Join Networks & NAT

Hello,

I’m looking at getting a 750 and wondering if I can program it to join some networks.

Net 1 = 192.168.3.x

Net 2 = 192.168.1.x
Net 3 = 192.168.10.x
Net 4 = 192.168.100.x

I would like to designate some unused addresses in Net 1 to become pseudo addresses for machines on the other networks.

Example: On Net 1 there might be an IP 192.168.3.210, but behind the scenes packets destined for that IP are routed to 192.168.1.10. Also on Net 1 there might be an IP 192.168.3.211, but behind the scenes packets destined for that IP are routed to 192.168.100.100.

Each route would be on a 1:1 basis. Further, I would like to restrict access to these pseudo addresses. So 192.168.3.211 might only communicate with the 192.168.3.1-192.168.3.12 computers. Packets from a device at 192.168.3.100 trying to access 192.168.3.211 would simply be dropped.

Thanks

No reason to do pseudo addresses when you can go direct. Doing pseudo address will just complicate things.

Keep in mind that Mikrotik uses the routing table to resolve any request that is not bridged. By default the routing table builds what you need to route between these networks. I am assuming all these networks are on the Mikrotik router. (If not, a diagram would be needed and routes built into the routing table.)

In this case the only thing you need to do is restrict access. Use the firewall filter.

Example only (the accept rules coming before the drop are processed first and accept the packets for those addresses):
/ip firewall filter
# forward chain: traffic routed between the two LANs goes through forward, not input
add chain=forward src-address=192.168.0.101 dst-address=192.168.1.0/24 action=accept
add chain=forward src-address=192.168.0.102 dst-address=192.168.1.0/24 action=accept
add chain=forward src-address=192.168.0.103 dst-address=192.168.1.0/24 action=accept
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.1.0/24 action=drop

This would allow 3 addresses to communicate with 192.168.1.0/24, with all others being dropped.

The way you were describing what you wanted to do would have been terribly complicated. This is easier.

Hi Tws101,

I suppose some more background would have exposed – it’s already ‘complicated’. :neutral_face:

Some PCs in our 192.168.3.x network need access to manufacturing equipment in two lines. The manufacturer of the lines has preprogrammed PLCs with hard-coded IP addresses, so renumbering the equipment would not only be a nightmare, but we’d lose all support from the line manufacturer and be on our own. So there are duplicates already, and you can’t just tie the networks together.

Also, corporate has control of the main routers used for internet access and VPNs to other branches, which workstations on 192.168.3.x can see now. The corporate office IP scheme (192.168.1.x) already overlaps the manufacturing equipment scheme.

I’ve seen where you could route to specific ports on the 750, so I believe it should also have the ability to isolate the two line networks from seeing each other. My next logical jump was to create some pseudo addresses and NAT rules to route to specific ports on the 750.

See now where my fun begins! :wink:

Looking at my attached network drawing, I want to map the following:
192.168.3.200 (pseudo address) —> NAT —> Port 2 —> 192.168.1.10
192.168.3.201 (pseudo address) —> NAT —> Port 2 —> 192.168.10.10
192.168.3.202 (pseudo address) —> NAT —> Port 2 —> 192.168.100.10
192.168.3.203 (pseudo address) —> NAT —> Port 3 —> 192.168.1.10
192.168.3.204 (pseudo address) —> NAT —> Port 3 —> 192.168.10.10
192.168.3.205 (pseudo address) —> NAT —> Port 3 —> 192.168.100.10
Port 1 would attach to our existing 192.168.3.x network.
There would be no need for routing outside the 192.168.3.x network to the mfg. line equipment (i.e. no other gateway, just the pseudo addresses translated).
(attached drawing: NetEx.jpg)
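For reference, here is how one of the mappings above (192.168.3.200 through Port 2 to 192.168.1.10), together with the source restriction from the first post (only 192.168.3.1-192.168.3.12 allowed), would look as RouterOS configuration. This is an added example, not from the thread or from MikroTik; it assumes ether1 is the 192.168.3.x LAN with the router at 192.168.3.1, ether2 is the line network with the router at 192.168.1.1, and it covers a single pseudo address through a single port only, so it does not address the duplicate 192.168.1.x network on Port 3.

```routeros
# Added example. Assumed interface names and router addresses:
#   ether1 = plant LAN 192.168.3.0/24 (router 192.168.3.1)
#   ether2 = line A network, PLC at 192.168.1.10 (router 192.168.1.1)
/ip address
add address=192.168.3.1/24 interface=ether1
add address=192.168.1.1/24 interface=ether2
# The router must own the pseudo address so it answers ARP for it on the plant LAN
add address=192.168.3.200/24 interface=ether1 comment="pseudo address for line A PLC"

/ip firewall nat
# 1:1 destination NAT: packets sent to the pseudo address are rewritten to the PLC's real address
add chain=dstnat in-interface=ether1 dst-address=192.168.3.200 \
    action=dst-nat to-addresses=192.168.1.10 comment="192.168.3.200 -> 192.168.1.10"
# The PLC's address is hard-coded and it may have no route back to 192.168.3.0/24, so hide
# plant hosts behind the router's ether2 address; replies then come back through the router
add chain=srcnat out-interface=ether2 action=masquerade comment="plant hosts -> line A"

/ip firewall filter
# Replies to connections already allowed
add chain=forward connection-state=established,related action=accept
# dst-nat runs before the forward chain, so match the translated address 192.168.1.10 here.
# Only 192.168.3.1-192.168.3.12 may open connections to the PLC via the pseudo address
add chain=forward in-interface=ether1 out-interface=ether2 \
    src-address=192.168.3.1-192.168.3.12 dst-address=192.168.1.10 \
    connection-state=new action=accept comment="allowed plant hosts -> line A PLC"
# Anything else headed for the line network (e.g. from 192.168.3.100) is dropped
add chain=forward out-interface=ether2 action=drop comment="isolate line A"
# Nothing originating on the line network may reach the plant LAN
add chain=forward in-interface=ether2 out-interface=ether1 action=drop
```

Each additional pseudo address gets its own /ip address entry and dst-nat rule; the masquerade and filter rules can be shared per line interface.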

Because of the duplicates I don’t see a way to do it with one router. I think you would need 3 routers.

Your pseudo addresses would be the WAN on the other routers. Just assign multiple addresses to them and set up NAT.

If anyone else knows how to do that with one router and handle the duplicate please post the solution.