat action=dst-nat protocol=tcp dst-port=5515 to-addresses=192.168.125.1
add chain=dstnat action=dst-nat protocol=tcp dst-port=21 to-addresses=192.168.125.1

and make sure that the FTP helper is enabled (check /ip service and verify that service ftp (port 21) is not disabled).

N.b.: FTP is a complex protocol because it uses separate connections for data sessions (e.g. file transfer). There are two modes (active, passive), and both are nasty to firewalls … either the firewall on the FTP server’s edge or the FTP client’s edge (or the OS firewall), so one has to choose the lesser evil. In the case of the robot, the mode is fixed to passive, and passive mode is nasty to the FTP server’s edge (in this case it’s the RouterBoard you’re trying to configure), hence the need for the FTP helper being active. More about active vs. passive FTP.

When testing whether anything works: autodiscovery of the robot doesn’t work, so you have to configure your software to connect to the router’s LAN IP address (e.g. 10.10.0.254 or whatever it’s set to).

BTW, when it comes to the firewall … as I already mentioned, you have assorted crap in the config, which can greatly interfere with attempts to configure NAT. If your LAN and robot subnets are generally equally secure, I’d remove all firewall filter rules until the NAT part starts to work. You can later add some firewall filter rules to limit access to the robot (if that’s what you want) and some filter rules to protect the router itself (from both ends; the robot can be malware infested as well).
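The DST-NAT side described in the first reply and in this last post, assembled as one RouterOS sequence: the three ports from the ABB manual, the FTP helper, the filter rule that lets NAT-ed traffic pass, and a way to check that connections are actually being translated. This is an added example, not from the thread, from MikroTik or from ABB. It assumes the LAN side is the bridge named bridge with router address 10.10.0.254 (as in the post above), the robot is 192.168.125.1 behind ether3, and a masquerade rule towards ether3 like the one posted earlier already exists. The dst-address and in-interface restrictions go beyond the post: they keep the redirect from catching traffic meant for the router itself or arriving from other interfaces.

```routeros
# Added example, not from the thread, MikroTik or ABB.
# Assumptions: LAN bridge named "bridge", router LAN address 10.10.0.254,
# robot at 192.168.125.1 behind ether3, srcnat masquerade towards ether3
# already configured (the PC software is pointed at 10.10.0.254).

# 1. Redirect the three ports the ABB manual names, but only when a LAN host
#    addresses the router's own LAN address, so other services on the router
#    and traffic from other interfaces are never caught by the redirect
/ip firewall nat
add chain=dstnat in-interface=bridge dst-address=10.10.0.254 protocol=udp dst-port=5514 action=dst-nat to-addresses=192.168.125.1 comment="robot UDP 5514"
add chain=dstnat in-interface=bridge dst-address=10.10.0.254 protocol=tcp dst-port=5515 action=dst-nat to-addresses=192.168.125.1 comment="robot TCP 5515"
add chain=dstnat in-interface=bridge dst-address=10.10.0.254 protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.125.1 comment="robot FTP control"

# 2. Keep the connection-tracking FTP helper enabled so the passive data
#    connection announced on the control channel is tracked as "related"
#    and needs no redirect rule of its own
/ip firewall service-port
set ftp disabled=no ports=21

# 3. If a forward-chain filter is in use, accept only what was DST-NAT-ed
#    towards the robot; established/related covers returning packets and
#    the FTP data session. Both rules must sit above any generic drop rule.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="continuing connections"
add chain=forward connection-nat-state=dstnat in-interface=bridge out-interface=ether3 action=accept comment="only the redirected ports reach robot"

# 4. Check while the PC software is connecting to 10.10.0.254: the NAT rule
#    counters should climb and tracked connections should show the robot
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.125.1"
```

Because the redirect matches on dst-address=10.10.0.254, a LAN host that talks to the router on any other port (Winbox, SSH, DNS) still reaches the router itself; only the three robot ports are diverted. If the counters in step 4 stay at zero, the software is not reaching the router address at all, which points at the PC side (wrong target address or the Windows firewall from the manual's table) rather than at NAT.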