I have the following configurations on my mikrotik:
dhcp 192.168.100.0/24
With a camera system on IP 192.168.100.18 (uses port 37779 for external access) and another one on 192.168.100.8 (uses port 37779 for external access).
For his own reasons, my customer wants to access both of these using his static external IP (i.e. x.x.x.x:37779 while being inside the LAN 192.168.100.0/24).
I've done a hairpin configuration that allows the user to access one of his camera systems, but the second one does not work; if I change the order in which it is configured, then the other equipment works. (If hairpin A is #1 and hairpin B is #2, then B does not work; if I change hairpin B to be #1, then it works and A stops working.)
Instead of such a port forwarding and NAT mess, exposing devices like DVRs or IP cams to the internet with the potential threat of them being hacked (they're one of the first intrusion vectors nowadays), you could set up the customer's router to act as a VPN server and access their network via VPN.
No dstnats, no NATs, no device exposure, and it doesn't matter if the user is onsite or remote: they will always access the DVRs or IP cams as if they were local.
More cams or more DVRs? With this approach, no worries either: no overlapping ports etc.
Concur, ask the customer if he wants his cameras to be exposed to the internet (easy pickings).
The only safe way really is to vpn to his network.
Perhaps he could also do something like TeamViewer or LogMeIn to access a PC on his network and then from the PC log in to view the camera???
As for your configuration, it's probably in error.
Please post the config
/export hide-sensitive file=anynameyouwish
Thanks anav and pukkita for the VPN suggestion. I will bring this issue up with the client, but I'd also like to know if the current setup he wants is doable.
I've exported the NAT rules; is this enough to help me debug this issue? dvrproblem2.rsc (2.11 KB)
In the first post, you had the same external port 37779 for both cameras. That of course can't work, because each port can be forwarded to only one internal device. How could the router know which one an incoming packet is for, if they'd be the same, right?
In the posted config you have two different ports, and that's ok and should work, as long as each camera has the same internal port as the external one (but that's not a requirement; they can be different, you just need rules with dst-port= and to-ports=). But what the comments say are hairpin NAT rules in fact are not: it should be srcnat, you have dstnat, so it can't work from inside at all.
One more thing, you don’t need to overcomplicate it, separate dstnat rules for access from outside and inside are not needed. You can have common ones:
In terms of destination NAT rules, if the WANIP is fixed then one simply uses dst-address=WANIP.
However, if the WANIP is dynamic then one obviously cannot rely on the above, as the rule would need to change every time the WANIP changes.
Also, the standard dst-nat rule for dynamic WANIPs, in-interface-list=WAN or in-interface=ether1, won't work either, as it doesn't include internal access.
Thus one needs to use alternate methods. One method is to simply use the IP Cloud on the router and use that DynDNS name as a firewall address list, such that
add address=mynetnamexxxxx list=mycurrentwanip
Then the dst nat rule would look like…
add chain=dstnat action=dst-nat dst-address-list=mycurrentwanip dst-port=xxxx protocol=tcp/udp
to-addresses=IP of Server to-ports=yyyy (note: to-ports is not required if dst port and to ports are the same).
So to answer another question, you can have many rules pointing to a single port on the same server, but they need to be coming in on different ports.
So users can come in on ports AA, BB, CC, DD, EE, FF as the destination port, and the to-ports could all be 4545.
The router will keep track.
What you cannot do is port AA to server A and port AA to server B, as the router will not know which server to send the incoming packets to!!
ONE incoming port can only be associated with ONE dst nat rule.
Taking a look at your rules… (MISSING WANIP designation)
add action=dst-nat chain=dstnat comment=TELEFONE dst-port=60080 protocol=tcp to-addresses=192.168.100.54 to-ports=60080 dst-address-list=??? or in-interface=pppoe-out1?
add action=dst-nat chain=dstnat dst-port=60081 protocol=tcp to-addresses=192.168.100.55 to-ports=60081 dst-address-list=??? or in-interface=pppoe-out1?
Note. The dst-address-list usage is only required if LAN users are also accessing the server via the WANIP …
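The complete rule set that sob's and anav's posts describe, written out as one RouterOS script. This is an added example, not the config from the thread or the attached dvrproblem2.rsc. It assumes the WAN is pppoe-out1 with a dynamic address, that IP Cloud is used so the router's own DNS name always resolves to the current WANIP, that camera A (192.168.100.18) is reached on external port 37779 and camera B (192.168.100.8) on external port 37780 (both listening on 37779 internally), and the IP Cloud name 1234567890ab.sn.mynetname.net is a placeholder for the real one.

```routeros
# Hairpin NAT for two cameras behind a MikroTik with a dynamic PPPoE WAN.
# Added example; interface, hostnames and the 37780 external port are assumptions.

# IP Cloud keeps <serial>.sn.mynetname.net pointing at the current WAN IP.
/ip cloud set ddns-enabled=yes

# The address list is a DNS name, so RouterOS re-resolves it and the dstnat
# rules below follow the WAN IP without being edited (placeholder name).
/ip firewall address-list
add address=1234567890ab.sn.mynetname.net list=mycurrentwanip comment="current WAN IP via IP Cloud"

/ip firewall nat
# One dstnat rule per external port. Matching on dst-address-list instead of
# in-interface means the rule also fires when a LAN host connects to the WAN IP.
# Each external port maps to exactly one camera; the two cameras can share the
# same internal port because dst-port (external) is what distinguishes them.
add chain=dstnat action=dst-nat dst-address-list=mycurrentwanip protocol=tcp \
    dst-port=37779 to-addresses=192.168.100.18 to-ports=37779 comment="camera A"
add chain=dstnat action=dst-nat dst-address-list=mycurrentwanip protocol=tcp \
    dst-port=37780 to-addresses=192.168.100.8 to-ports=37779 comment="camera B"

# Ordinary masquerade for LAN hosts reaching the internet.
add chain=srcnat action=masquerade out-interface=pppoe-out1 comment="internet"

# The actual hairpin rule. After dst-nat, a LAN host talking to the WAN IP is
# really talking to a camera on its own subnet; without this the camera would
# answer the host directly (same subnet), the host would see a reply from
# 192.168.100.18 for a connection it opened to the WAN IP, and drop it.
# Masquerading LAN-to-LAN traffic that passed through the router forces the
# reply back via the router, which un-NATs it. This is the srcnat rule sob
# says the "hairpin" comments in the exported config were missing.
add chain=srcnat action=masquerade src-address=192.168.100.0/24 \
    dst-address=192.168.100.0/24 comment="hairpin NAT"
```

To check it, run `/ip firewall address-list print` and confirm the mynetname entry shows a dynamic child entry with the current WAN IP (if it is empty, the router cannot resolve the name and neither dstnat rule will ever match), then watch `/ip firewall nat print stats` while connecting from a LAN host to WANIP:37779 and WANIP:37780: the camera A rule, the camera B rule and the hairpin rule should each increment. The forward chain must also accept these connections; the default RouterOS firewall does so via its `connection-nat-state=dstnat` exception, but a custom filter set needs an equivalent rule. None of this changes pukkita's and anav's point that a VPN into the LAN avoids exposing the cameras at all.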
Thanks sob and anav for the suggestions, I will be trying everything next Monday with my user, but I believe everything should work using the fixes provided