steve42
October 24, 2018, 11:33am
Hello MikroTik experts,
I have been struggling for a while now with an RB2011UiAS-2HnD-IN (updated from “RouterOS V6.40.8 (bugfix)” to “RouterOS V6.43.4 (stable)”).
I want to connect 8 devices (all with the same static IP address 192.168.88.20) to a host over only one Ethernet link. First I tried to DNAT the addresses 192.168.88.21 … 28 to 192.168.88.20, using routing marks to forward the packets to the different interfaces. But I could not manage to isolate these interfaces from each other, i.e. a ping to 192.168.88.21 was seen on all (switched?) ports (Wireshark: “Who has 192.168.88.20?”).
Then I have tried it with VLAN with the following setup:
Trunk (tagged) Router to the devices (untagged)
--------------
| |
192.168.1.1 VLAN11 | | 192.168.88.21 VLAN821
--------------------| bridge_vlan1 |------------------------
| |
192.168.2.1 VLAN21 | | 192.168.88.22 VLAN822
--------------------| bridge_vlan2 |------------------------
| |
... | | ...
| |
192.168.8.1 VLAN81 | | 192.168.88.28 VLAN828
--------------------| bridge_vlan8 |------------------------
| |
--------------
For the start I tried it with only two interfaces:
VLAN11 and VLAN21 at ether6
VLAN821 at ether7
VLAN822 at ether8
I am using bridged VLANs (not switch-chip VLANs) because, as I understand it, this is necessary for NAT to work.
The problem now:
Pings (e.g. ping 192.168.1.20) no longer reach ether7 (no “Who has …” is seen by Wireshark connected to ether7) as soon as I switch on “VLAN filtering”. I tried for hours with different settings (mainly in Bridge/Port and Bridge/VLAN) but without success. Furthermore, I lose my connection to WebFig (I use 192.168.8.11 on ether5).
Here is my current configuration:
