Beginner Basics • Re: 1:1 NAT / DNAT configuration help

input does not match any value of new-routing-mark

add chain=prerouting in-interface=ether1 connection-mark=plc1-conn action=mark-routing new-routing-mark=to-plc1 comment="Mark route to PLC1"

# Identity for better management/system identity set name="PLC-Gateway"######################################## Interface Organization######################################## Create interface lists for better management/interface listadd name=PLC-PORTSadd name=WAN# Add interfaces to lists/interface list memberadd interface=ether1 list=WANadd interface=ether2 list=PLC-PORTSadd interface=ether3 list=PLC-PORTSadd interface=ether4 list=PLC-PORTS######################################## IP Configuration######################################## WAN interface (Edge device connection)/ip addressadd address=172.29.10.1/24 interface=ether1 comment="Edge Network Primary IP"# Add virtual IPs for each PLC on the WAN interfaceadd address=172.29.10.101/24 interface=ether1 comment="PLC1 External IP"add address=172.29.10.102/24 interface=ether1 comment="PLC2 External IP"add address=172.29.10.103/24 interface=ether1 comment="PLC3 External IP"# Configure IP addresses for each PLC interface - directly using Ethernet portsadd address=192.168.0.180/24 interface=ether2 comment="PLC1 Network"add address=192.168.0.180/24 interface=ether3 comment="PLC2 Network"add address=192.168.0.180/24 interface=ether4 comment="PLC3 Network"# Mark connections based on the external IP being accessed/ip firewall mangleadd chain=prerouting in-interface=ether1 dst-address=172.29.10.101 action=mark-connection new-connection-mark=plc1-conn comment="Mark PLC1 Connections"add chain=prerouting in-interface=ether1 dst-address=172.29.10.102 action=mark-connection new-connection-mark=plc2-conn comment="Mark PLC2 Connections"add chain=prerouting in-interface=ether1 dst-address=172.29.10.102 action=mark-connection new-connection-mark=plc3-conn comment="Mark PLC3 Connections"

/routing tableadd disabled=no fib name=to-plc1add disabled=no fib name=to-plc2add disabled=no fib name=to-plc3/routing ruleadd action=lookup-only-in-table routing-mark=to-plc1 table=to-plc1add action=lookup-only-in-table routing-mark=to-plc2 table=to-plc2add action=lookup-only-in-table routing-mark=to-plc3 table=to-plc3

# Convert connection marks to routing marks for policy routing - ONLY for packets coming from WANadd chain=prerouting in-interface=ether1 connection-mark=plc1-conn action=mark-routing new-routing-mark=to-plc1 comment="Mark route to PLC1"add chain=prerouting in-interface=ether1 connection-mark=plc2-conn action=mark-routing new-routing-mark=to-plc2 comment="Mark route to PLC2"add chain=prerouting in-interface=ether1 connection-mark=plc3-conn action=mark-routing new-routing-mark=to-plc3 comment="Mark route to PLC3"

# Policy routes for the entire PLC subnet (/24), not just the PLC (/32)/ip routeadd dst-address=192.168.0.0/24 gateway=ether2 routing-table=to-plc1 comment="Route to PLC1"add dst-address=192.168.0.0/24 gateway=ether3 routing-table=to-plc2 comment="Route to PLC2"add dst-address=192.168.0.0/24 gateway=ether4 routing-table=to-plc3 comment="Route to PLC3"# Destination NAT/ip firewall natadd chain=dstnat in-interface=ether1 dst-address=172.29.10.101 action=dst-nat to-addresses=192.168.0.2 comment="PLC1 Inbound"add chain=dstnat in-interface=ether1 dst-address=172.29.10.102 action=dst-nat to-addresses=192.168.0.2 comment="PLC2 Inbound"add chain=dstnat in-interface=ether1 dst-address=172.29.10.103 action=dst-nat to-addresses=192.168.0.2 comment="PLC3 Inbound"# Source NAT for replies (makes router appear as 192.168.0.180 to PLCs)add chain=srcnat out-interface-list=PLC-PORTS action=src-nat to-addresses=192.168.0.180 comment="Source NAT to PLCs"