Access to modem behind Mikrotik router

grmihel2 · August 1, 2014, 10:45pm

Hi guys,

I think this is very basic, yet I’m stucked to figure out how to get it work.
I’m having an DSL modem in front of my mikrotik, and a bunch of computers behind my mikrotik of cause.
Since my shitty modem doesn’t allow me to make it into bridge mode, I have to bind a static IP for my MT on the modem, and place that IP in DMZ to get past the modem without any blocks on that.
My modem is running wih (just an example) 10.0.0.1/24 as DHCP scope, and assigned to my MT is 10.0.0.10 placed in DMZ. The gateway of the modem’s DHCP is 10.0.0.1.

Now, how does I create access to the modem on 10.0.0.1, from a computer connected to my MT router?? I want my computer to be able to access the modem interface, by connection to 10.0.0.1 via a browser.

Any help is appriciated

sonny · August 2, 2014, 6:10am

On the modem you have to set a route to your local net behind your tik.

Gesendet von meinem HTC Flyer P510e mit Tapatalk 2

Rudios · August 2, 2014, 8:46pm

Or masquerade Nat on the outgoing interface of your mikrotik.

grmihel2 · August 3, 2014, 8:08pm

Sine the suggestion that Sonny made, can’t be done, sine I don’t have access to that feature on the modem, the suggestion that Rudios creamene Mighty be the Way.
Rudios, could you please pass an example of that masq. code?

Rudios · August 4, 2014, 1:13pm

/ip firewall nat
add chain=srcnat action=masquerade out-interface=

kgninfos · August 4, 2014, 1:25pm

This rule is correct but i guess it should be there already as without this users after the mikrotik should not be able to access the internet

so the page at 10.0.0.1 should load without any extra config

spippan · November 12, 2014, 11:16am

i got the same issue on two RB951Ui-2HnD

both modems before the Tik are in “single user” or “bridge” mode
one is a Technicolor TG788A1vn (single user mode), the ohter is a ComTrend Vi3223u Multi IAD
internet and LAN is all working fine … i just can’t reach the HTTP interface of either modem on the setups

TG: 10.0.0.138 (setup A)
Comtrend: 192.168.1.1 (setup B)
note that these are 2 seperate networks (logically and geographically), i just mention it, because i got same issue on both setups

Setup A:
DSL → TG788A1vn (bridge mode) → (ether1)RB951(bridge_local) → LAN (and stuff )
PPTP Session on RB951 for internet access working fine and NAT and routing are working also fine (even L2TP+IPsec VPN)
[usr@RB951] > ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; default configuration
192.168.88.1/24 192.168.88.0 bridge-local
1 10.0.0.140/24 10.0.0.0 ether1-gateway
2 ;;; sp-private-LAN
192.168.1.1/24 192.168.1.0 bridge-local
3 D 91.xxx.x.xxx/32 88.xxx.xx.xxx PPTP_A1_DSL[usr@RB951] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mm$
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 88.117.95.254 1
1 ADC 10.0.0.0/24 10.0.0.140 ether1-gateway 0
2 S 10.0.0.0/24 ether1-gateway 1
3 ADC 88.xxx.xx.xxx/32 91.xxx.x.xxx PPTP_A1_DSL 0
4 ADC 192.168.1.0/24 192.168.1.1 bridge-local 0
5 ADC 192.168.88.0/24 192.168.88.1 bridge-local 0[usr@RB951] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=PPTP_A1_DSL log=no log-prefix=“”

and some port forwarding stuff here which all are working fine…

Setup B:
DSL → ComTrend Vi3223u (bridge mode) → (ether1)RB951(bridge_local) → LAN
PPPoE Session on RB951 for internet access working fine and NAT and routing are working also fine (even L2TP+IPsec VPN)

adresses and routes are mostly the same and set correctly

on both setups i can reach the designated modem via ping from each RB951 but i CANNOT access the webinterface of the modems neither can i even ping them behind the Tik(s)
please, if anyone could help… i guess i’m forgetting or missing something…

spippan · November 12, 2014, 3:22pm

found a solution!!

bit weird but working stable and fast

to keep it short:
modem = 10.0.0.138 (bridge mode)
tik eth1 = 10.0.0.140 (<-- the gateway interface)
tik bridge_local = 192.168.1.0/24 (<-- LAN, obviously^^)

now i never was able to access the webinterface of the BRIDGED modem (for e.g. DSL stats,etc.) via http://10.0.0.138

ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; default configuration
192.168.88.1/24 192.168.88.0 bridge-local
1 10.0.0.140/24 10.0.0.0 ether1-gateway
2 ;;; sp-private-LAN
192.168.1.1/24 192.168.1.0 bridge-localfound a workaround:
i just added the following to IP > Firewall > NAT
add action=masquerade chain=srcnat dst-address=10.0.0.0/24 out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=8138 protocol=tcp src-address=192.168.1.0/24 to-addresses=10.0.0.138 to-ports=80if you don’t add “src-address=192.168.1.0/24” to the NAT rule, you could even access the modem interface from the internet → [WAN IP address]:138 (for that example)

and YES i needed BOTH NAT entries (tried to access with only the MASQUARADE → no success → needed the port forward though)

so now i’m able to access the bridged modem via http://192.168.1.1:8138
(first i used port 138 but i want to be sure to not mess with NetBIOS services )

hope this could help!