MikroTik

Greetings,
Let me start by saying I have probably read every post concerning RouterOS NATTing and for some reason I cannot get it to work. I have been at this for like 4 days now and finally decided to post a request for some help.

I am a process control guy, I love route-able IP ranges, so much easier for me. Unfortunately I need to make "172.16.4.52" look like "10.20.8.9". so in my head I say ok no sweat google will get me through... lol so wrong..

Here is what I am trying to accomplish I have a Modbus Gateway-"172.16.4.52" I want to be able to poll "10.20.8.9", and act the same as if I was polling 172.16.4.52 directly. I am thinking I need to NAT the two IP addresses together. Well i have tried multiple config's and here is my latest ones- any thoughts, criticisms, or anything is more than welcome.

# jan/02/1970 01:26:20 by RouterOS 6.7
# software id = xxxx-xxxx
#
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n l2mtu=2290
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=43F0023C82EB \
wpa2-pre-shared-key=43F0023C82EB
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip address
add address=10.20.8.9/32 interface=ether1 network=10.20.8.9
add address=172.16.4.240/24 interface=ether2 network=172.16.4.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=wlan1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.20.8.9 in-interface=ether2 \
to-addresses=172.16.4.52
add action=src-nat chain=srcnat out-interface=ether1 src-address=172.16.4.52 \
to-addresses=10.20.8.9
/ip route
add disabled=yes distance=1 gateway=172.16.4.52
/system identity
set name="The Router"
/system leds
set 0 interface=wlan1

I just exported everything but I am not even going to use the wireless right now. I just had this hardware idle and wanted to utilize its routing ability.

I ran into some problems too. However, mine I got to work out after and responses/suggestion from the forum.

I did however, followed quite few YouTube videos to make sure my settings were correct. This is because I am very new to Mikrotik.
These are the links of videos I followed.

http://www.youtube.com/watch?v=PFXl9O08Kkk
http://www.youtube.com/watch?v=ulDefmf1ces

It isn't clear what the source of the polling is. A device with address 10.2.8.X? The IP address currently applied to ether1 is a /32 - i.e. a single IP number. Which IP range is this interface expected to talk to?

hopefully I am answering this properly, a PC with an address of 10.20.8.71 should poll -10.20.8.9- and expect the same results as if i was polling 172.16.4.52 directly on the same subnet.

thank you for the quick responses.

First you need to correct the entry:
The /32 setting means that this interface has no idea that there are other 10.20.8.x addresses available via this interface. Perhaps you meant to use 10.20.8.9/24 ?

add address=10.20.8.9/24 interface=ether1 network=10.20.8.0

so I made that change and I can now successfully ping 10.20.8.9 but the NAT rules still are not working.? and if I try 10.20.8.9 on port 80 it just brings me to the routers webGUI. Not to the 172.16.4.52 WebGUI.

So is the 172.16.4.52 the ISP IP? If it is, once you get into your system, in your broswer bar, enter the IP (192.168.0.1) of the DHCP from that modem.

It should bring up the device login screen.

IE>your ISP has assigned the 172 to your modem, your modem is assigning a 192.168.0.4 to your router, so there for you need to go to 192.168.0.1.

no there is no ISP..(all private network) 172.16.4.52 is the current ip of the "Modbus gateway" device. No DHCP as all ip defined are static. I just need to be able to type 10.20.8.9. in my browser and hopefully it should act as if i was on the 172.16.4.xx subnet. so..


"MY PC (10.20.8.71) --->(Router 10.20.8.9) ---->"Modbus Gateway"(172.16.4.52)..

Can you upload the config as it stands at the moment?

#
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n l2mtu=2290
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=43F0023C82EB \
wpa2-pre-shared-key=43F0023C82EB
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip address
add address=10.20.8.9/24 interface=ether1 network=10.20.8.0
add address=172.16.4.240/24 interface=ether2 network=172.16.4.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=wlan1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.20.8.9 in-interface=ether2 \
to-addresses=172.16.4.52
add action=src-nat chain=srcnat out-interface=ether1 src-address=172.16.4.52 \
to-addresses=10.20.8.9
/ip route
add disabled=yes distance=1 gateway=172.16.4.52
/system identity
set name="The Router"
/system leds
set 0 interface=wlan1

here you go

The in-address would be ether1 for traffic coming from 10.20.8.0/24.
On this one perhaps you want the device at 172.16.4.52 to see the requests coming from the router's IP address on 172.16.4.0/24? If so you need to have a SRC NAT rule with out-interface = ether2 and dst-address=172.16.4.52.

Still not working completely, but have to be making progress. I made the changes you suggested and now I can see packets hit both of the firewall rules. But when I look at the connections tab a tcp connection will never establish, it just says sync...

here is the changed code. Here are a couple of screenshots.

Try changing the DST NAT ruled as follows:

add action=src-nat chain=srcnat dst-address=172.16.4.52 out-interface=ether2 \
to-addresses=172.16.4.240

Finally!, that worked. I definitely have some reading to do, I still do not quite understand why that worked. But thank you very much for the help!

I guess it just seems confusing "out-interface" and "to-address" of the src-NAT. does not seem like a logical solution... but then again I am very new to the Microtik world.

Thanks again,
Cypress