boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Bypassed

Tue Jan 17, 2012 9:52 pm

Hello I have a connection router board uses sector antennas (ubnt) to route the internet and I have got ubnt nanostation m series stations and now I have got a nanobridge M and it gets the signal everything is ok but I don't want to have an interface for this antenna all of the clients on this nanobridge M shouldn't see any interface they must directly go to the internet how can I do it ? I tried ip binding but as I did it before this time I can't I also tried to set a router after bridge but again not :(
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Wed Jan 18, 2012 10:05 am

whyyyy no one answers my questions!!!??? isn't here any administrator on this website? :S:S there isn't support at all so why should we use mikrotik ?? please answer me
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Bypassed

Wed Jan 18, 2012 10:10 am

this is not a support forum! your question is chaotic, has no punctuation, and mostly talks about competing products.

to get answers, read this: http://forum.mikrotik.com/viewtopic.php?f=2&t=45259
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Wed Jan 18, 2012 11:50 am

Ok, so now. I want to give an internet connection to a static known which is a UBNT Nanobridge antenna how can I do it ?
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Bypassed

Wed Jan 18, 2012 12:00 pm

[quote]there isn't support at all so why should we use mikrotik ??[/quote]
So if nobody gives you support about how to eat, you'll probably finish not eating at all.
And in your case, where is needed support from mikrotik users since you are trying
to connect ubnt devices. Your description is pretty vague and nowhere there I read about
a mikrotik device.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Bypassed

Wed Jan 18, 2012 2:02 pm

ethernet or wireless?
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Wed Jan 18, 2012 3:53 pm

wireless
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Wed Jan 18, 2012 3:54 pm

[quote][quote]there isn't support at all so why should we use mikrotik ??[/quote]
So if nobody gives you support about how to eat, you'll probably finish not eating at all.
And in your case, where is needed support from mikrotik users since you are trying
to connect ubnt devices. Your description is pretty vague and nowhere there I read about
a mikrotik device.[/quote]

My antennas are ubnt devices my router boards are all mikrotik and there isn't mikrotik antennas sold at anywhere if you can provide I get
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Bypassed

Thu Jan 19, 2012 3:58 pm

 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Bypassed

Thu Jan 19, 2012 4:16 pm

Also http://www.mikrotik.com/mfm

@boldness
the point is not only on the product you are using, but as I said, you are not providing detailed information.
What is the config on AP, what is the config on CPE, IP addresses, firewall rules, what are you trying to achieve?
And yet, you shouldn't complain why nobody is helping you.
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Wed Jan 25, 2012 10:17 am

Ok I'm explaining the situation,

ISP(MY REAL IP:31.x.x.x)
|
v
RB450->192.168.88.x->UBNT Devices(SECTORS)->192.168.1.x <-wireless clients 192.168.1.x --and some of them are in bridge mode
-- some of them are in router mode(192.168.254.x)

so everyone gets a hotspot interface when they login they can use the internet but I want the nanobridge antenna(192.168.1.72) which routes (192.168.254.x)block to it's internal block to not to get any interface and all the clients which will connect to that antenna by switch should be able to go to the internet directly

So I think I can do it by using the queue in mikrotik but I don't know how to do.
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Wed Jan 25, 2012 4:21 pm

so who is going to answer now ?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Bypassed

Wed Jan 25, 2012 4:24 pm

by your description i do not understand what is the connection between the router you are using, networks you are using and one 3rd party device where you want some configuration that is unrelated to the RouterOS or RouterBOARD.

draw a network schema and check what it is you want to do. Check out some documentation of the products you use, maybe answer is already there.
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Wed Jan 25, 2012 5:06 pm

[quote]by your description i do not understand what is the connection between the router you are using, networks you are using and one 3rd party device where you want some configuration that is unrelated to the RouterOS or RouterBOARD.

draw a network schema and check what it is you want to do. Check out some documentation of the products you use, maybe answer is already there.[/quote]

Ok I see just tell me this I did research a lot but I couldn't do

just tell me I have a router board ok and a ubnt device is used as an access point and another ubnt device is in station mode and gets the internet from that access point so I don't want the clients which will connect to that ubnt device which is in station mode to see an interface I want them to go to the internet directly I tried to make an ip binding but it's not possible I couldn't what can I do else
 
JP_Wireless
Member Candidate
Posts: 276
Joined: Thu Dec 13, 2007 4:31 pm
Location: Lagos Nigeria

Re: Bypassed

Wed Jan 25, 2012 5:24 pm

If I understand you, you don't want some clients to see hotspot page. If yes, cont...

Option 1. Use PPPoE by setting up a pppoe server on your existing mikrotik router running hotspot. That way the internet will always be on as the nanostation at the clients place will do the authentication thereby bypassing the clients from seeing the hotspot page. This is your best bet if you want to effectively control their speed (bandwidth).

Option 2. Use the ip-binding option under the ip/hotspot/ip binding to bypass the clients mac address or ip address. This will however give the clients total access to your bandwidth except if you are using a mikrotik cpe or if the nanostation has the features for limiting their bandwidth from their radio.

Let us know if this solves your problem.
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Wed Jan 25, 2012 9:39 pm

Thankkk youuu fortunately one understand me firstly thank you a lot I understood everything you told me I will now try to make a pppoe to do it but u should know a thing that I tried to do it by bypassing a mac address using the ip binding section but I couldn't do it I can do it when I use a router connected to the ubnt device and bypassing the mac address of that router but I try to bypass the ubnt device the connection disconnect itself I don't know why anyway thank you very much I will try pppoe now but if you can solve my other problem also I will thank you much much more.. by the way ubnt devices have got bandwidth limitations so it's not a problem but controlling it on the radius is the only problem anyway thanks a lot again
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Bypassed

Thu Jan 26, 2012 1:00 pm

go with the binding option, that way you will not add any overhead to your devices. And while following manual, there should not be any problems adding bindings.

p.s. you finally wrote something that others could actually understand :)
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Thu Jan 26, 2012 8:36 pm

I think when Set the ubnt device to the router mode that time we can not do ipbinding I don't know why but it disconnects and I have got another questions I want to ask them also I don't want to make a lot of posts in the forum

First: I'm trying to set a nat to access the internal router board by handling this
Add rule allowing access to the internal server from external networks:

/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
to-addresses=192.168.0.109
this is in the mikrotik manual I did everything correct but it doesn't forward me to the ip I wanted I'm writing it in detail
My real ip:31.209.110.x
my internal:192.168.88.x

ip firewall nat add chain=dstnat dst-address=31.209.110.x action=dst-nat \
to-addresses=192.168.88.100


and I also set the dst port:100 and source port :80 so is this ok ? when I write 31.209.110.x:100 to the browser it should open the page of 192.168.88.100 isn't this ok ? it doesn't work

and the second question is

I usually get some attacks from some real ips out the network How can I prevent my server against them ? the attacks are like this for ex :

system error critical login failure for user verwalter from 210.71.234.65 and it's always shown on my log
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Bypassed

Thu Jan 26, 2012 9:22 pm

for NAT to work you should have a rule like this:
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.x to-ports=80 protocol=tcp \
    dst-address=31.209.110.x dst-port=8888
So if you send a request to IP=31.209.110.x to port=8888, you should be able to access
your internal IP=192.168.88.x on port=80

As for the attacks from outside, have a look at these filter rules:
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
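
As an added example (not part of the thread, and not the rules from the MikroTik wiki): a small Python detector for the repeated "login failure for user ... from ..." log entries described above, which groups failures by source address and renders RouterOS address-list commands for the noisy sources. The timestamp layout, the sample lines, the thresholds and the list name `login_blacklist` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address

# Constructed sample lines. The timestamp layout is an assumption; the message
# text follows the "login failure for user ... from ..." wording in the thread.
# Public source addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2012-01-26 20:01:02 system,error,critical login failure for user verwalter from 203.0.113.7 via ssh
2012-01-26 20:01:05 system,error,critical login failure for user admin from 203.0.113.7 via ssh
2012-01-26 20:01:09 system,error,critical login failure for user root from 203.0.113.7 via ssh
2012-01-26 20:01:30 system,info,account user admin logged in from 192.168.88.10 via winbox
2012-01-26 20:02:11 system,error,critical login failure for user test from 203.0.113.7 via ssh
2012-01-26 20:05:00 system,error,critical login failure for user admin from 198.51.100.20 via telnet
2012-01-26 21:40:00 system,error,critical login failure for user admin from 198.51.100.20 via telnet
2012-01-26 21:41:00 system,error,critical login failure for user admin from 192.168.88.10 via winbox
"""

FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?"
    r"login failure for user (?P<user>\S+) from (?P<src>\S+)"
)

def parse_failures(text):
    """Yield (timestamp, user, source address) for each failed-login line."""
    for line in text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        try:
            src = ip_address(m["src"])
        except ValueError:
            continue  # unparsable address field: skip the line, do not guess
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], src

def noisy_sources(text, threshold=4, window_s=300, trusted=()):
    """Map each source with >= threshold failures inside window_s seconds
    to the sorted list of usernames seen from it so far."""
    skip = {ip_address(a) for a in trusted}
    recent = defaultdict(deque)  # source -> failure times still in the window
    users = defaultdict(set)
    flagged = {}
    for ts, user, src in sorted(parse_failures(text), key=lambda r: r[0]):
        if src in skip:
            continue  # e.g. the admin workstation: never auto-block it
        times = recent[src]
        times.append(ts)
        while (ts - times[0]).total_seconds() > window_s:
            times.popleft()
        users[src].add(user)
        if len(times) >= threshold:
            flagged[src] = sorted(users[src])
    return flagged

def address_list_commands(flagged, list_name="login_blacklist"):
    """Render RouterOS commands adding each flagged source to an address list
    (list_name is a hypothetical name; a drop rule must reference the list)."""
    ordered = sorted(flagged, key=lambda a: (a.version, int(a)))
    return [f"/ip firewall address-list add list={list_name} address={a}"
            for a in ordered]

if __name__ == "__main__":
    for cmd in address_list_commands(noisy_sources(SAMPLE_LOG)):
        print(cmd)
```

The address list only takes effect once an input-chain filter rule drops traffic whose source is on it, which is what the linked wiki rules do on the router itself.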
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Fri Jan 27, 2012 12:23 am

[quote]for NAT to work you should have a rule like this:
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.x to-ports=80 protocol=tcp \
    dst-address=31.209.110.x dst-port=8888
So if you send a request to IP=31.209.110.x to port=8888, you should be able to access
your internal IP=192.168.88.x on port=80

As for the attacks from outside, have a look at these filter rules:
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention[/quote]

thank you very much I prevented the attacks but even I did the dst nat it doesn't work
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Bypassed

Fri Jan 27, 2012 3:09 am

[quote]the dst nat it doesnt work[/quote]

can you post your masquerade rule?
I have seen cases when the masquerade rule would interfere with nat rules.
If your masquerade rule has out-interface specified, try to leave it blank.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Bypassed

Fri Jan 27, 2012 8:35 am

[quote][quote]the dst nat it doesnt work[/quote]

can you post your masquerade rule?
I have seen cases when the masquerade rule would interfere with nat rules.
If your masquerade rule has out-interface specified, try to leave it blank.[/quote]
are you completely sure about your statement?

i extensively use masquerade rules like this:

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1-wan

and the usual dst-nat rules that forward traffic inwards w/o problems
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Bypassed

Fri Jan 27, 2012 12:06 pm

[quote]are you completely sure about your statement?[/quote]
Yes, I have seen a couple of NAT rules which were not working when out-interface
was specified. These were routers with PCC configuration, I guess the routing rules
of PCC were overriding the default routes. But I didn't bother myself to go through the config
and see what was happening.
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Sat Jan 28, 2012 9:49 pm

it's already blank I tried to set it ether1 but it still doesn't work
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Sun Jan 29, 2012 1:26 am

[Image]


I drew a small diagram for my network you can now illustrate it and I'm explaining my problem much cleaner

As you can see above I can connect to my mikrotik router board with the real ip 31.209.110.x:(PORT)
and I want to connect to that security camera on all over the internet with real ip and using another port. for ex
when I try to connect 31.209.110.x:8888 that camera display will appear by forwarding the port by the way don't think that it's complicated because of that my forwarding rule doesn't work because when I try the port forward I always try to forward 31.209.110.x:8888 to one of my sectors because it's not that much complicated even though I did this still I can not connect.
Second thing:

I have a hotspot setup so that all of my clients see interface and they use the internet on that way but I want that 192.168.1.72 ip nanobridge to use hotspot server I don't want the clients which are connected to that nanobridge to see interface because that's an internet cafe so I should give the internet directly as I told you I can normally do ip binding but when I set the mode of nanobridge router mode that time when I do binding only to mac address that time the clients can not connect to the internet at all
so what are your suggestions Thank you..
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Bypassed

Sun Jan 29, 2012 3:27 pm

From what I can understand (and it is quite difficult from your posts :)) you are trying to access SecurityCAM behind a Router (NanoBridge M5).
And in earlier posts you mentioned that you use NanoBridge in Router MODE .. So NAT is enabled on NanoBridge I presume.

From Public IP you can get to NanoBridge (192.168.1.72)? If yes then you have to enable PORT FORWARD on the NanoBridge to the Security Camera

Why is your Mikrotik on LAN site in network 192.168.88.x/24 and sectors and NanoBridges in 192.168.1.x/24 ??
It looks like a misconfiguration... but if it works for you ok :)

I would do it like this:
PublicIP:8888 -> DST-NAT to 192.168.1.72:8888 (NanoBridge) -> DST-NAT - 192.168.254.100:80
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Mon Jan 30, 2012 1:33 am

[quote]From what I can understand (and it is quite difficult from your posts :)) you are trying to access SecurityCAM behind a Router (NanoBridge M5).
And in earlier posts you mentioned that you use NanoBridge in Router MODE .. So NAT is enabled on NanoBridge I presume.

From Public IP you can get to NanoBridge (192.168.1.72)? If yes then you have to enable PORT FORWARD on the NanoBridge to the Security Camera

Why is your Mikrotik on LAN site in network 192.168.88.x/24 and sectors and NanoBridges in 192.168.1.x/24 ??
It looks like a misconfiguration... but if it works for you ok :)

I would do it like this:
PublicIP:8888 -> DST-NAT to 192.168.1.72:8888 (NanoBridge) -> DST-NAT - 192.168.254.100:80[/quote]

I set some of the clients to static and router mode so that I could set the Ip I want to and I could connect to the antennas by changing the ip block of my computer But now I made A pppoe server and my nanobridge is now 192.168.88.102 sector is 192.168.1.81 but I don't think that it will make a problem because I can directly connect to that bridge anyway.

Now I have a nanobridge in router mode

Chain PORTFORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 192.168.88.102 0.0.0.0/0 tcp dpt:8888 to:192.168.254.253:80

this is my portforward setting so is this ok ? when I try to connect with 192.168.88.102:8888 I want to see the camera interface but it doesn't work :S do I need to set another rules ?
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Bypassed

Mon Jan 30, 2012 5:55 pm

Hi,

PPPoE Server is better less confusing and simpler for administration.

I attached the picture of one of my NanostationM2, which is basically the same as NanoBridge:
1. Go to Webconfig
2. Under Network you'll find Port Forwarding.
3. Enable Port forwarding and click Configure.

Attached is an example which makes port forward from public Nanostation IP (your case it would be 192.168.88.102) port 8888 to internal IP (in your case it should be 192.168.254.100) to port 80.

So from anywhere in the local network 192.168.88.x/24 your camera should be accessible on this address:
http://192.168.88.102:8888

If this is working then the NanoBridge part is set correctly, if not then you have a problem on NanoBridge...

For access from Internet to camera you should make a Port Forward on main MK router (if i am not mistaken 192.168.88.1) as discussed above. dst-nat address should be 192.168.88.102.
Rule should be something like that:
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.88.102 to-ports=8888 protocol=tcp dst-address="YOUR PUBLIC WAN IP" dst-port=8888
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Mon Jan 30, 2012 8:05 pm

[Image]

this is my port forward and I have nat enabled I'm trying to login by 192.168.88.102:8282 and the ip of the camera is 192.168.253.253 but it doesn't work but I could do my normal forward as you can see upward I connect here but only to the ubnt interface with my real ip 31.209.110.x:8888 by my connection but when I try it in my hotspot server it doesn't connect isn't it strange ? lool when I connect to the internet by using pppoe I can do it but when I use hotspot connection it doesn't connect :S
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Bypassed

Mon Jan 30, 2012 9:51 pm

You have set up Nanobridge that it forwards packets coming from 192.168.88.102 :)

Delete the sourceIP/mask field and it should work.
Leave it empty or put in the actual IP you are trying to login...
You can check your src address on the web page www.whatismyip.com
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Tue Jan 31, 2012 9:34 am

but I can not even connect there by using the ip "192.168.88.102:8282"
and another thing on my internal network when I try to connect that nanobridge by using my real ip I set a dst nat everything is ok but it only works on my pppoe connection when I try to connect there by an external network it doesn't work why could it be ?
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Bypassed

Tue Jan 31, 2012 8:02 pm

It is really hard to understand you, because you don't use punctuation (., .. sentences).

I think you lack (are missing) fundamental knowledge of networking here:
1. SRC address is the address that you are trying to connect from.
2. From internal network (anywhere in 192.168.88.x) there is no MASQUERADING and you are accessing NanoBridge directly with internal IP. For example let's assume you connect a laptop which gets an IP 192.168.88.200/24. And you are trying to connect to your NanoBridge on 192.168.88.102:8282 then your source IP would be 192.168.88.200. In your rule you have set NanoBridge to accept and portforward packets originating from 192.168.88.102. This in fact is the address of NanoBridge itself and therefore this RULE IS NOT WORKING. If you would leave it blank it would mean that ANY SRC Address would be permitted and that's OK (or not if you want to restrict access only to specific IP).
3. If you are accessing Nanobridge from Internet (outside 192.168.88.x/24). Then you use your Public IP which must be portforwarded on Mikrotik Firewall to Nanobridge and then NanoBridge forwards again to WEBCAM.

The first thing you need is to correct the Nanostation Rule for port forwarding, then test it from internal network.
If it is working internally then you have set up the NanoBridge correctly and you can proceed to test it from Outside (internet).
All the needed instructions were given in previous posts, if you can not get it working I suggest to hire an expert...
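
Points 1 to 3 above as an added example (not code from the thread): a small Python model of the two dst-nat hops, showing that a source match on the NanoBridge rule is compared against the original client address, because dst-nat on the MikroTik rewrites only the destination. `198.51.100.1` stands in for the elided public address 31.209.110.x, `203.0.113.50` is a constructed outside client, and the camera address and ports follow the values quoted in the posts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC = "198.51.100.1"        # placeholder for the elided 31.209.110.x
NANOBRIDGE = "192.168.88.102"  # NanoBridge WAN side, as in the thread
CAMERA = "192.168.254.100"     # camera behind the NanoBridge, as in the thread

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class DstNat:
    dst_port: int
    to_addr: str
    to_port: int
    dst_addr: Optional[str] = None  # None = any destination address
    src_net: Optional[str] = None   # None = any source ("leave it blank")

    def matches(self, p: Packet) -> bool:
        return (p.dport == self.dst_port
                and (self.dst_addr is None or p.dst == self.dst_addr)
                and (self.src_net is None
                     or ip_address(p.src) in ip_network(self.src_net)))

def forward(p, routers):
    """Follow a packet through the dst-nat rules of every router that owns its
    destination address; return the (address, port) where it finally lands."""
    seen = set()
    while p.dst in routers and p.dst not in seen:
        seen.add(p.dst)  # guard against rules that point back at each other
        rule = next((r for r in routers[p.dst] if r.matches(p)), None)
        if rule is None:
            break        # no rule matched: the router itself receives the packet
        p = Packet(p.src, rule.to_addr, rule.to_port)  # source stays untouched
    return p.dst, p.dport

def topology(nanobridge_src):
    """MikroTik forwards PUBLIC:8282 to the NanoBridge, which forwards to the
    camera; nanobridge_src is the source filter on the NanoBridge rule."""
    return {
        PUBLIC: [DstNat(8282, NANOBRIDGE, 8282, dst_addr=PUBLIC)],
        NANOBRIDGE: [DstNat(8282, CAMERA, 80, src_net=nanobridge_src)],
    }

LAPTOP = Packet("192.168.88.200", NANOBRIDGE, 8282)  # internal test, point 2
OUTSIDE = Packet("203.0.113.50", PUBLIC, 8282)       # Internet client, point 3

if __name__ == "__main__":
    cases = [("source = NanoBridge itself", "192.168.88.102/32"),
             ("source left blank", None),
             ("source = LAN only", "192.168.88.0/24")]
    for label, src in cases:
        t = topology(src)
        print(f"{label:28} laptop -> {forward(LAPTOP, t)}  "
              f"outside -> {forward(OUTSIDE, t)}")
```

With the source set to the NanoBridge's own address no client ever reaches the camera; restricting the source to the LAN keeps the internal test working while Internet clients stop at the NanoBridge.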
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Tue Jan 31, 2012 11:24 pm

First I thank you very much,

you are right, I have lack of some network because I'm not a professional, then I deleted from there 192.168.88.102 so now I can connect I see the interface of the camera but this time it says connection error when I try to login anyway, I hope I can do it I tried a lot
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Wed Feb 01, 2012 12:07 pm

By the way I've done everything thank you but there is a small problem
I can use 31.209.110.x:8282 to connect the camera where 31.209.110.x is my real ip

everything works but when I try it on an external network from outside it doesn't work
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Bypassed

Wed Feb 01, 2012 5:29 pm

Where did you assign that IP (31.209.110.x)?
If on the same device as PPPoE Server, then you have to make a port forward on that device/router..
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.88.102 to-ports=8282  protocol=tcp dst-address=31.209.110.x dst-port=8282
Where X is your missing part of the IP address..
Put this rule as first rule just to be sure it is triggered.

Then try connecting from outside your network (outside 192.168.88.x) and see if it is working.
You can check if the rule is triggered if the packet count increases when you try to connect..
The above rule will forward port 8282 to the NanoBridge
 
boldness
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Oct 18, 2011 6:04 pm

Re: Bypassed

Wed Feb 01, 2012 6:47 pm

I did exactly the same thing but there is such a problem that when I remove the dst address 31.209.110.x I can connect there inside the network second thing when I set the src address 31.209.110.x all of my clients can connect but when I put the dst address it doesn't connect at all .
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Bypassed

Wed Feb 01, 2012 11:06 pm

I don't understand what you are saying.. It seems you still don't get the concept of SRC and DST address. Also it seems you don't know what is INSIDE your network and what outside...
1. For the THIRD time From inside of the network use 192.168.88.102:8282. Or setup Hairpin NAT.. http://wiki.mikrotik.com/wiki/Hairpin_NAT
2. Where is this public IP 31.209.110.x located?
a) on main Mikrotik
b) on NanoBridge
c) on client behind NanoBridge
