Simple NAT 1:1 Setup

Hello All,
I currently have an industrial application where we are trying to NAT local PLCs to our industrial network. The “Public” IP is still local, the DHCP server resides on premise, but we assign static to the PLCs we want to access.

Test Setup:
PC1 - resides on separate connection to network, DHCP IP 10.101.54.22/15, Gateway 10.100.0.1

  • direct connection via ether5 through separate NIC for Mikrotik Winbox connection (IP 169.254.62.184, Mask 255.255.0.0, GW = n/a) - also route table does not route traffic through this connection.
PC2 (acting as a PLC for testing only) - resides inside MT network, Static IP 192.168.1.10/24, No Gateway (want “public” IP to be 10.100.198.41)
MT RB750R2 - RouterOS 7.14.3. Has Netmask of 255.254.0.0 (/15) and Gateway of 10.100.0.1

What Works:
Ping from PC2->PC1 successful

  • Wireshark sees packet both PC2 and PC1
/tool sniffer quick ip-protocol=icmp ip-address=10.101.54.22
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, VLAN, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE  TIME   NUM  DIR  SRC-MAC            DST-MAC            VLAN  SRC-ADDRESS    DST-ADDRESS    PROTOCOL  SIZE  CPU
ether2     4.237    1  <-   10:65:30:EF:F3:4A  18:FD:74:67:6B:59        192.168.1.10   10.101.54.22   ip:icmp     74    0
Bridge     4.237    2  <-   10:65:30:EF:F3:4A  18:FD:74:67:6B:59     5  192.168.1.10   10.101.54.22   ip:icmp     78    0
vl5        4.237    3  <-   10:65:30:EF:F3:4A  18:FD:74:67:6B:59        192.168.1.10   10.101.54.22   ip:icmp     74    0
ether1     4.237    4  ->   18:FD:74:67:6B:58  D4:81:D7:B1:B7:9D        10.100.198.41  10.101.54.22   ip:icmp     74    0
ether1     4.238    5  <-   18:4C:08:70:A3:C0  18:FD:74:67:6B:58        10.101.54.22   10.100.198.41  ip:icmp     74    0
vl5        4.238    6  ->   18:FD:74:67:6B:59  10:65:30:EF:F3:4A        10.101.54.22   192.168.1.10   ip:icmp     74    0
Bridge     4.238    7  ->   18:FD:74:67:6B:59  10:65:30:EF:F3:4A     5  10.101.54.22   192.168.1.10   ip:icmp     78    0
ether2     4.238    8  ->   18:FD:74:67:6B:59  10:65:30:EF:F3:4A        10.101.54.22   192.168.1.10   ip:icmp     74    0

The Issue:
Unable to ping from PC1->PC2

  • Wireshark sees packet but results in timeout on both PC1 and PC2.
  • makes no difference if eth5 is disconnected
/tool sniffer quick ip-protocol=icmp ip-address=10.101.54.22 
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, VLAN, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE  TIME   NUM  DIR  SRC-MAC            DST-MAC            VLAN  SRC-ADDRESS   DST-ADDRESS    PROTOCOL  SIZE  CPU
ether1     3.409    1  <-   18:4C:08:70:A3:C0  18:FD:74:67:6B:58        10.101.54.22  10.100.198.41  ip:icmp     74    0
vl5        3.41     2  ->   18:FD:74:67:6B:59  10:65:30:EF:F3:4A        10.101.54.22  192.168.1.10   ip:icmp     74    0
Bridge     3.41     3  ->   18:FD:74:67:6B:59  10:65:30:EF:F3:4A     5  10.101.54.22  192.168.1.10   ip:icmp     78    0
ether2     3.41     4  ->   18:FD:74:67:6B:59  10:65:30:EF:F3:4A        10.101.54.22  192.168.1.10   ip:icmp     74    0

What has been tried:
Current Configuration:

/export hide-sensitive
# 1970-01-02 00:24:39 by RouterOS 7.14.3
# software id = xxx
#
# model = RB750r2
# serial number = xxx
/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add comment=SCADA-INSIDE interface=Bridge name=vl5 vlan-id=5
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=Bridge comment=SCADA-INSIDE interface=ether2 pvid=5
add bridge=Bridge comment=SCADA-INSIDE interface=ether3 pvid=5
add bridge=Bridge comment=SCADA-INSIDE interface=ether4 pvid=5
add bridge=Bridge comment=SCADA-INSIDE interface=ether5 pvid=5
add bridge=Bridge comment=SCADA-OUTSIDE disabled=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=Bridge comment=SCADA-INSIDE tagged=Bridge untagged=ether2,ether3,ether5,ether4 vlan-ids=5
/ip address
add address=192.168.1.1/24 comment=SCADA-INSIDE interface=vl5 network=192.168.1.0
add address=10.100.198.41/15 comment=SCADA-OUTSIDE interface=ether1 network=10.100.0.0
/ip firewall filter
add action=accept chain=input
add action=accept chain=output
add action=accept chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=srcnat out-interface=ether1 src-address=192.168.1.10 to-addresses=10.100.198.41
add action=netmap chain=dstnat dst-address=10.100.198.41 in-interface=ether1 to-addresses=192.168.1.10
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.100.0.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system note
set show-at-login=no

From everything I have been learning, netmap should be the 1:1 mapping method. When I review the packet counters, and ping from PC1->PC2, Firewall Filter-> Forward rule increments as does dstnat rule (but only 1 time until idle for ~10 seconds). This would have me believe it was routing correctly, however it does not return to PC1 and results in a timeout.
On a ping from PC2->PC1, I don’t see any counters increment masq, srcnat, or dstnat - and yet it feeds it through and back to PC2, and I get a valid ping response - I expected to see srcnat rule increment, as it came from local 192.168.1.10 NAT’d to 10.100.198.41 out to 10.101.54.22 and back.

Anyone have any ideas what could be the main cause of PC1->PC2 not getting back to complete the ping?
Please advise if anything else can be shared that would help troubleshoot this.

Thank you,
AlphaWolfXV

My guess would be firewall on PC2 blocking incoming ping requests.

Other than that, I probably misunderstood “No Gateway” for PC2, it must have gateway 192.168.1.1, otherwise it wouldn’t work at all. Counters not incrementing for PC2->PC1 ping is probably oversight, because it happens only at the beginning of “connection”, and you’d have to stop the ping and wait some time before it expires and next ping will be seen as new and increments NAT counters again.

You also want the masquerade rule (if you need it at all) after srcnat netmap. When it’s first, it’s always used instead of netmap (even though in this case, if there’s no other traffic, the result is same).
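
An added illustration of the rule-ordering point (editor's example, not configuration posted by either participant): RouterOS walks the srcnat chain top-down and the first matching rule decides the translation for that connection, so a generic masquerade placed above the netmap rule claims the PLC's traffic. The interface names and addresses (ether1, vl5, 192.168.1.10, 10.100.198.41, 10.101.54.22) are the thread's own; the reset/print commands are standard RouterOS 7 commands used here to check which rule a fresh flow hits.

```routeros
# Ordering that hides the 1:1 mapping: the generic masquerade matches first,
# so traffic from 192.168.1.10 leaves with the ether1 address picked by masquerade
# (here the same 10.100.198.41, which is why the symptom is invisible in this setup).
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=netmap out-interface=ether1 src-address=192.168.1.10 to-addresses=10.100.198.41

# Ordering that keeps the 1:1 mapping explicit: the specific netmap rules first,
# the catch-all masquerade (only if other inside hosts need it at all) last.
/ip firewall nat
add chain=srcnat action=netmap out-interface=ether1 src-address=192.168.1.10 to-addresses=10.100.198.41
add chain=dstnat action=netmap in-interface=ether1 dst-address=10.100.198.41 to-addresses=192.168.1.10
add chain=srcnat action=masquerade out-interface=ether1

# Checking which rule a new flow used. NAT rules are consulted only for the
# first packet of a tracked connection, so drop the existing entry for the
# test host before pinging; otherwise the counters stay flat, as observed above.
/ip firewall connection remove [find src-address~"192.168.1.10"]
/ip firewall nat reset-counters-all
# ... run the ping from PC2 to PC1, then:
/ip firewall nat print stats
/ip firewall connection print detail where dst-address~"10.101.54.22"
```

In the connection entry, reply-dst-address shows the translated source the far side will answer to; for the netmap rule it must read 10.100.198.41, and the packet counter of that rule, not the masquerade rule, should have moved.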

Sob,
Thank you very much for assisting. I was maybe not clear in my description. The PLC devices that are currently on their own local network, have no default gateway applied. My PC2 test station I set up as: IPv4, Static IP: 192.168.1.10, Mask 255.255.255.0, GW = (leave blank) - in an effort to simulate the PLC. All Firewalls (both PC1&2) have been set to allow ICMP requests (both incoming and outgoing) for private and domain networks, and the network identifies as private. With this current configuration, PC2-> PC1 actively pings correctly, but PC1->PC2 times out.

Interestingly (or not) I set up pfsense on bare metal computer, and configured NAT through there and was successful PC1-> PC2, so I suspect this is still related to something I have mis-configured in MT. I prefer Mikrotik solution, as it accepts 24V out of the gate and the price is right - for what we are trying to achieve.

I did update to change the default GW on PC2 to 192.168.1.1 - and the result is same, PC2->PC1 ping is successful, PC1->PC2 timeout.

Thank you for the note on moving the masquerade rule, but as you said - it did not change the overall result.

I much appreciate the help - Thank you.

The problem with missing gateway is that it really can’t work without it. If PLC/PC2 has only 192.168.1.0/24 and no gateway, it means that it knows how to reach any 192.168.1.x, but has no idea where packets to any other address should go.

If you try to ping PC1’s 10.101.54.22, you should get an error (“no route to host” or something like that). If you can ping it, it’s the mystery that needs to be solved first. Is the PC2 connected only to this router, couldn’t it be perhaps connected also to wifi or something? Not that it would explain how you could have better luck with pfSense.

The same problem would be for PC1->PC2. If PC2 gets ping request from 10.101.54.22, without default gateway it doesn’t know where to send response. This case could be fixed with another srcnat/masquerade, e.g.:

/ip firewall nat
add chain=srcnat out-interface=vl5 dst-address=192.168.1.10

which would change source to 192.168.1.1 and PC2 knows how to reach that.

Thank you again for your help - it is a mystery.

Can it be that the MT command to add the 192.168.1.1 address gives a “default” route for anything on the /24 of that network?

add address=192.168.1.1/24 comment=SCADA-INSIDE interface=vl5 network=192.168.1.0

Also, is it possible the default route of 0.0.0.0/0 to GW 10.100.0.1 can help with this?

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.100.0.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

PC2 has no wifi connection, nor any other ethernet except for the one connected to MT RB750 (ether2).

I have added the gateway back in on the PC2 and also added the new srcnat rule - haven’t seen any changes. Just to clarify, when I make a Firewall NAT change, I need to manually remove all the connections from the connections tab correct? To make sure it flushes and starts using the new rules? Also is there a time that it takes from making a change to actually implementing the change?

To summarize, with or without the default gateway (but currently PC2 GW set to 192.168.1.1):
PC2->PC1:
  • shows (in powershell)
    Reply from 10.101.54.22: bytes 32 time 1ms TTL=126
  • In wireshark I get both the request and the reply on PC2 and PC1.
  • If I disconnect the network cable from PC1, I get timeout and on plugging back in success continues.

PC1-> PC2:
  • shows (in powershell)
    Request timed out.
  • In Wireshark both PC1 and PC2 show only “request” and
    (no response found!)

Updated Config:

# 1970-01-02 03:42:18 by RouterOS 7.14.3
# software id = xx
#
# model = RB750r2
# serial number = xxx
/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add comment=SCADA-INSIDE interface=Bridge name=vl5 vlan-id=5
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=Bridge comment=SCADA-INSIDE interface=ether2 pvid=5
add bridge=Bridge comment=SCADA-INSIDE interface=ether3 pvid=5
add bridge=Bridge comment=SCADA-INSIDE interface=ether4 pvid=5
add bridge=Bridge comment=SCADA-INSIDE interface=ether5 pvid=5
add bridge=Bridge comment=SCADA-OUTSIDE disabled=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=Bridge comment=SCADA-INSIDE tagged=Bridge untagged=ether2,ether3,ether5,ether4 vlan-ids=5
/ip address
add address=192.168.1.1/24 comment=SCADA-INSIDE interface=vl5 network=192.168.1.0
add address=10.100.198.41/15 comment=SCADA-OUTSIDE interface=ether1 network=10.100.0.0
/ip firewall filter
add action=accept chain=input
add action=accept chain=output
add action=accept chain=forward
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.10 out-interface=vl5
add action=netmap chain=srcnat out-interface=ether1 src-address=192.168.1.10 to-addresses=10.100.198.41
add action=netmap chain=dstnat dst-address=10.100.198.41 in-interface=ether1 to-addresses=192.168.1.10
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.100.0.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system note
set show-at-login=no

Thank you again for all your help.

In random order:

  • For solving the mystery, check (on PC2) “ipconfig /all” and “route print”. Even if you remove default gateway, it should be there … somehow.
  • Sorry about the srcnat rule I posted, it’s incomplete, it should have action=masquerade.
  • No, address on router doesn’t provide default gateway to connected devices.
  • Default route on router doesn’t provide default gateway to connected devices either.
  • Yes, removing connections from Connections tab resets the state and can be useful for debugging.
  • All changes to firewall take effect immediately (when there are already established connections, it may behave differently than you might expect, but you know how to deal with them ^^^).
  • If on PC2 you see ping request from PC1, it means that it already successfully passed through router. If there’s no response seen by Wireshark on PC2, it’s PC2’s fault for not sending it.

Sob - Thank you very much! That solved it!!!

The Action masquerade for the new rule worked for PC1->PC2 and did not break PC2->PC1. Thank you.

add action=masquerade chain=srcnat dst-address=192.168.1.10 out-interface=vl5

As for the ipconfig on PC2, it shows no Gateway, but also as you stated, route print - shows the 10.100.0.0 with mask of 255.254.0.0 with a gateway of 192.168.1.1 on interface 192.168.1.10 - so you were right on that! Thank you very much for all the help - you are awesome!

Updated Config for reference:

[admin@MikroTik] /ip/firewall/nat> /export hide-sensitive
# 1970-01-02 04:48:59 by RouterOS 7.14.3
# software id = xxx
#
# model = RB750r2
# serial number = yyy
/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add comment=SCADA-INSIDE interface=Bridge name=vl5 vlan-id=5
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=Bridge comment=SCADA-INSIDE interface=ether2 pvid=5
add bridge=Bridge comment=SCADA-INSIDE interface=ether3 pvid=5
add bridge=Bridge comment=SCADA-INSIDE interface=ether4 pvid=5
add bridge=Bridge comment=SCADA-INSIDE interface=ether5 pvid=5
add bridge=Bridge comment=SCADA-OUTSIDE disabled=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=Bridge comment=SCADA-INSIDE tagged=Bridge untagged=ether2,ether3,ether5,ether4 vlan-ids=5
/ip address
add address=192.168.1.1/24 comment=SCADA-INSIDE interface=vl5 network=192.168.1.0
add address=10.100.198.41/15 comment=SCADA-OUTSIDE interface=ether1 network=10.100.0.0
/ip firewall filter
add action=accept chain=input
add action=accept chain=output
add action=accept chain=forward
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.10 out-interface=vl5
add action=netmap chain=srcnat out-interface=ether1 src-address=192.168.1.10 to-addresses=10.100.198.41
add action=netmap chain=dstnat dst-address=10.100.198.41 in-interface=ether1 to-addresses=192.168.1.10
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.100.0.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system note
set show-at-login=no

Thanks again!
AlphaWolfXV

Actually, if the new masquerade rule helped, you should check PC2’s firewall again and make sure that it allows icmp from anywhere and not just from local subnet. Then this masquerade rule wouldn’t be needed. But you would need it for PLC if that really doesn’t have any gateway.
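
A tightened version of the working setup, added here as an editor's example and not posted by either participant. The NAT rules are the thread's final three; the filter rules replace the three accept-everything rules with a default-deny policy, which matters because the 1:1 mapping makes the PLC reachable from the whole plant network. Assumptions: management reaches the router through the inside VLAN vl5, the allowed client list (with PC1's 10.101.54.22 as a constructed entry) is maintained in an address list, and TCP 502 stands in for whatever protocol port the real PLC uses.

```routeros
/ip firewall address-list
# Plant-side hosts allowed to reach the PLC (constructed example entry: PC1).
add list=scada-clients address=10.101.54.22 comment="engineering workstation"

/ip firewall nat
# Inside-facing masquerade: needed only for PLCs without a default gateway.
# It rewrites the client source to 192.168.1.1 so the PLC can answer on-link.
add chain=srcnat action=masquerade out-interface=vl5 dst-address=192.168.1.10
# 1:1 mapping; specific rules, no catch-all masquerade toward ether1.
add chain=srcnat action=netmap out-interface=ether1 src-address=192.168.1.10 to-addresses=10.100.198.41
add chain=dstnat action=netmap in-interface=ether1 dst-address=10.100.198.41 to-addresses=192.168.1.10

/ip firewall filter
# input: traffic to the router itself. Replies, ICMP and management from
# the inside VLAN only; nothing else from the plant side on ether1.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface=vl5 comment="management from SCADA-INSIDE (assumed)"
add chain=input action=drop comment="default deny, including ether1"

# forward: what may cross between the plant network and the PLC.
# dstnat runs before this chain, so the PLC is already seen as 192.168.1.10 here.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# plant -> PLC: listed clients only, ICMP and the PLC protocol port only.
add chain=forward action=accept in-interface=ether1 out-interface=vl5 src-address-list=scada-clients dst-address=192.168.1.10 protocol=icmp
add chain=forward action=accept in-interface=ether1 out-interface=vl5 src-address-list=scada-clients dst-address=192.168.1.10 protocol=tcp dst-port=502 comment="502 assumed; use the real PLC port"
# PLC -> plant: the PC2->PC1 direction from the thread; narrow further if the PLC never initiates.
add chain=forward action=accept in-interface=vl5 out-interface=ether1 src-address=192.168.1.10
add chain=forward action=drop comment="default deny"
```

With these rules the PC1->PC2 ping still works through the dstnat netmap, the PLC's own outbound traffic still leaves as 10.100.198.41, and anything else arriving on ether1 for the mapped address, or for the router itself, is dropped rather than forwarded.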