# jan/02/1970 00:44:36 by RouterOS 6.43.4
# NOTE(review): an export date in 1970 suggests the router clock is not set
# (no NTP / RTC); log timestamps will be unreliable until that is fixed - confirm.
# software id = 092K-ZDLX
#
# model = 2011UiAS-2HnD r2
# serial number = ...
# Three bridges: bridge1 (carries 192.168.8.1/24, see /ip address) and one
# bridge per VLAN pair from the diagram. None of them has vlan-filtering=yes in
# this export, so it was taken with VLAN filtering switched off.
/interface bridge
add fast-forward=no name=bridge1
add fast-forward=no name=bridge_vlan1
# NOTE(review): bridge_vlan2 is disabled here, yet the /interface bridge vlan
# entries for VLANs 21 and 822 still reference it - confirm whether this is intended.
add disabled=yes fast-forward=no name=bridge_vlan2
# Router-side (tagged) VLAN interfaces. Two sit on bridge_vlan1, two sit
# directly on physical ports - a mixed layout that is worth double-checking.
/interface vlan
add interface=bridge_vlan1 name=vlan11 vlan-id=11
# NOTE(review): vlan21 is created on ether6 itself, while ether6 is also a
# bridge_vlan1 port with pvid=11 (see /interface bridge port). Confirm that a VLAN
# interface on a port that is simultaneously a filtering bridge member is intended.
add interface=ether6 name=vlan21 vlan-id=21
add interface=bridge_vlan1 name=vlan821 vlan-id=821
# NOTE(review): vlan822 is on ether8 directly; ether8 is not a member of any
# bridge in this export, although /interface bridge vlan lists it as untagged for 822.
add interface=ether8 name=vlan822 vlan-id=822
# Switch-chip (hardware) VLAN settings for ports 6, 7 and 8. As far as I can
# tell these are applied by the switch chip independently of the bridge VLAN
# filtering configured further down; having both layers tag/untag the same
# ports is a plausible cause of traffic disappearing once VLAN filtering is
# enabled - verify which layer is meant to do the VLAN handling.
/interface ethernet switch port
set 6 default-vlan-id=11
# always-strip removes the VLAN header on egress towards the untagged devices.
set 7 default-vlan-id=821 vlan-header=always-strip
set 8 default-vlan-id=822 vlan-header=always-strip
# NOTE(review): port 12 is presumably the switch's CPU-facing port - confirm.
set 12 vlan-mode=secure
# User Manager customer "admin" and its access rights; unrelated to the VLAN
# problem but shows the User Manager package is active on this router.
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
# Bridge membership. Only bridge_vlan1 has ports; bridge_vlan2 has none, and
# ether8 (used by vlan822 / VLAN 822) is not a bridge port at all.
/interface bridge port
# ether6 is the trunk towards the router side; untagged frames get VLAN 11.
add bridge=bridge_vlan1 interface=ether6 pvid=11
# ether7 is the untagged device port for VLAN 821.
add bridge=bridge_vlan1 interface=ether7 pvid=821
# Pass bridged (Layer-2 forwarded) traffic through /ip firewall as well, and
# extend that to VLAN-tagged frames. This is what lets NAT act on traffic that
# would otherwise be switched/bridged without touching the IP firewall.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# Bridge VLAN table (only consulted once vlan-filtering=yes is set on a bridge).
/interface bridge vlan
# NOTE(review): bridge_vlan2 is disabled and has no ports in this export, and
# ether8 is not a bridge member, so this entry cannot take effect as written.
add bridge=bridge_vlan2 tagged=bridge_vlan2 untagged=ether8 vlan-ids=822
# VLAN 11: tagged on the ether6 trunk and on the bridge itself (for vlan11).
add bridge=bridge_vlan1 tagged=ether6,bridge_vlan1 vlan-ids=11
# NOTE(review): ether6 is listed as a tagged member here, but ether6 is only a
# port of bridge_vlan1 - a port cannot belong to two bridges.
add bridge=bridge_vlan2 tagged=bridge_vlan2,ether6 vlan-ids=21
# VLAN 821: tagged towards the bridge interface (vlan821), untagged on ether7.
add bridge=bridge_vlan1 tagged=bridge_vlan1 untagged=ether7 vlan-ids=821
/ip address
add address=192.168.1.1/24 interface=vlan11 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan21 network=192.168.2.0
# NOTE(review): 192.168.88.0/24 is configured on two interfaces (vlan821 and
# vlan822). The same /24 on several interfaces makes plain routing to
# 192.168.88.20 ambiguous; the router can only pick one of them without marks.
add address=192.168.88.21/24 interface=vlan821 network=192.168.88.0
add address=192.168.88.22/24 interface=vlan822 network=192.168.88.0
# NOTE(review): 192.168.8.0/24 is likewise present on both bridge1 and ether5;
# the WebFig address 192.168.8.11 on ether5 lives in the same overlapping subnet.
add address=192.168.8.1/24 interface=bridge1 network=192.168.8.0
add address=192.168.8.11/24 interface=ether5 network=192.168.8.0
# Only NAT rule in this export, and it is disabled. No /ip firewall filter
# rules appear in this export either, so with use-ip-firewall=yes all bridged
# and routed traffic is currently accepted unfiltered - confirm nothing was
# left out of the paste.
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=vlan821
Any help is appreciated, since I am stuck with this problem.
I have now found a solution without VLANs on my own: not bridging the device ports did the trick.
client Router to the devices
--------------
| |
192.168.3.111 | | 192.168.88.11
--------------| ether9 ether1 |----------------
| |
| | 192.168.88.12
| ether2 |----------------
| |
| | ...
| |
| | 192.168.88.18
| ether8 |----------------
| |
---------------
Here is the configuration; the addresses 192.168.88.21 … 28 are DNAT’ed to 192.168.88.20 (on ether1 … 8) as intended.
