I have a question about configuration of Mikrotik Nat
We have used a Mikrotik RB2011 for our production site. In our scenario two PLCs with the same IP address (192.168.125.1) are on different interfaces (ether2 and ether4), which have a connection between them and the outside. I tried to do it with NAT, but this way they block each other's traffic when both interfaces are up. When I disable one of them, the other continues to reach the other networks. How can I avoid this?
Thanks in advance.
I do not get it. What do you want?
That the two PLC’s can talk to each other as well as reaching other networks? Or are they supposed to be only going to “the internet”?
If all ports are in bridge, then of course you get problems. Change one of the IP’s to an unused IP in the same range and then they can talk to each other.
This type of problem started popping up here now and then with the emergence of IoT. A typical scenario is “I have XXX devices which have the same fixed address in default configuration and I need to connect as many as possible of them to a test bed at the same time”; another (actually the same, but put differently) one is “I am unable to change the IP address of a device and I need to use several such devices with the same IP address”.
Communication between these devices is usually not required.
Check these threads:
http://forum.mikrotik.com/t/port-to-interfacing/97096/1
http://forum.mikrotik.com/t/how-to-allow-two-devices-with-same-ip-access-internet/115990/1
But remember, it’s all wrong, ugly hacks.
In fact I can explain the problem in the following way:
WAN IP: 10.4.220.X/21
Mikrotik IP: 10.4.220.115/21
PLC IP: 192.168.10.1, which we need to reach from the server 10.4.0.12
ROBOT1: 192.168.125.1, which we need to reach from the server 10.4.0.12
ROBOT2: 192.168.125.1, which we need to reach from the server 10.4.0.12
Which side initiates the connection? Does the server initiate the establishment of the connection to the robot, or does the robot initiate the establishment of the connection to the server?
The server initiates the establishment of the connection to the robots and the PLC. Here is the config:
# mar/23/2018 15:55:09 by RouterOS 6.39.2
# software id = EIJ5-GDZI
/interface bridge
add name=bridge1
add name=bridge2
add name=bridge3
/interface ethernet
set [ find default-name=ether5 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n wireless-protocol=nv2-nstreme-802.11
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether2
add bridge=bridge1 disabled=yes interface=ether5
add bridge=bridge2 interface=ether10 point-to-point=yes
add bridge=bridge1 interface=ether4
add bridge=bridge3 interface=ether3
/ip address
add address=192.168.10.3/24 interface=ether3 network=192.168.10.0
add address=10.4.220.113/21 interface=ether1 network=10.4.216.0
add address=10.4.220.45 interface=ether1 network=10.4.220.45
add address=192.168.125.100/24 disabled=yes interface=ether5 network=192.168.125.0
add address=10.4.220.46 interface=ether1 network=10.4.220.46
add address=10.4.220.47 interface=ether1 network=10.4.220.47
add address=192.168.125.100/24 interface=ether10 network=192.168.125.0
add address=10.4.220.78 interface=ether1 network=10.4.220.78
add address=10.4.220.78 disabled=yes interface=ether4 network=10.4.220.78
add address=192.168.125.100/24 interface=ether4 network=192.168.125.0
/ip dns
set servers=8.8.8.8,10.5.0.1
/ip firewall address-list
add address=10.4.0.12 comment=OPCPCOSRV list=accept
add address=192.168.10.1 comment=PLC list=accept
add address=192.168.125.1 comment=ROBOTS list=accept
add address=10.4.0.120 comment=BASLIKSRV list=accept
add address=10.4.16.2 comment=IKARAHAN list=accept
/ip firewall filter
add action=drop chain=forward connection-state=established,related log-prefix=FirewallDrop src-address-list=!accept
add action=accept chain=forward connection-state=established,related src-address-list=accept
add action=accept chain=forward connection-state=established,related disabled=yes
add action=accept chain=forward connection-state=established,related disabled=yes
add action=accept chain=forward connection-state=established,related disabled=yes
add action=accept chain=forward connection-state=established,related disabled=yes
add action=accept chain=forward disabled=yes dst-address=192.168.125.110 out-interface=ether3 src-address=192.168.10.1
add action=drop chain=forward disabled=yes dst-address=0.0.0.0/0 out-interface=ether3 src-address=192.168.10.1
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=10.4.220.78 new-connection-mark=port4 passthrough=yes
add action=mark-connection chain=prerouting dst-address=10.4.220.46 new-connection-mark=port10 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new in-interface=bridge1 new-connection-mark=port4 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new in-interface=bridge2 new-connection-mark=port10 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=port4 new-routing-mark=port4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port10 new-routing-mark=port10 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=192.168.125.140 to-addresses=10.4.220.45 to-ports=3399
add action=dst-nat chain=dstnat dst-address=10.4.220.45 protocol=tcp to-addresses=192.168.125.140 to-ports=3389
add action=dst-nat chain=dstnat dst-address=10.4.220.47 protocol=tcp to-addresses=192.168.10.1 to-ports=102
add action=dst-nat chain=dstnat connection-mark=port10 dst-address=10.4.220.46 protocol=tcp to-addresses=192.168.125.1 to-ports=0-65535
add action=dst-nat chain=dstnat connection-mark=port4 dst-address=10.4.220.78 protocol=tcp to-addresses=192.168.125.1 to-ports=0-65535
add action=dst-nat chain=dstnat connection-mark=port10 dst-address=10.4.220.46 protocol=udp to-addresses=192.168.125.1 to-ports=0-65535
add action=dst-nat chain=dstnat connection-mark=port4 dst-address=10.4.220.78 protocol=udp to-addresses=192.168.125.1 to-ports=0-65535
add action=src-nat chain=srcnat connection-mark=port4 out-interface=ether1 to-addresses=10.4.220.78
add action=src-nat chain=srcnat connection-mark=port10 out-interface=ether1 to-addresses=10.4.220.46
/ip route
add distance=1 dst-address=192.168.125.0/24 gateway=bridge1 routing-mark=port4
add distance=1 dst-address=192.168.125.0/24 gateway=bridge2 routing-mark=port10
add distance=1 gateway=10.4.220.254
add distance=1 gateway=10.5.30.50
/lcd
set touch-screen=disabled
/system clock
set time-zone-name=Europe/Istanbul
/system logging
add topics=firewall
/system ntp client
set enabled=yes primary-ntp=10.5.0.1
/system package update
set channel=bugfix
/tool graphing
set store-every=24hours
/tool graphing interface
add
Can you dedicate an individual IP address from 10.4.216.X/21? (10.4.220.x/21 is not a network address, so either it is 10.4.220.x/22 or it must be 10.4.216.x/21.) If not, can you tell the server to establish the connection to a non-standard TCP (or UDP?) port, so that you could use the port as robot selector?
I have partially tested something that may work but I didn’t have enough hardware to test it completely. So depending on your answer I’ll give you the necessary modifications to your configuration for final testing.
So, after collecting three boxes on a single table, I can confirm that it is possible to have two or more devices with identical IPs, each connected to another Mikrotik port, and have selective access to each of them from outside.
The example below shows how to configure ssh access to the device connected to ether4 via dst-nat of port 4022 on any of Mikrotik’s own addresses, and ssh access to the device connected to ether5 via dst-nat of port 5022 on any of Mikrotik’s own addresses. Both devices have the same IP address 192.168.101.89/24.
/ip firewall mangle
# mark connections at arrival of the establishing packet
add action=mark-connection chain=prerouting connection-state=new dst-port=4022 new-connection-mark=via-ether4 passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=5022 new-connection-mark=via-ether5 passthrough=yes protocol=tcp
# translate connection mark into routing mark for every single packet
add action=mark-routing chain=prerouting connection-mark=via-ether4 new-routing-mark=on-ether4
add action=mark-routing chain=prerouting connection-mark=via-ether5 new-routing-mark=on-ether5
/ip firewall nat
# dst-nat the connections based on connection-mark assigned earlier
add action=dst-nat chain=dstnat connection-mark=via-ether4 protocol=tcp to-addresses=192.168.101.89 to-ports=22
add action=dst-nat chain=dstnat connection-mark=via-ether5 protocol=tcp to-addresses=192.168.101.89 to-ports=22
/ip address
# assign the same IP addresses to both interfaces to which the devices are connected
add address=192.168.101.1/24 interface=ether4 network=192.168.101.0
add address=192.168.101.1/24 interface=ether5 network=192.168.101.0
/ip route
#create routes for the routing marks (no gateway IP address necessary)
add distance=1 dst-address=192.168.101.0/24 gateway=ether4 routing-mark=on-ether4
add distance=1 dst-address=192.168.101.0/24 gateway=ether5 routing-mark=on-ether5
/ip firewall filter
# IMPORTANT! Prevent connection-establishing packets for the overlapping addresses from being output via any interface
# not matching their connection mark. If an interface is down, the corresponding individual route above goes down as well,
# and thus the one from routing table main is used, so the packet would end on a wrong device and the connection
# could be established
# IMPORTANT! As always with policy-routing, fasttracking must not be used.
add action=accept chain=forward connection-mark=via-ether4 connection-state=new out-interface=ether4
add action=accept chain=forward connection-mark=via-ether5 connection-state=new out-interface=ether5
add action=drop chain=forward connection-mark=via-ether4 connection-state=new
add action=drop chain=forward connection-mark=via-ether5 connection-state=new
... some unrelated rules ...
add action=accept chain=forward connection-state=established,related
By adding just the two mangle rules below anywhere in the mangle table before those translating connection-mark to routing-mark, and by adding a condition to the dst-nat rules so as to only act on packets for the devices with overlapping addresses (using in-interface-list, out-interface-list or src-address, choose what fits your needs best), also connections initiated by the devices with overlapping addresses themselves are handled properly (they actually are even without these rules, but I assume that adding these rules makes it possible to avoid conflicts even if both the port at the device side and the socket at the remote end of the connection are exactly the same for connections of different devices):
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=ether4 new-connection-mark=via-ether4 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new in-interface=ether5 new-connection-mark=via-ether5 passthrough=yes
Where it is possible to reserve a dedicated alias address to each of the devices with overlapping addresses, the mangle and nat rules may be modified accordingly:
/ip firewall mangle
# replace marking up to protocol and port by marking up to IP address, keep the rest as above
add action=mark-connection chain=prerouting connection-state=new dst-address=alias.IP.for.ether4 new-connection-mark=via-ether4 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new dst-address=alias.IP.for.ether5 new-connection-mark=via-ether5 passthrough=yes
/ip firewall nat
# remove to-ports and protocol from the dst-nat rules, use a match on the original destination address to prevent the rules from acting in wrong direction
add action=dst-nat chain=dstnat connection-mark=via-ether4 dst-address=alias.IP.for.ether4 to-addresses=192.168.101.89
add action=dst-nat chain=dstnat connection-mark=via-ether5 dst-address=alias.IP.for.ether5 to-addresses=192.168.101.89
# add selective src-nat rules
add action=src-nat chain=srcnat connection-mark=via-ether4 in-interface=ether4 to-addresses=alias.IP.for.ether4
add action=src-nat chain=srcnat connection-mark=via-ether5 in-interface=ether5 to-addresses=alias.IP.for.ether5
As @Sob has declared earlier - it’s all wrong.
But it works.
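The "IMPORTANT!" comments in the filter section above describe the one failure mode of this technique: when the interface behind a routing mark goes down, its route in the marked table goes down too, the lookup falls back to table main, and the establishing packet reaches the wrong device. The Python below is an added example, not RouterOS code and not from the thread or its authors; it models the pipeline the post describes (mark-connection on the establishing packet, mark-routing, dst-nat by connection mark, routing-table selection with fallback to main, and the accept/drop pair in chain forward), for both the port-based selector (4022/5022) and the alias-address variant. The alias addresses 198.51.100.4/5, the router address 10.0.0.1 and the order in which the two connected routes sit in table main are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Address shared by both devices, as in the thread's example.
SHARED_DEVICE_IP = "192.168.101.89"

# Selectors taken from the thread's mangle rules: a TCP port on any router
# address (first variant) or a dedicated alias address (second variant)
# decides which interface the connection belongs to.
# The alias addresses are constructed placeholders (assumption).
PORT_SELECTOR = {4022: "ether4", 5022: "ether5"}
ALIAS_SELECTOR = {"198.51.100.4": "ether4", "198.51.100.5": "ether5"}

# Table main carries two connected routes for 192.168.101.0/24 because both
# interfaces have 192.168.101.1/24; which one wins is a modelling assumption
# (first interface that is up).
MAIN_TABLE_ORDER = ("ether4", "ether5")


@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    conn_mark: Optional[str] = None
    routing_mark: Optional[str] = None


def mangle_prerouting(pkt: Packet) -> None:
    """mark-connection on the establishing packet, then mark-routing from it."""
    iface = ALIAS_SELECTOR.get(pkt.dst_ip) or PORT_SELECTOR.get(pkt.dst_port)
    if iface:
        pkt.conn_mark = f"via-{iface}"
        pkt.routing_mark = f"on-{iface}"


def dst_nat(pkt: Packet) -> None:
    """dst-nat keyed on the connection mark: rewrite to the shared device IP."""
    if pkt.conn_mark:
        if pkt.dst_port in PORT_SELECTOR:   # port variant also sets to-ports=22
            pkt.dst_port = 22
        pkt.dst_ip = SHARED_DEVICE_IP


def route_lookup(pkt: Packet, links_up: Dict[str, bool]) -> Optional[str]:
    """A route in table on-<iface> is active only while <iface> is up;
    otherwise the lookup falls back to table main."""
    if pkt.routing_mark:
        iface = pkt.routing_mark[len("on-"):]
        if links_up.get(iface):
            return iface
    for iface in MAIN_TABLE_ORDER:      # fallback: connected routes in main
        if links_up.get(iface):
            return iface
    return None


def deliver(dst_ip: str, dst_port: int, links_up: Dict[str, bool],
            strict_filter: bool = True) -> Tuple[str, Optional[str]]:
    """Run one connection-establishing packet through the router.
    Returns ("forward", out_interface) or ("drop", reason).
    strict_filter=False leaves out the thread's accept/drop pair in forward."""
    pkt = Packet(dst_ip, dst_port)
    mangle_prerouting(pkt)
    dst_nat(pkt)
    out_iface = route_lookup(pkt, links_up)
    if out_iface is None:
        return ("drop", "no route")
    # chain=forward: a new connection carrying via-X may only leave via X.
    if strict_filter and pkt.conn_mark and pkt.conn_mark != f"via-{out_iface}":
        return ("drop", f"{pkt.conn_mark} must not leave via {out_iface}")
    return ("forward", out_iface)


if __name__ == "__main__":
    both_up = {"ether4": True, "ether5": True}
    ether4_down = {"ether4": False, "ether5": True}
    print("4022, both up       :", deliver("10.0.0.1", 4022, both_up))
    print("5022, both up       :", deliver("10.0.0.1", 5022, both_up))
    print("alias .5, both up   :", deliver("198.51.100.5", 22, both_up))
    print("4022, ether4 down, no filter:", deliver("10.0.0.1", 4022, ether4_down, False))
    print("4022, ether4 down, filter   :", deliver("10.0.0.1", 4022, ether4_down))
```

With `strict_filter=False` the model reproduces exactly what the comment warns about: ether4 down, a connection meant for the ether4 device is forwarded out of ether5 and lands on the other device, which then answers as if it were the intended one. With the accept/drop pair in place the same packet is dropped instead, so the server sees a timeout rather than silently talking to the wrong robot.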
It worked out, many thanks.