Hello,
we are using "CCR2004-16G-2S+” and need to configure 1:1 NAT (bi-directional) from 8x internal device to 8x external IP address.
Our setup is like this:
What would be the best way to configure this on Mikrotik CCR2004-16G-2S+? Should we do 8x 172.29.10.101-108 on WAN interface and then use netmap which seems exactly to have been created for such a use case. (I have seen this here: https://help.mikrotik.com/docs/spaces/R ... 211299/NAT - table very and of page)
Below is some cobbled together code that kind of illustrates the idea. Will this work/is this a practical solution for RouterOS?
We are very much looking forward to your suggestions set this up. Many thanks in advance! Jürgen
we are using "CCR2004-16G-2S+” and need to configure 1:1 NAT (bi-directional) from 8x internal device to 8x external IP address.
Code:
+-------------------------------+ | Linux Edge Device (Client) | | IP: 172.29.10.10/24 | +---------------+---------------+ | | +---------------------+--------------------------+ | | | | | | | |172.29.10.101 .102 .103 .104 .105 .106 .107 .108 | (eth all "virtual" IPs are e.g. 172.29.10.x) +---------------------+----------------------+ | MikroTik | | IP: 172.29.10.1/24 | +---------------------+----------------------+ | | | | | | | Eth1 Eth2 Eth3 Eth4 Eth5 Eth6 ... Eth8 | | | | | | | | | | | | | |+----+--+ +--+----+ +--+----+ +--+----+ +--+----+ +---+---+| PLC1 | | PLC2 | | PLC3 | | PLC4 | | PLC5 | | PLC8 || IP: | | IP: | | IP: | | IP: | | IP: | | IP: ||192.168.0.2 (same IP for all PLCs) |+------------+ +-------+ +-------+ +-------+ +--------+Our setup is like this:
- we have 8 PLC; each PLC has same IP address 192.168.0.2
- we cannot change IP address of PLC or modify network settings of PLC
- each PLC will be connected to a dedicated ethernet port Eth1, Eth2, etc. on Mikrotik CCR2004-16G-2S+
- we also have one Linux PLC edge device; this edge device needs to access each PLC individually
- plan is to use IP address range 172.29.10.0/24 for “outside” network: edge device will have IP address 172.29.10.10; Mikrotik CCR2004-16G-2S+ will e.g. have 172.29.10.1
- Mikrotik CCR2004-16G-2S+ will route access to 172.29.10.101 (=outside / NAT IP address for PLC1) to PLC1 connected to Eth1 (PLC1 has IP address 192.168.0.2)
- Mikrotik CCR2004-16G-2S+ will route access to 172.29.10.102 (=outside / NAT IP address for PLC2) to PLC2 connected to Eth2 (PLC2 has also IP address 192.168.0.2) for all 8x PLC
- only IP addresses for PLC are fixed to 192.168.0.2 - for everything else we are free to do as we see fit
- only ports 102 and 80 and 443 need to be mapped/accessible
What would be the best way to configure this on Mikrotik CCR2004-16G-2S+? Should we do 8x 172.29.10.101-108 on WAN interface and then use netmap which seems exactly to have been created for such a use case. (I have seen this here: https://help.mikrotik.com/docs/spaces/R ... 211299/NAT - table very and of page)
Below is some cobbled together code that kind of illustrates the idea. Will this work/is this a practical solution for RouterOS?
We are very much looking forward to your suggestions set this up. Many thanks in advance! Jürgen
Code:
# WAN interface (Edge device connection)/ip address add address=172.29.10.1/24 interface=ether9 comment="Outside Edge Network"# Create separate bridge for each PLC to isolate networks/interface bridgeadd name=bridge-plc1 comment="PLC1 Network"add name=bridge-plc2 comment="PLC2 Network"add name=bridge-plc3 comment="PLC3 Network"add name=bridge-plc4 comment="PLC4 Network"add name=bridge-plc5 comment="PLC5 Network"add name=bridge-plc6 comment="PLC6 Network"add name=bridge-plc7 comment="PLC7 Network"add name=bridge-plc8 comment="PLC8 Network"# Assign physical interfaces to bridges (one port per bridge)/interface bridge portadd bridge=bridge-plc1 interface=ether1add bridge=bridge-plc2 interface=ether2add bridge=bridge-plc3 interface=ether3add bridge=bridge-plc4 interface=ether4add bridge=bridge-plc5 interface=ether5add bridge=bridge-plc6 interface=ether6add bridge=bridge-plc7 interface=ether7add bridge=bridge-plc8 interface=ether8# Assign same IP to each bridge (router will have 192.168.0.180 in each isolated network)/ip addressadd address=192.168.0.180/24 interface=bridge-plc1 comment="Gateway for PLC1"add address=192.168.0.180/24 interface=bridge-plc2 comment="Gateway for PLC2"add address=192.168.0.180/24 interface=bridge-plc3 comment="Gateway for PLC3"add address=192.168.0.180/24 interface=bridge-plc4 comment="Gateway for PLC4"add address=192.168.0.180/24 interface=bridge-plc5 comment="Gateway for PLC5"add address=192.168.0.180/24 interface=bridge-plc6 comment="Gateway for PLC6"add address=192.168.0.180/24 interface=bridge-plc7 comment="Gateway for PLC7"add address=192.168.0.180/24 interface=bridge-plc8 comment="Gateway for PLC8"# 1:1 NAT rules using netmap for bidirectional NAT/ip firewall nat# Destination NAT (incoming traffic from Edge device to PLCs)add chain=dstnat dst-address=172.29.10.101 action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535 in-interface=ether9 out-interface=bridge-plc1add chain=dstnat dst-address=172.29.10.102 action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535 in-interface=ether9 out-interface=bridge-plc2add chain=dstnat dst-address=172.29.10.103 action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535 in-interface=ether9 out-interface=bridge-plc3add chain=dstnat dst-address=172.29.10.104 action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535 in-interface=ether9 out-interface=bridge-plc4add chain=dstnat dst-address=172.29.10.105 action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535 in-interface=ether9 out-interface=bridge-plc5add chain=dstnat dst-address=172.29.10.106 action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535 in-interface=ether9 out-interface=bridge-plc6add chain=dstnat dst-address=172.29.10.107 action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535 in-interface=ether9 out-interface=bridge-plc7add chain=dstnat dst-address=172.29.10.108 action=dst-nat to-addresses=192.168.0.2 to-ports=0-65535 in-interface=ether9 out-interface=bridge-plc8# Source NAT (outgoing traffic from PLCs to Edge device)add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses=172.29.10.101 to-ports=0-65535 in-interface=bridge-plc1 out-interface=ether9add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses=172.29.10.102 to-ports=0-65535 in-interface=bridge-plc2 out-interface=ether9add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses=172.29.10.103 to-ports=0-65535 in-interface=bridge-plc3 out-interface=ether9add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses=172.29.10.104 to-ports=0-65535 in-interface=bridge-plc4 out-interface=ether9add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses=172.29.10.105 to-ports=0-65535 in-interface=bridge-plc5 out-interface=ether9add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses=172.29.10.106 to-ports=0-65535 in-interface=bridge-plc6 out-interface=ether9add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses=172.29.10.107 to-ports=0-65535 in-interface=bridge-plc7 out-interface=ether9add chain=srcnat src-address=192.168.0.2 action=src-nat to-addresses=172.29.10.108 to-ports=0-65535 in-interface=bridge-plc8 out-interface=ether9Statistics: Posted by juwalter — Mon Mar 24, 2025 5:48 pm