Access ADSL Modem stats page through Internet behind Mikrotik

I have a RouterBoard that is the PPPoE client used to access the internet.

The ADSL Modem is on the interface ether5

Lan Network: 192.168.21.0
Modem network: 192.168.1.0
Modem IP: 192.168.1.1
PPPoE client name: velox

This MikroTik has failover Internet. It has 2 internet connections: one on ether5 (ADSL PPPoE) and the other on ether4 (FIXED IP).


I added the IP 192.168.1.150/24 to the ether5 interface.

I would like to be able to access the modem stats webpage from the internet.
I’ve tried the following:

0 ;;; Mascara Velox PPPoE
chain=srcnat action=masquerade out-interface=velox log=no log-prefix=""

1 ;;; Mascara Acessa
chain=srcnat action=masquerade out-interface=ether4 log=no log-prefix=""

2 ;;; Camera
chain=dstnat action=dst-nat to-addresses=192.168.21.20 to-ports=8081
protocol=tcp dst-port=8081 log=no log-prefix=""

3 ;;; Masquerade Modem Velox
chain=srcnat action=masquerade out-interface=ether5 log=no log-prefix=""

4 ;;; NAT VELOX
chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=80
protocol=tcp dst-port=8888 log=no log-prefix=""

5 ;;; WebProxy
chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80
log=no log-prefix=""

I want to be able to access the ADSL modem stats page by typing PUBLICIP:8888.

However, when I try to access the page, the browser replaces the PUBLICIP with the modem LOCALIP.
Example: I type 200.201.200.2:888, then the browser redirects to 192.168.1.1/wizardoi
That is a local IP from the modem. It should keep the public IP in the address, but it doesn't.

I don't know what is happening.

Can anyone help me?
I am not good with NAT and routing.

The router doesn’t do that; it must be done by the modem. When you open http://200.201.200.2:8888 in a browser, your dstnat rule makes it connect to 192.168.1.1:80, but the Host header in the HTTP request contains the original 200.201.200.2:8888. That’s correct. But the modem probably doesn’t like it and decides to redirect you to the correct address (at least it thinks so).

You may try doing a packet capture to verify that the redirect URL is an absolute URL (i.e. http://192.168.1.1/wizardoi) and not a relative URL (i.e. /wizardoi).

If it’s an absolute URL, then unfortunately there’s no way around this problem with dstnat/srcnat because the modem is including the IPv4 literals in the redirect message. Your browser is being instructed to explicitly go to 192.168.1.1.

What happens if you go to http://200.201.200.2:8888/wizardoi initially?
If that redirects again, then you’re pretty much out of luck w/o using a VPN back to your home router.

It redirects again to 192.168.1.1/wizardoi

If I try to telnet the 8888 port, it connects, so the rules are working somehow.

Some time ago I already made that access work, but I lost the configurations. So I know it is possible.
Now I don't know what I am doing wrong.

If you like to play with telnet, then connect and enter (followed by a few newlines):

GET / HTTP/1.1
Host: 200.201.200.2:8888

And you’ll get a reply with code 301 or 302 and the header “Location: http://192.168.1.1/wizardoi”. There’s nothing a router can do with it; you’d have to somehow convince the modem not to do this redirection. You can also test this with “curl --head http://200.201.200.2:8888”, or using browser development tools, etc…
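The check the replies above describe (is the redirect's Location absolute or relative?), as an added example that is not part of the original thread. It parses a raw HTTP reply head, such as the one telnet or a packet capture shows, and classifies the redirect; the sample reply is constructed from the values quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the reply the thread describes for "GET /" via the forward.
SAMPLE_REPLY = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://192.168.1.1/wizardoi\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def parse_head(raw: bytes):
    """Return (status_code, headers) from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify_redirect(raw: bytes, requested_host: str) -> str:
    """Say whether a redirect can survive a dstnat port forward.

    requested_host is the host:port typed in the browser (the Host header).
    """
    status, headers = parse_head(raw)
    location = headers.get("location")
    if status not in (301, 302, 303, 307, 308) or location is None:
        return "no-redirect"
    target = urlsplit(location)
    if not target.netloc:
        return "relative"            # browser keeps the public host:port
    if target.netloc == requested_host:
        return "absolute-same-host"  # still reachable through the forward
    try:
        private = ipaddress.ip_address(target.hostname).is_private
    except ValueError:
        private = False              # a DNS name, not an IP literal
    return "absolute-private-ip" if private else "absolute-other-host"

if __name__ == "__main__":
    print(classify_redirect(SAMPLE_REPLY, "200.201.200.2:8888"))
```

A result of `absolute-private-ip` is the case described in this thread: the browser is told to go to an address that only exists behind the router, and no NAT rule changes that.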

IMHO you should add a second rule.

The first rule, which does DST NAT, redirects the public IP to the modem's LOCAL IP with the PUBLIC IP in the header, so the modem tries to answer directly to the PUBLIC IP, which breaks the traffic flow.
Try to add a second SRC NAT rule which replaces the public IP with the router’s one before it sends the HTTP request to the modem.
Please read this for explanation: http://forum.mikrotik.com/t/port-forwarding-problem/93224/14
or full thread here: http://forum.mikrotik.com/t/port-forwarding-problem/93224/1

It’s there already:

3 ;;; Masquerade Modem Velox
chain=srcnat action=masquerade out-interface=ether5 log=no log-prefix=""

And it doesn’t change packet content anyway.