Multiple devices with same IP access

Hi,
I’ve been asked to find a way to allow several devices with the same static IP address/subnet mask/gateway to access.

Eg.
eth2- device1-192.168.2.254/24
eth3- device2-192.168.2.254/24
eth4- device3-192.168.2.254/24

eth10- device10-192.168.2.254/24
eth1- Control PC-192.168.11.x/24

We’re using WAN (eth1) access through ICMP and SSH to eth2-10 (which all have the same IP, 192.168.2.254).
eth1-WAN interface, SRC-NAT/Masquerade.

I followed the link below for some inspiration:
http://forum.mikrotik.com/t/how-to-allow-two-devices-with-same-ip-access-internet/115990/1

For now the connection is good, but we faced a little bug: when we connect devices 2 & 3, both pings are OK.
But when we ping the rest of the ports, which have no connection, they are still reachable.

Is there any idea about how to clearly identify each port?

/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=--L interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=bridge list=WAN
/ip address
add address=192.168.11.2/24 interface=ether1 network=192.168.11.0
add address=192.168.11.3/24 interface=ether1 network=192.168.11.0
add address=192.168.11.4/24 interface=ether1 network=192.168.11.0
add address=192.168.11.5/24 interface=ether1 network=192.168.11.0
add address=192.168.11.6/24 interface=ether1 network=192.168.11.0
add address=192.168.11.7/24 interface=ether1 network=192.168.11.0
add address=192.168.11.8/24 interface=ether1 network=192.168.11.0
add address=192.168.11.9/24 interface=ether1 network=192.168.11.0
add address=192.168.11.10/24 interface=ether1 network=192.168.11.0
add address=192.168.2.99/24 interface=ether2 network=192.168.2.0
add address=192.168.2.99/24 interface=ether3 network=192.168.2.0
add address=192.168.2.99/24 interface=ether4 network=192.168.2.0
add address=192.168.2.99/24 interface=ether5 network=192.168.2.0
add address=192.168.2.99/24 interface=ether6 network=192.168.2.0
add address=192.168.2.99/24 interface=ether7 network=192.168.2.0
add address=192.168.2.99/24 interface=ether8 network=192.168.2.0
add address=192.168.2.99/24 interface=ether9 network=192.168.2.0
add address=192.168.2.99/24 interface=ether10 network=192.168.2.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=192.168.11.2 \
    new-connection-mark=port1 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.11.3 \
    new-connection-mark=port2 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.11.4 \
    new-connection-mark=port3 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.11.5 \
    new-connection-mark=port4 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.11.6 \
    new-connection-mark=port5 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.11.7 \
    new-connection-mark=port6 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.11.8 \
    new-connection-mark=port7 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.11.9 \
    new-connection-mark=port8 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.11.10 \
    new-connection-mark=port9 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether2 \
    new-connection-mark=port1 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether3 \
    new-connection-mark=port2 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether4 \
    new-connection-mark=port3 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether5 \
    new-connection-mark=port4 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether6 \
    new-connection-mark=port5 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether7 \
    new-connection-mark=port6 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether8 \
    new-connection-mark=port7 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether9 \
    new-connection-mark=port8 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether10 \
    new-connection-mark=port9 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=port1 \
    new-routing-mark=port1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port2 \
    new-routing-mark=port2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port3 \
    new-routing-mark=port3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port4 \
    new-routing-mark=port4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port5 \
    new-routing-mark=port5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port6 \
    new-routing-mark=port6 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port9 \
    new-routing-mark=port9 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port7 \
    new-routing-mark=port7 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port8 \
    new-routing-mark=port8 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat connection-limit=100,32 connection-type="" \
    dst-address=192.168.11.2 dst-limit=1,5,dst-address/1m40s routing-mark=\
    port1 to-addresses=192.168.2.254
add action=dst-nat chain=dstnat dst-address=192.168.11.3 dst-limit=\
    1,5,dst-address/1m40s routing-mark=port2 to-addresses=192.168.2.254
add action=dst-nat chain=dstnat dst-address=192.168.11.4 dst-limit=\
    1,5,dst-address/1m40s routing-mark=port3 to-addresses=192.168.2.254
add action=dst-nat chain=dstnat dst-address=192.168.11.5 dst-limit=\
    1,5,dst-address/1m40s routing-mark=port4 to-addresses=192.168.2.254
add action=dst-nat chain=dstnat dst-address=192.168.11.6 dst-limit=\
    1,5,dst-address/1m40s routing-mark=port5 to-addresses=192.168.2.254
add action=dst-nat chain=dstnat dst-address=192.168.11.7 dst-limit=\
    1,5,dst-address/1m40s routing-mark=port6 to-addresses=192.168.2.254
add action=dst-nat chain=dstnat dst-address=192.168.11.8 dst-limit=\
    1,5,dst-address/1m40s routing-mark=port7 to-addresses=192.168.2.254
add action=dst-nat chain=dstnat dst-address=192.168.11.9 dst-limit=\
    1,5,dst-address/1m40s routing-mark=port8 to-addresses=192.168.2.254
add action=dst-nat chain=dstnat dst-address=192.168.11.10 dst-limit=\
    1,5,dst-address/1m40s routing-mark=port9 to-addresses=192.168.2.254
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
add action=masquerade chain=srcnat out-interface=ether4
add action=masquerade chain=srcnat out-interface=ether5
add action=masquerade chain=srcnat out-interface=ether8
add action=masquerade chain=srcnat out-interface=ether6
add action=masquerade chain=srcnat out-interface=ether7
add action=masquerade chain=srcnat out-interface=ether9
add action=masquerade chain=srcnat out-interface=ether10
add action=src-nat chain=srcnat out-interface=ether1 routing-mark=port1 \
    to-addresses=192.168.11.2
add action=src-nat chain=srcnat out-interface=ether1 routing-mark=port2 \
    to-addresses=192.168.11.3
add action=src-nat chain=srcnat out-interface=ether1 routing-mark=port3 \
    to-addresses=192.168.11.4
add action=src-nat chain=srcnat out-interface=ether1 routing-mark=port4 \
    to-addresses=192.168.11.5
add action=src-nat chain=srcnat out-interface=ether1 routing-mark=port5 \
    to-addresses=192.168.11.6
add action=src-nat chain=srcnat out-interface=ether1 routing-mark=port6 \
    to-addresses=192.168.0.117
add action=src-nat chain=srcnat out-interface=ether1 routing-mark=port7 \
    to-addresses=192.168.11.8
add action=src-nat chain=srcnat out-interface=ether1 routing-mark=port8 \
    to-addresses=192.168.11.9
add action=src-nat chain=srcnat out-interface=ether1 routing-mark=port9 \
    to-addresses=192.168.11.10
/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=ether2 routing-mark=port1
add distance=1 dst-address=192.168.2.0/24 gateway=ether3 routing-mark=port2
add distance=1 dst-address=192.168.2.0/24 gateway=ether4 routing-mark=port3
add distance=1 dst-address=192.168.2.0/24 gateway=ether5 routing-mark=port4
add distance=1 dst-address=192.168.2.0/24 gateway=ether6 routing-mark=port5
add distance=1 dst-address=192.168.2.0/24 gateway=ether7 routing-mark=port6
add distance=1 dst-address=192.168.2.0/24 gateway=ether10 routing-mark=port9
add distance=1 dst-address=192.168.2.0/24 gateway=ether8 routing-mark=port7
add distance=1 dst-address=192.168.2.0/24 gateway=ether9 routing-mark=port8
add distance=1 dst-address=192.168.11.0/24 gateway=bridge,ether1

I think the only way you are going to get this to work properly will be by using VRF configuration.

In a nutshell, VRF does for layer 3 what VLANs do for layer 2.

Dear CZFan,

I have a little question about the route rules I have set and the VRF rules: is there any difference between the two?

I will try to set up VRF rules soon. As for the VRF settings, I’ll just need to replace all the route rules with VRF, right?

Second, I face a little problem with the setup I’m using: I’m using the host (Eth1) to access the devices (Eth2-10) through telnet at the same time.
As part of the test steps, it needs to send a reboot command, but when I send the command for Eth2, the telnet sessions of the other devices close randomly.
Furthermore, the sessions cannot reconnect unless I reinject the interfaces manually.
Have you seen this phenomenon before? The reason I am confused is that the sessions and rules seem to be working properly.

Thanks,
Peter

Might just be semantics or maybe I missed it, but I don’t see any “route rules” in the information you have posted. Route rules are typically found under /ip route rules.

What you have implemented, I suppose, is emulating VRF, as VRF also marks traffic, etc., but I don’t know if what you tried is everything VRF does under the hood. Also, why reinvent the wheel? Just use what is already designed for this purpose, i.e. VRF.

The thing is that if you assign a routing-mark using mangle rules, and there is no active route with that routing-mark, the routing engine uses routing table main as a backup. To prevent this from happening, you need to add the following rows into the /ip route rule table:
routing-mark=port1 action=lookup-only-in-table table=port1
:
routing-mark=port9 action=lookup-only-in-table table=port9

As for VRF, in the Mikrotik (= Linux) implementation, it is merely a way to automatically assign the routing-mark to a received packet based on the in-interface rather than using /ip firewall mangle rule(s); one difference is that with VRF, the fallback to routing table main does not happen. But in your setup, the in-interface of the ICMP echo and TCP SYN packets arriving from the control PC is the same for all the destinations, so VRF cannot help here. Nor can it help for the connections eventually initiated by the clones, as the response packets of these connections must be paired with the requests, and for that, it is necessary to assign connection-marks to the initial packets of these connections and translate them to routing-marks for the response packets.
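The fallback described in the post above, modelled as an added example that is not part of the original thread: it shows why addresses of unplugged ports still answer when the marked route is inactive, and how the lookup-only-in-table rows stop that. The function and variable names are hypothetical, and the choice of which connected route wins in table main is an assumption of the model.

```python
# Simplified model of the routing lookup discussed in the thread.
# Names (lookup, MARKED_ROUTES, STRICT_RULES) are hypothetical, not RouterOS APIs.

# Marked routes from the posted /ip route section: routing-mark -> gateway port.
MARKED_ROUTES = {f"port{n}": f"ether{n + 1}" for n in range(1, 10)}

# Ports carrying 192.168.2.99/24; each contributes a connected route for
# 192.168.2.0/24 to table main while its link is up.
LAN_PORTS = [f"ether{n}" for n in range(2, 11)]

# The proposed /ip route rule rows: lookup-only-in-table for every mark.
STRICT_RULES = frozenset(MARKED_ROUTES)


def lookup(routing_mark, links_up, strict_rules=frozenset()):
    """Return the egress port for a packet to 192.168.2.254, or None.

    links_up: ports with link; a route via a port without link is inactive.
    strict_rules: marks that have a lookup-only-in-table rule.
    """
    gateway = MARKED_ROUTES.get(routing_mark)
    if gateway in links_up:
        return gateway                  # active route in the marked table
    if routing_mark in strict_rules:
        return None                     # no fallback: packet is not routed
    # Fallback to table main. Assumption: the first connected route whose
    # port has link wins; the thread does not state the real tie-break.
    for port in LAN_PORTS:
        if port in links_up:
            return port
    return None


def reachable_targets(links_up, strict_rules=frozenset()):
    """Map each address on ether1 to the port whose device would answer."""
    result = {}
    for n in range(1, 10):
        port = lookup(f"port{n}", links_up, strict_rules)
        if port is not None:
            result[f"192.168.11.{n + 1}"] = port
    return result


if __name__ == "__main__":
    connected = {"ether3", "ether4"}    # constructed scenario: devices 2 and 3
    print("without rules:", reachable_targets(connected))
    print("with rules:   ", reachable_targets(connected, STRICT_RULES))
```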

Dear sindy,

Seems like the problem is based on the response packet, after the route rules and the src-nat with routing table is all working properly.

Thanks for the inspiration.

Peter