I have a 192.168.0.0/24 local area network with PLCs and other IP devices. Let’s call this a standalone production line in a factory.
This network is behind a Mikrotik router (RB4011iGS).
The WAN port of the router is also connected to a local network (10.0.0.0/24) where the whole segment is obtained.
In this segment (10.0.0.0/24) there are several similar networks (production lines) behind Mikrotik routers.
The goal would be to reach some PLCs on TCP 102 port from each production line with IP address 10.0.0.X/24.
So the idea is as follows:
The ether1 port of the 1st Mikrotik is the WAN, this has multiple IP addresses:
10.0.0.1
10.0.0.2
10.0.0.3
These would reach the following internal network PLCs:
192.168.0.10
192.168.0.20
192.168.0.30
The port ether1 on the 2nd Mikrotik is the WAN, it has multiple IP addresses:
10.0.0.101
10.0.0.102
10.0.0.103
These would reach the following internal network PLCs:
192.168.0.10
192.168.0.20
192.168.0.30
I have tried dst-nat / src-nat pairs, incoming packets are delivered but not replies.
Unfortunately VPN is not possible.
Please help me with this! Thanks in advance!
Assuming the Mikrotik’s LAN/Bridge address is 192.168.0.xx/24 perhaps apply a src-nat masquerade rule to
the LAN/Bridge interface.
Unfortunately, this will result in the PLCs not knowing what real IP connected to them.
You will likely need to enable Logging on the dst-nat rule, so you can, when necessary, get this information from the Mikrotik.
(This sort of indicates the PLCs either don’t have a default gateway, or it is pointing to some other router)
Just for testing, I’d use action=netmap which maps all ports. If that works, you can get more restrictive on ports and protocols. But it has to be symmetrical for both sides to communicate & keep IPs hidden but “mapped” 1 to 1.
And all of the 10.0.0.x addresses need to be a /ip/address on each router.
If the 192.168.0.10 “PLC LAN” addresses are an unbroken sequence (.10, .11, .12) then action=netmap allows ranges. So this maps the range “10.0.10.10 – 10.0.10.19” to “192.168.0.10 – 192.168.0.19”, respectively. May not work here but very convenient for these “address remapping” problems.
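As an added example, not configuration from either poster, here is what the two replies amount to for the first production-line router: the 10.0.0.x addresses on ether1, a symmetric netmap pair per PLC with logging on the inbound rule, a forward filter that admits only TCP 102 from the plant segment, and the masquerade fallback (left commented out) for the case where the PLCs have no default gateway pointing at this router. Assumptions: RouterOS 7, the WAN interface is `ether1`, the LAN bridge is named `bridge`, the address-list name `plc-s7` and the log prefixes are made up for this example; the second router uses the same pattern with 10.0.0.101–103.

```routeros
# Added example (not from the thread). Router 1: WAN ether1, LAN bridge "bridge".
# 10.0.0.x and 192.168.0.x addresses are those from the question.

# 1. Each plant-side address must exist on the router, otherwise it never answers ARP.
/ip address
add address=10.0.0.1/24 interface=ether1 comment="1:1 to PLC 192.168.0.10"
add address=10.0.0.2/24 interface=ether1 comment="1:1 to PLC 192.168.0.20"
add address=10.0.0.3/24 interface=ether1 comment="1:1 to PLC 192.168.0.30"

# 2. Symmetric netmap: inbound dstnat AND outbound srcnat for every pair, so the
#    PLC's reply leaves with the matching 10.0.0.x source. All ports while testing;
#    the forward filter below is what restricts the traffic.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=10.0.0.1 action=netmap \
    to-addresses=192.168.0.10 log=yes log-prefix="plc10-dnat" \
    comment="log keeps the real client IP, since the PLC only sees its own LAN"
add chain=srcnat out-interface=ether1 src-address=192.168.0.10 action=netmap \
    to-addresses=10.0.0.1
add chain=dstnat in-interface=ether1 dst-address=10.0.0.2 action=netmap \
    to-addresses=192.168.0.20 log=yes log-prefix="plc20-dnat"
add chain=srcnat out-interface=ether1 src-address=192.168.0.20 action=netmap \
    to-addresses=10.0.0.2
add chain=dstnat in-interface=ether1 dst-address=10.0.0.3 action=netmap \
    to-addresses=192.168.0.30 log=yes log-prefix="plc30-dnat"
add chain=srcnat out-interface=ether1 src-address=192.168.0.30 action=netmap \
    to-addresses=10.0.0.3
# Fallback from the first reply: only if the PLCs have no default gateway that
# points at this router (packets arrive, replies go nowhere). The PLC then sees
# the router's bridge address as the client, so the dstnat log above matters.
# add chain=srcnat out-interface=bridge dst-address-list=plc-s7 protocol=tcp \
#     dst-port=102 action=masquerade

# 3. Admit only S7comm (TCP 102) from the plant segment to the mapped PLCs.
#    Filter runs after dstnat, so dst-address here is already the 192.168.0.x one.
/ip firewall address-list
add list=plc-s7 address=192.168.0.10
add list=plc-s7 address=192.168.0.20
add list=plc-s7 address=192.168.0.30
/ip firewall filter
add chain=forward in-interface=ether1 connection-state=established,related \
    action=accept
add chain=forward in-interface=ether1 src-address=10.0.0.0/24 protocol=tcp \
    dst-port=102 dst-address-list=plc-s7 connection-state=new action=accept \
    comment="TCP 102 to PLCs only"
add chain=forward in-interface=ether1 action=drop comment="everything else from WAN"
```

Check the result with `/ip firewall connection print` while a client on 10.0.0.0/24 connects to 10.0.0.1:102: the entry should show `dst-address` rewritten to 192.168.0.10:102 and the reply `src-address` back as 10.0.0.1, which is what the symmetric pair guarantees. If the connection entry appears but the PLC never answers, the PLC is routing its reply elsewhere and the commented masquerade rule is the workaround.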