blackt1ger
just joined
Topic Author
Posts: 11
Joined: Sat May 04, 2013 7:26 am

old configs don't work

Sat Jan 04, 2025 1:30 am

We bought tons of old MikroTik routers running RouterOS 4.14. These had 3 ports and we used 1 for admin and the other two for routing.
I now have the RB5009UG+S+ running RouterOS 7.11.3

We have systems that are all configured at 192.168.10.100 and we used IP Firewall Filters to do nat-dst and nat-src to move it to 192.168.20.x


Example: System 1 - 192.168.10.100 ==> 192.168.20.10
System 2 - 192.168.10.100 ==> 192.168.20.20
System 3 - 192.168.10.100 ==> 192.168.20.30

But I'm having a bit of difficulty setting the new 8 port up.

this is the complete scripts we used (for one particular Mikrotik):

# Basic setup to NAT/to/from 192.168.20.0 <==> 192.168.10.0 RouterOS 4.14
# software id = RU21-118P

/system identity
set name=router-20-10

# ether1 is the 'command' port
# ether2 is the internal 'gauge' network.
# ether3 is the external 'public' network.

/ip address
add address=10.10.10.1/24   	interface=ether1  	comment="Router"  

add address=192.168.10.1/24 	interface=ether2  	comment="Internal Gateway" 
add address=192.168.20.10/24 	interface=ether3 	comment="External MEC" 
add address=192.168.20.11/24 	interface=ether3 	comment="External LINK" 
add address=192.168.20.12/24 	interface=ether3 	comment="External REMOTE"

add address=192.168.20.19/24   	interface=ether3  	comment="External Router"  

#
# Set default gateway route
#
/ip route
add comment="Default gateway" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.20.1 scope=30 target-scope=10


#
# Add nat rules here
#
#
/ip firewall nat
add action=dst-nat chain=dstnat comment="To MEC" disabled=no dst-address=192.168.20.10 to-addresses=192.168.10.100
add action=src-nat chain=srcnat comment="From MEC" disabled=no src-address=192.168.10.100 to-addresses=192.168.20.10

add action=dst-nat chain=dstnat comment="To Link" disabled=no dst-address=192.168.20.11 to-addresses=192.168.10.110
add action=src-nat chain=srcnat comment="From Link" disabled=no src-address=192.168.10.110 to-addresses=192.168.20.11

add action=dst-nat chain=dstnat comment="To Remote" disabled=no dst-address=192.168.20.12 to-addresses=192.168.10.200
add action=src-nat chain=srcnat comment="From Remote" disabled=no src-address=192.168.10.200 to-addresses=192.168.20.12

add action=dst-nat chain=dstnat comment="To Somewhere else" disabled=no dst-address=192.168.20.15 to-addresses=192.168.10.150
add action=src-nat chain=srcnat comment="From Somewhere else" disabled=no src-address=192.168.10.150 to-addresses=192.168.20.15


#
# Add Service ports for maintaining
#
# NOTE: telnet, ftp and www are plaintext protocols, and address=0.0.0.0/0
# accepts logins from any source address. Restrict address= to the
# management subnet (10.10.10.0/24 on ether1 here) and disable the
# services that are not used.
#
/ip service
set telnet 	address=0.0.0.0/0 	port=23
set ftp 	address=0.0.0.0/0 	port=21
set www 	address=0.0.0.0/0 	port=80
set winbox	address=0.0.0.0/0	port=8291

And this is what I've got so far --- can't make it work. Something is missing. I really want 192.168.20.10 to go to port 1, 192.168.20.20 to go to port 2, .... 192.168.20.70 to port 7 and use port 8 as the external port.


# 1970-01-02 02:00:03 by RouterOS 7.11.3
# software id = VN5D-CB7D
#
# model = RB5009UG+S+
# serial number = 

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=gauge-10

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge settings
set use-ip-firewall=yes

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ipv6 settings
set disable-ipv6=yes

/interface list member
add interface=ether8 list=LAN
add interface=ether1 list=gauge-10

/ip address
add address=192.168.20.80/24 interface=ether8 network=192.168.20.0
add address=192.168.10.100/24 interface=ether1 network=192.168.10.0

/ip firewall nat
add action=dst-nat chain=dstnat comment=mec-10 dst-address=192.168.20.10 \
    to-addresses=192.168.10.100
add action=src-nat chain=srcnat comment=mec-10 src-address=192.168.10.100 \
    to-addresses=192.168.20.10

/ip route
add distance=1 gateway=192.168.20.1

/system note
set show-at-login=no

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by BartoszP on Sun Jan 05, 2025 11:58 am, edited 1 time in total.
Reason: removed serial. Please use code tags for code, not quotes
 
lurker888
Frequent Visitor
Posts: 55
Joined: Thu Mar 02, 2023 12:33 am

Re: old configs don't work

Sat Jan 04, 2025 7:07 am

Hi!

First on firewalls. I gather that this is some sort of industrial/control system. Yes, in these scenarios proper firewall configuration was often historically not done or entirely neglected. This may be acceptable for you currently. However best practice is to use proper firewalls and access controls even in these situations, and depending on the country/jurisdiction and industry, sooner or later there WILL be a requirement for these, so you are best off tackling it sooner rather than later (just my opinion.) But your question is about routing, so enough about this.

(Ok, just a tip: if everyone suggests doing it some specific way - and from what I've been reading, the ones taking the time to reply to your question are actually quite knowledgeable - at least consider it.)

The config that you posted for v4 is actually quite reasonable. The only quibble I would have with it is that the src-nat and dst-nat actions are intended for situations where there is a many-to-one relationship (or 100 to 4, etc. - so a dissimilar number of IP addresses are mapped), and for one-to-one mapping the action netmap is the intended one. But src/dst-nat should work - as indeed it does.

The v4 config should work without issue on v7. (There might be some slight syntax change...)

The v7 config that you posted does not at all resemble the v4 config, and from your description it is totally unclear what you want to accomplish.

So... if you want help then describe (possibly with the aid of a diagram) the complete intended operation of the network. Your initial description was not complete either (but I could at least see what the behavior is from the config), but what you intend for v7 is totally and fully unclear.
 
holvoetn
Forum Guru
Posts: 6864
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: old configs don't work

Sat Jan 04, 2025 9:03 am

( thread cleaned up so it's back on topic, everyone behave please)
 
blackt1ger
just joined
Topic Author
Posts: 11
Joined: Sat May 04, 2013 7:26 am

Re: old configs don't work

Sat Jan 04, 2025 10:56 pm

yes. This is an industrial control system. Most of the hardware has embedded IP addresses that can only be changed to 1 of 4 available addresses. Regardless, they are all on 192.168.10.x. We don't allow external network connections; it would be a violation of the minimum spec. If anything goes wrong and they waste millions, we don't accept responsibility if it was connected externally and got stalled due to network traffic.

Changing the firmware for all the systems would mean custom firmware packages, and make field replacements untenable.

The problem appears to be after NATting to/from 192.168.10.100: in a particular case, it is not known which physical interface the packet should be sent out of, as I have 7 possible destinations for x.x.10.100.

So, I'm investigating prerouting and adding a packet mark, so if I get 192.168.20.30, I mark it to "30". There used to be a way to set a route that has a packet mark as a condition, but I can't find it.

We have been doing this at the factory using the old RouterOS 4.0 with great success, but only two interfaces were used, one incoming and one outgoing, so there was no ambiguity.

We now have a customer that want to connect 4 systems together to work in parallel --- once again, as an isolated network island.
 
lurker888
Frequent Visitor
Posts: 55
Joined: Thu Mar 02, 2023 12:33 am

Re: old configs don't work

Sun Jan 05, 2025 3:58 am

Okay. Now I see. So while until now you had a Mikrotik router per system/device, now you want one router to handle multiple systems. This is entirely doable.

This doesn't answer your question directly, but have you considered using a cheaper router (the hEX refresh for example) and retain the one system - one router design? This would allow you to retain the old config, and considering that you can (almost-kind of) buy 4 hEX devices for the price of one rb5009, would not increase price dramatically.

Even for the multiple systems - one router way, I would still consider the hEX. This would allow 4 systems/router. (In these low volume industrial settings, this router is an ideal fit in many settings.)

Alternatively, if you have more than 7 systems, you could (depending on traffic volume) use a CRS device with the appropriate number of ports... Or if you need higher routing power, then a switch with the appropriate number of ports + RB5009 and VLANs.

What I really can't understand is that while asking for help, and considering that there are people here that actually want to help you, you do your best to carefully guard any insight into what it is that you actually want to do.

Describe the problem. Fully!!!

As to your question directly: yes in case you have more than one system on a given router with the same IP range, you have to have some way of separating them. VRFs are the usual weapon of choice. (While in your case it is not strictly necessary, look into the use of connection marks.) To do this successfully, while not especially hard, requires a solid understanding of networking. I'm sorry to say, but while I have done several such configs before (they are quite common in certain industrial systems,) I am not aware of any good online guide/tutorial on the subject.

But *if* you write down your problem *fully* and don't leave me guessing I can at least give you some pointers.

Questions:
* How many of these devices/systems do you have?
* Would you prefer a central (i.e. one router to handle all of them) or distributed (one router per system, one router per 4 systems, one router per 7 systems...) approach. Central is the easiest to manage, but a failure can take everything offline at once.
* What is the traffic direction - i.e. is it always a central "controller" that initiates connections to the "controlled" systems, or are connections initiated in both directions?
* What is the traffic volume/bandwidth?
 
blackt1ger
just joined
Topic Author
Posts: 11
Joined: Sat May 04, 2013 7:26 am

Re: old configs don't work

Sun Jan 05, 2025 4:28 am

Describe the problem. Fully!!!
Sorry if I'm not clear. I'm trying to make the situation simple. Try this, assume you have 7 devices for which you can not change the IP address and they all have the same IP address, in this case 192.168.10.100. Now, each device is connected to a single physical interface, leaving me with a single outgoing physical interface. So, I want to address each of them uniquely, say 192.168.20.10, 192.168.20.20, ......

NAT helps me rewrite the IP address, fine. But, in the incoming example, say 192.168.20.10, it gets NATted to 192.168.10.100. Now which physical port does it go out?

Now, to FULLY describe the problem, it is not just a single IP I'm doing this for, but 3 and possibly 4.

No, I have not looked at alternate products. I spent some time looking at many different routers, none of which even hinted at being able to be used in this way (I read the online manuals). However, we knew RouterOS had already demonstrated the ability. I guess I overestimated the difficulty of using such an advanced product for such a trivial matter.

For what it's worth, another engineer spent a week on it with no success and then we sent it to our IT company and they spent a week on it with no success, so now I have it.
 
lurker888
Frequent Visitor
Posts: 55
Joined: Thu Mar 02, 2023 12:33 am

Re: old configs don't work

Sun Jan 05, 2025 5:37 am

Okay, the picture is clear now. As I've said this is entirely doable with Mikrotik devices, and I've done this sort of config for several systems. It does require a good understanding of networking in Linux. It is non-trivial in the sense that it is not usually done, and therefore a bit more than "copy from a cookbook" approach is required.

Roughly:
1. You set up VRFs:
* Let's assume ether1 will be used as the "controller" port. This we will put (leave) in VRF main. (No setting required for this.)
* The first device/system to be translated is then connected to ether2. We put this in VRF vrf1. The second device (ether3) we put in vrf2. You can figure out the rest :-)
2. We add addresses to the main VRF (ether1.) These will be all the addresses that we wish to translate (192.168.20.10, 11, 12, etc.). Plus add an address for the router itself for configuration purposes.
3. We add a gateway address (192.168.10.1) into *all* device VRFs.
4. Add a route into *all* the device VRFs to 192.168.20.0/24 pointing to ether1
5. Add an address/route to 192.168.10.0/24 to the main table. This can be on lo, on a separate bridge, etc. This is needed for the routing adjustment part of the packet flow. (This is kind of counter-intuitive, and this is not meant as a full explanation of what is going on.)
6. Mark the packets that are from the controller to the devices (prerouting - mark routing action) - it is not necessary, but adding packet marks as well could result in more aesthetically pleasing nat chain
7. Use policy routing (routing rules) to direct packets appropriately.
8. Mark packets from the devices to the controller (prerouting - mark packet) (use these for src-nat)
9. Use dst/srcnat (or as I would prefer, netmap) to translate the addresses.

That's all there is to it :-)

I would have suggested that you contract your local IT supplier, because while it seems a bit involved, actually for someone who knows what they are doing this config can be done in 2-3-4 hours. (And most of that is replicating your setup to be able to test it, the actual config should take at max. 2 hours for someone with experience.) But you have done that and it didn't work out :-(

If you can't find someone locally, I'm willing to consult with you, and replicate your setup, etc. and send you a tested/labbed configuration.

If you rather want to learn, I'm still of course happy to help. Start by labbing up your setup (if you have not already done so.) I would suggest two devices, because that is then trivial to expand to more.
Last edited by lurker888 on Sun Jan 05, 2025 7:49 am, edited 1 time in total.
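The nine steps above, written out as a complete two-device RouterOS 7 lab config. This is an added example, not code from the thread or from anyone in it. It assumes ether1 faces the controller, ether2 and ether3 each carry one device fixed at 192.168.10.100, the external names 192.168.20.10 and 192.168.20.20, the management address 192.168.20.80, and the VRF and mark names shown; all of these are assumptions. It uses routing marks that name the VRF tables directly (as the working config at the end of the thread does) instead of separate packet marks and routing rules, so step 5 is not needed, and unlike the sketches in the thread it also handles connections the devices open themselves (steps 8 and 9), so the controller sees each device under its own 192.168.20.x address in both directions.

```routeros
# Added lab config (not from the thread) following the nine steps above on RouterOS 7.
# Assumed layout: ether1 = controller side, ether2 and ether3 = one device each,
# both devices fixed at 192.168.10.100, exposed as 192.168.20.10 and 192.168.20.20.

# Step 1: one VRF per device port; ether1 stays in the main table.
/ip vrf
add name=vrf2 interfaces=ether2
add name=vrf3 interfaces=ether3

# Step 2: the external names of the devices, plus a management address, on ether1.
/ip address
add address=192.168.20.80/24 interface=ether1 comment="router management"
add address=192.168.20.10/24 interface=ether1 comment="device behind ether2"
add address=192.168.20.20/24 interface=ether1 comment="device behind ether3"

# Step 3: the same gateway address in every device VRF. Each VRF has its own
# routing table, so the duplicate 192.168.10.0/24 connected routes do not clash.
add address=192.168.10.1/24 interface=ether2
add address=192.168.10.1/24 interface=ether3

# Step 4: every device VRF needs a route back to the controller side.
/ip route
add dst-address=192.168.20.0/24 gateway=ether1 routing-table=vrf2
add dst-address=192.168.20.0/24 gateway=ether1 routing-table=vrf3

# Steps 6-8: classify each connection once, by the pre-NAT destination for
# controller-initiated traffic and by the ingress port for device-initiated
# traffic, then route every packet of that connection in the matching VRF table.
/ip firewall mangle
add chain=prerouting in-interface=ether1 dst-address=192.168.20.10 connection-mark=no-mark \
    action=mark-connection new-connection-mark=port2 passthrough=yes
add chain=prerouting in-interface=ether1 dst-address=192.168.20.20 connection-mark=no-mark \
    action=mark-connection new-connection-mark=port3 passthrough=yes
add chain=prerouting in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=port2 passthrough=yes
add chain=prerouting in-interface=ether3 connection-mark=no-mark \
    action=mark-connection new-connection-mark=port3 passthrough=yes
add chain=prerouting connection-mark=port2 action=mark-routing new-routing-mark=vrf2 passthrough=no
add chain=prerouting connection-mark=port3 action=mark-routing new-routing-mark=vrf3 passthrough=no

# Step 9: one-to-one translation in both directions. netmap in dstnat maps the
# external name to the fixed device address; netmap in srcnat gives connections
# the device opens its external name (only new connections consult srcnat, so
# replies of controller-initiated connections never hit these rules); masquerade
# makes controller-initiated traffic come from 192.168.10.1, so the devices need
# no gateway of their own.
/ip firewall nat
add chain=dstnat dst-address=192.168.20.10 action=netmap to-addresses=192.168.10.100
add chain=dstnat dst-address=192.168.20.20 action=netmap to-addresses=192.168.10.100
add chain=srcnat connection-mark=port2 src-address=192.168.10.100 action=netmap to-addresses=192.168.20.10
add chain=srcnat connection-mark=port3 src-address=192.168.10.100 action=netmap to-addresses=192.168.20.20
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masquerade
```

Each extra port adds one VRF, one 192.168.10.1/24 address, one return route, two mangle classifiers and three NAT rules. The `connection-mark=no-mark` condition limits the classifiers to the first packet of each connection; after that the mark-routing rule carries the decision to every packet in both directions, which is what answers the "which physical port does it go out?" question: the table is chosen from the pre-NAT destination (or the ingress port) before the routing decision, and each VRF table only knows the 192.168.10.0/24 on its own port.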
 
Amm0
Forum Guru
Posts: 4420
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: old configs don't work

Sun Jan 05, 2025 5:48 am

So you have a MikroTik router, it has one port going to some switch with 2+ devices with the same IP and subnet? If each device with the same IP was connected to a different port on the MikroTik router, the duplicate IP/subnet is solved by adding an interface to route, in which case only a src-nat would be needed. But if you really have the same IP with multiple devices on the same segment+subnet, you may need to do some more sophisticated tricks with /ip/arp and/or bridge NAT/filter rules, but this gets complex/specific.

Most of the time industrial devices with the same IP are on different LAN/Layer2/ethernet segments (either via ports on the MikroTik or via VLANs coming from a switch). If the devices are all on the same LAN segment, you mention these devices support 4 different subnet choices, so if you just switch each to a different subnet, then they can all be on the same L2/ethernet segment/"router port" & the router would then use 4 IP addresses, one for each of the devices' unique subnets. And if you want to "renumber" them to a different subnet (like your 192.168.20.x), you can use a "netmap" rule to remap the device subnet to something unique in your overall routing. This approach still means you are limited to the number of fixed subnets the device has per port/VLAN.

Also I'm not familiar with the specifics of RouterOS v4... but I'm still not sure why this would have worked there. The only thing is perhaps the route cache helped with maintaining the ARP table, but really IDK - but v7 does use a different routing engine while v6 would be more similar to v4. Which begs the question: have you considered trying your v4 config on v6 first? v6 is still supported, so if that worked that might be an option, or at least a worthwhile test to narrow the scope of the problem. (oops, the RB5009 only supports v7)
 
blackt1ger
just joined
Topic Author
Posts: 11
Joined: Sat May 04, 2013 7:26 am

Re: old configs don't work

Sun Jan 05, 2025 8:34 am

.....
That's all there is to it :-)
.....
If you can't find someone locally, I'm willing to consult with you, and replicate your setup, etc. and send you a tested/labbed configuration.
Let me check on Monday. A few billable hours may not be a problem. I had a sense the VRF stuff was going to peek up and show its head. I've been reading up quite a lot lately. But, alas, I'm working at home this weekend and the router is on my desk.

I've been trying to digest this thread: viewtopic.php?t=182537 because it seems close.
 
lurker888
Frequent Visitor
Posts: 55
Joined: Thu Mar 02, 2023 12:33 am

Re: old configs don't work

Sun Jan 05, 2025 8:50 am

Basically it goes something like this:
/routing/table add name=to2 fib
/interface/bridge add name=dummy_target
/ip/address add address=192.168.10.1/24 interface=dummy_target

/ip/vrf add name=vrf2 interfaces=ether2
/ip/address add address=192.168.20.10/24 interface=ether1
/ip/address add address=192.168.10.1/24 interface=ether2
/ip/route add dst-address=192.168.20.0/24 gateway=ether1 routing-table=vrf2
/ip/firewall/mangle add chain=prerouting dst-address=192.168.20.10 action=mark-packet new-packet-mark=to2
/ip/firewall/mangle add chain=prerouting packet-mark=to2 action=mark-routing new-routing-mark=to2
/ip/firewall/mangle add chain=prerouting dst-address=192.168.20.0/24 in-interface=ether2 action=mark-packet new-packet-mark=from2
/routing/rule add routing-mark=to2 action=lookup-only-in-table table=vrf2
... and you use the packet marks in the NAT rules.

It can be done in a less convoluted way and with fewer rules, but you lose some edge-case functionality/behavior - you only have to write out the basic config once and then change IPs around, so I tend to go with the more complicated approach if it yields fewer surprises in the future.

Please note that this config was not tested...

BTW the packet flow diagram needed to understand this is here:
https://help.mikrotik.com/docs/spaces/R ... n+RouterOS
Last edited by lurker888 on Sun Jan 05, 2025 12:34 pm, edited 2 times in total.
 
jaclaz
Forum Guru
Posts: 2135
Joined: Tue Oct 03, 2023 4:21 pm

Re: old configs don't work

Sun Jan 05, 2025 11:54 am

Unless I am missing something, it should be possible even without VRF's, the "generic" case being "access multiple devices with same fixed IP address connected to different ports/interfaces".

Here is a solved case for two devices (I don't see how it cannot be extended to more devices, one per used port/interface):
viewtopic.php?t=213056

Using VRF's may make the configuration more "linear" and easy to read in the future, though.
The referenced solution, adapted to ROS 7, would need explicitly declared routing tables (in /ip route the "routing-mark" would become "routing-table"), so in the end it won't look very different from a VRF-based solution.
 
lurker888
Frequent Visitor
Posts: 55
Joined: Thu Mar 02, 2023 12:33 am

Re: old configs don't work

Sun Jan 05, 2025 12:40 pm

Yep. And in v6 there is actually almost no difference, being that vrfs are implemented "in the background" as routing tables. VRFs in v7 bring some niceties because they are actual namespaces.

But both work so OP should pick his poison :-)

The referenced thread is a nice discussion btw.
 
blackt1ger
just joined
Topic Author
Posts: 11
Joined: Sat May 04, 2013 7:26 am

Re: old configs don't work

Thu Jan 09, 2025 1:05 am

Got hit hard with snow - company shutdown for a few days.

So, I haven't given up. I still need to talk to someone about outsourcing this, but snow emergencies....

It appears that 'routing-mark' isn't supported anymore in 'ip route'.
/ip route
add distance=1 dst-address=10.1.1.0/24 gateway=ether2 routing-mark=via-ether2
So, for RouterOS 7, I can't do one of the options. It seems there are more options available via RouterOS 6.

So, 'src-nat' and 'dst-nat' are part of the Routing Decision and should be okay, i.e. src-nat/dst-nat rules shouldn't change.
The Firewall mangle rules have a 'mark-routing' that lets me choose a routing table from 'main', 'vrf1', 'vrf2'.
It appears that all I need, then are correct routing tables in 'vrf1' and 'vrf2'......

Been trying it without luck.
 
jaclaz
Forum Guru
Posts: 2135
Joined: Tue Oct 03, 2023 4:21 pm

Re: old configs don't work

Thu Jan 09, 2025 1:39 am

In 7 you need to explicitly add the routing tables and the routing-mark becomes routing-table in /ip route, as already hinted.

Like:
/routing table
add fib name=via-ether2
add fib name=via-ether3
and then:
/ip route
add distance=1 dst-address=10.1.1.0/24 gateway=ether2 routing-table=via-ether2

In mangle it remains
new-routing-mark=via-ether2

Check:
viewtopic.php?p=1110759#p1110759
 
blackt1ger
just joined
Topic Author
Posts: 11
Joined: Sat May 04, 2013 7:26 am

Re: old configs don't work

Sat Jan 11, 2025 3:06 am

Well, finally got something working ..... :)

I brought in a bunch of Raspberry PI's to set them up because I can change THOSE ip addresses to test jaclaz's solution. And it works fine.
Been trying to convert them over to the IP addresses I need, but typos being typos, haven't got it done yet.

I'll mark this as 'closed' or 'solved' come Monday/Tuesday, if all goes well (and it should) - and post the solution I ended up with.

I want to thank everybody, especially lurker888 and jaclaz.

Oh, the code I used was mostly from viewtopic.php?p=1110759#p1110759
 
jaclaz
Forum Guru
Posts: 2135
Joined: Tue Oct 03, 2023 4:21 pm

Re: old configs don't work

Sat Jan 11, 2025 11:30 am

Good. :)
Now that you have the general idea/basic setup working, you should check the post by Sindy right after that:
viewtopic.php?p=1110759#p1111163
as his version is more elegant, and compare with the "final" version on the other already mentioned thread:
viewtopic.php?t=213056
Just as the OP there you might need the blackhole rules for when one or more of the devices are offline.
 
blackt1ger
just joined
Topic Author
Posts: 11
Joined: Sat May 04, 2013 7:26 am

Re: old configs don't work  [SOLVED]

Mon Jan 13, 2025 9:48 pm

thanks, will check. Here's my 'cleaned up' script. It is saved onto the MikroTik, so it actually includes instructions for future me in years from now.

# 1970-01-02 05:09:45 by RouterOS 7.11.3
#
# model = RB5009UG+S+
#
#
#  THIS IS NOT SECURED
# --------------------
#  only use when using an up-stream firewall,  
#  blocking all 192.168.20.0/24 and 192.168.10.0/24
#  by default
#
#
#  eth1 - upstream interface - management port - 192.168.20.80
#
#
#  eth2 - device port, hosting 192.168.20.10 - 192.168.20.12
#  eth3 - device port, hosting 192.168.20.20 - 192.168.20.22
#  eth4 - device port, hosting 192.168.20.30 - 192.168.20.32
#  eth5 - device port, hosting 192.168.20.40 - 192.168.20.42
#  eth6 - device port, hosting 192.168.20.50 - 192.168.20.52
#  eth7 - device port, hosting 192.168.20.60 - 192.168.20.62
#  eth8 - device port, hosting 192.168.20.70 - 192.168.20.72

#  each device port runs 
#	192.168.10.100
#	192.168.10.110
#	192.168.10.200
#
#  To add a new device ip, say 192.168.20.13 to 192.168.10.51
#
#
#  1)  Add the external address to the upstream interface
#
#	/ip address add address=192.168.20.13 network=192.168.20.0 interface=ether1
#
#
#  2)  Add the external ip to the firewall address list that selects the device port.
#      The mangle rules match the destination before NAT, so the lists hold the
#      192.168.20.x addresses, and each device port has its own list.
#
#       /ip firewall address-list add address=192.168.20.13 list=external-10
#
#  3)  Add the firewall NAT rule mapping the external address to the internal one
#
#       /ip firewall nat add action=netmap chain=dstnat dst-address=192.168.20.13 to-addresses=192.168.10.51
#
#


/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip vrf
add interfaces=ether8 name=vrf8
add interfaces=ether7 name=vrf7
add interfaces=ether6 name=vrf6
add interfaces=ether5 name=vrf5
add interfaces=ether4 name=vrf4
add interfaces=ether3 name=vrf3
add interfaces=ether2 name=vrf2

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ipv6 settings
set disable-ipv6=yes

/interface list member
add interface=ether1 list=LAN


/ip address
add address=192.168.20.80 interface=ether1 network=192.168.20.80 
add address=192.168.20.10 interface=ether1 network=192.168.20.0
add address=192.168.20.11 interface=ether1 network=192.168.20.0
add address=192.168.20.12 interface=ether1 network=192.168.20.0
add address=192.168.20.20 interface=ether1 network=192.168.20.0
add address=192.168.20.21 interface=ether1 network=192.168.20.0
add address=192.168.20.22 interface=ether1 network=192.168.20.0
add address=192.168.20.30 interface=ether1 network=192.168.20.0
add address=192.168.20.31 interface=ether1 network=192.168.20.0
add address=192.168.20.32 interface=ether1 network=192.168.20.0
add address=192.168.20.40 interface=ether1 network=192.168.20.0
add address=192.168.20.41 interface=ether1 network=192.168.20.0
add address=192.168.20.42 interface=ether1 network=192.168.20.0
add address=192.168.20.50 interface=ether1 network=192.168.20.0
add address=192.168.20.51 interface=ether1 network=192.168.20.0
add address=192.168.20.52 interface=ether1 network=192.168.20.0
add address=192.168.20.60 interface=ether1 network=192.168.20.0
add address=192.168.20.61 interface=ether1 network=192.168.20.0
add address=192.168.20.62 interface=ether1 network=192.168.20.0
add address=192.168.20.70 interface=ether1 network=192.168.20.0
add address=192.168.20.71 interface=ether1 network=192.168.20.0
add address=192.168.20.72 interface=ether1 network=192.168.20.0
add address=192.168.10.1 interface=ether2 network=192.168.10.1
add address=192.168.10.1 interface=ether3 network=192.168.10.1
add address=192.168.10.1 interface=ether4 network=192.168.10.1
add address=192.168.10.1 interface=ether5 network=192.168.10.1
add address=192.168.10.1 interface=ether6 network=192.168.10.1
add address=192.168.10.1 interface=ether7 network=192.168.10.1
add address=192.168.10.1 interface=ether8 network=192.168.10.1


/ip dns
# NOTE: answers DNS queries arriving on every interface. With no input filter
# rules, set this to no unless the devices actually need the router as a resolver.
set allow-remote-requests=yes

/ip firewall address-list
add address=192.168.20.10 list=external-10
add address=192.168.20.11 list=external-10
add address=192.168.20.12 list=external-10
add address=192.168.20.20 list=external-20
add address=192.168.20.21 list=external-20
add address=192.168.20.22 list=external-20
add address=192.168.20.30 list=external-30
add address=192.168.20.31 list=external-30
add address=192.168.20.32 list=external-30
add address=192.168.20.40 list=external-40
add address=192.168.20.41 list=external-40
add address=192.168.20.42 list=external-40
add address=192.168.20.50 list=external-50
add address=192.168.20.51 list=external-50
add address=192.168.20.52 list=external-50
add address=192.168.20.60 list=external-60
add address=192.168.20.61 list=external-60
add address=192.168.20.62 list=external-60
add address=192.168.20.70 list=external-70
add address=192.168.20.71 list=external-70
add address=192.168.20.72 list=external-70

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=external-10 new-connection-mark=port2 passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=external-20 new-connection-mark=port3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=external-30 new-connection-mark=port4 passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=external-40 new-connection-mark=port5 passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=external-50 new-connection-mark=port6 passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=external-60 new-connection-mark=port7 passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=external-70 new-connection-mark=port8 passthrough=yes

add action=mark-routing chain=prerouting connection-mark=port2 new-routing-mark=vrf2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port3 new-routing-mark=vrf3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port4 new-routing-mark=vrf4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port5 new-routing-mark=vrf5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port6 new-routing-mark=vrf6 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port7 new-routing-mark=vrf7 passthrough=no
add action=mark-routing chain=prerouting connection-mark=port8 new-routing-mark=vrf8 passthrough=no


/ip firewall nat
add action=netmap chain=dstnat dst-address=192.168.20.10 to-addresses=192.168.10.100
add action=netmap chain=dstnat dst-address=192.168.20.11 to-addresses=192.168.10.110
add action=netmap chain=dstnat dst-address=192.168.20.12 to-addresses=192.168.10.200
add action=netmap chain=dstnat dst-address=192.168.20.20 to-addresses=192.168.10.100
add action=netmap chain=dstnat dst-address=192.168.20.21 to-addresses=192.168.10.110
add action=netmap chain=dstnat dst-address=192.168.20.22 to-addresses=192.168.10.200
add action=netmap chain=dstnat dst-address=192.168.20.30 to-addresses=192.168.10.100
add action=netmap chain=dstnat dst-address=192.168.20.31 to-addresses=192.168.10.110
add action=netmap chain=dstnat dst-address=192.168.20.32 to-addresses=192.168.10.200
add action=netmap chain=dstnat dst-address=192.168.20.40 to-addresses=192.168.10.100
add action=netmap chain=dstnat dst-address=192.168.20.41 to-addresses=192.168.10.110
add action=netmap chain=dstnat dst-address=192.168.20.42 to-addresses=192.168.10.200
add action=netmap chain=dstnat dst-address=192.168.20.50 to-addresses=192.168.10.100
add action=netmap chain=dstnat dst-address=192.168.20.51 to-addresses=192.168.10.110
add action=netmap chain=dstnat dst-address=192.168.20.52 to-addresses=192.168.10.200
add action=netmap chain=dstnat dst-address=192.168.20.60 to-addresses=192.168.10.100
add action=netmap chain=dstnat dst-address=192.168.20.61 to-addresses=192.168.10.110
add action=netmap chain=dstnat dst-address=192.168.20.62 to-addresses=192.168.10.200
add action=netmap chain=dstnat dst-address=192.168.20.70 to-addresses=192.168.10.100
add action=netmap chain=dstnat dst-address=192.168.20.71 to-addresses=192.168.10.110
add action=netmap chain=dstnat dst-address=192.168.20.72 to-addresses=192.168.10.200
# NOTE: 192.168.20.80 is also the router's own management address on ether1.
# dstnat is evaluated before the router's input chain, so these three rules
# rewrite IP traffic sent to .80 instead of letting it reach the router, and
# there is no external-80 list or VRF route for them. Remove them if IP
# management on .80 is wanted (MAC-winbox on ether1 is not affected).
add action=netmap chain=dstnat dst-address=192.168.20.80 to-addresses=192.168.10.100
add action=netmap chain=dstnat dst-address=192.168.20.81 to-addresses=192.168.10.110
add action=netmap chain=dstnat dst-address=192.168.20.82 to-addresses=192.168.10.200

add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
add action=masquerade chain=srcnat out-interface=ether4
add action=masquerade chain=srcnat out-interface=ether5
add action=masquerade chain=srcnat out-interface=ether6
add action=masquerade chain=srcnat out-interface=ether7
add action=masquerade chain=srcnat out-interface=ether8


/ip route
add distance=1 gateway=192.168.20.1 comment="upstream gw"

add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=ether2@vrf2 pref-src="" routing-table=vrf2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=ether3@vrf3 pref-src="" routing-table=vrf3 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=ether4@vrf4 pref-src="" routing-table=vrf4 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=ether5@vrf5 pref-src="" routing-table=vrf5 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=ether6@vrf6 pref-src="" routing-table=vrf6 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=ether7@vrf7 pref-src="" routing-table=vrf7 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=ether8@vrf8 pref-src="" routing-table=vrf8 scope=30 suppress-hw-offload=no target-scope=10

add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=ether1 pref-src="" routing-table=vrf2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=ether1 pref-src="" routing-table=vrf3 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=ether1 pref-src="" routing-table=vrf4 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=ether1 pref-src="" routing-table=vrf5 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=ether1 pref-src="" routing-table=vrf6 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=ether1 pref-src="" routing-table=vrf7 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=ether1 pref-src="" routing-table=vrf8 scope=30 suppress-hw-offload=no target-scope=10



/system note
set show-at-login=no

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN
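The header of the script says it is not secured and depends on an upstream firewall. As an added example (not part of the posted config and not from anyone in the thread), here is the on-router hardening that goes with it: filter rules that only let the upstream side open connections to the devices and only a management host reach the router, the plaintext services disabled, and MAC-level management switched off. It assumes the same port layout as the script (ether1 upstream with the router at 192.168.20.80, ether2 to ether8 device ports); the management host 192.168.20.1 and the address-list name "mgmt" are assumptions to be replaced with the real ones.

```routeros
# Added hardening (not part of the posted script). Assumes the layout above:
# ether1 upstream, router management at 192.168.20.80, ether2-ether8 device ports.
# The management host 192.168.20.1 and the list name "mgmt" are assumptions.

/ip firewall address-list
add address=192.168.20.1 list=mgmt comment="hosts allowed to manage the router"

/ip firewall filter
# input chain: traffic to the router itself
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 src-address-list=mgmt protocol=tcp dst-port=22,8291 \
    action=accept comment="ssh/winbox from management hosts only"
add chain=input in-interface=ether1 protocol=icmp action=accept
add chain=input action=drop comment="everything else, including all device ports"

# forward chain: the controller side may open connections to the devices, nothing else.
# The filter sees the destination after dstnat, so the device subnet is matched here.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 dst-address=192.168.10.0/24 action=accept \
    comment="controller to device, seen after dstnat"
add chain=forward action=drop comment="no device-initiated and no device-to-device traffic"

# plaintext and unused management services off; the rest bound to the upstream subnet
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.20.0/24
set ssh address=192.168.20.0/24

# no MAC-level management or neighbor discovery on any port
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/ip neighbor discovery-settings
set discover-interface-list=none

# the VRF/NAT setup does not need the router to answer DNS for the devices
/ip dns
set allow-remote-requests=no
```

Two caveats. The forward rules drop everything the devices initiate, which is what the posted script implies (it only masquerades controller-initiated traffic); if a device must open connections itself, add an accept rule for that port before the final drop and give it a src-nat rule so the controller sees its 192.168.20.x name. And with MAC-winbox off, management depends on IP traffic reaching 192.168.20.80, which the three 192.168.20.80-82 netmap rules in the posted script would rewrite before it gets to the input chain, so drop or narrow those rules first.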