We bought tons of old MikroTik routers running RouterOS 4.14. These had 3 ports and we used 1 for admin and the other two for routing.
I now have the RB5009UG+S+ running RouterOS 7.11.3
We have systems that are all configured at 192.168.10.100 and we used IP Firewall Filters to do nat-dst and nat-src to move it to 192.168.20.x
Example: System 1 - 192.168.10.100 ==> 192.168.20.10
System 2 - 192.168.10.100 ==> 192.168.20.20
System 3 - 192.168.10.100 ==> 192.168.20.30
But I’m having a bit of difficulty setting the new 8 port up.
This is the complete script we used (for one particular MikroTik):
And this is what I’ve got so far — can’t make it work. Something is missing. I really want 192.168.20.10 to go to port 1, 192.168.20.20 to go to port 2, … 192.168.20.70 to port 7 and use port 8 as the external port
# 1970-01-02 02:00:03 by RouterOS 7.11.3
# software id = VN5D-CB7D
#
# model = RB5009UG+S+
# serial number =
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=gauge-10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether8 list=LAN
add interface=ether1 list=gauge-10
/ip address
add address=192.168.20.80/24 interface=ether8 network=192.168.20.0
add address=192.168.10.100/24 interface=ether1 network=192.168.10.0
/ip firewall nat
# traffic arriving for the translated address is redirected to the system's fixed address
add action=dst-nat chain=dstnat comment=mec-10 dst-address=192.168.20.10 \
to-addresses=192.168.10.100
# traffic the system originates is presented to the outside as the translated address
add action=src-nat chain=srcnat comment=mec-10 src-address=192.168.10.100 \
to-addresses=192.168.20.10
/ip route
add distance=1 gateway=192.168.20.1
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
First on firewalls. I gather that this is some sort of industrial/control system. Yes, in these scenarios proper firewall configuration was often historically not done or entirely neglected. This may be acceptable for you currently. However best practice is to use proper firewalls and access controls even in these situations, and depending on the country/jurisdiction and industry, sooner or later there WILL be a requirement for these, so you are best off tackling it sooner rather than later (just my opinion.) But your question is about routing, so enough about this.
(Ok, just a tip: if everyone suggests doing it some specific way - and from what I've been reading, the ones taking the time to reply to your question are actually quite knowledgeable - at least consider it.)
The config that you posted for v4 is actually quite reasonable. The only quibble I would have with it is that the src-nat and dst-nat actions are intended for situations where there is a many-to-one relationship (or 100 to 4, etc., so a dissimilar number of IP addresses is mapped), and for one-to-one mapping the action netmap is the intended one. But src/dst-nat should work - as indeed it does.
The v4 config should work without issue on v7. (There might be some slight syntax change…)
The v7 config that you posted does not at all resemble the v4 config, and from your description it is totally unclear what you want to accomplish.
So… if you want help then describe (possibly with the aid of a diagram) the complete intended operation of the network. Your initial description is not complete either (but I could at least see what the behavior is from the config), but what you intend for v7 is totally and fully unclear.
Yes. This is an industrial control system. Most of the hardware has embedded IP addresses that can only be changed to 1 of 4 available addresses. Regardless, they are all on 192.168.10.x. We don't allow external network connections; it would be a violation of the minimum spec. If anything goes wrong and they waste millions, we don't accept responsibility if the system was connected externally and got stalled due to network traffic.
Changing the firmware for all the systems would mean custom firmware packages, and make field replacements untenable.
The problem appears to be that after NATting to/from 192.168.10.100, in a particular case, the router doesn't know which physical interface to send the packet out, as I have 7 possible destinations for x.x.10.100.
So, I’m investigating prerouting and adding a packet mark, so if I get 192.168.20.30, I mark it to “30”. There used to be a way to set a route that has a packet mark as a condition, but I can’t find it.
We have been doing this at the factory using the old RouterOS 4.0 with great success, but only two interfaces were used, one incoming and one outgoing, so there was no ambiguity.
We now have a customer that wants to connect 4 systems together to work in parallel — once again, as an isolated network island.
Okay. Now I see. So while until now you had a Mikrotik router per system/device, now you want one router to handle multiple systems. This is entirely doable.
This doesn't answer your question directly, but have you considered using a cheaper router (the hEX refresh for example) and retaining the one system - one router design? This would allow you to retain the old config, and considering that you can (almost, kind of) buy 4 hEX devices for the price of one RB5009, it would not increase the price dramatically.
Even for the multiple systems - one router way, I would still consider the hEX. This would allow 4 systems/router. (In these low volume industrial settings, this router is an ideal fit in many settings.)
Alternatively, if you have more than 7 systems, you could (depending on traffic volume) use a CRS device with the appropriate number of ports… Or if you need higher routing power, then a switch with the appropriate number of ports + RB5009 and VLANs.
What I really can't understand is that while asking for help, and considering that there are people here that actually want to help you, you do your best to carefully guard any insight into what it is that you actually want to do.
Describe the problem. Fully!!!
As to your question directly: yes in case you have more than one system on a given router with the same IP range, you have to have some way of separating them. VRFs are the usual weapon of choice. (While in your case it is not strictly necessary, look into the use of connection marks.) To do this successfully, while not especially hard, requires a solid understanding of networking. I’m sorry to say, but while I have done several such configs before (they are quite common in certain industrial systems,) I am not aware of any good online guide/tutorial on the subject.
But if you write down your problem fully and don't leave me guessing, I can at least give you some pointers.
Questions:
How many of these devices/systems do you have?
Would you prefer a central (i.e. one router to handle all of them) or distributed (one router per system, one router per 4 systems, one router per 7 systems…) approach? Central is the easiest to manage, but a failure can take everything offline at once.
What is the traffic direction - i.e. is it always a central “controller” that initiates connections to the “controlled” systems, or are connections initiated in both directions?
Sorry if I’m not clear. I’m trying to make the situation simple. Try this, assume you have 7 devices for which you can not change the IP address and they all have the same IP address, in this case 192.168.10.100. Now, each device is connected to a single physical interface, leaving me with a single outgoing physical interface. So, I want to address each of them uniquely, say 192.168.20.10, 192.168.20.20, …
NAT helps me rewrite the IP address, fine. But, in the incoming example, say 192.168.20.10 gets NATted to 192.168.10.100. Now which physical port does it go out?
Now, to FULLY describe the problem, it is not just a single IP I’m doing this for, but 3 and possibly 4.
No, I have not looked at alternate products. I spent some time looking at many different routers, none of which even hinted at being able to be used in this way (read online manuals). However, we knew RouterOS had already demonstrated the ability. I guess I overestimated the difficulty of using such an advanced product for such a trivial matter.
For what it's worth, another engineer spent a week on it with no success, and then we sent it to our IT company and they spent a week on it with no success, so now I have it.
Okay, the picture is clear now. As I’ve said this is entirely doable with Mikrotik devices, and I’ve done this sort of config for several systems. It does require a good understanding of networking in Linux. It is non-trivial in the sense that it is not usually done, and therefore a bit more than “copy from a cookbook” approach is required.
Roughly:
You set up VRFs:
Let’s assume ether1 will be used as the “controller” port. This we will put (leave) in VRF main. (No setting required for this.)
The first device/system to be translated is then connected to ether2. We put this in VRF vrf1. The second device (ether3) we put in vrf2. You can figure out the rest.
We add addresses to the main VRF (ether1.) These will be all the addresses that we wish to translate (192.168.20.10, 11, 12, etc.). Plus add an address for the router itself for configuration purposes.
We add a gateway address (192.168.10.1) into all device VRFs.
Add a route into all the device VRFs to 192.168.20.0/24 pointing to ether1
Add an address/route to 192.168.10.0/24 to the main table. This can be on lo, on a separate bridge, etc. This is needed for the routing adjustment part of the packet flow. (This is kind of counter-intuitive, and this is not meant as a full explanation of what is going on.)
Mark the packets that are from the controller to the devices (prerouting - mark-routing action) - it is not necessary, but adding packet marks as well could result in a more aesthetically pleasing NAT chain.
Use policy routing (routing rules) to direct packets appropriately.
Mark packets from the devices to the controller (prerouting - mark packet) (use these for src-nat)
Use dst/srcnat (or as I would prefer, netmap) to translate the addresses.
That’s all there is to it
I would have suggested that you contract your local IT supplier, because while it seems a bit involved, for someone who knows what they are doing this config can actually be done in 2-3-4 hours. (And most of that is replicating your setup to be able to test it; the actual config should take at most 2 hours for someone with experience.) But you have done that and it didn't work out.
If you can’t find someone locally, I’m willing to consult with you, and replicate your setup, etc. and send you a tested/labbed configuration.
If you would rather learn, I'm of course still happy to help. Start by labbing up your setup (if you have not already done so). I would suggest two devices, because that is then trivial to expand to more.
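The steps above written out as a RouterOS v7 config for two systems. This is an added example assembled from the post's steps, not a config posted in the thread or tested by its author. Port numbering follows the original poster's plan (ether8 toward the controller/"external" side, ether1 and ether2 toward systems 1 and 2, which both sit at 192.168.10.100 and should appear as 192.168.20.10 and 192.168.20.20); the gateway address 192.168.10.1, the router address 192.168.20.80, the dummy bridge, the VRF names and the packet-mark names are assumptions, and the gateway=ether8@main route-leaking syntax and using a VRF name as a routing mark are RouterOS v7 behaviour as I understand it. Lab it with two devices before deploying, as the post suggests.

```routeros
# Added example, not from the thread. Two systems; repeat the vrfN/ether N pieces for more ports.
# Assumed layout: ether8 = controller side (main VRF), ether1 = system 1 (vrf1), ether2 = system 2 (vrf2).

# 1. One VRF per system port, so the identical 192.168.10.0/24 subnets get separate routing tables.
/ip vrf
add name=vrf1 interfaces=ether1 comment="system 1"
add name=vrf2 interfaces=ether2 comment="system 2"

# 2. Gateway address the devices see, inside each VRF (the same address twice is fine across VRFs).
/ip address
add address=192.168.10.1/24 interface=ether1 comment="gateway seen by system 1"
add address=192.168.10.1/24 interface=ether2 comment="gateway seen by system 2"

# 3. Controller side (main VRF): the router's own address, plus one /32 per translated system so the
#    router answers ARP for 192.168.20.10 and 192.168.20.20 on ether8.
add address=192.168.20.80/24 interface=ether8 comment="router management address"
add address=192.168.20.10/32 interface=ether8 comment="translated address of system 1"
add address=192.168.20.20/32 interface=ether8 comment="translated address of system 2"

# 4. The post's step 5: main needs a route for 192.168.10.0/24 as well. Here it is a connected route
#    on an otherwise unused bridge (assumed name); the real forwarding happens in vrf1/vrf2.
/interface bridge
add name=dummy-10 comment="carries 192.168.10.0/24 in the main table only"
/ip address
add address=192.168.10.254/24 interface=dummy-10

# 5. Each VRF needs a way back to the controller network, which lives in main (route leaking).
/ip route
add dst-address=192.168.20.0/24 gateway=ether8@main routing-table=vrf1 comment="vrf1 -> controller LAN"
add dst-address=192.168.20.0/24 gateway=ether8@main routing-table=vrf2 comment="vrf2 -> controller LAN"

/ip firewall mangle
# 6. Controller -> system: mangle prerouting runs before dstnat, so this still sees the translated
#    address and can choose the VRF table that owns the right port.
add chain=prerouting in-interface=ether8 dst-address=192.168.20.10 action=mark-routing \
    new-routing-mark=vrf1 passthrough=no comment="to system 1"
add chain=prerouting in-interface=ether8 dst-address=192.168.20.20 action=mark-routing \
    new-routing-mark=vrf2 passthrough=no comment="to system 2"
# 7. System -> controller: the srcnat chain cannot match on in-interface, so remember the port as a
#    packet mark here and let srcnat key on it.
add chain=prerouting in-interface=ether1 src-address=192.168.10.100 action=mark-packet \
    new-packet-mark=from-sys1 passthrough=yes
add chain=prerouting in-interface=ether2 src-address=192.168.10.100 action=mark-packet \
    new-packet-mark=from-sys2 passthrough=yes

/ip firewall nat
# 8. Translation. Connection tracking reverses each rule for reply packets, so one rule per direction
#    per system is enough. action=netmap with the same to-addresses is the 1:1 form the post prefers.
add chain=dstnat in-interface=ether8 dst-address=192.168.20.10 action=dst-nat \
    to-addresses=192.168.10.100 comment="controller -> system 1"
add chain=dstnat in-interface=ether8 dst-address=192.168.20.20 action=dst-nat \
    to-addresses=192.168.10.100 comment="controller -> system 2"
add chain=srcnat packet-mark=from-sys1 action=src-nat to-addresses=192.168.20.10 \
    comment="system 1 -> controller"
add chain=srcnat packet-mark=from-sys2 action=src-nat to-addresses=192.168.20.20 \
    comment="system 2 -> controller"
```

To check it, ping 192.168.20.10 and 192.168.20.20 from the controller and confirm that /ip firewall connection print shows two entries whose reply destination is 192.168.10.100 and that /ip route print where routing-table=vrf1 lists both the connected 192.168.10.0/24 on ether1 and the leaked 192.168.20.0/24; a packet for 192.168.20.10 that never gets its routing mark will fall through to the main table and end up on the dummy bridge, which is the first thing to look for if one port stays silent.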
So you have a MikroTik router, and it has one port going to some switch with 2+ devices with the same IP and subnet? If each device with the same IP were connected to a different port on the MikroTik router, the duplicate IP/subnet would be solved by adding an interface route, in which case only a src-nat would be needed. But if you really have the same IP on multiple devices on the same segment+subnet, you may need to do some more sophisticated tricks with /ip/arp and/or bridge NAT/filter rules, but this gets complex/specific.
Most of the time industrial devices with the same IP are on different LAN/Layer2/ethernet segments (either via ports on the MikroTik or via VLANs coming from a switch). If the devices are all on the same LAN segment: you mention these devices support 4 different subnet choices, so if you just switch each to a different subnet, then they can all be on the same L2/ethernet segment/"router port", and the router would then use 4 IP addresses, one for each of the devices' unique subnets. And if you want to "renumber" them to a different subnet (like your 192.168.20.x), you can use a "netmap" rule to remap the device subnet to something unique in your overall routing. This approach still means you are limited to the number of fixed subnets the device has per port/VLAN.
Also I'm not familiar with the specifics of RouterOS v4… but I'm still not sure why this would have worked there. The only thing is perhaps the route cache helped with maintaining the ARP table, but really IDK - but v7 does use a different routing engine, while v6 is more similar to v4. Which begs the question: have you considered trying your v4 config on v6 first? v6 is still supported, so if that worked it might be an option, or at least a worthwhile test to narrow the scope of the problem. (oops, the RB5009 only supports v7)
Let me check on Monday. A few billable hours may not be a problem. I had a sense the VRF stuff was going to peek up and show its head. I've been reading up quite a lot lately. But, alas, I'm working at home this weekend and the router is on my desk.
It can be done in a less convoluted way and with fewer rules, but you lose some edge-case functionality/behavior - you only have to write out the basic config once and then change IPs around, so I tend to go with the more complicated approach if it yields fewer surprises in the future.
Unless I am missing something, it should be possible even without VRFs, the "generic" case being "access multiple devices with the same fixed IP address connected to different ports/interfaces".
Using VRFs may make the configuration more "linear" and easy to read in the future, though.
The referenced solution, adapted to ROS 7, would need explicitly declared routing tables (in /ip route the “routing-mark” would become “routing-table”) so at the end it won’t look very different from a VRF based solution.
Yep. And in v6 there is actually almost no difference, being that vrfs are implemented “in the background” as routing tables. VRFs in v7 bring some niceties because they are actual namespaces.
So, for RouterOS 7, I can’t do one of the options. It seems more options available via RouterOS 6.
So, the 'src-nat' and 'dst-nat' are part of the Routing Decision and should be okay, i.e. the src-nat/dst-nat rules shouldn't change.
The Firewall mangle rules have a 'mark-routing' that lets me choose a routing table from 'main', 'vrf1', 'vrf2'.
It appears that all I need, then are correct routing tables in ‘vrf1’ and ‘vrf2’…
I brought in a bunch of Raspberry Pis to set them up, because I can change THOSE IP addresses to test jaclaz's solution. And it works fine.
I've been trying to convert them over to the IP addresses I need, but typos being typos, I haven't got it done yet.
I’ll mark this as ‘closed’ or ‘solved’ come Monday/Tuesday, if all goes well (and it should) - and post the solution I ended up with.
I want to thank everybody, especially lurker888 and jaclaz.
Thanks, will check. Here's my 'cleaned up' script. It is saved onto the MikroTik, so it actually includes instructions for future me years from now.