ivugrinec
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Feb 17, 2011 11:43 am

How to allow two devices with same IP access internet

Sat Jan 27, 2018 6:56 pm

Hi,
I've been asked to find a way to allow several devices with the same static IP address/subnet mask/gateway to access the internet. Is there a way to do it? Mangle? DST-NAT, SRC-NAT?
So I have a bunch of IoT devices that need to be able to access the internet over NAT.
I have the same device with the same (fixed) IP settings, which cannot be changed, attached to a CRS switch. Is there any clever way to mangle the traffic in such a way that every interface is its own network and that device is able to access the internet (SNTP client, time sync)?
Eg.
eth1- device1-192.168.0.100/24 gw: 192.168.0.1
eth2- device1-192.168.0.100/24 gw: 192.168.0.1
eth3- device1-192.168.0.100/24 gw: 192.168.0.1
eth4- device1-192.168.0.100/24 gw: 192.168.0.1
...
eth24-WAN interface, SRC-NAT/Masquerade.

Any idea?
 
miro
Trainer
Posts: 38
Joined: Mon May 09, 2011 1:44 pm

Re: How to allow two devices with same IP access internet

Sat Jan 27, 2018 7:04 pm

Perhaps it could be done in NAT, messing with: you have the src-mac-address condition, or if you disable hardware switching, you can use in and out bridge port... Or use four cheapest Mikrotiks, e.g. mAP...

But, my comment is: say to your customer: if you want to use an IP network, obey IP standards...
 
ivugrinec
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Feb 17, 2011 11:43 am

Re: How to allow two devices with same IP access internet

Sat Jan 27, 2018 7:17 pm

Hi, first, I am the client! ;-)

I am very well aware that this goes against all ISO/OSI layer and TCP/IP standards. But Mikrotik has very powerful mangle facilities.
I need this in our production facility (factory). I've been able to create a way to access EVERY IoT device on the same network (using Mangle/Route/DST-NAT and virtual IP addresses).
It's a hack but it works great! I can communicate with any device while they are connected to the same CRS switch and have the same IP/subnet/DST-NAT.

The problem is that I also need to find a way to enable these devices to access the internet. So this thread is part of a bigger issue/chemistry.
To simplify the problem - first I need to find a way to masquerade (at least) two devices with the same IP/subnet/GW and masquerade their traffic to a WAN IP.

Any ideas?
 
Sob
Forum Guru
Posts: 8387
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to allow two devices with same IP access internet

Sat Jan 27, 2018 9:12 pm

It shouldn't be too hard. If you already set up the reverse and can access all these same-IP devices, then you know everything you need. I can't test it now, but it should be enough to mark new connections from these devices (different for each port) and then properly mark routing for reply packets, based on connection marks. Everything else should just work.
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
jspool
Member
Posts: 440
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: How to allow two devices with same IP access internet

Sat Jan 27, 2018 11:19 pm

What IoT device is made with a fixed and unchangeable IP address?
 
ivugrinec
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Feb 17, 2011 11:43 am

Re: How to allow two devices with same IP access internet

Sun Jan 28, 2018 11:35 am

@ jspool Well, not quite the IoT device - it's a data collector for IoT sensors we have been asked to design and produce. The default TCP/IP settings need to be tested before packaging and shipping.
We need to test hundreds of devices per day - while every device has the same (static) IP address 192.168.0.100/24 and 192.168.0.1 as GW.

@ Sob Can you please take another look at this /your own/ code and try to figure out a way to access the internet. The methods and principles used here are the base of my chemistry.
/ip address
add address=192.168.1.11/24 interface=ether1 network=192.168.1.0
add address=192.168.1.12/24 interface=ether1 network=192.168.1.0
add address=192.168.0.1 interface=ether2 network=192.168.0.1
add address=192.168.0.1 interface=ether3 network=192.168.0.1
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=192.168.1.11 new-connection-mark=port1
add action=mark-connection chain=prerouting dst-address=192.168.1.12 new-connection-mark=port2
add action=mark-routing chain=prerouting connection-mark=port1 new-routing-mark=port1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port2 new-routing-mark=port2 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.11 dst-port=80 protocol=tcp to-addresses=192.168.0.2
add action=dst-nat chain=dstnat dst-address=192.168.1.12 dst-port=80 protocol=tcp to-addresses=192.168.0.2
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether2 routing-mark=port1
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=port2
viewtopic.php?f=13&t=107142#p532709

I took your advice and used it in my setup, but traffic initiated from the device itself has problems accessing the default gateway (because we have the same IP (192.168.0.1) on every ether* interface).
viewtopic.php?f=13&t=107142

Please do understand that I am aware that this is not "by the network design" - but we need to be able to get some data from the clients, and clients need to be able to access cloud services (testing the device after production and assembly).
 
Sob
Forum Guru
Posts: 8387
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to allow two devices with same IP access internet

Mon Jan 29, 2018 4:50 am

This should be it:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=ether2 new-connection-mark=port1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new in-interface=ether3 new-connection-mark=port2 passthrough=yes
It will mark new connections from devices based on interface. Already existing rules will then mark routing for them. It won't influence outgoing packets to non-local networks (other than 192.168.0.0/24), because these routing tables know only about 192.168.0.0/24, so packets will use default route from main table. If you have masquerade on WAN, which will take these connections (i.e. not limited to just some other LAN range), it should work.

One possible trouble could arise if same source port gets used by more than one device. I don't know how exactly conntrack implementation works, but I guess it probably won't object if there would be same source port, but different destination (address or port). But if more devices try to connect to e.g. same webserver (same address and port) and use same source port by accident, conntrack will probably not like it at all. If that happens, I don't see any easy fix for that, other than each device behind own router.

On the other hand, it wouldn't necessarily have to be physical routers; you could do wonders with a load of CHRs (even free licenses) and VLAN switch(es). And unlike this funny setup, it would be a clean solution. It would just take a little more time to set up, but not really that much.
 
ivugrinec
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Feb 17, 2011 11:43 am

Re: How to allow two devices with same IP access internet

Mon Jan 29, 2018 1:05 pm

Thank you, but sorry to say - it still does not work. Can you please try?
 
pe1chl
Forum Guru
Posts: 8576
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to allow two devices with same IP access internet

Mon Jan 29, 2018 2:28 pm

It is actually a problem in other software as well.
E.g. in some badly written software for Amateur Radio D-Star repeaters, the local system always has to be 10.0.0.2/8 and it has to communicate with an internet server, supposedly via a NAT router on 10.0.0.1/8.
When operating several of those systems behind a single router, one is faced with the same problem.

The way we solved it for now is to run a couple of CHR instances behind our physical router, each routing for a single network on a separate VMware virtual switch.
Maybe you can do the same thing, or buy a couple of separate small routers to do the job.
This could easily be cheaper than to keep trying to run it on a single router.
 
Sob
Forum Guru
Posts: 8387
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to allow two devices with same IP access internet

Mon Jan 29, 2018 4:45 pm

I'll see what I can do, but I don't have anything prepared for it right now, and have to deal with other things first. But if you start with just one device, it really should work, so try to check what exactly is going on. Use either Tools->Torch to check where the packets are going, or add logging rules to prerouting and postrouting. Easiest way is to connect to some specific address and port from the device and look for that as destination.

Required config also depends on what exactly this router does, whether it a) serves as the internet gateway itself, or b) is an internal router and the gateway is something else. In any case, you'll need some srcnat. Either just a masquerade rule on WAN for a):
/ip firewall nat
add action=masquerade chain=srcnat out-interface=<WAN>
Or for b):
/ip firewall nat
add chain=srcnat action=src-nat out-interface=<to_gw> connection-mark=port1 to-addresses=192.168.1.11
add chain=srcnat action=src-nat out-interface=<to_gw> connection-mark=port2 to-addresses=192.168.1.12
 
16again
Frequent Visitor
Posts: 80
Joined: Fri Dec 29, 2017 12:23 pm

Re: How to allow two devices with same IP access internet

Wed Jan 31, 2018 12:08 am

I'm not sure how far you'll get with it....but this topic needs to have VRF mentioned in it.
 
ivugrinec
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Feb 17, 2011 11:43 am

Re: How to allow two devices with same IP access internet

Wed Jan 31, 2018 11:00 am

Well, with all the help from Sob and the other fellows, I didn't get far. Can you elaborate your idea? I am willing to try.
 
Sob
Forum Guru
Posts: 8387
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to allow two devices with same IP access internet  [SOLVED]

Thu Feb 01, 2018 12:54 am

I tested my suggestion and it works here. Only problematic scenario is the same source port for same destination address and port. In more detail:

Works:
Device 1: 192.168.0.2:12345 -> 1.2.3.4:80
Device 2: 192.168.0.2:54321 -> 1.2.3.4:80

Also works:
Device 1: 192.168.0.2:12345 -> 1.2.3.4:80
Device 2: 192.168.0.2:12345 -> 4.3.2.1:80

Does not work (but it's "first come, first served", already established connection does not break):
Device 1: 192.168.0.2:12345 -> 1.2.3.4:80
Device 2: 192.168.0.2:12345 -> 1.2.3.4:80

Whole config:
/ip address
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
add address=192.168.1.11/24 interface=ether1 network=192.168.1.0
add address=192.168.1.12/24 interface=ether1 network=192.168.1.0
add address=192.168.0.1 interface=ether2 network=192.168.0.1
add address=192.168.0.1 interface=ether3 network=192.168.0.1
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=192.168.1.11 new-connection-mark=port1 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.1.12 new-connection-mark=port2 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new in-interface=ether2 new-connection-mark=port1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new in-interface=ether3 new-connection-mark=port2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=port1 new-routing-mark=port1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port2 new-routing-mark=port2 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.11 dst-port=80 protocol=tcp to-addresses=192.168.0.2
add action=dst-nat chain=dstnat dst-address=192.168.1.12 dst-port=80 protocol=tcp to-addresses=192.168.0.2
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
add action=src-nat chain=srcnat connection-mark=port1 out-interface=ether1 to-addresses=192.168.1.11
add action=src-nat chain=srcnat connection-mark=port2 out-interface=ether1 to-addresses=192.168.1.12
/ip route
add gateway=192.168.1.1
add distance=1 dst-address=192.168.0.0/24 gateway=ether2 routing-mark=port1
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=port2
It's the variant where this router only connects devices to LAN (192.168.1.0/24) and internet gateway is another router (192.168.1.1). The other one, where the same router would be connected directly to internet, would differ only in added srcnat rules, where it would be just a common one.
 
ivugrinec
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Feb 17, 2011 11:43 am

Re: How to allow two devices with same IP access internet

Fri Feb 02, 2018 10:22 pm

It works ! Thank you for all the help.
 
ivugrinec
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Feb 17, 2011 11:43 am

Re: How to allow two devices with same IP access internet

Mon Jun 04, 2018 9:27 am

Hi, I started using this solution and it works great. I have one little extension of the problem and hope you could help me yet a little bit. Devices can access the internet quite nicely. I installed the NTP server extension package and enabled unicast. It looks like the client devices with the current rules cannot access the services on the device itself. I also tried telnet and ssh.
Any idea how to "extend" the ruleset to enable client devices to access the device services?
Complete file export is here.
https://www.dropbox.com/s/t6zxecstnlo7k ... t.rsc?dl=0

It's a dirty and out-of-standard configuration, but it works for the purpose I need. Now I just need to improve it a little to be able to access the 192.168.0.1 device itself (NTP server).
 
sindy
Forum Guru
Posts: 9097
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to allow two devices with same IP access internet

Tue Jun 05, 2018 5:51 am

To make the Mikrotik route its responses to NTP, DNS etc. requests to the same IoT device which has asked them, it should be sufficient to add a "twin" rule in chain=output of /ip firewall mangle to each of the following ones (X=1..20):

add action=mark-routing chain=prerouting connection-mark=portX new-routing-mark=portX passthrough=no

The twin rule looks exactly the same except the chain name
add action=mark-routing chain=output connection-mark=portX new-routing-mark=portX passthrough=no

BTW, there is no need to have the addresses 10.10.14.1 to 10.10.14.20 up on the Mikrotik as its own addresses, the pre-routing, src-nat and dst-nat rules are sufficient.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
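As an added illustration (not code from this thread, and not RouterOS), here is a small Python model of what Sob's solved config and sindy's chain=output "twin" rules do to a packet. It reproduces the three cases Sob tested (different source port, different destination, and the colliding 5-tuple that conntrack cannot tell apart), and shows why a router-originated reply such as NTP needs the mark-routing rule in chain=output. The interface names, marks and addresses follow the thread's config; the Flow and Router classes, the "local" pseudo-interface, and the assumption that without the output-chain mark the reply follows the main table's default route out ether1 (the router's 192.168.0.1 addresses are /32 in Sob's config) are assumptions made for this example.

```python
# Toy model of the per-port connection-mark / routing-mark scheme from the thread.
# Assumption: this is an illustration, not RouterOS behaviour in every detail.
from dataclasses import dataclass

# Sob's mark-connection rules: in-interface=ether2 -> port1, in-interface=ether3 -> port2.
IN_IFACE_TO_MARK = {"ether2": "port1", "ether3": "port2"}
MARK_TO_DEVICE_IFACE = {"port1": "ether2", "port2": "ether3"}
# Variant b) src-nat: connections marked portX leave ether1 with their own source
# address, which is what lets the reply be mapped back to the right port.
MARK_TO_NAT_SRC = {"port1": "192.168.1.11", "port2": "192.168.1.12"}
LAN_IFACE = "ether1"
ROUTER_ADDR = "192.168.0.1"   # the router's own address on every device port


@dataclass(frozen=True)
class Flow:
    """Original-direction 5-tuple, as conntrack sees it before NAT (constructed)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    def __init__(self, output_chain_twin: bool = False):
        # conntrack: original 5-tuple -> (connection mark, NATed source address)
        self.conntrack: dict[Flow, tuple[str, str]] = {}
        # sindy's extension: mark-routing also in chain=output
        self.output_chain_twin = output_chain_twin

    def forward(self, in_iface: str, flow: Flow) -> tuple[str, str, str]:
        """Packet entering on a device port; returns (out_iface, src_after_nat, mark).

        conntrack keys on the 5-tuple only, so a second device reusing an existing
        tuple is treated as the same connection ("first come, first served") and
        inherits the first device's mark and NAT address.
        """
        entry = self.conntrack.get(flow)
        if entry is None:
            mark = IN_IFACE_TO_MARK[in_iface]
            nat_src = flow.src if flow.dst == ROUTER_ADDR else MARK_TO_NAT_SRC[mark]
            entry = self.conntrack[flow] = (mark, nat_src)
        mark, nat_src = entry
        if flow.dst == ROUTER_ADDR:
            return ("local", flow.src, mark)                     # for the router itself
        if flow.dst.startswith("192.168.0."):
            return (MARK_TO_DEVICE_IFACE[mark], flow.src, mark)  # table portX route
        return (LAN_IFACE, nat_src, mark)                        # falls back to main table

    def collides(self, in_iface: str, flow: Flow) -> bool:
        """True if this port's new connection would be swallowed by another port's entry."""
        entry = self.conntrack.get(flow)
        return entry is not None and entry[0] != IN_IFACE_TO_MARK[in_iface]

    def reply_from_lan(self, src: str, sport: int, dst: str, dport: int):
        """Reply arriving on ether1 for a NATed address; returns (device port, original dst)."""
        for flow, (mark, nat_src) in self.conntrack.items():
            if (nat_src, flow.sport, flow.dst, flow.dport) == (dst, dport, src, sport):
                # dst-address=192.168.1.1X mark-connection -> mark-routing -> table portX
                return (MARK_TO_DEVICE_IFACE[mark], flow.src)
        return None

    def reply_from_router(self, flow: Flow):
        """Router-originated reply (NTP, DNS) to a device's request; returns the egress port."""
        entry = self.conntrack.get(flow)
        if entry is None or flow.dst != ROUTER_ADDR:
            return None
        if self.output_chain_twin:
            return MARK_TO_DEVICE_IFACE[entry[0]]   # chain=output mark-routing -> table portX
        # Assumption: without the twin rule the reply is routed by the main table, whose
        # only matching route is the default route, so it leaves ether1 and never reaches
        # the device.
        return LAN_IFACE


if __name__ == "__main__":
    r = Router()
    first = Flow("tcp", "192.168.0.2", 12345, "1.2.3.4", 80)
    print(r.forward("ether2", first))
    print(r.collides("ether3", first), r.forward("ether3", first))
    print(r.reply_from_lan("1.2.3.4", 80, "192.168.1.11", 12345))
```

The colliding case shows the limit of the whole approach: once two devices pick the same source port towards the same destination, conntrack has one entry for both, and the reply can only go back to whichever port opened it first. That is why the thread's clean alternative is one router (or CHR) per device.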
 
ivugrinec
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Feb 17, 2011 11:43 am

Re: How to allow two devices with same IP access internet

Wed Jun 06, 2018 3:35 pm

It works great. Thank you.

P.S. If I remove the IPs as suggested, things don't work anymore.
 
sindy
Forum Guru
Posts: 9097
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to allow two devices with same IP access internet

Wed Jun 06, 2018 3:41 pm

If i remove the IP's as suggested, things don't work anymore.
Sorry, I forgot that to be able to remove the addresses, you have to set arp=proxy-arp on the interface to which the public addresses were previously attached.
 
ivugrinec
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Feb 17, 2011 11:43 am

Re: How to allow two devices with same IP access internet

Wed Jun 13, 2018 11:32 am

Is it possible to extend this setup (export attached in previous posts) to allow communication with a host (firmware server) so that each unit could establish a connection to it?

Example:
Unit1 is on port1 and has an IP 192.168.0.100
Unit2 is on port2 and has an IP 192.168.0.100
....
UnitX is on portX and has an IP 192.168.0.100
...
Server22 is on port22 and has an IP 192.168.0.22

Is there a way so every unit could establish a UDP connection with ServerX? (If the server could be on e.g. 192.168.33.222, this would work fine and would not be a problem, but I need it on the same subnet.)
Src-NAT? 1:1 NAT? Any other idea, mangle, hack??
 
sindy
Forum Guru
Posts: 9097
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to allow two devices with same IP access internet

Wed Jun 13, 2018 1:16 pm

So you want each of the IoT devices to see the server in its own subnet, i.e. reachable for it on L2, right?
 
ivugrinec
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Feb 17, 2011 11:43 am

Re: How to allow two devices with same IP access internet

Wed Jun 13, 2018 2:55 pm

Yes!
 
Sob
Forum Guru
Posts: 8387
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to allow two devices with same IP access internet

Thu Jun 14, 2018 12:29 am

So just UDP or full L2?

I can't test it right now, but UDP shouldn't be hard. Connect server to port 22:
/ip address
add address=192.168.0.1/24 interface=ether22
Make server visible on client ports with proxy arp:
/ip arp
add address=192.168.0.22 interface=ether2 published=yes
add address=192.168.0.22 interface=ether3 published=yes
...
Tell router where to look for server:
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.22/32 table=main
And masquerade anything going to server (to avoid need for proxy arp for reverse direction):
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether22
I think it should work.