Routing/masquerading a device into different network

Posted: Tue Feb 27, 2018 4:59 pm
by Sky18
Hi guys,

I need to route/masquerade a device into a different network.

Configuration:
It is not possible to install a cable connection from the location where the Playstation 4 is to the target router.
Both routers are connected via the ether1 interface.
  • Device (Playstation 4) with IP 192.168.222.251 is connected to a MikroTik RB (192.168.222.1/24)
  • MikroTik RB (192.168.222.1/24) is connected via ether1 interface to FritzBox (192.168.178.1/24) router ether1 interface
  • The Playstation 4 should arrive there with IP 192.168.178.30

Please advise. THANKS!

Re: Routing/masquerading a device into different network

Posted: Tue Feb 27, 2018 7:02 pm
by mkx
A couple of questions:

how does PS4 connect to RB, via WiFi?
do you need some routing functionality of RB or you simply need a WiFi access point?

Re: Routing/masquerading a device into different network

Posted: Tue Feb 27, 2018 9:57 pm
by Sky18
Hi Metod,

the PS4 is connected via LAN cable. No WiFi available in this room.
I need the routing functionality in the RB 951G-2HnD.

Thanks, Tom

Re: Routing/masquerading a device into different network

Posted: Tue Feb 27, 2018 10:47 pm
by mkx
A bit of guesswork on my part...

First you need to add one or more IP addresses to the RB on ether1 belonging to Fritz' LAN segment (192.168.178.x); you can't have the same IP address for both network segments (RB's 'internal' LAN and the 'external' Fritz segment). You'd have the least complications using only one, the one that Fritz thinks belongs to the PS4 (192.168.178.30), but possibly more than one if other traffic passing through the RB has to use a different IP address on Fritz' LAN.

Then you add a masquerade queue in the NAT configuration. In case you only use one 'external' IP address on the RB, it's pretty straightforward:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.222.0/24
In case when you'll use several 'external' IP addresses on RB, it'll be slightly different (my guesswork starts here). You'll need several masquerade actions and order probably makes a difference:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 \
    src-address=192.168.222.251/32 dst-address=192.168.178.30 \
    comment="NAT for PS4"
add action=masquerade chain=srcnat out-interface=ether1 \
    src-address=192.168.222.0/24 dst-address=<the_default_RB_IP_address> \
    comment="default NAT"
I've never set up an RB to do NAT using more than one external IP address, hence my guesswork above might be far from correct. Hopefully someone experienced will correct me.
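As an added example (not the poster's configuration), here is one way to write the two-address variant sketched above. It uses action=src-nat with to-addresses for the PS4, which pins the translated source address explicitly instead of leaving masquerade to pick an interface address, and keeps masquerade as the catch-all. The RB's own address in the Fritz segment (192.168.178.20) is assumed; ether1 and the other addresses are those used in the thread.

```routeros
# Added example, not from the thread. Assumed: the RB's default address in
# the Fritz segment is 192.168.178.20; the Fritz expects the PS4 at .30.
/ip address
add address=192.168.178.20/24 interface=ether1 comment="RB default address in Fritz LAN"
add address=192.168.178.30/24 interface=ether1 comment="address the Fritz expects for the PS4"

/ip firewall nat
# Specific rule first: traffic from the PS4 leaves ether1 sourced from .30
add chain=srcnat action=src-nat out-interface=ether1 \
    src-address=192.168.222.251 to-addresses=192.168.178.30 \
    comment="NAT for PS4"
# Catch-all: every other LAN host is masqueraded behind the primary address
add chain=srcnat action=masquerade out-interface=ether1 \
    src-address=192.168.222.0/24 comment="default NAT"

# Check: the PS4 rule is listed above the default rule and its counters
# rise once the PS4 generates traffic.
/ip firewall nat print stats
```

Rule order matters because the first matching srcnat rule wins, so the PS4-specific rule has to sit above the catch-all. Both 192.168.178.20 and .30 should also be reserved or excluded on the FritzBox's DHCP server so it never hands them to another client.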

Re: Routing/masquerading a device into different network

Posted: Tue Feb 27, 2018 11:05 pm
by mkx
Thinking of it, perhaps there's another possibility: the switch chip in the RB is highly configurable and one can create more than one "sub-switch" grouping a subset of ethernet ports. The default setup is to have ports ether2-5 in a switch group while ether1 is isolated (the so-called WAN port). If the basic problem you're trying to solve is a lack of ethernet cables while you don't want to invest in an additional ethernet switch, then this might be a way to go (with the assumption that the PS4 does not have to interact with the rest of the devices in the RB's LAN): you can create two bridges inside the RB, one spanning ether1 and e.g. ether2 and the other bridge spanning the rest of the ports (similar to the default setup where there's a single bridge spanning ether ports 2-5). Then you'd hook the PS4 to ether2 and it would function as if there was only a dumb ethernet switch between the PS4 and Fritz. The RB would then route traffic between both bridges (while the default setup is to route traffic between the bridge and ether1).

Re: Routing/masquerading a device into different network

Posted: Tue Feb 27, 2018 11:25 pm
by poizzon
A very similar question is being solved here

https://www.youtube.com/watch?v=H4uaO8nDE4Q

Re: Routing/masquerading a device into different network

Posted: Wed Feb 28, 2018 8:54 am
by Sky18
Very good input Metod and poi. Thanks for supporting!
Will check tonight after returning from work and will report my findings.

Just a few clarifications relative to my infrastructure (hope I find some time today to draw a basic diagram of my network).

The RB is configured as a bridge with its own DHCP server. The FritzBox also has DHCP.
The ethernet cable from the RB to the location where the PS4 is also supports 2 PCs and 2 Smart TVs.

@Metod, you mentioned a switch. Not sure how this could help to solve my issue, but I have a very simple managed switch (Netgear GS105e v2) and an unmanaged switch in spare.

Thanks, Tom

Re: Routing/masquerading a device into different network

Posted: Wed Feb 28, 2018 9:42 am
by mkx
@Metod, you mentioned a switch. Not sure how this could help to solve my issue, but I have a very simple managed switch (Netgear GS105e v2) and an unmanaged switch in spare.
As I wrote: if the PS4 doesn't have to interact with the 2 PCs and 2 Smart TVs (at least not via ethernet), then it would be easier if you connected it to the "WAN" segment of your RB. Either by placing a switch in front of the RB (either of yours would do; personally I'd choose the managed one) or by reconfiguring the RB in the way I mentioned in my previous post ... and the link to the video tutorial that @poizzon mentioned in his post actually illustrates the same concept (with the distinction that you don't have to manually set up the PS4's IP parameters; DHCP packets will pass the RB in that kind of setup just fine).

The text above applies only in the case where in Fritz land the PS4 would use a different IP address than the RB (with the other 4 devices behind it). If all 5 devices (PS4, 2 PCs and 2 smart TVs) are allowed to use only a single IP address in Fritz land, then you'll have to use the first case of my post (the 'WAN' interface of the RB taking up the PS4 address and NATting everything onto it).

You might want to consider this possibility even if you can use more than one IP address from Fritz land, as the RB setup is much simpler with a single 'WAN' IP address ... unless you have to use more than one for some particular reason.

Re: Routing/masquerading a device into different network

Posted: Thu Mar 01, 2018 8:55 pm
by Sky18
Made some good progress.
The PS4 is now connected to the FritzBox :-). So thanks very much for this, Metod and pio!

But now I have two new challenges:
  • cannot ping the gateway (FritzBox) from the RB terminal window anymore - Internet connection works fine
  • QoS (bandwidth limitation) with simple queue and queue tree does not work anymore - neither for the PS4 on ether4 nor for the other ports 2, 3, 5
Will dig deeper into this tomorrow.

Router/Switch setup is not an easy exercise :shock: :lol: and became really time consuming over the past two+ months...

Re: Routing/masquerading a device into different network

Posted: Sat Mar 03, 2018 4:46 pm
by Sky18
Ok, (hopefully) only a few steps away from the final goal.
  • ether4 is connected to the Fritz!Box, the corresponding devices get their IP addresses from the Fritz!Box and the child safety function works as expected
  • ether2+3+5+wlan1 are bridged and QoS is working properly

So most is working now as wanted, except two points:
  • Common QoS/traffic management for all ether ports - currently QoS for ether4 is not working at all (network 192.168.178.0/24)
  • Two devices on the LAN cable connected to ether4 should belong to network 192.168.222.0/24 and not to network 192.168.178.0/24 as they currently do based on the configuration of ether4

Questions:
  • What to do to have common QoS for all interfaces, including ether4?
  • What to do to route 2 devices connected to ether4 (network 192.168.178.0/24) to the other network 192.168.222.0/24?

Any ideas how to configure the RB so that the remaining topics also work?

Thanks, Tom
# mar/03/2018 15:26:48 by RouterOS 6.41.1
# software id = EMY6-ULA2
#
# model = 951G-2HnD
/interface bridge
add fast-forward=no name=bridge_192.168.178.0
add fast-forward=no name=bridge_192.168.222.0
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] name=ether1_LAN
set [ find default-name=ether2 ] name=ether2_basement
set [ find default-name=ether3 ] name=ether3_lounge
set [ find default-name=ether4 ] name=ether4_Kids
set [ find default-name=ether5 ] name=ether5_Synology
/interface list
add name=LAN
add name=LAN-via-FB
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.222.100-192.168.222.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_192.168.222.0 \
    lease-time=1000w name=dhcp1
/queue simple
add disabled=yes max-limit=384k/2M name=queue1 queue=default/default target=\
    192.168.222.254/32
/queue tree
add max-limit=50M name=total-traffic parent=global queue=default
add name=upload packet-mark=upload parent=total-traffic queue=default
add name=download packet-mark=download parent=total-traffic queue=default
/interface bridge port
add bridge=bridge_192.168.178.0 interface=ether1_LAN
add bridge=bridge_192.168.178.0 interface=ether4_Kids
add bridge=bridge_192.168.222.0 interface=ether2_basement
add bridge=bridge_192.168.222.0 interface=ether3_lounge
add bridge=bridge_192.168.222.0 interface=ether5_Synology
/interface list member
add interface=ether2_basement list=LAN
add interface=ether3_lounge list=LAN
add interface=ether5_Synology list=LAN
add interface=wlan1 list=LAN
add interface=ether4_Kids list=LAN-via-FB
add interface=ether1_LAN list=LAN-via-FB
/ip address
add address=192.168.178.20/24 interface=bridge_192.168.178.0 network=\
    192.168.178.0
add address=192.168.222.1/24 interface=ether2_basement network=192.168.222.0
/ip dhcp-server network
add address=192.168.222.0/24 gateway=192.168.222.1
/ip dns
set allow-remote-requests=yes servers=192.168.178.1,8.8.8.8
/ip firewall mangle
add action=mark-packet chain=prerouting comment=upload in-interface=\
    bridge_192.168.178.0 new-packet-mark=upload passthrough=yes
add action=mark-packet chain=postrouting comment=download new-packet-mark=\
    download out-interface=bridge_192.168.178.0 passthrough=yes
add action=mark-packet chain=prerouting comment=upload in-interface=\
    bridge_192.168.178.0 new-packet-mark=upload passthrough=yes
add action=mark-packet chain=postrouting comment=download new-packet-mark=\
    download out-interface=bridge_192.168.178.0 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_192.168.178.0
add action=masquerade chain=srcnat out-interface=bridge_192.168.178.0
add action=masquerade chain=srcnat comment=nat-internet-access out-interface=\
    bridge_192.168.178.0
/ip route
add distance=1 gateway=192.168.178.1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-RB951G-2HnD
/system ntp client
set enabled=yes primary-ntp=213.235.200.199 secondary-ntp=129.70.132.34

Re: Routing/masquerading a device into different network

Posted: Sat Mar 03, 2018 7:29 pm
by mkx
Re QoS: I don't think it's possible to affect QoS on ROS devices for traffic which doesn't go through the router's CPU. You have ether1 and ether4 in a common switch "domain", so traffic between those two interfaces doesn't go through the CPU. There might be a way, but I can't give you any concrete guides: get those two ports in a SW bridge, making all traffic between the two pass through the RB's CPU. Then some queue mechanism may do its job.

Re devices off ether4: please describe what you want to achieve: a) make the two devices become members of 192.168.222.0/24, or b) give those two devices the possibility to reach certain services available from machines inside 192.168.222.0/24?
If you want a), then you need to connect those two devices to port ether2, ether3 or ether5. No way around it.
If you want b) and the number of services is not too big, you can add some dstnat rules to the NAT table on your RB. And possibly add some filters to the FW to limit access to those services to only selected clients. dstnat means that in order to use "internal" services externally (internal being 192.168.222.0/24 and external being anything else, including 192.168.178.0/24), clients need to connect to the RB's address and to the exported port, which is not necessarily the same as the "native" service port on the server itself. Example: you want to allow 192.168.178.242 access to the http service provided by 192.168.222.42. In this case you need a dstnat rule that forwards TCP port (e.g.) 8080 to 192.168.222.42 TCP port 80. Then your client machine would request the URL http://192.168.178.20:8080/

If the number of services that you want to "export" is bigger, then you might want to think about routing between the two networks, but that would imply the end of NATting on the RB device and the start of doing NAT also for 192.168.222.0 on the Fritz. Also you would need to add an explicit route for 192.168.222.0/24 to the Fritz (which should use your RB as gateway). You would create some FW rules on the RB to protect your 192.168.222.0 from the evil rest of your household except for the services you want to "export".
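The dstnat-plus-filter combination described in this post, written out as an added example (not the poster's configuration). The interface name and the RB's Fritz-side address 192.168.178.20 are taken from the export posted earlier in the thread; the client, server and port numbers are the ones in the example above.

```routeros
# Added example, not from the thread. Publishes the HTTP service of
# 192.168.222.42 as 192.168.178.20:8080 and allows only 192.168.178.242 to use it.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=bridge_192.168.178.0 \
    protocol=tcp dst-address=192.168.178.20 dst-port=8080 \
    to-addresses=192.168.222.42 to-ports=80 \
    comment="export http of 192.168.222.42 as 192.168.178.20:8080"

/ip firewall filter
# The forward chain sees the packet after dst-nat, i.e. with the translated
# destination 192.168.222.42:80. Accept the selected client, drop everyone
# else arriving from the Fritz side for that service.
add chain=forward action=accept in-interface=bridge_192.168.178.0 \
    protocol=tcp src-address=192.168.178.242 \
    dst-address=192.168.222.42 dst-port=80 \
    comment="only the selected client may use the exported service"
add chain=forward action=drop in-interface=bridge_192.168.178.0 \
    protocol=tcp dst-address=192.168.222.42 dst-port=80 \
    comment="all other Fritz-side clients are dropped"

# Check: after the client opens http://192.168.178.20:8080/ the translated
# connection shows up with reply-dst 192.168.222.42:80.
/ip firewall connection print where dst-address~"192.168.222.42:80"
```

No src-nat is needed for the return path: the server sees 192.168.178.242 as the client and sends its reply to its default gateway 192.168.222.1, which is the RB, so the connection-tracking entry reverses the translation. The drop rule must sit below the accept rule, and both must come before any general accept for the forward chain.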

Re: Routing/masquerading a device into different network

Posted: Sun Mar 04, 2018 10:42 am
by Sky18
Thanks Metod, understand.

What about changing the subnet mask or a VLAN setup to access all devices in both networks from every device in both networks?
Read something about these topics and now trying to understand what subnetting or VLAN means for real life...

Re: Routing/masquerading a device into different network

Posted: Sun Mar 04, 2018 11:30 am
by mkx
In your case, using VLANs won't give you much. Using VLANs has its merits if you use more than one VLAN-capable switch in the network and you lack the cabling and/or ports on the switches/routers. If you only use one VLAN-configured switch (in your case the RB), then you can achieve the same with the L2 setup you currently use. Because: to have connectivity between two VLANs, you need to do routing anyway. In your case, you do a kind of routing already, except that currently you are doing NAT instead of "proper" routing. Again: if you'd do routing between the two networks, you'd need to do some additional configuration on the router which is the default gateway for 192.168.178.0/24 ... or else the devices in that network wouldn't know how to reach devices from network 192.168.222.0/24.

If, on the other hand, you would enable using VLANs also on the Fritz (I don't know if that is possible at all), then you could have the connection between the two routers configured as a VLAN trunk and you would have the freedom to physically connect any device, which logically belongs to either of the two networks, to any switch/router while keeping the two (logical) networks separated. You'd still need to do routing between the two (logical) networks, but that could be done by the Fritz ... I tend to keep all the routing on a single device, it simplifies the setup (no need to do static routes towards the other router, and NAT towards the internet is done for all logical networks at the same time).

You could use VLANs in your case as well, but that would mean configuring VLANs on your end devices (PCs and what not). In that case, you could configure ports to be "VLAN mixed", e.g. accept VLAN-tagged packets and have some default VLAN id for untagged packets. In that case you could have a VLAN-enabled network even using dumb switches (e.g. one hanging off your ether4 port) ... if the dumb switches support the slightly larger ethernet frames (a VLAN-tagged ethernet frame is 4 bytes longer than a "standard" ethernet frame; if a switch is really dumb it might drop frames longer than 1500 bytes). And you could use the VLANs only inside the RB (and its vicinity) in this case, no need to bother with the Fritz.

You're asking about the netmask ... the two address ranges (192.168.178.0 and 192.168.222.0) are quite far apart, so the netmask would have to be quite short. On the other hand, this would pose quite a challenge to get the traffic between the two halves of the network to pass through the RB. Reason: if one device needs to send a packet to another device which, according to IP address and address mask, belongs to the same network, it is assumed that the packet can be sent directly. The sending device sends that packet as a unicast ethernet frame with the destination MAC address of the receiving device (first it has to learn the dst MAC address; discovery is handled by the ARP handshake). Which in your case cannot work because the RB is in the way. The RB could, in principle, be configured to do proxy-arp ... but I don't know how well it would work, as the RB would not know in advance which devices are on which side (proxy ARP works like this: when some device asks about the MAC address of a particular IP address, the proxy-arp device answers with its own MAC address. When it later receives a packet with the destination IP address of the third device, it will route that packet over the appropriate interface. But the proxy-arp device needs to know all the IP addresses for which it needs to stand in between).

Re: Routing/masquerading a device into different network

Posted: Sun Mar 04, 2018 11:51 am
by mkx
Re VLANs:

Let me explain my use of VLANs at my home. Traditionally I had a VLAN-capable switch in my comms room and enough cabling so that any device inside my home could have its own wired connection to that switch. I was using VLANs internally inside the switch to have fast communication between the devices belonging to the same VLAN. The switch has a fancy feature (asymmetric VLANs, meaning a given port can belong to more than one VLAN and untag all packets exiting that port), meaning I could do some device separation without any of them being aware of VLANs, including the router.
Then the number of wired devices at a particular place (living room) grew to the point that I no longer had enough ethernet cables. So I had to install another VLAN-capable device (in my case a RB951G-2HnD) and have a VLAN trunk on a single ethernet cable between the two devices.

And I really needed VLANs; I needed separate connections (either physical cables or VLANs) for the following services:
  • home LAN
  • guest LAN - VAP on WiFi with internet-only access and limited speed
  • IPTV - the provider delivers multicast streams in a VLAN, so I replicated that particular VLAN inside my home network
  • internet for the IPTV set-top box - I don't want to make it a part of my home LAN and I don't want to expose it to the guest WiFi users
All those VLANs are used by 4 devices: WiFi AP, smart TV, IP set-top box, and home cinema receiver. I needed a smart device already for the second bullet (VLAN-tagged WiFi) and I really didn't have the possibility to run 5 ethernet cables (in case I'd actually install 2 WiFi APs to have two different SSIDs on air).

My current setup (deploying the RB device) allows me to do all of that using one ethernet cable. For a while the very same device also did the routing between my home and the internet (I get internet via VDSL and I used the existing VLAN switch to create another VLAN for the PPPoE connection ... I could safely run that through my existing ethernet cables without fear of exposing my LAN to the evil internet).
Now I actually have two RB951G-2HnD devices, one acting mainly as router and the other one performing as switch/AP. But I have a kind of hardware redundancy: if one device fails, I can run my home network with only two out of three devices (even my 24-port switch can fail; some less important device might become temporarily unconnected) in case of failure ... and that gives me time to purchase another RB device (I'm thinking of the cheapest xxxRM device) :smile:

Re: Routing/masquerading a device into different network

Posted: Mon Mar 05, 2018 9:19 am
by Sky18
@Metod, thanks very much for the detailed explanation. Will focus on this the next few days. Currently on the road...