I am experiencing some difficulties with a router config, and I am asking for help.
I am quite new to MikroTik and RouterOS. I bought my router 2 weeks ago.
TL;DR
I cannot manage to srcNAT and dstNAT to 2 devices with the same IP, that are on 2 VLANs on the same port of the router.
Edit: solution
Be careful with fasttrack firewall rules (from the default ruleset) and with dynamic routes, when playing with complicated source NAT and destination NAT.
The Context
I am working with industrial devices that have a network port for debug usage. Each device has an identical IP configuration (addr 10.0.0.1/24, gateway 10.0.0.2).
I do not want to change it, since this configuration is the target when the device will be deployed. Anyway, this is a debug port; they are not supposed to be publicly accessible.
My company is writing the software inside the device.
The Use Case
For testing purposes, I would like to make many devices accessible from a LAN at the same time. There will be ~ 80 devices.
The Plan
I plan to expose a public external address for each device, and use a source NAT and a destination NAT in relation to the port where the device is plugged.
I have bought a RB760iGS (MikroTik Hex S) and a smart managed switch (Netgear GS110TPP).
A small trap for some fun: ;-)
I have plenty of devices: they will not fit a 10-port MikroTik router. I have created VLAN-interfaces and configured my switch accordingly.
Here is my plan:
                            ____________________                                    _____________
                           |                    |                                  |             |
                           |      RB760iGS      |                                  |   VLAN 31   | --- 10.0.0.1 - device 1
                           |                    |                                  |             |
---- LAN ----              | ether1             |                                  |   VLAN 32   | --- 10.0.0.1 - device 2
192.168.1.250              |                    |                                  |             |
+ .251 for device1         | VLAN_31/ether5     | --- 10.0.0.2 --- |               |   VLAN X    | --- 10.0.0.1 - device X
+ .252 for device2         | VLAN_32/ether5     | --- 10.0.0.2 --- |               |             |
                           | ....               |                  | --- trunk --- | trunk       |
                           | VLAN_XX/ether5     | --- 10.0.0.2 --- |               |_____________|
                           |                    |
                           |____________________|
Similar solutions from other users
I have read solutions from these topics:
viewtopic.php?t=107142#p532709 and https://gist.github.com/0x4C4A/3ba83e2e ... f6ee6e60d4
viewtopic.php?t=130127
viewtopic.php?t=119134
I cannot manage to make them work.
I have tried some changes (mark-packet instead of mark-connection, see below; disabling any masquerade...)
The Router Configuration
Let's start with 2 devices only. Here is my configuration:
/ip address
add address=192.168.1.251/24 interface=ether1 network=192.168.1.0
add address=192.168.1.252/24 interface=ether1 network=192.168.1.0
add address=10.0.0.2/24 interface=VLAN_K1 network=10.0.0.0
add address=10.0.0.2/24 interface=VLAN_K2 network=10.0.0.0
# + a dynamic address 192.168.1.250 on ether1 given by DHCP. This is my management address.
/interface vlan
add interface=ether5 name=VLAN_K1 vlan-id=31
add interface=ether5 name=VLAN_K2 vlan-id=32
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.251 to-addresses=10.0.0.1
add action=dst-nat chain=dstnat dst-address=192.168.1.252 to-addresses=10.0.0.1
add action=src-nat chain=srcnat out-interface=ether1 packet-mark=VLAN_K1 src-address=10.0.0.1 to-addresses=192.168.1.251
add action=src-nat chain=srcnat out-interface=ether1 packet-mark=VLAN_K2 src-address=10.0.0.1 to-addresses=192.168.1.252
/ip firewall mangle
add action=mark-packet chain=prerouting dst-address=192.168.1.251 in-interface=ether1 new-packet-mark=VLAN_K1 passthrough=yes
add action=mark-packet chain=prerouting dst-address=192.168.1.252 in-interface=ether1 new-packet-mark=VLAN_K2 passthrough=yes
add action=mark-packet chain=prerouting in-interface=VLAN_K1 new-packet-mark=VLAN_K1 passthrough=yes
add action=mark-packet chain=prerouting in-interface=VLAN_K2 new-packet-mark=VLAN_K2 passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.1.251 new-routing-mark=VLAN_K1 passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=VLAN_K1 packet-mark=VLAN_K1 passthrough=no
add action=mark-routing chain=prerouting dst-address=192.168.1.252 new-routing-mark=VLAN_K2 passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=VLAN_K2 packet-mark=VLAN_K2 passthrough=no
/ip route
add distance=1 dst-address=10.0.0.0/24 gateway=VLAN_K1 routing-mark=VLAN_K1
add distance=1 dst-address=10.0.0.0/24 gateway=VLAN_K2 routing-mark=VLAN_K2
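One way to address the two pitfalls named in the edit, shown as an added example (not the poster's final configuration): the connection is marked once and both NAT and routing key off the connection mark rather than a per-packet mark, the default fasttrack rule is disabled so established packets still pass through mangle, and every packet in both directions carries a routing mark so none of them falls through to the dynamic connected 10.0.0.0/24 route in the main table. It assumes RouterOS v6 syntax and the ether1, VLAN_K1 and VLAN_K2 interfaces and addresses from the post.

```routeros
# Added example, not the poster's config. Assumes RouterOS v6 and the
# interfaces/addresses defined earlier in the post.

# 1. Fasttrack: an established connection that is fasttracked skips mangle
#    and NAT, so it can no longer be steered to the right VLAN. Disable the
#    default rule (or exclude marked connections from it) while testing.
/ip firewall filter
disable [find action=fasttrack-connection]

# 2. Mark the CONNECTION on its first packet, from either side. Later packets
#    of that connection, including replies, inherit the mark automatically.
/ip firewall mangle
add chain=prerouting in-interface=ether1 dst-address=192.168.1.251 connection-state=new \
    action=mark-connection new-connection-mark=VLAN_K1 passthrough=yes
add chain=prerouting in-interface=VLAN_K1 connection-state=new \
    action=mark-connection new-connection-mark=VLAN_K1 passthrough=yes
add chain=prerouting in-interface=ether1 dst-address=192.168.1.252 connection-state=new \
    action=mark-connection new-connection-mark=VLAN_K2 passthrough=yes
add chain=prerouting in-interface=VLAN_K2 connection-state=new \
    action=mark-connection new-connection-mark=VLAN_K2 passthrough=yes
# Every packet of a marked connection gets the matching routing mark. An
# unmarked packet to 10.0.0.1 would use the main table, where only one of the
# two dynamic connected routes for 10.0.0.0/24 can win, i.e. always the same VLAN.
add chain=prerouting connection-mark=VLAN_K1 action=mark-routing new-routing-mark=VLAN_K1 passthrough=no
add chain=prerouting connection-mark=VLAN_K2 action=mark-routing new-routing-mark=VLAN_K2 passthrough=no

# 3. NAT: DNAT by public address, SNAT by connection mark (not packet mark).
/ip firewall nat
add chain=dstnat dst-address=192.168.1.251 action=dst-nat to-addresses=10.0.0.1
add chain=dstnat dst-address=192.168.1.252 action=dst-nat to-addresses=10.0.0.1
add chain=srcnat out-interface=ether1 connection-mark=VLAN_K1 action=src-nat to-addresses=192.168.1.251
add chain=srcnat out-interface=ether1 connection-mark=VLAN_K2 action=src-nat to-addresses=192.168.1.252

# 4. Per-mark routes. Traffic from a device towards the LAN carries a mark too,
#    finds no match in its table and falls back to main, which reaches ether1.
/ip route
add dst-address=10.0.0.0/24 gateway=VLAN_K1 routing-mark=VLAN_K1
add dst-address=10.0.0.0/24 gateway=VLAN_K2 routing-mark=VLAN_K2
```

Check the result with /ip firewall connection print, where each entry should show the connection mark of the VLAN it belongs to.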
The Problem
The point is that it seems to work... when I connect to the first device. But when I connect to a second device, it leads to random connection failures.
It looks like the router was trying to kill multiple/concurrent/unused connections, as if a NAT-masquerade cleanup routine was being performed.
The Strange Workaround
I tried to debug with the Packet Sniffer tool. When I enable it, the connections are magically valid and everything works great!
It even works when I change the rules of the sniffer to make it capture nothing (for example, by changing the sniffed port to an unused port).
But this is not a true workaround if I do not understand why this works... :-/
The Clues
The VLANs are working correctly, and the router has detected each device on its port:
[admin@MikroTik] > /ip arp print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS         MAC-ADDRESS        INTERFACE
 0 DC 192.168.1.1     xx:xx:xx:xx:xx:xx  ether1      <- my gateway on my LAN
 1 DC 192.168.1.18    yy:yy:yy:yy:yy:yy  ether1      <- my PC
...
 7 DC 10.0.0.1        B8:27:EB:AB:xx:xx  VLAN_K1     <- device 1, mocked with a Raspberry Pi
 8 DC 10.0.0.1        B8:27:EB:10:xx:xx  VLAN_K2     <- device 2
The Questions
Does anybody have an idea of what is missing in my router configuration?
Why does the Packet Sniffer tool make it work?
Will there be any overhead if I leave this (workaround) tool enabled, even if I make it capture nothing (no matching rule)?
Thank you very much for reading this loooong question. :-)
Kind regards,
K.B.