# Working (non-VLAN) setup: only the client-facing ports are bridged; the eight
# device ports ether1..ether8 are deliberately left as separate routed interfaces.
/interface bridge port
add bridge=bridge interface=ether10
add bridge=bridge interface=ether9
# Send traffic bridged between ether9/ether10 through /ip firewall as well.
/interface bridge settings
set use-ip-firewall=yes
# One router address per device port, all inside the same 192.168.88.0/24.
# Because the subnet overlaps on eight interfaces, ordinary routing cannot
# choose the port for 192.168.88.20; the routing-mark routes in /ip route do.
/ip address
add address=192.168.88.11/24 interface=ether1 network=192.168.88.0
add address=192.168.88.12/24 interface=ether2 network=192.168.88.0
# ether9 is the client side of the diagram (192.168.3.0/24).
add address=192.168.3.111/24 interface=ether9 network=192.168.3.0
add address=192.168.88.13/24 interface=ether3 network=192.168.88.0
add address=192.168.88.14/24 interface=ether4 network=192.168.88.0
add address=192.168.88.15/24 interface=ether5 network=192.168.88.0
add address=192.168.88.16/24 interface=ether6 network=192.168.88.0
add address=192.168.88.17/24 interface=ether7 network=192.168.88.0
add address=192.168.88.18/24 interface=ether8 network=192.168.88.0
# Isolation rules: traffic carrying routing mark N may only leave via etherN;
# anything marked N that would exit on another port is dropped.
# NOTE(review): these are the only filter rules in the export and they match
# marked forward traffic only. Unmarked forward traffic (anything not addressed
# to 192.168.88.21-28) and all input traffic to the router itself are not
# filtered here, so the router's management services (e.g. WebFig) stay
# reachable from every port unless rules exist outside this paste - confirm.
/ip firewall filter
add action=drop chain=forward out-interface=!ether1 routing-mark=1
add action=drop chain=forward out-interface=!ether2 routing-mark=2
add action=drop chain=forward out-interface=!ether3 routing-mark=3
add action=drop chain=forward out-interface=!ether4 routing-mark=4
add action=drop chain=forward out-interface=!ether5 routing-mark=5
add action=drop chain=forward out-interface=!ether6 routing-mark=6
add action=drop chain=forward out-interface=!ether7 routing-mark=7
add action=drop chain=forward out-interface=!ether8 routing-mark=8
# Routing marks: each virtual address 192.168.88.2N gets routing mark N.
# This runs in prerouting, i.e. before dst-nat rewrites the destination, so
# the mark is decided on the original (pre-NAT) address. passthrough=yes lets
# later mangle rules still see the packet.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Prerouting: Mangle --> DNAT" dst-address=192.168.88.21 new-routing-mark=\
1 passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.88.22 \
new-routing-mark=2 passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.88.23 \
new-routing-mark=3 passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.88.24 \
new-routing-mark=4 passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.88.25 \
new-routing-mark=5 passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.88.26 \
new-routing-mark=6 passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.88.27 \
new-routing-mark=7 passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.88.28 \
new-routing-mark=8 passthrough=yes
# dst-nat: rewrite each virtual address 192.168.88.2N to the devices' shared
# address 192.168.88.20; which physical device receives it is decided by the
# routing mark set in mangle, not by this rule.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Prerouting: Mangle --> DNAT" \
dst-address=192.168.88.21 to-addresses=192.168.88.20
add action=dst-nat chain=dstnat dst-address=192.168.88.22 to-addresses=\
192.168.88.20
add action=dst-nat chain=dstnat dst-address=192.168.88.23 to-addresses=\
192.168.88.20
add action=dst-nat chain=dstnat dst-address=192.168.88.24 to-addresses=\
192.168.88.20
add action=dst-nat chain=dstnat dst-address=192.168.88.25 to-addresses=\
192.168.88.20
add action=dst-nat chain=dstnat dst-address=192.168.88.26 to-addresses=\
192.168.88.20
add action=dst-nat chain=dstnat dst-address=192.168.88.27 to-addresses=\
192.168.88.20
add action=dst-nat chain=dstnat dst-address=192.168.88.28 to-addresses=\
192.168.88.20
# Per-port masquerade: the device on etherN sees the router's own port address
# (192.168.88.1N) as the source, so it never needs a route back to the client
# network. Side effect: the devices cannot tell individual clients apart, and
# their own logs will show only the router's address - presumably acceptable here.
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
add action=masquerade chain=srcnat out-interface=ether4
add action=masquerade chain=srcnat out-interface=ether5
add action=masquerade chain=srcnat out-interface=ether6
add action=masquerade chain=srcnat out-interface=ether7
add action=masquerade chain=srcnat out-interface=ether8
# Policy routes: packets with routing mark N reach 192.168.88.20 via etherN.
# The gateway is an interface rather than an address, so the device is treated
# as directly connected on that port. Unmarked traffic never uses these routes.
/ip route
add distance=1 dst-address=192.168.88.20/32 gateway=ether1 routing-mark=1
add distance=1 dst-address=192.168.88.20/32 gateway=ether2 routing-mark=2
add distance=1 dst-address=192.168.88.20/32 gateway=ether3 routing-mark=3
add distance=1 dst-address=192.168.88.20/32 gateway=ether4 routing-mark=4
add distance=1 dst-address=192.168.88.20/32 gateway=ether5 routing-mark=5
add distance=1 dst-address=192.168.88.20/32 gateway=ether6 routing-mark=6
add distance=1 dst-address=192.168.88.20/32 gateway=ether7 routing-mark=7
add distance=1 dst-address=192.168.88.20/32 gateway=ether8 routing-mark=8