Hi,

I need to sort out the following case:
Topology:

PC with OPC server (192.168.0.220) - Switch from company network ( 192.168.4.0/24 ) – mAP 2nd( 192.168.4.180/24) – ETN device (no option for gateway setup, only static IP 192.168.4.153)


I cannot communicate with the Ethernet device.
Please advise what have to be done in this case?

I need to sort out the following case:
Topology:

PC with OPC server (192.168.0.220) - Switch from company network ( 192.168.4.0/24 ) – mAP 2nd( 192.168.4.180/24) – ETN device (no option for gateway setup, only static IP 192.168.4.153)

I cannot communicate with the Ethernet device.
Please advise what have to be done in this case?

Proxy ARP needs to be enabled on whatever the default gateway of the 192.168.4.0/24 network is (the mAP, if that's it).

Preferably, the Ethernet device would be defenestrated from at least a 3rd-story window, but that's probably not going to be an option :-)

Thank you, mbovenka. I was looking for more information for proxy arp , but I could not find something helpful. I do not mean what proxy-arp is, this is clear, rather some similar examples for MT devices.

Take a look at:

https://wiki.mikrotik.com/wiki/Manual:IP/ARP#Proxy_ARP

Not sure if I understood everything, but anyway, this is the first configuration attempt:

# model = RBmAP2nD
# serial number = B93F0B4C87E9
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add interface=ether1 trusted=yes
add interface=ether2
/ip address
add address=192.168.0.220/24 interface=ether1 network=192.168.0.0
add address=192.168.4.80/24 interface=ether2 network=192.168.4.0
/ip arp
add address=192.168.4.153 interface=ether2 mac-address=00:0C:26:02:79:FE
add address=192.168.0.220 interface=ether1 mac-address=64:00:6A:25:19:CA

In the ARP list I have set the iP address and MAC address of the Ethernet device and PC.
What else is missing to make it working?

It's not clear from your description how is everything connected. But if mAP should serve as gateway between PC in 192.168.0.0/24 subnet and device (which doesn't support any default gateway) in 192.168.4.0/24 subnet, then you need just this:
No bridges or proxy ARP. PC connected to ether1 needs to have either 192.168.0.X as its default gateway, or static route to 192.168.4.0/24 via 192.168.0.X. The 192.168.4.Y on mAP's ether2 is address not used by anything else in .4 subnet.

Thank you, Sob. I think the misunderstanding comes from my configuration, indeed, the way it is written now it suppose exactly the same approach you have advised.
However my real connection (my starting post) is:

PC with OPC server (192.168.0.220) - Switch from company network ( 192.168.4.0/24 ) – mAP 2nd( 192.168.4.180/24) – ETN device (no option for gateway setup, only static IP 192.168.4.153)
So the router mAP I have placed in between will be used (or it was supposed to be used) to provide gateway to the ethernet device, or some different approach for communication. I do not know if it sounds logical, correct me if I am wrong.

It's your starting post that's not clear to me. You have company network 192.168.4.0/24, that's fine, no problem. But suddenly there's PC with completely different address connected to same switch. Where does it come from? Why isn't it in same subnet? Is there another router? Can the PC currently access anything in 192.168.4.0/24? Or the 192.168.4.0/24 actually isn't company network and you're adding it now only for that one device? It feels like there's something missing from that description.

PC can access everything on 192.168.4.0/24, which one of the company's VLAN.

Then you can solve it either on router which is between PC and this VLAN (using srcnat rule similar to what I posted, limited to just the device as target) and you wouldn't need mAP at all, or you can connect device behind mAP with this config:
and then either this:
or this:

Thank you, Sob. I would be able to check the configuration on Monday, and then will revert.
One more question: what will happen if the ethernet device has IP address outside of 192.168.4.0/24 and that IP cannot be changed. for example, 192.168.10.130?

If you mean that the gateway-less device would have 192.168.10.130, then you couldn't connect it to 192.168.4.0/24 network like this, because nothing would know to look for it there. But you could configure mAP as simple router, with 192.168.4.X/24 on one interface and 192.168.10.Y/24 on another, and do NAT 1:1 from 192.168.4.X to 192.168.10.130. Other devices would be connecting to 192.168.4.X instead of 192.168.10.130 and it would work.

Tried today. Now I am able to ping 192.168.4.180, but still cannot connect to the Ethernet device. Both options above checked without success.

And the configuration (the first variant suggested by Sob; IP address 192.168.4.180 replaced by 192.168.4.152 after consultation with our IT department):
/interface bridge
add name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=192.168.4.152/24 interface=bridge1 network=192.168.4.0
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.4.153 src-address=\
!192.168.4.0/24
/ip route
add distance=1 gateway=192.168.4.120

any errors found?

I actually tested this one and it worked for me. Does the device have /24 mask? Or in other words, can you access it from other devices in 192.168.4.0/24 subnet? If yes, then use Tools->Torch on both interfaces and check what's going on, if you see incoming packets from 192.168.0.220 on one interface, if they get the source changed to 192.168.4.153 on the other, and if there's any response from 192.168.4.152.

It seems like no packets go to 192.168.4.152 from 192.168.0.213/24.(previously 192.168.0.220/24)

Once more, can you access 192.168.4.153 (the gateway-less device) from other 192.168.4.X devices? And that with this router present, and if that doesn't work, then without this router, with device connected directly to switch in 192.168.4.0/24 network?

I cannot connect to Ethernet device from PC with 192.168.4.x with the router present. Same pictures as above from the torch on both interfaces from PC on 192.168.4.x.
Without the router I can connect to the device from PC on 192.168.4.x.

What if you set use-ip-firewall=no, is it possible to connect from 192.168.4.x to device? It should be, because the router will function as completely transparent bridge (of course it won't work from other subnets like this). If even this won't work, then there's something really weird, but I don't see it.

Thank you, Sob. I will try that asap. The problem is it takes time to do trials from 192.168.4.x/24, since I need to follow some security procedures - this is simply not the subnet I am allowed to operate with.

In that case it may be better to do a local test first, get the hang of it, and then if it doesn't work in target location, you'll know that it's not you. If the network cares a lot about security, maybe it's something they are doing, perhaps they don't like more than one MAC address connected to one port, or something.

Finally sorted out this task, but I have applied different approach. I do not use bridge any more and I have configured 2 subnets on the router (mAP 2ND.) The first subnet on ethernet 1 is 192.168.4.0/24. Then just classic src and dst NAT worked. Now I have access to the Ethernet device.
Thank you, Sob, for your time and guidance, much appreciated, I have learned other stuff from you working on that task! Hope to keep the same good communication for new challenges in the future.

Yes, that too can be used. I took 192.168.4.153 for the device as requirement, I didn't think much about it, that maybe it isn't. :)