MikroTik NAT

jrexrode

I have a MikroTik wireless router that I want to set up as a low-cost NAT device for our control equipment. I have the router working as a wireless bridge to our plant network and can communicate with devices that have the same address structure, but so far I haven't been able to get the NAT portion of this to work. I know that a NAT rule needs to be set up, but so far no way that I've configured the rule seems to work.

Hoping someone on the forum has set one of these up and can give me some pointers or maybe provide a configuration file I could use as a template.

Any help is greatly appreciated.
 
I know that the RouterOS is largely the same across products, but what exact device do you have?

I happen to have a MikroTik hAP Lite wireless access point router handy, which I bought because my Ubiquiti AirRouter at home is flaky. I haven't used it for NAT yet.

What automation devices are you planning on using?

Can you post an example of how you have the NAT rules set up now ?
 
Ken, I'm using an RB951Ui-2HnD model. Below is my exported configuration.

In particular, this is the rule that configures the NAT:
add action=dst-nat chain=dstnat protocol=tcp src-address=10.36.25.100 to-addresses=192.168.1.10
[admin@Cooper SAP nest] > /export
# dec/04/2019 06:46:37 by RouterOS 6.39.2
# software id = MSC1-EN70
#
/interface bridge
add name=Bridge
add admin-mac=64:D1:54:E7:52:83 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=CSD wpa2-pre-shared-key=Scannr@Prod
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united states3" disabled=no distance=indoors frequency=auto mode=station-pseudobridge security-profile=CSD ssid=CS-DATA wireless-protocol=802.11
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes out-interface=all-ethernet
add action=dst-nat chain=dstnat protocol=tcp src-address=10.36.25.100 to-addresses=192.168.1.10
/system clock
set time-zone-name=EST
/system identity
set name="Cooper SAP nest"
/system ntp client
set enabled=yes primary-ntp=192.168.104.69
/system routerboard settings
set init-delay=0s
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
 
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1


ether2 and wlan1 are part of a bridge, which means they are just like Ethernet ports on the same switch, which means no routing between them, just forwarding of traffic based on MAC addresses; so no NAT is going to happen with your two networks bridged.



Your office network is 10.36.25.0/24 and the plant network is 192.168.1.0/24?


Change the DHCP client to assign the address to the WLAN interface, so the WLAN gets an IP address on your PLC network via DHCP when it connects, e.g. 192.168.1.125.



Assign an IP address on your office network to ether2, e.g. 10.36.25.253.



Tell your computer that, to access the PLC network, it needs to send traffic to the MikroTik; in the cmd window:
route add 192.168.1.0 mask 255.255.255.0 10.36.25.253


No NAT is required unless your office network and plant network are using the same IP addresses.


To avoid having to add a route to each computer that wants to access the PLC network, modify the routes on whatever router already exists.
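As an added example, not posted by anyone in this thread, here is the routed layout the reply above describes, written as RouterOS 6.x console commands to be applied on top of the exported configuration from the earlier post. The addresses (office side 10.36.25.0/24 with the MikroTik at 10.36.25.253, plant side 192.168.1.0/24 with the PLC at 192.168.1.10) and the PLC ports permitted through the forward chain (EtherNet/IP, TCP 44818 and UDP 2222) are assumptions for illustration; substitute whatever your equipment actually uses. The firewall rules are the practitioner's addition the reply does not spell out: once the router forwards between the two sides, the forward chain should only pass the office-to-PLC traffic you intend, not everything.

```routeros
# Added example (not from the thread). Assumed addressing:
#   office side  10.36.25.0/24, MikroTik address 10.36.25.253 on the ether2-5 bridge
#   plant side   192.168.1.0/24, wlan1 takes a DHCP lease from the plant network
#   PLC          192.168.1.10 (assumed), EtherNet/IP ports assumed below

# 1. Take wlan1 out of the bridge. ether2-5 stay bridged as the office-side switch;
#    wlan1 becomes a separate Layer 3 interface the router can route to.
/interface bridge port
remove [ find interface=wlan1 ]

# 2. Plain station mode is sufficient once wlan1 is routed instead of bridged.
/interface wireless
set wlan1 mode=station

# 3. Plant side: move the DHCP client from the bridge to wlan1.
/ip dhcp-client
remove [ find interface=bridge ]
add interface=wlan1 disabled=no

# 4. Office side: static address on the bridge that holds ether2-5.
/ip address
add address=10.36.25.253/24 interface=bridge

# 5. Forward chain: keep established/related, drop invalid, allow only the
#    office-to-PLC sessions you intend (ports are an assumption), drop the rest.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="routed: accept established,related"
add chain=forward connection-state=invalid action=drop comment="routed: drop invalid"
add chain=forward in-interface=bridge out-interface=wlan1 dst-address=192.168.1.10 \
    protocol=tcp dst-port=44818 action=accept comment="routed: office -> PLC EtherNet/IP (assumed)"
add chain=forward in-interface=bridge out-interface=wlan1 dst-address=192.168.1.10 \
    protocol=udp dst-port=2222 action=accept comment="routed: office -> PLC EtherNet/IP I/O (assumed)"
add chain=forward action=drop comment="routed: drop everything else"

# 6. Optional. The reply above is right that no NAT is needed for routing, but the
#    PLC must be able to reach 10.36.25.0/24 on the way back. If the PLC's default
#    gateway is some other plant router that knows nothing about the MikroTik, either
#    add a return route there or hide office clients behind wlan1's address:
/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade \
    comment="optional: only if the plant side has no route back to the office subnet"
```

Two checks after applying this: `/ip dhcp-client print` should show wlan1 bound with a 192.168.1.x lease, and `/ip route print` should list both 10.36.25.0/24 (via the bridge) and 192.168.1.0/24 (via wlan1) as connected routes. The Windows `route add` in the reply above is lost on reboot; `route -p add 192.168.1.0 mask 255.255.255.0 10.36.25.253` makes it persistent, though as the reply says the cleaner fix is a route on the existing office router. Note that the original `dst-nat` rule in the exported configuration has no `dst-address`, so even on a routed setup it would have redirected every TCP connection from 10.36.25.100, to any destination, to the PLC; if overlapping address ranges ever do force a NAT, match on a specific `dst-address` and `dst-port` as well.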
 
