Setting up a 1:1 NAT

Hello everyone,

I am very new to using Mikrotik products; I have a Mikrotik hEx S. I am trying to set up a 1:1 NAT with multiple networks. I am used to working with basic Allen Bradley NATR.

My goal is to take the IPs on the left and map them to the IPs on the right.

The IP 172.22.202.1 is the default GW, 172.22.202.2 is a WLAN device that is being used to connect to the internet, 172.22.202.3 is the hEx S device itself.

Any help would be much appreciated!

Before wasting time because we don't know how the network is structured,
please also provide a diagram of how the cables are connected in the RouterBOARD and how the internal configuration is made, with an export...

What you wrote doesn't add up, and in any case, it's more obvious and easier to make correspondences like
172.22.202.27 -> 192.168.1.27
Especially if they're both /24s, it makes no sense to mix them up like this.
Since it looks like you're just starting, not finishing, align this thing right away so you can find it easier later...

If anything, I would have used at least something like
172.19.1.27->192.168.1.27
and then, if something else was needed in the future, I would have done, for example
172.19.0.27->192.168.0.27
etc...
in short...
172.19.0.0->192.168.0.0
...
172.19.255.255->192.168.255.255

What you want to do is not especially uncommon in the automation/plc/industrial world. I've found Mikrotiks to be a great help in these situations, so you're on the right track. In fact Mikrotiks have much better configurability and long-term support than the usual devices...

The first step is sorting out some basics:

  • What is your device model? (Unfortunately, there is an old Hex S (rb760...) and a new Hex S 3035 (E60...)) Both are suitable, but it's kind of important to know which one it is. If it's not settled, the newer one would be my strong preference.
  • Have you updated the software on your device? If you have not, do so. Again, give the exact version here. I suggest using the latest stable version of the latest long-term version for your device.

Next, you will unfortunately not escape the request for a network diagram. It should include:

  • the two networks with their prefix and gateway like: left side 172.22.202.0/24, gw: 172.22.202.1
  • the addresses of every device (not all devices have to be diagrammed, just an example of each type)
  • please also include any additional device (also as representative examples) which would attempt to communicate with the devices (display unit/HMI/programmer/data logger)

Please also note that both the ones you label "public" and "local" are in fact RFC 1918 private addresses.

The general gist of the solution looks like this:

  • properly configure the router for both subnets
  • ensure that packets that have to be routed between them are sent to the Mikrotik by other devices; there are two ways to do this: either the Mikrotik has to be the default gw (this is probably what you want on the right side), or the Mikrotik has to have all of the addresses assigned (this is probably what you will want on the left side)
  • create nat rules that do the 1:1 translation (probably the netmap action is the most straightforward)

For initial setup at least, the filtering functionality of the firewall should be disabled.

The model I have is the older RB760, and the software version I have is 6.49.5.

Here is a general idea of how the network is set up. The end goal is to use a VPN which gets me access to the 172.22.202.0/24 subnet. Then from there I can use the Public IPs of the PLCs and camera to control them. It is easier if I have them all in the local 192.168.1.0/24 subnet. I know that the different brands of PLCs and the camera will use different TCP/UDP ports to communicate, too. For example the Omron PLC uses TCP port 48898 for EtherNet/IP and the camera uses TCP port 9000.

If you have any more questions on how my setup is let me know and I can answer them. Thank you for taking the time to help me.

Well, you're not getting off this easy.

First of all, what you call "public" is not at all public, just another network. Label them accordingly. Am I right that the devices on the right are configured with their addresses as 192.168.1.x/24 and have their default gateway set to 192.168.1.1? "And" as in are both of these true?

Am I also correct that on the left (public) side the devices are set to 172.22.202.x/24 addresses and have 172.22.202.1 as their gateway? Presumably there is a router (not shown) that is also on this subnet and deals with any further connectivity?

Is it also true that there will be another device (also not shown) on this 172.22.202.x subnet that will provide you with vpn access? Or is this the same device as mentioned above (the not shown router)?

If all this is true then you're looking at a fairly easy job.

My only worry is this: Am I correct that the WLAN 1120 device is the FL WLAN 1120 module from Phoenix Contact? I don't really have experience with the specific device, but it seems to me that only one side is wired ethernet and the other is WiFi. So... the next question: is the connection to the right (to the hEx S and the switch) the wired one? Is then the other connection (up, towards the cloud) WiFi?

If it is indeed WiFi as I suspect, you may run into some difficulty. The standards compliant (802.11) version of WiFi doesn't support multiple devices behind a single client. There are various workarounds implemented that work... in various ways. The most reliable one is where the access point and the wifi client are both made by the same manufacturer and are documented to work in these situations.

Is it possible for you to temporarily link the hEx to the network using a wired connection (potentially via switches)? It's much easier to troubleshoot these sorts of things one difficulty at a time.

Update your device to some sensible v7 version. It is fully supported. Although the 6.x versions support everything you need, it's really unnecessary to dig yourself into a legacy hole from the start. (If you would have a fleet of devices already configured and working well, I would suggest the opposite: there's nothing wrong with v6. You'll just find way more documentation for v7, and the newer devices only support that.)

EDIT: Forgot to mention: there's nothing wrong with having the older hEx. It's a thoroughly tested and well respected model.

The basic idea for the solution is the following.

After you have updated the device, make sure that you have access to it via a MAC connection. (In winbox, this is done by specifying the MAC address instead of the IP address.)

Reset the device with no configuration. This is done by system->reset configuration and checking "no default configuration"

This leaves you with a blank device. If you would like to have a firewall (good idea) you'll have to apply it manually later on. Unfortunately the default firewall is not suitable for this situation, so one must be designed.

Then comes the fun part. But I'll type this up later.

Also, am I correct that connections will be always be initiated from the left (172.22.202.x) side and not from the right (192.168.1.x)?

And please label the Mikrotik's interfaces.

So... here goes the configuration. This was not tested, so it may very well contain errors. (I'll assume ether1 is the "public" and ether2 the "private" side.)

First of all, the basic setup.

/ip address add interface=ether1 address=172.22.202.3/24
/ip address add interface=ether2 address=192.168.1.1/24

# Add default and dns
/ip route add dst-address=0.0.0.0/0 gateway=172.22.202.1
/ip dns set servers=172.22.202.1

And now comes the nat part. For the IP camera (172.22.202.24 -> 192.168.1.160):

/ip address add interface=ether1 address=172.22.202.24/32
/ip firewall nat add chain=dstnat action=dst-nat in-interface=ether1 dst-address=172.22.202.24 to-addresses=192.168.1.160
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 src-address=192.168.1.160 to-addresses=172.22.202.24

This block will have to be repeated for all mappings individually.

This pretty much does exactly what the Allen-Bradley NATR device does. Just for reference, if the PLC ("private side") devices can't be properly configured with a gateway, there is an additional helpful hack: (Hack implies that it should first be tried without this.)

/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 to-addresses=192.168.1.1
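Since the three-line block above has to be repeated for every mapping, and the later exports in this thread show how easy it is to get a prefix length wrong by hand, here is a small generator for it. This is an added example written for this thread, not code from the thread or from MikroTik. The camera mapping, the interface names, the 172.22.202.1/.2/.3 reservations and the 192.168.1.1 router address are the thread's own; the PLC mapping and its port list are constructed assumptions. It also emits a minimal forward filter (established/related, then only dst-nat'ed connections from ether1 to the listed ports, then drop) for use once the NAT itself works, because the reply above notes the default firewall is unsuitable and one has to be designed.

```python
"""Generate the per-device 1:1 NAT block for RouterOS from a mapping table.

Added example for this thread, not code from the thread or from MikroTik.
Every mapping becomes the same three lines the reply above gives for the
camera (a /32 "impersonated" address on ether1 plus a dst-nat/src-nat pair),
and mappings that cannot work on this router are rejected before anything
is emitted.
"""
import ipaddress

# Values stated in the thread.
OUTSIDE_NET = ipaddress.ip_network("172.22.202.0/24")  # "public" side, ether1
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")    # "private" side, ether2
OUTSIDE_IF, INSIDE_IF = "ether1", "ether2"
ROUTER_INSIDE = ipaddress.ip_address("192.168.1.1")
# .1 is the default gateway, .2 the FL WLAN 1120, .3 the hEx S itself:
# none of these may be "impersonated" by a mapping.
RESERVED_OUTSIDE = {ipaddress.ip_address(f"172.22.202.{h}") for h in (1, 2, 3)}

# outside address -> (inside address, TCP ports the outside may open).
# Camera entry from the thread; the PLC entry is a constructed example
# (the thread mentions TCP 48898 for the Omron PLC and 9000 for the camera).
MAPPINGS = {
    "172.22.202.24": ("192.168.1.160", (9000,)),
    "172.22.202.9": ("192.168.1.21", (48898,)),
}


def validate(mappings):
    """Raise ValueError for a mapping that cannot work on this router."""
    seen_inside = set()
    for out_s, (in_s, ports) in mappings.items():
        out, inn = ipaddress.ip_address(out_s), ipaddress.ip_address(in_s)
        if out not in OUTSIDE_NET:
            raise ValueError(f"{out} is not inside {OUTSIDE_NET}")
        if out in RESERVED_OUTSIDE:
            raise ValueError(f"{out} is the gateway, the WLAN bridge or the router")
        if inn not in INSIDE_NET or inn == ROUTER_INSIDE:
            raise ValueError(f"{inn} is not a usable host address in {INSIDE_NET}")
        if inn in seen_inside:
            raise ValueError(f"{inn} is mapped twice")
        seen_inside.add(inn)
        if any(not 1 <= p <= 65535 for p in ports):
            raise ValueError(f"bad port list for {out}: {ports}")
    return True


def is_valid(mappings):
    """Boolean form of validate() for callers that just want yes/no."""
    try:
        return validate(mappings)
    except ValueError:
        return False


def mapping_block(outside, inside):
    """The three lines from the reply above, always with a /32 prefix."""
    return [
        f"/ip address add interface={OUTSIDE_IF} address={outside}/32",
        f"/ip firewall nat add chain=dstnat action=dst-nat in-interface={OUTSIDE_IF} "
        f"dst-address={outside} to-addresses={inside}",
        f"/ip firewall nat add chain=srcnat action=src-nat out-interface={OUTSIDE_IF} "
        f"src-address={inside} to-addresses={outside}",
    ]


def forward_filter(mappings):
    """Forward chain for a setup where only the outside ever initiates.

    Filter rules run after dst-nat, so the per-port accepts match the inside
    (translated) destination together with connection-nat-state=dstnat.
    """
    rules = [
        "/ip firewall filter add chain=forward action=accept "
        "connection-state=established,related",
        "/ip firewall filter add chain=forward action=drop connection-state=invalid",
    ]
    for _, (inside, ports) in mappings.items():
        rules.append(
            f"/ip firewall filter add chain=forward action=accept protocol=icmp "
            f"in-interface={OUTSIDE_IF} out-interface={INSIDE_IF} "
            f"dst-address={inside} connection-nat-state=dstnat"
        )
        for port in ports:
            rules.append(
                f"/ip firewall filter add chain=forward action=accept protocol=tcp "
                f"in-interface={OUTSIDE_IF} out-interface={INSIDE_IF} "
                f"dst-address={inside} dst-port={port} connection-state=new "
                f"connection-nat-state=dstnat"
            )
    # Everything else, including anything the inside tries to start, is dropped.
    rules.append("/ip firewall filter add chain=forward action=drop")
    return rules


def render(mappings, with_filter=True):
    """Paste-able script; validate() runs first so nothing half-broken is emitted."""
    validate(mappings)
    lines = []
    for outside, (inside, _) in mappings.items():
        lines += mapping_block(outside, inside)
    if with_filter:
        lines += forward_filter(mappings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(MAPPINGS))
```

Run it and paste the output into the router's terminal after the basic addresses and default route are in place; leave `with_filter=False` until pings through the NAT work, which matches the advice above to keep filtering off during initial setup.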

You are right about the “public side” not truly being public; that was just the terminology we were using around the office. Also, I will answer some of the questions you had.

You are also correct that connections will be always initiated from the 172.22.202.XX subnet, the 192.168.1.XX will NEVER initiate a connection.

All the devices ARE setup with addresses 192.168.1.XX/24 AND HAVE a default gateway of 192.168.1.1. You are also correct that the left (public) side devices have addresses 172.22.202.XX/24 and have their default gateway of 172.22.202.1.

The VPN I mentioned is just so my computer can have access to the company network; the 172.22.202.XX subnet is on those servers. So the VPN basically just gives me access to this subnet.

The WLAN 1120 is the Phoenix Contact FL WLAN 1120 device. The wired ethernet will be connected to the hEx S ether1 port to give it access to the 172.22.202.XX subnet, and the wireless side is connected to the company network.

You mentioned that there may be an issue with multiple clients not working behind a single client. I don’t think this will be an issue because I have had this working with an AB 1783-NATR device. I am switching out that AB device with the hEx S because the AB device isn’t being reliable for maintaining all the NAT rules.

I am NOT able to connect to the network directly temporarily just because of how the company network is set up.

I went through and tried the code that you suggested; this was the same approach I was trying earlier that I was having issues with. The method you suggested works perfectly with the camera, but for some reason it does not work with any of the PLCs. I can’t ping the devices from my computer when I am connected to the correct network. The PLCs and the camera are all on the same switch, so they are all connected to ether2 on the hEx S. I know some of the PLCs use ports for communication to connect to the PLC with the software, but this shouldn’t affect me being able to ping the device. Just to be sure I even tried your “hack” and I am getting the same results of not being able to ping the PLCs.

This is the interesting part :) I actually use Mikrotiks in these sorts of scenarios quite often. One of the reasons is that it has built-in tools for diagnosing the sort of issues you are facing.

As another aside: usually bridging behind WiFi clients is discouraged for a very good reason. It typically works okay as long as there is only one MAC address behind the client (as in our case.) It is usually better if the Mikrotik itself can be the wireless client as well. Of course when you know that your device works fully and correctly with the given AP, and unsure whether the Mikrotik would as well, that opens a whole new can of worms. Anyway, I don't think that this is the source of your problems.

So...

(1) Give the version of RouterOS that you have installed on your device.

(2) Try pinging the PLC from the Mikrotik. It has a built-in tool for it in tools->ping. If you can't do that, there's no chance of it working through NAT.

(3) While pinging in the intended way (from your laptop to the PLC), use the tools->packet sniffer functionality to capture the packets going in and out of the router. The correct configuration is interfaces: ether1, ether2; mac protocol: ip; ip protocol: icmp; direction: any; filter op: and.

Should you want to publish the results of this capture here, you can get a nice textual export with the command /tool/sniffer/packet/print proplist=num,direction,time,interface,src-address,dst-address,size

If this doesn't give clarity as to the reasons for the behavior, post an export of your device configuration obtained by /export file=mylittleconfig.rsc

For some devices, the "hack" is necessary. If/when you try it, it's important to pause the pinging for more than 10s for it to take effect.

  1. Right now I have RouterOS version 7.18.2 installed

  2. I was SUCCESSFULLY able to ping all the PLCs from the Mikrotik.

  3. Below is a picture of the packet sniffer report. The top shows when I was pinging the Mikrotik (172.22.202.3) from my computer (172.22.10.17). Then it shows me trying to ping two of the PLCs, 172.22.202.9 and 172.22.202.10; it shows that my computer was pinging them but they never responded to my computer.

Again, thank you for helping me. I am very new to the whole networking world.

The packet capture shows that the packet destined for 172.22.202.9 never gets forwarded. (We would like to see it go out on ether2 with the proper address translation.) There are two possibilities: it actually isn't going out, or your packet capture is set up incorrectly. You can verify this by attempting to record (with the same settings) your successful pings from the router.

If the packet is not making it through, you have a configuration problem. Really, only seeing your /export will help with this. Some variations: nat and/or addressing is set up incorrectly, a forward filter rule is blocking the traffic, maybe even that ether2 is part of a bridge (as would be the default configuration for this device), which would obviously not allow things to work correctly.

Provide the export.

Instructions here:


Here is the export from my device. This morning I did realize that ether2 was part of the bridge and there was an error within the firewall NAT. After I removed ether2 from the bridge that error went away. Now when I use the /ping command from the terminal I don't get any response from any device, but the camera is still working fine from an external ping.

# 2025-03-12 05:49:39 by RouterOS 7.18.2
# software id = XXXXXXXXXX
#
# model = RB760iGS
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=172.22.202.3/24 interface=ether1 network=172.22.202.0
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=172.22.202.24/8 interface=ether1 network=172.0.0.0
add address=172.22.202.9 interface=ether1 network=172.0.0.0
add address=172.22.202.10/24 interface=ether1 network=172.22.202.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=172.22.202.24 in-interface=ether1 \
    to-addresses=192.168.1.160
add action=src-nat chain=srcnat out-interface=ether1 src-address=\
    192.168.1.160 to-addresses=172.22.202.24
add action=dst-nat chain=dstnat dst-address=172.22.202.9 in-interface=ether1 \
    to-addresses=192.168.1.21
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.1.21 \
    to-addresses=172.22.202.9
add action=dst-nat chain=dstnat dst-address=172.22.202.10 in-interface=ether1 \
    to-addresses=192.168.1.22
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.1.22 \
    to-addresses=172.22.202.10
add action=src-nat chain=srcnat out-interface=ether2 to-addresses=192.168.1.1
/ip route
add dst-address=0.0.0.0/0 gateway=172.22.202.1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1,ether2 filter-ip-protocol=icmp \
    filter-mac-protocol=ip filter-operator-between-entries=and

Please, post also the output of:
/ip route print

Here is the output for /ip route print

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS      GATEWAY       DISTANCE
0  As+ 0.0.0.0/0        172.22.202.1         1
1  As+ 0.0.0.0/0        172.22.202.1         1
  DAc  172.0.0.0/8      ether1               0
  DAc+ 172.22.202.0/24  ether1               0
  DAc+ 172.22.202.0/24  ether1               0
  DAc+ 192.168.1.0/24   bridge               0
  DAc+ 192.168.1.0/24   ether2               0
  DAc  172.0.0.0/32     ether1               0

Your configuration doesn't work because you have strayed from the righteous path.

The "default configuration" for these routers is for the typical home router scenario, where you have an ISP connection, a local address pool, a local bridge, dhcp server, etc. Also, it comes with a firewall that is supposed to protect your internal devices from external connections. This is wholly unsuitable for what you are trying to do.

That's why I asked you to do a system->reset configuration with no-default-config checked, so that you can start off from a bare router. (You will have to establish a MAC Winbox connection to the device after this.)

Starting from your current configuration, you would have to manually remove everything that the default configuration has added, so I suggest that you simply start by resetting your router and applying the configuration that you have (of course, I mean only the parts that you've added manually).

The configuration that you have applied, btw., is off to a good start, and seems almost correct.

One of the things that immediately stands out is that you have incorrect prefix lengths on your addresses on the 172.22 side. Only one address should have the real prefix length, which is 172.22.202.3/24 (the actual address of the router); all the others should be /32 (those are the addresses that the router "impersonates" for the other devices behind it).

/24 would also work, so this is not the big problem with your configuration, but the fact that the default configuration interferes with your custom one. Correct that and you should be very close to getting a working setup.

I didn't see anything about resetting it to NOT have the default config, but I have done that now. I have only set up the camera now because I don't want to set up the others if the camera isn't even working.

I set up the packet sniffer again because I can't ping the camera from my PC, but I can ping it from within the Mikrotik terminal. Here are the results of that. I started by pinging the Mikrotik 4 times from my PC, then I tried to ping the camera 4 times from my PC.

Columns: NUM, DIRECTION, TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, SIZE
 #  NUM  DIRECTION  TIME    INTERFACE  SRC-ADDRESS    DST-ADDRESS    SIZE
 0    1  rx         2.846   ether1     172.22.10.17   172.22.202.3     74
 1    2  tx         2.847   ether1     172.22.202.3   172.22.10.17     74
 2    3  rx         3.86    ether1     172.22.10.17   172.22.202.3     74
 3    4  tx         3.86    ether1     172.22.202.3   172.22.10.17     74
 4    5  rx         4.86    ether1     172.22.10.17   172.22.202.3     74
 5    6  tx         4.861   ether1     172.22.202.3   172.22.10.17     74
 6    7  rx         5.923   ether1     172.22.10.17   172.22.202.3     74
 7    8  tx         5.923   ether1     172.22.202.3   172.22.10.17     74
 8    9  tx         6.88    ether2     192.168.1.1    192.168.1.160   103
 9   10  tx         6.881   ether2     192.168.1.1    192.168.1.160   103
10   11  rx         8.015   ether1     172.22.10.17   172.22.202.24    74
11   12  tx         11.171  ether1     172.22.202.24  172.22.10.17    102
12   13  rx         11.209  ether1     172.22.10.17   172.22.202.24    74
13   14  tx         14.301  ether1     172.22.202.24  172.22.10.17    102
14   15  rx         14.31   ether1     172.22.10.17   172.22.202.24    74
15   16  tx         16.902  ether2     192.168.1.1    192.168.1.160   103
16   17  tx         16.903  ether2     192.168.1.1    192.168.1.160   103
17   18  tx         17.411  ether1     172.22.202.24  172.22.10.17    102
18   19  rx         17.437  ether1     172.22.10.17   172.22.202.24    74
19   20  tx         20.531  ether1     172.22.202.24  172.22.10.17    102
20   21  tx         22.981  ether2     192.168.1.1    192.168.1.160   100
21   22  tx         22.982  ether2     192.168.1.1    192.168.1.160   100

Here is also the config just to show that I have reset it all and only added what I thought was necessary for now.

# 2026-01-29 11:41:11 by RouterOS 7.18.2
# software id = XXXXXXXX
#
# model = RB760iGS
# serial number = XXXXXXXX
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=172.22.202.3/24 interface=ether1 network=172.22.202.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=172.22.202.24/8 interface=ether1 network=172.0.0.0
/ip dns
set servers=172.21.60.16,10.0.1.34
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=172.22.202.24 in-interface=ether1 \
    to-addresses=192.168.1.160
add action=src-nat chain=srcnat out-interface=ether1 src-address=\
    192.168.1.160 to-addresses=172.22.202.24
/ip route
add dst-address=0.0.0.0/0 gateway=172.22.202.1
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool sniffer
set filter-interface=ether1,ether2 filter-ip-protocol=icmp \
    filter-mac-protocol=ip filter-operator-between-entries=and

Everything should be back to square 1 now.
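The check suggested earlier in the thread (does a packet that arrives on ether1 for a mapped address show up on ether2 with the translated destination?) can be done mechanically on the text that `/tool/sniffer/packet/print` produces. The following is an added example written for this thread, not code from the thread or from MikroTik. It uses a subset of the rows from the capture posted just above as real sample input, plus a constructed second sample showing what a working translation looks like; the one-second window and the rule that NAT leaves the packet size unchanged are assumptions of this check, not something the thread states.

```python
"""Find packets in a RouterOS sniffer print that were never forwarded through the NAT.

Added example for this thread, not code from the thread or from MikroTik.
Input is the text of
  /tool/sniffer/packet/print proplist=num,direction,time,interface,src-address,dst-address,size
For every packet received on ether1 for a mapped outside address, look for the
translated copy leaving on ether2: same size, inside destination, within a window.
"""
import re
from dataclasses import dataclass

OUTSIDE_IF, INSIDE_IF = "ether1", "ether2"
# outside -> inside, from the thread.
MAPPING = {"172.22.202.24": "192.168.1.160"}

# Subset of the capture posted above (real rows from the thread).
CAPTURE = """\
 #  NUM  DIRECTION  TIME    INTERFACE  SRC-ADDRESS    DST-ADDRESS    SIZE
 6    7  rx         5.923   ether1     172.22.10.17   172.22.202.3     74
 7    8  tx         5.923   ether1     172.22.202.3   172.22.10.17     74
 8    9  tx         6.88    ether2     192.168.1.1    192.168.1.160   103
10   11  rx         8.015   ether1     172.22.10.17   172.22.202.24    74
11   12  tx         11.171  ether1     172.22.202.24  172.22.10.17    102
12   13  rx         11.209  ether1     172.22.10.17   172.22.202.24    74
13   14  tx         14.301  ether1     172.22.202.24  172.22.10.17    102
14   15  rx         14.31   ether1     172.22.10.17   172.22.202.24    74
15   16  tx         16.902  ether2     192.168.1.1    192.168.1.160   103
18   19  rx         17.437  ether1     172.22.10.17   172.22.202.24    74
19   20  tx         20.531  ether1     172.22.202.24  172.22.10.17    102
"""

# Constructed sample (not from the thread) of a working 1:1 NAT: the request is
# translated onto ether2 and the reply is translated back onto ether1.
WORKING = """\
 0    1  rx         1.000   ether1     172.22.10.17   172.22.202.24    74
 1    2  tx         1.001   ether2     172.22.10.17   192.168.1.160    74
 2    3  rx         1.004   ether2     192.168.1.160  172.22.10.17     74
 3    4  tx         1.004   ether1     172.22.202.24  172.22.10.17     74
"""

ROW = re.compile(
    r"^\s*\d+\s+(\d+)\s+(rx|tx)\s+([\d.]+)\s+(\S+)\s+([\d.]+)\s+([\d.]+)\s+(\d+)\s*$"
)


@dataclass
class Packet:
    num: int
    direction: str
    time: float
    iface: str
    src: str
    dst: str
    size: int


def parse(text):
    """Parse the print output; the header and any non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            num, direction, t, iface, src, dst, size = m.groups()
            packets.append(Packet(int(num), direction, float(t), iface, src, dst, int(size)))
    return packets


def unforwarded(packets, mapping, window=1.0):
    """Packets received on ether1 for a mapped address with no translated copy on ether2.

    Only destination, size and time are compared: NAT does not change the size,
    and the source is deliberately not compared because the srcnat "hack" on
    ether2 from earlier in the thread would rewrite it.
    """
    missing = []
    for p in packets:
        if p.direction != "rx" or p.iface != OUTSIDE_IF or p.dst not in mapping:
            continue
        inside = mapping[p.dst]
        forwarded = any(
            q.direction == "tx" and q.iface == INSIDE_IF and q.dst == inside
            and q.size == p.size and p.time <= q.time <= p.time + window
            for q in packets
        )
        if not forwarded:
            missing.append(p)
    return missing


def report(text, mapping):
    """Summary a reply could quote: how many requests were checked and which were lost."""
    packets = parse(text)
    checked = [p for p in packets
               if p.direction == "rx" and p.iface == OUTSIDE_IF and p.dst in mapping]
    lost = unforwarded(packets, mapping)
    return {"checked": len(checked), "unforwarded": [p.num for p in lost]}


if __name__ == "__main__":
    print("thread capture:", report(CAPTURE, MAPPING))
    print("working NAT:   ", report(WORKING, MAPPING))
```

On the thread's rows every echo request for 172.22.202.24 is reported as unforwarded, because nothing of the same size ever leaves ether2 toward 192.168.1.160; on the constructed sample nothing is reported. Pings to the router's own 172.22.202.3 are ignored, since they are answered locally and never need forwarding.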

Now we're getting somewhere :) So step by step:

(1) You don't need the interface lists. They don't help, but don't hurt either.

(2) The addresses are still messed up. For your current situation you should do:

# This is correct!
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0

# This as well!
add address=172.22.202.3/24 interface=ether1 network=172.22.202.0

# Delete this! There is no connection to any 192.168.1.x network via ether1
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0

# Correct this to address=172.22.202.24/32 (and network=172.22.202.24)
add address=172.22.202.24/8 interface=ether1 network=172.0.0.0

(The third line is what's messing up your routing. Once you delete that, things will look much better.)

As you add more devices, only the last (/32) address line should be repeated for each address, along with the two NAT rules for each.

The rest is fine!

Only as a side note:

It is rare to find such a "wide" subnet address; with that you can connect to ALL the 16,777,214 IPs in the range 172.0.0.1 - 172.255.255.254.
Are you sure you want that?