Thank you all very much for your time, problem is solved by application of DST and SRC nat rules as suggested by lurker888's last post with modification from ether2 to bridge, plus enabling proxy-arp on bridge (ether2-5).
NodeRED running on desktop can access the PLC in Mikrotik Machine LAN, via 10.0.80.201 (NAT to 192.168.250.1).
NodeRED OMRON FINS settings need to be according to Machine LAN. Important part being DA1 = last octet of IP address of PLC (in this case .1, not .201) and SA1 = last octet of who is asking (here .51, since as far as PLC is concerned, packets come from Mikrotik directly). After this, Read request from A642, length 2 (= read two analogue inputs of the PLC) works perfectly, as seen in bottom right of this image.
Code:
{ "host": "10.0.80.201", "port": 9600, "protocol": "udp", "DNA": 0, "DA1": 1, "DA2": 0, "SNA": 0, "SA1": 51, "SA2": 0}

For OMRON PLC CP1L-E it is NOT possible to set a gateway. Now I do not need it anymore, but in case someone is searching for this, the OMRON suggested workaround is to use "IP router table" in Ethernet settings and add 0.0.0.0 -> IP_OF_ROUTER/GATEWAY there.
I am happy here, since internal PLC settings stay at 192.168.250.1, but I am able to set CX-Programmer to talk to PLC at 10.0.80.201, so basics of networking are working at least. Not so lucky with some Chinese PLCs and HMIs which I sadly have in production too. But that is OK, since I can always use OVPN for programming needs.
My full router config attached:
Code:
[admin@RouterOS] > export
# 2025-04-19 17:23:37 by RouterOS 7.18.2
# software id = 1E6V-AUYV
#
# model = RB750Gr3
# serial number = ************
/interface bridge
add arp=proxy-arp name=bridge port-cost-mode=short
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=ovpn-pool ranges=192.168.250.200-192.168.250.220
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add bridge=bridge dns-server=192.168.250.51 local-address=192.168.250.51 name=VPN-Profile remote-address=ovpn-pool use-encryption=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
add auth=sha1 certificate=server-cert cipher=aes256-cbc default-profile=VPN-Profile disabled=no mac-address=************ name=ovpn-server1 require-client-certificate=yes
/ip address
add address=192.168.250.51/24 interface=ether2 network=192.168.250.0
add address=10.0.80.200/24 interface=ether1 network=10.0.80.0
add address=10.0.80.201 interface=ether1 network=10.0.80.201
add address=10.0.80.202 interface=ether1 network=10.0.80.202
add address=10.0.80.203 interface=ether1 network=10.0.80.203
/ip dhcp-server
add address-pool=ovpn-pool interface=bridge lease-time=10m name=defconf
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.250.51 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input disabled=yes
add action=accept chain=forward disabled=yes
add action=accept chain=input dst-port=1194 protocol=udp
add action=accept chain=input dst-port=1194 log=yes protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.0.80.201 to-addresses=192.168.250.1
add action=dst-nat chain=dstnat dst-address=10.0.80.202 to-addresses=192.168.250.100
add action=dst-nat chain=dstnat dst-address=10.0.80.203 to-addresses=192.168.250.99
add action=src-nat chain=srcnat out-interface=bridge to-addresses=192.168.250.51
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.80.1
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ppp secret
add name=maintenance profile=VPN-Profile service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Belgrade
/system identity
set name=RouterOS
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Statistics: Posted by chaosinc — Sat Apr 19, 2025 5:31 pm
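To make the DA1/SA1 point in the post concrete, here is an added Python example (it is not from the forum post and is not NodeRED's or OMRON's code) that builds the FINS/UDP Memory Area Read request for A642, length 2, with the node numbers taken from the addresses the PLC actually sees behind the NAT (192.168.250.1 for the PLC and the router's src-nat address 192.168.250.51, so DA1 = 1 and SA1 = 51), and validates a constructed reply before trusting its data. The header layout, the ICF/GCT values and the 0xB3 code for the Auxiliary word area follow the FINS command reference as I know it; confirm them against your PLC manual. The reply bytes are constructed, so nothing is contacted unless you call send_read yourself.

```python
"""
Added example: OMRON FINS/UDP Memory Area Read with node numbers derived
from the NAT'd addresses. Not part of the forum post, NodeRED, or OMRON.
"""
import ipaddress
import socket
import struct

FINS_PORT = 9600                 # FINS over UDP, as in the NodeRED settings above
MEMORY_AREA_READ = b"\x01\x01"   # FINS command code MRC=01, SRC=01
AREA_CODE_AR_WORD = 0xB3         # Auxiliary area, word access (assumed; A642 lives here)


def fins_node_numbers(plc_ip: str, router_lan_ip: str) -> tuple:
    """DA1/SA1 are the last octets of the addresses as the PLC sees them:
    its own LAN address (dst-nat target) and the router's LAN address that
    src-nat rewrites the source to, not the public 10.0.80.x addresses."""
    da1 = int(ipaddress.ip_address(plc_ip)) & 0xFF
    sa1 = int(ipaddress.ip_address(router_lan_ip)) & 0xFF
    return da1, sa1


def build_read_request(da1: int, sa1: int, word: int, count: int,
                       area: int = AREA_CODE_AR_WORD, sid: int = 0) -> bytes:
    """10-byte FINS header followed by Memory Area Read (word address, bit 0, count)."""
    header = bytes([
        0x80,   # ICF: command frame, response requested
        0x00,   # RSV
        0x02,   # GCT: gateway count
        0x00,   # DNA: destination network (0 = local network)
        da1,    # DA1: destination node = last octet of the PLC's IP
        0x00,   # DA2: destination unit (0 = CPU unit)
        0x00,   # SNA: source network
        sa1,    # SA1: source node = last octet of the address the PLC sees us from
        0x00,   # SA2: source unit
        sid,    # SID: service id, echoed back in the response
    ])
    body = (MEMORY_AREA_READ + bytes([area])
            + struct.pack(">HB", word, 0) + struct.pack(">H", count))
    return header + body


def parse_read_response(resp: bytes, expect_da1: int, expect_sa1: int) -> list:
    """Check the response header, addressing and end code; return the word values."""
    if len(resp) < 14:
        raise ValueError("response too short")
    icf, _rsv, _gct, _dna, da1, _da2, _sna, sa1, _sa2, _sid = resp[:10]
    # A response has ICF bit 6 set, and DA1/SA1 are swapped relative to the request.
    if not icf & 0x40:
        raise ValueError("not a FINS response frame")
    if da1 != expect_sa1 or sa1 != expect_da1:
        raise ValueError(f"reply addressed to node {da1} from node {sa1}, unexpected")
    if resp[10:12] != MEMORY_AREA_READ:
        raise ValueError("reply to a different command")
    end_code = resp[12:14]
    if end_code != b"\x00\x00":
        raise ValueError(f"PLC returned end code {end_code.hex()}")
    data = resp[14:]
    if len(data) % 2:
        raise ValueError("odd data length for word read")
    return list(struct.unpack(f">{len(data) // 2}H", data))


def send_read(host: str, request: bytes, timeout: float = 2.0) -> bytes:
    """Send one request over UDP and return the raw reply (real network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, FINS_PORT))
        data, _ = s.recvfrom(2048)
        return data


if __name__ == "__main__":
    da1, sa1 = fins_node_numbers("192.168.250.1", "192.168.250.51")  # -> (1, 51)
    req = build_read_request(da1, sa1, word=642, count=2)
    print(req.hex())
    # Constructed reply (no PLC involved): swapped nodes, end code 0000, two words.
    reply = (bytes([0xC0, 0x00, 0x02, 0x00, sa1, 0x00, 0x00, da1, 0x00, 0x00])
             + b"\x01\x01\x00\x00" + struct.pack(">HH", 0x0123, 0x0FFF))
    print(parse_read_response(reply, da1, sa1))
```

The address check in parse_read_response is the first thing to look at when a read times out: with the PLC's default automatic IP address conversion the reply is routed to node SA1 on the PLC's own subnet, so an SA1 of 201 (the public last octet) would send it to 192.168.250.201, which nothing behind the src-nat rule answers to, while 51 lands on the router and is translated back.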