I have in hands the setup shown in the picture. On the left side is PC connection, which is connected via managed switch to ether2 interface of CCR1016-12G router. On the right side are 10 pieces of equipments, which are connected to ether3-ether12 interfaces of the router. The equipments are all identical with unchangeable overlapping MAC and IP addresses. I need means to connect from the ether2 interface to all of the ether3-ether12 interfaces. However, from each ether3-ether12 interface it should be possible to connect only to ether2 interface, but not others.
For the PC side there is need to strip the VLAN200 tag (and vice versa), since the equipments only understand VLAN201, VLAN202 and untagged. For the equipment side also IP and MAC NAT processing should be done in addition to tagging/untagging.
I believe that the necessary measures could be taken with the CCR1016-12G router, but still rookie with routers… Any recommendations which steps in RouterOS are needed and in which order to carry out the needed processing?
I think the first step is to decide which method for vlans will be used by the OP.
a. switch chip method (older but applicable to switches and routers that could take advantage of such setup)
b. vlan bridge filtering method (newer but may not be applicable).
Hopefully ones familiar with your device will chime it with some advice on the method to be used.
I would prefer they state A. because then I dont have to help being a complete noob at switch chip configurations.
Which parts of the processing would you do with the virtual routing and forwarding (VRF) technology? The VLAN tag/untag and NATing has to be done in lower layers than L3 anyway, right?
VLAN tagging/untagging don’t really complicate anything, you’ll just end with bunch of VLAN-interfaces on each of the ethernet ports.
You can treat it like a separate pre-task.
The tricky part is to route between same addresses on different interfaces, that’s where VRF + mangle will help.
NAT will do the rest: mapping address - VRF table pairs to new address and back.
I’ve done this once for only two interfaces, and config is rather huge.
In your case it will be massive, I guess.
Here’s is a link to an article in Russian: https://habr.com/ru/post/262091/
Try to google-translate it. However the code blocks are kind of self-explanatory.
Almost exactly your case: but because of the VLANs you will end up with the same number of VRFs (ok, not the same - you have 10 pieces of equipment, not 4), and each will contain 3 interfaces (for each of the VLANs).
xvo, I tried your example in https://habr.com/ru/post/262091/, but it doesn’t work as such. I used Raspberry PIs in ether3, ether4 and ether5 with identical addresses as yours. No connection available from 192.168.2.2 to 192.168.2.13 or 192.168.2.14. Is there something missing?
You should have your management PC (or in your case management RPi) on ether5 with an address 192.168.2.2
And two managed devices (RPi’s) on ether3 and ether4, both with 192.168.1.1
And with this config it has to be possible to reach managed devices by 192.168.2.13 and 192.168.2.14 from management PC.
That is what you do, right?
And that don’t work?
Yes the setup is like in this picture that feel probably familiar:
There is basic ether1 address setup for management purposes. Your config is set for ether3, ether4 and ether5. No other setting in the box. The dark red arrows and partly hidden addresses in the picture are connections for management/debug purposes.
No ping or ssh connection work from management RPi to DEVs. But…
Is this rule being hit at all?
The idea is, dst-nat is performed after the prerouting chain, so probably the action reversing the src-nat too (although it’s not placed anywhere on the packet flow diagram).
What if you change 192.168.2.2 to 192.168.1.2 in thе rule above?
Niiice!
However that makes me wonder if the guy who wrote the article ever tried it himself in the exact way he wrote.
I once built a test setup somehow using this article as a guidance, but the setup itself had some major differences.
I got also connections initiated by RPi working, but only with connection marks in NAT, which was generated in mangle preprocessing phase. Otherwise I was not able to get srcnat working.
How should the VLANs work with VRF? Should there be one bridge that include all the interfaces or multiple bridges?
I don’t think you need bridges at all: just vlan-interfaces on top of each of ethernet ports.
It’s not that you will be switching between to ports with vlan tag in mind, but rather untagging - routing - then tagging again.
