Forwarding Protocols • VRF-Lite with Mangle and dstNAT to reach multiple VLANs with overlapping IPs

Dear members,

I need help with a particular setup where one MT router CCR2004 needs to be connected with multiple switches where a local LAN is present with a fixed subnet. Specifically, there are many identical subnets (each in a dedicated VLAN) with the same overlapping IP subnet 192.168.1.0/24 - let's call them the "devices (or dev) VLANs".

There are also several devices in each of the identical VLANs with the same IP address that cannot be modified. On top there is a service VLAN (say 10.2.4.0/24) where my PC will be located that needs to access each individual VLAN with a distinct IP.

My understanding is that, to achieve a working setup, VRF must be used in order to isolate routing of each individual VLAN with overlapping IP. Then mangle should be used to allow traffic from service vlan to and back from each dev vlan. NAT should then do the trick of converting a public IP reachable from main table (where service vlan is located) to the dev vlan in each VRF.

So far I was able to emulate this scenario in a simple EVE-NG lab as follows:
[Screenshot of the EVE-NG lab topology: Screenshot 2024-04-03 at 2.59.04 PM.png]
In this example:
- Router is a CHR with ROS 7.14.2
- Main is the service PC, IP 10.2.4.10
- PC30 is one of the device PC with IP 192.168.1.10 (VRF30)
- PC40 is one of the device PC with IP 192.168.1.10 (VRF40)

This is the config of the CHR:
Code:
# 2024-04-03 13:15:19 by RouterOS 7.14.2
# software id =
#
/ip vrf
add interfaces=ether2 name=vrf30
add interfaces=ether3 name=vrf40
/ip address
add address=10.2.4.1/24 interface=ether1 network=10.2.4.0
add address=10.2.30.1/24 interface=ether2 network=10.2.30.0
add address=10.2.40.1/24 interface=ether3 network=10.2.40.0
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address=\
    10.2.30.0/24 in-interface=ether1 new-connection-mark=from-main-to-vrf30
add action=mark-routing chain=prerouting connection-mark=from-main-to-vrf30 \
    in-interface=ether2 new-routing-mark=main passthrough=no
add action=mark-connection chain=prerouting connection-state=new dst-address=\
    10.2.40.0/24 in-interface=ether1 new-connection-mark=from-main-to-vrf40
add action=mark-routing chain=prerouting connection-mark=from-main-to-vrf40 \
    in-interface=vrf40 new-routing-mark=main passthrough=no
/ip firewall nat
## possibly wrong
add action=netmap chain=dstnat dst-address=10.2.30.0/24 to-addresses=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add dst-address=10.2.30.0/24 gateway=vrf30@vrf30
add dst-address=10.2.40.0/24 gateway=vrf40@vrf40
I can get ping working from main PC to PC30 and PC40 if they are set on their "public IP" like 10.2.30.10 but cannot get it to translate if they are set to 192.168.1.10.

Any help would be of great assistance.

Thank you in advance.

A

Statistics: Posted by alexioma — Wed Apr 03, 2024 4:18 pm
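As an added model (not the poster's configuration and not RouterOS code), the following Python sketch shows what the netmap rule and the connection mark in the post have to achieve together: netmap keeps the host bits when 10.2.30.x is rewritten to 192.168.1.x, and because 192.168.1.10 replies from vrf30 and from vrf40 with identical addresses, only the VRF remembered on the flow (the role of the connection mark) can tell the two replies apart. The vrf40 netmap rule and the flow table are assumptions made for the model.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed from the topology in the post (assumption: a netmap rule for
# vrf40 as well; the posted config only has one for vrf30).
# Each rule: public subnet seen from the service VLAN, overlapping subnet, owning VRF.
NETMAP_RULES = [
    (ipaddress.ip_network("10.2.30.0/24"), ipaddress.ip_network("192.168.1.0/24"), "vrf30"),
    (ipaddress.ip_network("10.2.40.0/24"), ipaddress.ip_network("192.168.1.0/24"), "vrf40"),
]

# Flow key: (src, dst, vrf) as seen after translation. Value: the public dst
# the service PC originally used. Stands in for connection tracking + connection mark.
ConnTrack = Dict[Tuple[str, str, str], str]


def netmap(addr: ipaddress.IPv4Address, src_net: ipaddress.IPv4Network,
           dst_net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """1:1 translation the way netmap does it: swap the network bits, keep the host bits."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("netmap requires equally sized subnets")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + host_bits)


def forward(src: str, dst: str, ct: ConnTrack) -> Tuple[str, str]:
    """Packet from the service VLAN. Returns (translated dst, table/VRF to route it in)."""
    d = ipaddress.IPv4Address(dst)
    for public_net, overlap_net, vrf in NETMAP_RULES:
        if d in public_net:
            new_dst = str(netmap(d, public_net, overlap_net))
            # Remember which VRF the flow entered: the reply's addresses alone
            # cannot distinguish 192.168.1.10 in vrf30 from 192.168.1.10 in vrf40.
            ct[(new_dst, src, vrf)] = dst
            return new_dst, vrf
    return dst, "main"          # not a dev-VLAN destination: ordinary main-table routing


def reply(src: str, dst: str, vrf: str, ct: ConnTrack) -> Optional[Tuple[str, str]]:
    """Reply from a device inside a VRF. Returns (restored public src, table) or None if untracked."""
    public = ct.get((src, dst, vrf))
    if public is None:
        return None             # no flow state: nothing would un-translate this reply
    return public, "main"       # routing-mark=main carries it back to the service VLAN
```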