Hi,
I need to get two devices with identical network interface configuration to communicate with each other.
I cannot change their configuration.
I use a MikroTik RB952Ui (hAP ac lite) with RouterOS 6.49.1 (stable).
Configuration is:
dev2:
IP: 192.168.1.1/24
GW: 192.168.1.254
dev3:
IP: 192.168.1.1/24
GW: 192.168.1.254
dev2 is connected to eth2
dev3 is connected to eth3
What I’m trying to achieve is:
- flow from dev2 to 192.168.3.1 goes to dev3 (it should be dropped if dev3 doesn’t exist)
flow from dev2 to 192.168.2.1 goes back to dev2 (there should be hairpin nat here so dev2 “thinks” that reverse flow is coming from 192.168.2.1)
flow from dev3 to 192.168.2.1 goes to dev2 (it should be dropped if dev2 doesn’t exist)
flow from dev3 to 192.168.3.1 goes back to dev3 (there should be hairpin nat here so dev3 “thinks” that reverse flow is coming from 192.168.3.1)
eth2 and eth3 are in separate VLANs, roughly as in the configuration below, but it doesn’t work.
I tried to map dev2 to 192.168.2.1 in its VLAN and dev3 to 192.168.3.1 in its VLAN.
Does anyone have a working solution to this problem?
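# Layer-2 setup: one VLAN-filtering bridge with ether2 and ether3 as untagged
# access ports in separate VLANs (2 and 3), so the two hosts that share
# 192.168.1.1/24 are never in the same broadcast domain.
/interface bridge
add ingress-filtering=yes name=bridge-vlan vlan-filtering=yes
# The VLAN interfaces belong under /interface vlan: interface= and vlan-id=
# are not properties of /interface bridge, so without this header the two
# lines below do not parse as bridge definitions.
/interface vlan
add interface=bridge-vlan name=vlan-2 vlan-id=2
add interface=bridge-vlan name=vlan-3 vlan-id=3
/interface bridge port
# pvid assigns untagged frames from each port to that port's own VLAN.
add bridge=bridge-vlan ingress-filtering=yes interface=ether2 pvid=2
add bridge=bridge-vlan ingress-filtering=yes interface=ether3 pvid=3
/interface bridge settings
# Sends bridged traffic through the IP firewall as well; the in-bridge-port
# matchers used in /ip firewall mangle rely on this setting.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
# tagged=bridge-vlan makes the bridge itself a member of each VLAN, which is
# what lets the vlan-2 / vlan-3 interfaces receive traffic from the ports.
add bridge=bridge-vlan tagged=bridge-vlan untagged=ether2 vlan-ids=2
add bridge=bridge-vlan tagged=bridge-vlan untagged=ether3 vlan-ids=3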
/ip address
# 192.168.2.1 and 192.168.3.1 are the alias addresses the devices use to reach
# each other; the dst-nat rules below rewrite them to 192.168.1.1.
add address=192.168.2.1/24 interface=vlan-2 network=192.168.2.0
add address=192.168.3.1/24 interface=vlan-3 network=192.168.3.0
# The router answers as the devices' gateway (192.168.1.254) in both VLANs.
# NOTE(review): the same /24 on two interfaces presumably yields two connected
# routes for 192.168.1.0/24 in the main table, so any packet to 192.168.1.1
# that carries no routing mark has an ambiguous egress - verify.
add address=192.168.1.254/24 interface=vlan-2 network=192.168.1.0
add address=192.168.1.254/24 interface=vlan-3 network=192.168.1.0
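# Policy-routing marks. Both devices are 192.168.1.1, so after dst-nat the
# egress interface can only be chosen by routing mark:
#   routing mark vlan3_to_vlan2_packets -> route via vlan-3 (towards dev3)
#   routing mark vlan2_to_vlan3_packets -> route via vlan-2 (towards dev2)
# (names and gateways as defined under /ip route).
/ip firewall mangle
# dev2 -> 192.168.3.0/24: tag the connection. passthrough=yes lets the same
# packet continue to the mark-routing rules; with passthrough=no the packet
# leaves the chain here and never receives a routing mark.
# connection-mark=no-mark keeps reply packets from re-tagging a connection
# that the other direction already marked.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.3.0/24 in-bridge-port=ether2 \
    new-connection-mark=vlan3_to_vlan2_packets passthrough=yes
# dev3 -> 192.168.2.0/24: uses its own mark. Reusing vlan3_to_vlan2_packets
# here would leave the vlan2_to_vlan3_packets route unused.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.2.0/24 in-bridge-port=ether3 \
    new-connection-mark=vlan2_to_vlan3_packets passthrough=yes
# Connection opened by dev2: packets from dev2 go out vlan-3, replies arriving
# from dev3 go out vlan-2. Matching on the ingress port matters: a rule keyed
# on the connection mark alone would route the replies back out vlan-3.
add action=mark-routing chain=prerouting connection-mark=vlan3_to_vlan2_packets \
    in-bridge-port=ether2 new-routing-mark=vlan3_to_vlan2_packets passthrough=no
add action=mark-routing chain=prerouting connection-mark=vlan3_to_vlan2_packets \
    in-bridge-port=ether3 new-routing-mark=vlan2_to_vlan3_packets passthrough=no
# Connection opened by dev3: the mirror image of the two rules above.
add action=mark-routing chain=prerouting connection-mark=vlan2_to_vlan3_packets \
    in-bridge-port=ether3 new-routing-mark=vlan2_to_vlan3_packets passthrough=no
add action=mark-routing chain=prerouting connection-mark=vlan2_to_vlan3_packets \
    in-bridge-port=ether2 new-routing-mark=vlan3_to_vlan2_packets passthrough=no
# chain=output only sees packets the router itself generates; forwarded
# dev2 <-> dev3 traffic never traverses it.
add action=mark-routing chain=output connection-mark=vlan3_to_vlan2_packets \
    new-routing-mark=vlan3_to_vlan2_packets passthrough=no
add action=mark-routing chain=output connection-mark=vlan2_to_vlan3_packets \
    new-routing-mark=vlan2_to_vlan3_packets passthrough=no
# NOTE(review): the hairpin flows (dev2 -> 192.168.2.1, dev3 -> 192.168.3.1)
# are not marked by any rule here and fall through to the main table - verify
# how they should be routed.
# NOTE(review): in-bridge-port is kept from the original; in-interface=vlan-2 /
# in-interface=vlan-3 may be the simpler matcher for routed traffic - confirm
# on the device.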
/ip firewall nat
# Alias 192.168.2.1 -> 192.168.1.1 (meant to be dev2).
# NOTE(review): this rule has no in-interface or connection-mark matcher, so it
# rewrites traffic to 192.168.2.1 arriving on any interface, not only from
# dev3; narrow it if only the two devices should be able to use the alias.
add action=dst-nat chain=dstnat dst-address=192.168.2.1 to-addresses=\
192.168.1.1
# Alias 192.168.3.1 -> 192.168.1.1 (meant to be dev3), only for connections
# carrying the vlan3_to_vlan2_packets mark.
# NOTE(review): the hairpin flow dev3 -> 192.168.3.1 described in the text is
# presumably unmarked and would not match this rule - verify.
add action=dst-nat chain=dstnat connection-mark=vlan3_to_vlan2_packets \
dst-address=192.168.3.1 to-addresses=192.168.1.1
# Traffic leaving via vlan-2 with source 192.168.1.1 is presented as
# 192.168.2.1, so dev2 never sees its own address as the peer.
# NOTE(review): dev2 then sees traffic from dev3 as coming from 192.168.2.1
# rather than 192.168.3.1 - confirm that is the intended mapping.
add action=src-nat chain=srcnat out-interface=vlan-2 src-address=192.168.1.1 \
to-addresses=192.168.2.1
# Same idea towards dev3: marked traffic leaving via vlan-3 is presented as
# 192.168.3.1.
add action=src-nat chain=srcnat connection-mark=vlan3_to_vlan2_packets \
out-interface=vlan-3 src-address=192.168.1.1 to-addresses=192.168.3.1
# NOTE(review): no /ip firewall filter rules are shown on this page, so nothing
# here drops a flow when the peer is absent or restricts which hosts may reach
# the aliases; NAT alone does not provide that.
/ip route
# Policy routes: with both devices on 192.168.1.0/24, the routing mark is the
# only thing that selects the egress VLAN.
# Packets marked vlan3_to_vlan2_packets leave via vlan-3 (towards dev3).
add distance=1 dst-address=192.168.1.0/24 gateway=vlan-3 routing-mark=\
vlan3_to_vlan2_packets
# Packets marked vlan2_to_vlan3_packets leave via vlan-2 (towards dev2). This
# route only takes effect if a mangle rule sets
# new-routing-mark=vlan2_to_vlan3_packets; check that /ip firewall mangle
# actually assigns that mark.
add distance=1 dst-address=192.168.1.0/24 gateway=vlan-2 routing-mark=\
vlan2_to_vlan3_packets