# Reverse NAT to identical IP addresses

## HuskyDog

Hello,

I have two commercial embedded devices connected to my network, each with a fixed IP address, and the addresses are the same!  So, to make it completely clear, I have two devices and they are both 192.168.1.2.  Yes, I know that selling a device with a hard-wired IP address is stupid and I have complained, but these are extremely specialised hydraulic control systems and I can't go to a more enlightened supplier.

So, if I have two devices on my LAN and they are both 192.168.1.2, how can I decide which one to send my control packets to?  I have two ethernet ports on my server, but that doesn't help, because I still can't see how to write a routing table.  The manufacturers suggest that I buy two NAT routers, put the devices on the inside of each one, let my DHCP server allocate their external addresses and set up reverse port mappings in each.  Now, I have no doubt that this would work, but equally I feel sure that there must be a way of doing it entirely inside my server using iptables, if only I could figure out how.

As I say, I have two ethernet ports, so there is no problem of having both devices on the same physical segment, I just need some sort of crazy reverse NAT to send the right packets out of the right port.

All suggestions gratefully received.

Thanks

----------

## Hu

Since you describe this as specialized, I assume you are doing this through work rather than as a hobby project.  Raise the issue with your procurement folks that they inform the manufacturer that, in light of its inability to make their device even vaguely usable, the manufacturer should provide the NAT device they seem to believe is a prerequisite to using the hardware.  I have seen bad embedded systems before, but I have never heard of one this braindead.

Although you might be able to use the DNAT target to adjust the outbound IP address, I see no way to ensure packets go to the proper machine and that the other machine does not decide to step in and RST the connection.  If a solution can be found, it will likely involve some combination of iptables to rewrite the packets and rule based routing via sys-apps/iproute2.

----------

## HuskyDog

Thanks for your thoughts and let me assure you that I have forcibly expressed myself on the brain dead design.  I am sure that the manufacturers would supply the routers if we asked, and that may well end up being what we have to do, but I don't want more devices to manage on my LAN if I can avoid it and it just isn't 'neat'.  The manufacturers seem to assume that everyone will simply connect a single computer to a single device.

I don't see a problem with getting the packets mixed up when they are on the LAN.  As I said, I have two ethernet ports and can dedicate one to each device, so that I can have two completely isolated networks.  The issue is getting the right packets to go out of the right port when they all have the same to-address.  Somehow I have to use NAT to say "packets addressed to 192.168.10.2: re-address to 192.168.1.2 and send out through eth0; packets addressed to 192.168.11.2: re-address to 192.168.1.2 and send out through eth1", although I suspect this is far easier said than done!

----------

## Hu

I overlooked the mention of multiple ethernet ports.  Yes, if the devices are physically isolated and Linux is the only machine that is simultaneously aware of the issue, this might be a bit easier.  As I said, your best bet is probably policy based routing via ip rule.  You could use an iptables rule to mark the packet for special treatment, another rule to adjust the destination IP, and an entry in the routing policy table to ensure the proper interface is chosen based on the mark.  I have never tried this, so Linux might react badly to having two separate interfaces both claiming to own the IP and with different MAC addresses.

----------

## tcbounce

shorewall helps users with policy routing. You could RTFM and try that.

iptables -t mangle --MARK or something like that, and use policy routing. I didn't RTFM before typing, but the last post is right.

----------
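Hu's and tcbounce's suggestion (mark in the mangle table, DNAT the destination, then pick the interface by fwmark with `ip rule`) put together as one script. This is an added example, not code from anyone in the thread, and every address, interface name, mark and table number in it is an assumption: device A hangs off eth0, device B off eth1, both answer on 192.168.1.2, the server owns a different address on each segment (192.168.1.1 on eth0, 192.168.1.3 on eth1), and local programs talk to the virtual addresses 192.168.10.2 and 192.168.11.2 instead. The script only prints the commands unless `APPLY=1` is set, so it can be reviewed first and needs root only when applied. It covers traffic originating on the server itself; other LAN hosts reaching the devices through the server would additionally need the same rewrite in the PREROUTING chains.

```shell
#!/bin/sh
# Added example: steer two devices that share 192.168.1.2 onto separate interfaces
# using fwmark + DNAT in OUTPUT + policy routing. All names and numbers are assumptions.
DEV_IP=192.168.1.2          # the hard-wired address both devices insist on

# one_device IFACE SERVER_IP VIRT_IP MARK TABLE
# Prints (does not run) the commands for one device/interface pair.
one_device() {
    iface=$1 srv=$2 virt=$3 mark=$4 table=$5
    cat <<EOF
# --- ${iface}: reach ${DEV_IP} via virtual address ${virt} ---
ip addr add ${srv}/24 dev ${iface}
ip link set ${iface} up
# Route for the virtual address: the initial lookup must succeed and must pick
# ${srv} as the source, so the device replies to an address that exists on ${iface}.
ip route add ${virt}/32 dev ${iface} src ${srv}
# Mark in mangle OUTPUT, which runs before nat OUTPUT, so the match still sees ${virt}.
iptables -t mangle -A OUTPUT -d ${virt} -j MARK --set-mark ${mark}
# Rewrite the destination to the shared real address; conntrack undoes it on replies.
iptables -t nat -A OUTPUT -d ${virt} -j DNAT --to-destination ${DEV_IP}
# After DNAT the kernel re-routes the packet; the mark sends it to a private table
# whose only route for 192.168.1.0/24 leaves via ${iface}.
ip route add 192.168.1.0/24 dev ${iface} src ${srv} table ${table}
ip rule add fwmark ${mark} lookup ${table} priority ${table}
# The main table has two routes to 192.168.1.0/24 (one per interface); strict
# reverse-path filtering would drop replies on the second one, so use loose mode.
sysctl -w net.ipv4.conf.${iface}.rp_filter=2
EOF
}

# gen_all prints the full rule set for both devices.
gen_all() {
    one_device eth0 192.168.1.1 192.168.10.2 1 100
    one_device eth1 192.168.1.3 192.168.11.2 2 101
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_all | sh -e      # execute as root on the server
else
    gen_all              # dry run: review the commands first
fi
```

The server deliberately gets a different address on each segment. Conntrack identifies a flow by its 5-tuple and does not look at the interface, so if both segments used the same server address, a connection to device A and one to device B that happened to pick the same local port would have identical reply tuples (192.168.1.2 to the server) and conntrack could not tell the replies apart; distinct server addresses keep every reply tuple unique. Check the result with `ip rule show`, `ip route show table 100`, and `iptables -t nat -L OUTPUT -n -v` after applying.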

