How to create NAT for multi device software update

Hello everyone.

In my case I want two or more devices to be connected to the MikroTik for a software update. The software must be downloaded from an FTP server (connected to the router). Each device will be connected to a different port on the router. Depending on the device software version it comes with different IP addresses (for example: 192.168.0.100 or 10.0.0.100), and these addresses can't be changed manually.

Devices are connected like that:

[FTP server]---------[MT Router]-----[Device #1] (192.168.0.100 or 10.0.0.100)
(192.168.1.9)                  |-----[Device #2] (192.168.0.100 or 10.0.0.100)
                               |-----[Device #3] (192.168.0.100 or 10.0.0.100)

On the devices no gateway can be set, and the software update must be started from the device itself.
How can I configure it to make that possible? I have tried different ways, but it's not working.

The configuration from the PC to the devices has been made with help from this post and everything works perfectly.

When I made the configuration below it works only for p1 (192.168.0.11).

/ip address
add address=192.168.0.11/24 interface=p1 network=192.168.0.0
add address=192.168.0.12/24 interface=p2 network=192.168.0.0
add address=192.168.0.13/24 interface=p3 network=192.168.0.0
add address=192.168.0.14/24 interface=p4 network=192.168.0.0
add address=10.0.0.11/24 interface=p1 network=10.0.0.0
add address=10.0.0.12/24 interface=p2 network=10.0.0.0
add address=10.0.0.13/24 interface=p3 network=10.0.0.0
add address=10.0.0.14/24 interface=p4 network=10.0.0.0
/ip firewall nat
add action=dst-nat chain=dstnat src-address=192.168.0.100 dst-address=192.168.0.11 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat src-address=192.168.0.100 dst-address=192.168.0.12 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat src-address=192.168.0.100 dst-address=192.168.0.13 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat src-address=192.168.0.100 dst-address=192.168.0.14 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat src-address=10.0.0.100 dst-address=10.0.0.11 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat src-address=10.0.0.100 dst-address=10.0.0.12 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat src-address=10.0.0.100 dst-address=10.0.0.13 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat src-address=10.0.0.100 dst-address=10.0.0.14 to-addresses=192.168.1.9

I have tried different ways with and without mangle rules and it's the same. It works only for p1 (192.168.0.11) or does not work at all.

You need some connection marking. In prerouting, check for new incoming connections on the px interfaces. Give them unique connection marks. And then in output, mark routing for connections with these marks.

Hello.

I tried what you said (or I hope so), but it's not working. Maybe the mistake is obvious, but I'm not so familiar with mangle.

Here is the code:

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    p1 new-connection-mark=dev-in-mc-1.1 passthrough=yes src-address=\
    192.168.0.100
add action=mark-routing chain=output connection-mark=dev-in-mc-1.1 \
    new-routing-mark=dev-out-mr-1.1 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.0.11 src-address=\
    192.168.0.100 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=192.168.0.12 src-address=\
    192.168.0.100 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=192.168.0.13 src-address=\
    192.168.0.100 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=192.168.0.14 src-address=\
    192.168.0.100 to-addresses=192.168.1.9
add action=masquerade chain=srcnat src-address=192.168.0.100

/ip route
add distance=1 gateway=FTP routing-mark=dev-out-mr-1.1

P.S. I made mangle rules only for one port, just to be sure in the first place that it's working.

Mangle rules should be different (wrong chain in second one was my fault):

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=p1 new-connection-mark=dev-in-mc-1.1 passthrough=yes
add action=mark-routing chain=prerouting src-address=192.168.1.9 connection-mark=dev-in-mc-1.1 new-routing-mark=dev01 passthrough=no

NAT rules stay. You shouldn’t need route to FTP, it should already exist in default table. And finally, routes to devices on individual ports should already exist too (they are routing-mark=dev01-04 in the post you say served as your original inspiration).

Hello mate. Thanks for helping me.
I tried, and again it's working only for p1 (target 192.168.0.11).
When I observe the connections for p1 and the other ones, I see that for the other ones the state is syn received. Screenshots attached below.

I will attach all the code, because the reason for the failure can be somewhere else.
You will also see another IP address (192.168.0.50); in some software versions the devices come with this IP. That is the reason why I added additional rules.
And I forgot to mention that the PC and the FTP server are the same device.

/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1
set [ find default-name=ether2 ] name=eth2
set [ find default-name=ether3 ] name=eth3
set [ find default-name=ether4 ] name=eth4
/interface bridge
add name=PC
add name=p1
add name=p2
add name=p3
add name=p4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=pass \
    supplicant-identity="" wpa-pre-shared-key=******** wpa2-pre-shared-key=\
    ********
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no frequency=2422 mode=ap-bridge name=wlan security-profile=pass \
    ssid=MT wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:F3:01:2F \
    master-interface=wlan multicast-buffering=disabled name=wlan-mgmt \
    security-profile=pass ssid=mgmt wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/ip pool
add name=dhcp_pool-1.9 ranges=192.168.1.9
/ip dhcp-server
add address-pool=dhcp_pool-1.9 disabled=no interface=PC name=dhcp-1.9
/interface bridge port
add bridge=PC interface=wlan-mgmt
add bridge=p1 hw=no interface=eth1
add bridge=p2 hw=no interface=eth2
add bridge=p3 hw=no interface=eth3
add bridge=p4 hw=no interface=eth4
/ip address
add address=192.168.1.1/24 interface=PC network=192.168.1.0
add address=192.168.0.11/24 interface=p1 network=192.168.0.0
add address=192.168.0.12/24 interface=p2 network=192.168.0.0
add address=192.168.0.13/24 interface=p3 network=192.168.0.0
add address=192.168.0.14/24 interface=p4 network=192.168.0.0
add address=10.0.0.21/24 interface=p1 network=10.0.0.0
add address=10.0.0.22/24 interface=p2 network=10.0.0.0
add address=10.0.0.23/24 interface=p3 network=10.0.0.0
add address=10.0.0.24/24 interface=p4 network=10.0.0.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall address-list
add address=10.0.1.1 list=translate-to-dev1
add address=10.0.1.2 list=translate-to-dev1
add address=10.0.1.3 list=translate-to-dev1
add address=10.0.1.4 list=translate-to-dev1
add address=10.0.2.1 list=translate-to-dev2
add address=10.0.2.2 list=translate-to-dev2
add address=10.0.2.3 list=translate-to-dev2
add address=10.0.2.4 list=translate-to-dev2
add address=10.0.3.1 list=translate-to-dev3
add address=10.0.3.2 list=translate-to-dev3
add address=10.0.3.3 list=translate-to-dev3
add address=10.0.3.4 list=translate-to-dev3
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.1.1 new-connection-mark=dev1.1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev1.1 \
    new-routing-mark=dev1.1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.1.2 new-connection-mark=dev1.2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev1.2 \
    new-routing-mark=dev1.2 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.1.3 new-connection-mark=dev1.3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev1.3 \
    new-routing-mark=dev1.3 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.1.4 new-connection-mark=dev1.4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev1.4 \
    new-routing-mark=dev1.4 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.2.1 new-connection-mark=dev2.1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev2.1 \
    new-routing-mark=dev2.1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.2.2 new-connection-mark=dev2.2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev2.2 \
    new-routing-mark=dev2.2 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.2.3 new-connection-mark=dev2.3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev2.3 \
    new-routing-mark=dev2.3 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.2.4 new-connection-mark=dev2.4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev2.4 \
    new-routing-mark=dev2.4 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.3.1 new-connection-mark=dev3.1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev3.1 \
    new-routing-mark=dev3.1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.3.2 new-connection-mark=dev3.2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev3.2 \
    new-routing-mark=dev3.2 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.3.3 new-connection-mark=dev3.3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev3.3 \
    new-routing-mark=dev3.3 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=10.0.3.4 new-connection-mark=dev3.4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev3.4 \
    new-routing-mark=dev3.4 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=p1 new-connection-mark=dev-in-mc-1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev-in-mc-1 \
    new-routing-mark=dev-mr-1 passthrough=no src-address=192.168.1.9
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=p2 new-connection-mark=dev-in-mc-2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev-in-mc-2 \
    new-routing-mark=dev-mr-2 passthrough=no src-address=192.168.1.9
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=p3 new-connection-mark=dev-in-mc-3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev-in-mc-3 \
    new-routing-mark=dev-mr-3 passthrough=no src-address=192.168.1.9
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=p4 new-connection-mark=dev-in-mc-4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=dev-in-mc-4 \
    new-routing-mark=dev-mr-4 passthrough=no src-address=192.168.1.9
/ip firewall nat
add action=masquerade chain=srcnat out-interface=p1 src-address=\
    192.168.1.9
add action=masquerade chain=srcnat out-interface=p2 src-address=\
    192.168.1.9
add action=masquerade chain=srcnat out-interface=p3 src-address=\
    192.168.1.9
add action=masquerade chain=srcnat out-interface=p4 src-address=\
    192.168.1.9
add action=dst-nat chain=dstnat dst-address-list=translate-to-dev1 \
    src-address=192.168.1.9 to-addresses=192.168.0.100
add action=dst-nat chain=dstnat dst-address-list=translate-to-dev2 \
    src-address=192.168.1.9 to-addresses=10.0.0.100
add action=dst-nat chain=dstnat dst-address-list=translate-to-dev3 \
    src-address=192.168.1.9 to-addresses=192.168.0.50
add action=dst-nat chain=dstnat dst-address=192.168.0.11 src-address=\
    192.168.0.100 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=192.168.0.12 src-address=\
    192.168.0.100 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=192.168.0.13 src-address=\
    192.168.0.100 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=192.168.0.14 src-address=\
    192.168.0.100 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=192.168.0.11 src-address=\
    192.168.0.50 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=192.168.0.12 src-address=\
    192.168.0.50 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=192.168.0.13 src-address=\
    192.168.0.50 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=192.168.0.14 src-address=\
    192.168.0.50 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=10.0.0.21 src-address=10.0.0.100 \
    to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=10.0.0.22 src-address=10.0.0.100 \
    to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=10.0.0.23 src-address=10.0.0.100 \
    to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=10.0.0.24 src-address=10.0.0.100 \
    to-addresses=192.168.1.9
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=p1 routing-mark=dev1.1
add distance=1 dst-address=192.168.0.0/24 gateway=p2 routing-mark=dev1.2
add distance=1 dst-address=192.168.0.0/24 gateway=p3 routing-mark=dev1.3
add distance=1 dst-address=192.168.0.0/24 gateway=p4 routing-mark=dev1.4
add distance=1 dst-address=10.0.0.0/24 gateway=p1 routing-mark=dev2.1
add distance=1 dst-address=10.0.0.0/24 gateway=p2 routing-mark=dev2.2
add distance=1 dst-address=10.0.0.0/24 gateway=p3 routing-mark=dev2.3
add distance=1 dst-address=10.0.0.0/24 gateway=p4 routing-mark=dev2.4
add distance=1 dst-address=192.168.0.0/24 gateway=p1 routing-mark=dev3.1
add distance=1 dst-address=192.168.0.0/24 gateway=p2 routing-mark=dev3.2
add distance=1 dst-address=192.168.0.0/24 gateway=p3 routing-mark=dev3.3
add distance=1 dst-address=192.168.0.0/24 gateway=p4 routing-mark=dev3.4
/ip service
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system routerboard settings
set auto-upgrade=yes

(Screenshots: 11.png, 12.png)

Your configuration export suggests that you haven’t got the point of the use of connection-marks and routing-marks to choose routes.

Your mangle rules assign two sets of connection-marks and routing-marks, devX.Y and dev-in-mc-X/dev-mr-X, but you then use only the routing marks from the first group to mark routes. So when the FTP connection is initiated by the device connected to p2 as a client, like on your second picture, the connection gets the connection-mark dev-in-mc-2 which is then translated into routing-mark dev-mr-2 also for the response packets from the PC to the device, but as there is no route with gateway=p2 for this routing-mark, the response packet is not forwarded anywhere.

Also, you don’t need the aliases 192.168.0.11-192.168.0.14 to assign correct connection-marks; it is enough to assign the connection-marks depending on the source interface (p1 to p4) even if all the devices connect to 192.168.0.9 directly.

You also don’t need to use separate connection-marks and routing-marks for FTP connections and the supposed management connections to the devices, so you can basically just change the rules currently assigning connection marks dev-in-mc-X to start assigning devX.Y and you should be good.

FTP server address is 192.168.1.9

That doesn’t change the essence of the message. You do need distinctive aliases of the devices’ addresses for connections initiated by the PC because the actual addresses of the devices are the same so you need something else to choose the right interface; you don’t need the distinctive aliases for the PC as in-interface=pX is sufficient to assign the appropriate connection-mark.

Thanks for both of you.
After adding these new routes everything works just fine.

add distance=1 gateway=p1 routing-mark=dev-mr-1
add distance=1 gateway=p2 routing-mark=dev-mr-2
add distance=1 gateway=p3 routing-mark=dev-mr-3
add distance=1 gateway=p4 routing-mark=dev-mr-4
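As an added example (not from the thread or from any of the posters), the following is one consolidated RouterOS v6 rule set that implements the approach the answers converge on: one connection mark per device port, assigned by `in-interface` for device-initiated update flows and by a per-port alias address for PC-initiated management flows, and one default route per mark so replies leave through the port the request came in on. It generalizes the thread's device-side dst-nat to a single rule (any device port connecting to a router-owned address on TCP/21 is sent to the FTP host) and replaces the accept-all filter from the export with a minimal one. The interface list `devports`, the address lists `alias-port1`..`alias-port4`, and the mark names `port1`..`port4` are names chosen here; the bridges p1..p4 and PC, the host 192.168.1.9, the device addresses and the 10.0.X.Y alias scheme are taken from the thread.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 (routing-mark on
# routes), bridges p1..p4 facing the devices, bridge PC facing the FTP/PC host
# 192.168.1.9, devices answering on 192.168.0.100, 10.0.0.100 or 192.168.0.50,
# the per-port alias addresses 192.168.0.11-14 / 10.0.0.21-24 already on
# p1..p4, and the translate-to-dev* address lists from the export.

/interface list
add name=devports
/interface list member
add list=devports interface=p1
add list=devports interface=p2
add list=devports interface=p3
add list=devports interface=p4

# Aliases the PC uses to reach "the device on port Y": 10.0.X.Y, where X picks
# the device IP variant (1=192.168.0.100, 2=10.0.0.100, 3=192.168.0.50).
/ip firewall address-list
add list=alias-port1 address=10.0.1.1
add list=alias-port1 address=10.0.2.1
add list=alias-port1 address=10.0.3.1
add list=alias-port2 address=10.0.1.2
add list=alias-port2 address=10.0.2.2
add list=alias-port2 address=10.0.3.2
add list=alias-port3 address=10.0.1.3
add list=alias-port3 address=10.0.2.3
add list=alias-port3 address=10.0.3.3
add list=alias-port4 address=10.0.1.4
add list=alias-port4 address=10.0.2.4
add list=alias-port4 address=10.0.3.4

/ip firewall mangle
# 1. Device-initiated flows (the update): the ingress port alone identifies
#    the device, so one rule per port covers every device IP variant.
add chain=prerouting in-interface=p1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=port1 passthrough=yes
add chain=prerouting in-interface=p2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=port2 passthrough=yes
add chain=prerouting in-interface=p3 connection-mark=no-mark \
    action=mark-connection new-connection-mark=port3 passthrough=yes
add chain=prerouting in-interface=p4 connection-mark=no-mark \
    action=mark-connection new-connection-mark=port4 passthrough=yes
# 2. PC-initiated flows (management): the devices share an IP, so the alias
#    the PC targets picks the mark. Same marks as step 1, so one route set
#    serves both directions.
add chain=prerouting in-interface=PC dst-address-list=alias-port1 \
    connection-mark=no-mark action=mark-connection new-connection-mark=port1 passthrough=yes
add chain=prerouting in-interface=PC dst-address-list=alias-port2 \
    connection-mark=no-mark action=mark-connection new-connection-mark=port2 passthrough=yes
add chain=prerouting in-interface=PC dst-address-list=alias-port3 \
    connection-mark=no-mark action=mark-connection new-connection-mark=port3 passthrough=yes
add chain=prerouting in-interface=PC dst-address-list=alias-port4 \
    connection-mark=no-mark action=mark-connection new-connection-mark=port4 passthrough=yes
# 3. Every packet from the PC side that belongs to a marked connection (reply
#    to an update, or management traffic) is routed by that mark. Packets from
#    the device ports need no routing mark: 192.168.1.9 is reachable via main.
add chain=prerouting in-interface=PC connection-mark=port1 \
    action=mark-routing new-routing-mark=port1 passthrough=no
add chain=prerouting in-interface=PC connection-mark=port2 \
    action=mark-routing new-routing-mark=port2 passthrough=no
add chain=prerouting in-interface=PC connection-mark=port3 \
    action=mark-routing new-routing-mark=port3 passthrough=no
add chain=prerouting in-interface=PC connection-mark=port4 \
    action=mark-routing new-routing-mark=port4 passthrough=no

/ip firewall nat
# Device -> any router-owned alias on TCP/21 becomes device -> FTP host.
add chain=dstnat in-interface-list=devports dst-address-type=local \
    protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.1.9
# PC -> alias becomes PC -> the real device address of that variant.
add chain=dstnat in-interface=PC dst-address-list=translate-to-dev1 \
    action=dst-nat to-addresses=192.168.0.100
add chain=dstnat in-interface=PC dst-address-list=translate-to-dev2 \
    action=dst-nat to-addresses=10.0.0.100
add chain=dstnat in-interface=PC dst-address-list=translate-to-dev3 \
    action=dst-nat to-addresses=192.168.0.50
# Devices have no gateway, so traffic toward them must carry a source on the
# device's own subnet; traffic toward the PC side is masqueraded as well so the
# FTP host never needs a route back to 192.168.0.0/24 or 10.0.0.0/24.
add chain=srcnat out-interface-list=devports action=masquerade
add chain=srcnat out-interface=PC action=masquerade

# One default route per mark: whichever device IP variant replies are for,
# they leave through the port the connection was marked on.
/ip route
add dst-address=0.0.0.0/0 gateway=p1 routing-mark=port1
add dst-address=0.0.0.0/0 gateway=p2 routing-mark=port2
add dst-address=0.0.0.0/0 gateway=p3 routing-mark=port3
add dst-address=0.0.0.0/0 gateway=p4 routing-mark=port4

# Minimal forward policy instead of accept-all: management from the PC to the
# device ports, FTP from the device ports to the PC side, nothing else.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=PC out-interface-list=devports action=accept
add chain=forward in-interface-list=devports out-interface=PC \
    protocol=tcp dst-port=21 action=accept
add chain=forward action=drop
```

To check that a device on p2 is handled by the right table, start an update on it and look at `/ip firewall connection print where connection-mark=port2` (the entry should progress past syn-received) and `/ip route print where routing-mark=port2` (exactly one active route via p2). Keep the `ftp` entry in `/ip firewall service-port` enabled and use passive mode on the devices, so the data connection is also opened from the device side, tracked as related, and translated with the control connection. On RouterOS v7 the `routing-mark=` parameter on routes is replaced by `routing-table=`, and each table has to be created first with `/routing table add name=port1 fib` (and likewise for the others); the mangle and NAT rules are unchanged.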