Hi,
I am trying to achieve this with the CRS305:
- Connect one “main” computer to one of the ports; let’s say it has IP 192.168.2.1
- Give the CRS305 a compatible IP, say, 192.168.2.2
- On the four remaining ports, connect 4 different devices; all 4 devices have the same statically configured IP 192.168.1.1; all 4 devices are running an http(s) webserver on port 443
- I would like to connect to all 4 simultaneously from the main computer; my idea was to somehow “map” these 4 devices to different IPs e.g. 192.168.2.3-6 via some sort of NAT/port forwarding/vlan
So far, I’ve been unsuccessful in getting this to work – any suggestion?
No time right now but you really should search this forum yourself.
This has been discussed several times not too long ago.
Hi,
Really common question. Here are the references:
http://forum.mikrotik.com/t/1-1-nat-dnat-configuration-help/182840/1
http://forum.mikrotik.com/t/quick-guide-bidirectional-1-1-nat-snat-dnat-setup-w-working-example/183024/1
The first one has explanations, the second one has a working example. (The second one will probably get corrected based on my latest comments in the first one.)
Have fun!
Hi,
Thank you for the pointer. I’ve tried to adjust the final script to my environment.
- I reset the router
- I changed the router password
- I changed the router IP to 192.168.2.2
- My computer IP connected to the router is 192.168.2.1
- My computer is connected to the port labelled “PoE/In ETH/BOOT”
- The four external devices all with IP 192.168.1.1 are connected to the four SFP+ ports.
I’ve created a templated version of the script where the extracted template variables are:
systemName = "PLC-Gateway"
interfaceDevices = "PLC-PORTS"
interfaceWAN = "WAN"
interfaceForWAN = "ether1"
interfaceForDevices = ["ether2", "ether3", "ether4"]
primaryIP = "172.29.10.1"
externalIPs = ["172.29.10.102", "172.29.10.103", "172.29.10.104"]
internalIP = "192.168.2.180"
toIP = "192.168.2.20"
dstIP = "192.168.2.0"
I’ve adjusted them for my purposes to:
systemName = "Devices-Switch"
interfaceDevices = "DEVICES-PORTS"
interfaceWAN = "NUC"
interfaceForWAN = "ether1"
interfaceForDevices = ["sfp-sfpplus1", "sfp-sfpplus2", "sfp-sfpplus3", "sfp-sfpplus4"]
primaryIP = "192.168.2.2"
externalIPs = ["192.168.2.101", "192.168.2.102", "192.168.2.103", "192.168.2.104"]
internalIP = "192.168.1.180"
toIP = "192.168.1.1"
dstIP = "192.168.1.0"
Resulting in the final script:
## /export
## /export verbose
## /system reboot
## /system reset-configuration
# Identity for better management
/system identity set name="Devices-Switch"
#######################################
# Interface Organization
#######################################
# Create interface lists for better management
/interface list
add name=DEVICES-PORTS
add name=NUC
# Add interfaces to lists
/interface list member
add interface=ether1 list=NUC
add interface=sfp-sfpplus1 list=DEVICES-PORTS
add interface=sfp-sfpplus2 list=DEVICES-PORTS
add interface=sfp-sfpplus3 list=DEVICES-PORTS
add interface=sfp-sfpplus4 list=DEVICES-PORTS
#######################################
# IP Configuration
#######################################
# WAN interface (Edge device connection)
/ip address
add address=192.168.2.2/24 interface=ether1 comment="Edge Network Primary IP"
# Add one virtual IP per device on the WAN interface (each one maps to a different SFP+ port below)
add address=192.168.2.101/24 interface=ether1 comment="Idx 0 External IP"
add address=192.168.2.102/24 interface=ether1 comment="Idx 1 External IP"
add address=192.168.2.103/24 interface=ether1 comment="Idx 2 External IP"
add address=192.168.2.104/24 interface=ether1 comment="Idx 3 External IP"
# Configure IP addresses for each device interface - directly using Ethernet ports
add address=192.168.1.180/24 interface=sfp-sfpplus1 comment="Idx 0 Network"
add address=192.168.1.180/24 interface=sfp-sfpplus2 comment="Idx 1 Network"
add address=192.168.1.180/24 interface=sfp-sfpplus3 comment="Idx 2 Network"
add address=192.168.1.180/24 interface=sfp-sfpplus4 comment="Idx 3 Network"
#######################################
# Create Routing Tables
#######################################
/routing table
add disabled=no fib name=to-idx0
add disabled=no fib name=to-idx1
add disabled=no fib name=to-idx2
add disabled=no fib name=to-idx3
#######################################
# Create Routing Rules
#######################################
/routing rule
add action=lookup-only-in-table routing-mark=to-idx0 table=to-idx0
add action=lookup-only-in-table routing-mark=to-idx1 table=to-idx1
add action=lookup-only-in-table routing-mark=to-idx2 table=to-idx2
add action=lookup-only-in-table routing-mark=to-idx3 table=to-idx3
#######################################
# Connection Marking for Policy Routing
#######################################
/ip firewall mangle
# Mark inbound traffic from WAN to devices with routing marks directly
add chain=prerouting in-interface=ether1 dst-address=192.168.2.101 action=mark-routing new-routing-mark=to-idx0 comment="Route to Idx 0"
add chain=prerouting in-interface=ether1 dst-address=192.168.2.102 action=mark-routing new-routing-mark=to-idx1 comment="Route to Idx 1"
add chain=prerouting in-interface=ether1 dst-address=192.168.2.103 action=mark-routing new-routing-mark=to-idx2 comment="Route to Idx 2"
add chain=prerouting in-interface=ether1 dst-address=192.168.2.104 action=mark-routing new-routing-mark=to-idx3 comment="Route to Idx 3"
# Mark connections based on initiator
add chain=prerouting connection-mark=no-mark in-interface=ether1 action=mark-connection new-connection-mark=from-mgmt comment="Mark connection from MGMT side"
add chain=prerouting connection-mark=no-mark in-interface=sfp-sfpplus1 action=mark-connection new-connection-mark=from-idx0 comment="Mark connection from device 0"
add chain=prerouting connection-mark=no-mark in-interface=sfp-sfpplus2 action=mark-connection new-connection-mark=from-idx1 comment="Mark connection from device 1"
add chain=prerouting connection-mark=no-mark in-interface=sfp-sfpplus3 action=mark-connection new-connection-mark=from-idx2 comment="Mark connection from device 2"
add chain=prerouting connection-mark=no-mark in-interface=sfp-sfpplus4 action=mark-connection new-connection-mark=from-idx3 comment="Mark connection from device 3"
# Route return traffic from router to devices (where connection-mark=from-idx)
add chain=output connection-mark=from-idx0 action=mark-routing new-routing-mark=to-idx0 comment="Route to idx 0"
add chain=output connection-mark=from-idx1 action=mark-routing new-routing-mark=to-idx1 comment="Route to idx 1"
add chain=output connection-mark=from-idx2 action=mark-routing new-routing-mark=to-idx2 comment="Route to idx 2"
add chain=output connection-mark=from-idx3 action=mark-routing new-routing-mark=to-idx3 comment="Route to idx 3"
#######################################
# Policy-Based Routing Rules
#######################################
# Policy routes for the entire device subnet (/24), not just the device (/32)
/ip route
add dst-address=192.168.1.0/24 gateway=sfp-sfpplus1 routing-table=to-idx0 comment="Route to idx 0"
add dst-address=192.168.1.0/24 gateway=sfp-sfpplus2 routing-table=to-idx1 comment="Route to idx 1"
add dst-address=192.168.1.0/24 gateway=sfp-sfpplus3 routing-table=to-idx2 comment="Route to idx 2"
add dst-address=192.168.1.0/24 gateway=sfp-sfpplus4 routing-table=to-idx3 comment="Route to idx 3"
#######################################
# NAT Configuration - Inbound & Reply Traffic
#######################################
# Destination NAT
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=192.168.2.101 action=dst-nat to-addresses=192.168.1.1 comment="Idx 0 Inbound"
add chain=dstnat in-interface=ether1 dst-address=192.168.2.102 action=dst-nat to-addresses=192.168.1.1 comment="Idx 1 Inbound"
add chain=dstnat in-interface=ether1 dst-address=192.168.2.103 action=dst-nat to-addresses=192.168.1.1 comment="Idx 2 Inbound"
add chain=dstnat in-interface=ether1 dst-address=192.168.2.104 action=dst-nat to-addresses=192.168.1.1 comment="Idx 3 Inbound"
# Source NAT for replies (makes router appear as 192.168.1.180 to devices)
add chain=srcnat out-interface-list=DEVICES-PORTS action=src-nat to-addresses=192.168.1.180 comment="Source NAT to devices"
# might be default but just in case
/ip firewall connection tracking set enabled=yes
I can execute this script on the router without any issues.
However, when I try to connect to e.g. http://192.168.2.102 from my computer, I would expect to see the web server of one of the devices, but it actually shows RouterOS.
Any idea what I messed up?
Any number of things 
My guesses would start at:
- resetting the device without no-default-configuration
- somehow your script doesn’t run to the end (if any error is encountered, execution stops) - it’s best to copy-paste it in parts into the terminal while debugging to actually see the error (if you aren’t doing it like this already)
- a variant of this: if you select a script to run after reset, some interfaces that you reference may not be ready
If you’ve verified that your config is correctly applied, you can add logging (with your choice of prefix) to every firewall rule. Do this, and see if the appropriate rules are being matched/executed. The correct order would be something like:
- the mangle mark-routing for the address
- the mangle mark-connection for the address
- the dst-nat
- the src-nat
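The checks described above, written out as an added example for the poster's script (this is not part of the original reply and not code from the thread). It assumes the rule comments exactly as they appear in the posted script, and uses the request to 192.168.2.102 (Idx 1) as the one being traced:

```routeros
# Added example: verify the script actually landed and watch which rules fire.
# Assumes the rule comments from the posted script ("Route to Idx 1", "Idx 1 Inbound", ...).

# 1. Check that the factory default configuration is not still in place.
#    After a reset that keeps the defaults, the ports are members of the default
#    bridge, so the per-port addresses and routes in the script do not behave as
#    intended. Both lists should only show what the script added.
/interface bridge port print
/ip address print

#    A clean start that skips the default configuration (then paste the script
#    into the terminal in parts, so any error is visible instead of silently
#    stopping execution):
#      /system reset-configuration no-defaults=yes

# 2. Enable logging on the rules that should match a request to 192.168.2.102,
#    each with its own prefix so the order of matches is visible in the log.
/ip firewall mangle set [find comment="Route to Idx 1"] log=yes log-prefix="mangle-rt-idx1"
/ip firewall mangle set [find comment="Mark connection from MGMT side"] log=yes log-prefix="mangle-conn-mgmt"
/ip firewall nat set [find comment="Idx 1 Inbound"] log=yes log-prefix="dnat-idx1"
/ip firewall nat set [find comment="Source NAT to devices"] log=yes log-prefix="snat-devices"

# 3. Follow the log while opening https://192.168.2.102 from the main computer.
#    Expected order of prefixes for the first packet:
#    mangle-rt-idx1, mangle-conn-mgmt, dnat-idx1, snat-devices
/log print follow-only where topics~"firewall"

# 4. The same story without a log: rule counters and the tracked connection.
#    A dst-nat rule with zero packets means the request never reached it
#    (and RouterOS itself is answering on the virtual IP instead).
/ip firewall mangle print stats where comment~"Idx 1"
/ip firewall nat print stats where comment~"Idx 1|Source NAT"
/ip firewall connection print where dst-address~"192.168.1.1:443"

# 5. Switch logging off again once the rules are confirmed.
/ip firewall mangle set [find log=yes] log=no
/ip firewall nat set [find log=yes] log=no
```

The counters in step 4 are the quickest tell: if "Idx 1 Inbound" never increments while the management computer is clearly sending packets to 192.168.2.102, the packet is being consumed before dstnat (typically because the interface or address setup is not what the script assumes), and the logging in step 2 shows exactly how far it gets.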
Thank you! Resetting with no default configuration did the trick. Amazing!!
Glad it worked.
You’re always welcome to share your script/template as a reply in the “Useful user articles” topic I referenced. Hint-hint?