Hello,
I am beginner in this field, and I need your guidance how to configure MikroTik Router (using Winbox) to connect PC and Ethernet device (it might be HMI, PLC, Camera, any devices with Ethernet port) on two different networks, for example - 192.168.7.200 and 192.168.2.10. No Internet, no DHCP, no DHS, no WIFI, just static IPs.
Thank you for your help, much appreciated.
Setup slightly differs depending on whether you want to use one or mutiple ethernet interfaces for connecting devices in particular subnet. E.g. if you want to connect two devices from subnet 192.168.7.x/24 and two devices from subnet 192.168.2.x/24, then you would have to “partition” your MT router into two parts. Each part would be built off a bridge (something like an ethernet switch), spanning two ethernet ports. If you only wanted to connect one of devices in each subnet at the same time, then you could skip this part.
Then you have to set up router with IP address on each of those subnet devices (either bridge or ethernet port).
The following step depends on whether those devices can use router as their default gateway or not. I’m assuming the IoT gadgets (HMI, PLC, Camera, any devices with Ethernet port) can’t and you’ll have to configure router to perform SRC-NAT on the way from PC subnet towards IoT subnet. Which means that from PC you’ll initiate connection towards gadget’s real IP address. Router will replace PC’s address with it’s own address and gadget will respond to router’s address (which is in the same subnet and hence gadget doesn’t need any routing configuration).
If you need some more concrete advice, then describe your use case more in detail.
First of all, thank you for your reply, mkx.
Only one device on every subnet will be connected.
If I understood correctly, I have to do the following steps:
If you have say a hair dryer, connected to ethernet, and it has to be configured manually … entering IP address. Some devices can’t be configured with gateway address which means that (without some tricks) they can only communicate with devices within same LAN subnet. Assuming your hair dryer is one of those devices it will be able to communicate with router directly (because router will have appropriate IP address on one of its interfaces), but won’t know how to talk to your PC because for that it would have to use gateway and hair dryer has no idea about gateways.
And to overcome this problem, one uses SRC-NAT … when PC talks to hair dryer, hair dryer thinks it’s router communicating to it and can send replies … which (after un-SRC-NATing) arrive at PC.
If, on other hand, hair dryer could be configured to use RB as it’s default gateway, then the whole SRC-NAT would not be needed because when talking to PC hair dryer would know that PC is not directly accessible and would use gateway as proxy.
So to the configuration: by default SOHO RouterBoards come configured in a way that ether1 is used as WAN port and the rest of interfaces are bridged together (in a switched group). If you want to use say ether4 and ether5 for your exercise, then you have to take these two interfaces out of list of bridged ports. After that you assign addresses directly to ether ports and configure SRC-NAT between both subnets.
Alternatively you can keep most of default configuration on router intact, only take ether5 out of bridge and assign ether5 with address from ioT subnet. Add SRC-NAT rule for all traffic with out-interface=ether5 and you can access those devices from any device connected to router’s LAN (ports ether2-ether4, wifi, …).
Can you please have a look at the configuration below:
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.7.120 interface=ether3 network=192.168.7.0
add address=192.168.2.20 interface=ether2 network=192.168.2.0
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.7.120 to-addresses=
192.168.2.20
Provide that PC has IP address 192.168.2.12 and the IoT 192.168.7.100.
You have quite a few errors in your config:
Your SRC-NAT configuration, even if it was fine to construct it using addresses, was not OK, it should have been
Because: src-address is matching criteria which tells NAT engine which packets it should affect and in your case it should affect packets send by PC. At the same time it’s good to narrow down the matching to packets with destination IP of IoT device (in your particular use case it wouldn’t matter much, but if there was internet access involved, then this NAT rule would mess traffic towards internet royally). The to-address is part of action and in case of action=src-nat it instructs NAT engine to replace packet’s original src-address with value of to-address which should be some IP address which will enable target device to send replies (i.e. router’s IP address in the corresponding subnet).
With my “masquerade” rule things are a bit simpler: NAT engine will perform src-nat on any packets leaving it through interface ether3 and will automatically pick appropriate address for rewritten src-address. And we’re not limited to some particular source IP address nor to some particular destination address which means that PC can have any address (outside the IoT subnet that is) and IoT gadget (hair dryer) can have any IP address in same subnet as router has set on ether3 (so you could actually have many IoT gadgets connected to ether3 via some ethernet switch and you would be able to access all of them without adding specific NAT rules).
Thank you, mkx, for your time and your detailed explanations, it all makes perfect sense. I will try to correct the configuration in the office and revert.
So, I have made the corrections in the configuration. Now it is exactly the same as advised, mkx:
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.7.120/24 interface=ether3 network=192.168.7.0
add address=192.168.2.20/24 interface=ether2 network=192.168.2.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether3
I can ping the HMI from Winbox,but I cannot do that from laptop command line, and logically, I cannot read any data from HMI server. What is wrong now?
Does laptop use router as default gateway? Or at least as gateway for IoT subnet?
The laptop default gateway is 192.168.2.1.
So laptop doesn’t talk to router when trying to access HMI. Either set router’s IP address as default gateway on laptop … or set static route on main router (192.168.2.1) towards IoT network via 192.168.2.20 … or you’ll have to construct DST NAT on mikrotik (but personally I’d try to avoid that).
It worked!!! I set router’s IP address as default gateway on the laptop. You were great teacher, mkx, thanks a lot indeed. I have already prepared next challenge )))…