NAT or HOTSPOT multiple clients with same IP, using 2 RB1100

mcfleeg · June 3, 2010, 8:04pm

Hello,

This is a hard one. We need to support 24 client devices all set to the same fixed IP address and GW.

We are trying to use 2 RB1100’s connected upstream to a cheap dumb uplink switch, and need to support 24 client devices that unfortunately all have the same IP address that cannot be changed. All these clients need to be NAT’d so they each have a known IP and can talk to a server upstream connected to the cheap dumb switch.

We have tried the hotspot functionality and it sort of works, but we need to know that everytime a client connects to a specific port it will always get the same NAT’d IP for that physical port on the RB.

Example, given this:
Client1 connected to port1 of RB#1, has an IP=192.168.0.17/24 GW=192.168.0.200
Client2 connected to port2 of RB#1, has an IP=192.168.0.17/24 GW=192.168.0.200
…
Client 23 connected to port 11 of RB#2, has an IP=192.168.0.17/24 GW=192.168.0.200
Client 24 connected to port 12 of RB#2, has an IP=192.168.0.17/24 GW=192.168.0.200

We want this:
We always want port1 of RB#1 client to be NAT’d to 192.168.162.201/24, and its GW traffic go to 192.168.162.1
We always want port2 of RB#2 client to be NAT’d to 192.168.162.202/24, and its GW traffic go to 192.168.162.1
…
We always want port23 of RB#2 client to be NAT’d to 192.168.162.223/24, and its GW traffic go to 192.168.162.1
We always want port24 of RB#2 client to be NAT’d to 192.168.162.224/24, and its GW traffic go to 192.168.162.1

Port 13 of both RB#1 & RB#2 are connected to a dumb switch upstream, where 192.168.162.1 lives.

Any advice?

Thanks,
–Lee

fewi · June 4, 2010, 1:05pm

Use mangle in the prerouting chain to mark the connection based on interface, and then NAT according to the mark.

/ip firewall mangle
add chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=port1
add chain=prerouting in-interface=ether2 action=mark-connection new-connection-mark=port2

/ip firewall nat
add chain=srcnat connection-mark=port1 action=src-nat to-address=192.168.162.201
add chain=srcnat connection-mark=port2 action=src-nat to-address=192.168.162.202

mcfleeg · June 4, 2010, 2:03pm

fewi:

Use mangle in the prerouting chain to mark the connection based on interface, and then NAT according to the mark.

/ip firewall mangle
add chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=port1
add chain=prerouting in-interface=ether2 action=mark-connection new-connection-mark=port2

/ip firewall nat
add chain=srcnat connection-mark=port1 action=src-nat to-address=192.168.162.201
add chain=srcnat connection-mark=port2 action=src-nat to-address=192.168.162.202

Thanks for the reply!

Aye, that’s part of the solution. But what about IP addressing for the ports that each client is plugged into? Each client ARP’s for its GW at 192.168.0.200. It needs to find its default GW first. Then, the client application starts sending a bunch of packets to its GW 192.168.0.200 - but I want these sent on upstream to 192.168.162.1, and make them look like they came from 192.168.1.205 (port5) for example.

The connection-mark works for NAT’ing, thats for sure, thanks for the tip on that!

mcfleeg · June 4, 2010, 7:57pm

In other words, I can get bi-directional communication between one client and the server, but when I plug a second client in, things go bad because both clients have the same IP and unfortunately we cannot change them. I’ve tried all sorts of stuff but just cant get it to work.

Maybe VLANs are the answer, but those seem a little different to me on Mikrotik than what I’m used to working with on brand name switches.

–Lee