Access to my LAN from external network.

Hi!

I need to give my neighbor access to my local network. He is on the same ISP subnet.

[root@gw1] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     10.1.0.1/24        10.1.0.0        ether2-master
 1 D 10.33.92.196/24    10.33.92.0      ether1

The remote router has 10.33.92.205. I made a static route to 10.1.0.0/24 via 10.33.92.196.
On my side I have simply added a rule, but that's not enough.

[root@gw1] /ip firewall nat> print
 4    chain=dstnat action=accept src-address=10.33.92.205 src-mac-address=remote_mac_addr log=no log-prefix=""

I know that this is very easy, but just stuck :frowning:
Thank you in advance.

You need “action=dst-nat” not “action=accept”.

Thank you for the reply, but it doesn't work :frowning:

chain=dstnat action=dst-nat to-addresses=10.1.0.0/24 src-address=10.33.92.205 src-mac-address=mac_addr log=no log-prefix=""

Webfig says that I have to specify to-addresses or to-ports.

Are you src-nating? Or does the ISP do that for you?
If you're on the same subnet and have a src-nat, you may need to exclude his subnet in your dst-address, as well as having your static routes on both routers.

Otherwise you may just need to put an accept of the neighbor's subnet into your filters above any blocks from WAN that are there. I wouldn't think you'd need or want any dst-nat if your routers are on the same subnet; let the static routes take care of it.

All this needs to be set up on both routers.

This is how I understood you. Obviously, something is missing or just wrong.

[root@gw1] > /ip firewall nat print   
Flags: X - disabled, I - invalid, D - dynamic 
      ;;; 105 Subnet
      chain=srcnat action=src-nat to-addresses=10.1.0.0/24 src-address=10.33.92.205 log=no log-prefix="" 

[root@gw1] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
      ;;; 105 router
      chain=input action=accept src-address=10.33.92.205 in-interface=ether1 log=no log-prefix="" 

[root@gw1] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 6 A S  ;;; 105 Subnet
        192.168.0.0/24                     10.33.92.205              1

No luck. I think I’m misunderstanding the basics.

Danila, do you speak Russian? Can you ping the IP address of your neighbor?

Yes, I do speak Russian and yes, I can ping neighbor’s router.

If you and your neighbor really are on the same network, then NAT is not needed at all.
On both routers you need to exclude the internal network from the src-nat rule for the Internet (if there is one) and add routes to the internal subnets behind the routers (yours is 10.1.0.1/24) with gateway=ip_of_the_opposite_router, i.e. something like this:
ip rou add dst-address=%neighbor_subnet% gateway=10.33.92.205 check-gateway=ping

And the firewall's input chain has nothing to do with your case; here is a diagram and a short explanation:
https://vikilpet.wordpress.com/2017/09/16/mikrotik-routeros-ip-firewall-diagram/

We really are on the same subnet, but he has a plain TP-LINK Archer (he doesn't want to reflash it) and I have no idea how to exclude my internal network on it.

Thanks!

Please DO use English on this forum.

Maybe you actually don't need that setting in the TP-Link. Just try to add the routes as I said.

I'm new to ROS; could you point me to how I have to exclude internal networks from src-nat?
Thank you.

What I have now on my side.

[root@gw1] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
 1    chain=srcnat action=masquerade out-interface=ether1

[root@gw1] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.33.92.1                1
 1 ADC  10.1.0.0/24        10.1.0.1        bridge                    0
 2 A S  ;;; 105 Subnet
        192.168.0.0/24                     10.33.92.205              1

Neighbor's router just has a route to my 10.1.0.0/24 via 10.33.92.196.

As far as I see, you've never stated the neighbor's internal IP subnet. It must be different from yours.

To exclude from src-natting you could insert a src-nat rule above the other src-nats with an 'accept' statement and filtered for the neighbor's subnet.

If your neighbor had 10.2.0.0/24 for instance:

add action=accept chain=srcnat dst-address=10.2.0.0/24 src-address=10.1.0.0/24

As long as it is above the other src-nats it would 'short-circuit' it before it got to your main src-nat masquerade.
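The same-subnet approach as a complete set of RouterOS commands for the gw1 side, added here as an example rather than taken from any post in the thread. It uses the subnets and WAN addresses that appear in the thread (10.1.0.0/24 and 192.168.0.0/24, 10.33.92.196 and 10.33.92.205) and assumes the neighbor's router gets the mirror-image route and NAT exclusion; the rule comments are made up.

```routeros
# gw1 side only (LAN 10.1.0.0/24, WAN 10.33.92.196). The neighbor's router
# (WAN 10.33.92.205, LAN 192.168.0.0/24) needs the mirror image: a route to
# 10.1.0.0/24 via 10.33.92.196, no NAT toward 10.1.0.0/24, and inbound allowed.
# 1. Static route to the neighbor's LAN via his address on the shared ISP subnet.
/ip route add dst-address=192.168.0.0/24 gateway=10.33.92.205 \
    check-gateway=ping comment="105 Subnet"
# 2. Exclude LAN-to-LAN traffic from masquerade. This accept must be FIRST in
#    chain=srcnat: the existing masquerade rule matches out-interface=ether1 and
#    would otherwise rewrite the source to 10.33.92.196, so the neighbor's
#    replies would never be sent back to 10.1.0.0/24 hosts.
/ip firewall nat add chain=srcnat action=accept src-address=10.1.0.0/24 \
    dst-address=192.168.0.0/24 place-before=0 comment="no NAT to neighbor LAN"
# 3. Forward chain: permit only the two LANs, not the whole ISP /24. These must
#    sit above any drop rule in chain=forward. The input chain is irrelevant
#    here; it only governs traffic addressed to the router itself.
/ip firewall filter add chain=forward action=accept in-interface=ether1 \
    src-address=192.168.0.0/24 dst-address=10.1.0.0/24 comment="neighbor -> me"
/ip firewall filter add chain=forward action=accept out-interface=ether1 \
    src-address=10.1.0.0/24 dst-address=192.168.0.0/24 comment="me -> neighbor"
# 4. Verify: the accept counter should grow, the connection table should show
#    entries toward 192.168.0.x with an un-NATed source, and the trace should
#    reach the neighbor's router.
/ip firewall nat print stats where comment="no NAT to neighbor LAN"
/ip firewall connection print where dst-address~"^192.168.0."
/tool traceroute 192.168.0.1
```

If step 4 shows packets leaving correctly but nothing returning, the remaining blocker is on the neighbor's side (its own NAT or stateful firewall), which is what the rest of the thread runs into.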

Unfortunately, it does not work :frowning:

proBagroff:~ danilabagroff$ traceroute 10.1.0.2
traceroute to 10.1.0.2 (10.1.0.2), 64 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  9.087 ms  6.816 ms  6.692 ms
 2  10.33.92.196 (10.33.92.196)  6.655 ms  6.904 ms  11.720 ms
 3  * * *

My network: 10.1.0.0/24
Neighbor’s network: 192.168.0.0/24

My router: 10.1.0.1, wan: 10.33.92.196
Neighbor’s router: 192.168.0.1, wan: 10.33.92.205

[root@gw1] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.33.92.1                1
 1 ADC  10.1.0.0/24        10.1.0.1        bridge                    0
 2 A S  ;;; 105 Subnet
        192.168.0.0/24                     10.33.92.205              1

[root@gw1] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; 105 Subnet
      chain=srcnat action=accept src-address=10.1.0.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
 2    chain=srcnat action=masquerade out-interface=ether1

Do an '/ip firewall filter print'.

Most firewalls default to blocking all incoming connections that aren’t initiated from inside your network.

AND all this needs to be checked and replicated (with the opposite IPs and gateways) on the neighbor's router. I don't read Russian, but it sounds like he has a TP-Link and the configuration may be a little different to remove src-nat, filters, etc.

Also, what kind of machine is the target of the ping? Windows 7's (and probably later versions') default firewall in a non-Active-Directory environment (home use) will not respond to a ping request unless it is on the same subnet.

[root@gw1] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 1    ;;; 105 router
      chain=input action=accept src-address=10.33.92.205 in-interface=ether1 log=no log-prefix=""

 2    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 4    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related

AND all this needs to be checked and replicated (with the opposite IPs and gateways) on the neighbor's router. I don't read Russian, but it sounds like he has a TP-Link and the configuration may be a little different to remove src-nat, filters, etc.

Your internal translator is better than Google's :wink:
Yes, this is what I said to morituruz. The neighbor has a TP-LINK Archer with default firmware. I could only add a static route to my (10.1.0.0/24) network via my WAN IP (10.33.92.196). I have no idea how to exclude from srcnat. Honestly, I doubt that there is anything similar. In case I'm wrong, there is a simulator: http://www.tp-link.com/resources/simulator/Archer_C2/index.htm

Also, what kind of machine is the target of the ping? Windows 7's (and probably later versions') default firewall in a non-Active-Directory environment (home use) will not respond to a ping request unless it is on the same subnet.

This is a NAS and its firewall is off.

Doesn't look like you have your firewall blocking any forwarding, which is insecure, but wouldn't cause any problems with doing this.

The TP-LINK though would block any incoming connections with the SPI. You might be able to use the Access Control section to allow your network in, but I have no experience with TP-Link's implementation.

The NAT on the TP-LINK doesn’t look very configurable, so any outgoing connections from him to you would probably look like it’s coming from the router itself. (Might be ok depending on what you need.)

I have disabled SPI; no pings in either direction.

Looks like I have no chance with this device and firmware.
Anyway, thank you very much.

Have your neighbor get a hAP lite or mini. Or better yet, give one to him.

Set up a GRE tunnel between the 2 public IPs (with IPsec), put a /30 on either side, then route your private subnets to the /30 address on the "other" side of the tunnel.

Done.

You just need to make sure that the 2 private subnets are not the same. MikroTik's default is usually different, so this is good.
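The GRE-over-IPsec layout described above, written out as RouterOS CLI for both ends; this is an added example, not configuration from anyone in the thread. It assumes the neighbor also runs a MikroTik (as the post suggests), that the defconf input chain still has its "drop all not coming from LAN" rule, and it invents the 172.16.0.0/30 tunnel addresses, the interface names and the PSK placeholder.

```routeros
# gw1 side (WAN 10.33.92.196, LAN 10.1.0.0/24). Tunnel /30 172.16.0.0/30, the
# interface names and the PSK placeholder are constructed, not from the thread.
# ipsec-secret makes RouterOS create the IPsec peer and a transport-mode policy
# for the GRE traffic, so the tunnel never crosses the ISP subnet in the clear.
/interface gre add name=gre-neighbor local-address=10.33.92.196 \
    remote-address=10.33.92.205 ipsec-secret="REPLACE_WITH_LONG_RANDOM_PSK" \
    keepalive=10s,10 comment="GRE to neighbor, ESP transport via ipsec-secret"
/ip address add address=172.16.0.1/30 interface=gre-neighbor
# Route the neighbor's LAN to the far end of the /30, not to his public IP.
/ip route add dst-address=192.168.0.0/24 gateway=172.16.0.2 check-gateway=ping \
    comment="105 Subnet via tunnel"
# Input chain: accept only IKE, ESP and the decrypted GRE, and only from the
# neighbor's public IP, inserted above the defconf drop rule. Requiring
# ipsec-policy=in,ipsec on the GRE rule rejects unencrypted GRE from anyone
# spoofing 10.33.92.205 on the shared ISP subnet.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=10.33.92.205 comment="IKE from neighbor" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=ipsec-esp src-address=10.33.92.205 \
    comment="ESP from neighbor" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=gre src-address=10.33.92.205 \
    ipsec-policy=in,ipsec comment="GRE only after IPsec decapsulation" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
# Forward chain: allow exactly the two LANs across the tunnel, nothing else.
# These must sit above any drop rule in chain=forward.
add chain=forward action=accept in-interface=gre-neighbor \
    src-address=192.168.0.0/24 dst-address=10.1.0.0/24 comment="neighbor -> me"
add chain=forward action=accept out-interface=gre-neighbor \
    src-address=10.1.0.0/24 dst-address=192.168.0.0/24 comment="me -> neighbor"
# The existing masquerade rules match out-interface=ether1 / the WAN list only,
# so LAN-to-LAN traffic leaving via gre-neighbor is not NATed and no srcnat
# exclusion is needed. GRE plus ESP overhead lowers the usable MTU, so clamp
# TCP MSS on the tunnel to avoid silently broken large transfers.
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu \
    protocol=tcp tcp-flags=syn out-interface=gre-neighbor passthrough=yes

# Neighbor side (the MikroTik suggested above): the same lines mirrored.
/interface gre add name=gre-gw1 local-address=10.33.92.205 \
    remote-address=10.33.92.196 ipsec-secret="REPLACE_WITH_LONG_RANDOM_PSK" \
    keepalive=10s,10
/ip address add address=172.16.0.2/30 interface=gre-gw1
/ip route add dst-address=10.1.0.0/24 gateway=172.16.0.1 check-gateway=ping
# ...plus the same input and forward accepts with src-address=10.33.92.196 and
# in-interface/out-interface=gre-gw1.
```

Both ends must use the same PSK, and check-gateway=ping on the /30 makes the route drop out automatically if the tunnel goes down instead of black-holing the neighbor's subnet.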