Address collision, inaccessible webfig, hairpin NAT, and mismatch port routing,

RouterOS Beginner Basics
1

I recently upgraded from my old Buffalo wireless box to a Mikrotik setup so I can make my life more complicated. I would like to configure a network topology that I plan to grow with time. I have been playing with my new toys, and I have run into newbie questions, since this is my first serious foray into homelabs. I don’t know what I’m doing, but I am excited to learn.

Network Hardware:
ARRIS NVG589 Modem/Gateway
Mikrotik RB3011UIAS
Mikrotik hAP ac3

Primary computer for config:
Ubuntu laptop with QHD display - important to note because winbox is painful to use with Wine as I can’t zoom in on the super tiny text, making webfig the preferred option (contrary to the pervasive ethos of oldtimers on this board based on my reading)

Network Topology:
I have positioned the RB3011 to act as my primary router. The hAP is acting solely as an AP (overkill I know, but I will likely want to use the hAP elsewhere later with a cheaper Gb AP in this position).

                    [W. Users] [Wless Users]     
                       |         |  
[Internet]--[Arris]--[RB3011]--[hAP]--[IOT devices]
      |               | |   |
  [DNS/URL]        [Pihole] |
                           [Server]

As you can see in my little doodle here, there is a lot going on. End user devices will connect to both the RB3011 and hAP, including some misc IOT junk I have in my project pile. I intend to use a PiHole to intercept and scrub calls at the RB3011, but that is a project for another day. Importantly, there is a server wired into the RB3011. This server is accessed through external URLs which point to my dynamic public IP (with a cron script to update the URL) so I can access files through a few ports on the server.

Q1: Address Collision - [FIXED]

Since I have both the RB3011 and the hAP which default to 192.168.88.1, what is the proper way to resolve this address collision? I’ve already discovered how to change the default IP of Mikrotik devices through the quickset basics, but which one should I change, the AP or the Router? What is the numbering convention I should use here? I’ve seen some posts where the router uses something like 10.0.0.x. Is that what people usually do?

Is Bridge mode on the hAP good enough for now? If so, how will I access the hAP to change it to router mode later?

Q2: Inaccessible Webfig - [FIXED]

When I first tested the collision avoidance from Q1 with the two Mikrotik devices on my network, I suddenly found that I could not access webfig! This persisted after I disconnected one device and only connected through the other on both devices. I cannot connect to it from any computer on the network either. I can still connect to the device through ssh and winbox using both MAC addresses and the default IP. Chromium gives me Err timeout and Firefox gives me temporarily unavailable errors. What gives?

Q3: Hairpin NAT - [FIXED]

If my reading is correct, I think I need a hairpin NAT for the serve because I want to access the server from inside and outside the network. For my server which has a static lease at 192.168.88.140 on my firewall, I have added:

/ip firewall nat 
add action=dst-nat chain=dstnat comment="Internal Chain" \
    dst-port=80 protocol=tcp src-port="" to-addresses=192.168.88.140

which allows me to access the server from the LAN. I then added:

/ip firewall filter
add action=accept chain=forward comment=External dst-address=\
    192.168.88.140 dst-port=80 in-interface=ether1 protocol=tcp

just below the “drop all not coming from LAN” rule. I thought this would let me access the server from the WAN, but that is not the case. Did I mess this up?

Q4: Mismatch Port Routing - [FIXED]

I want to open another port externally to access ssh on my server. Obviously, I want to keep blocking external ssh on my router. So I want to point anything coming from some nonsense port like 66622 at port 22 on the target server. How would I do that in Router OS? Is there a more correct term I need to use to google that myself?



EDITS:
Applied [FIXED] tag to Q2, see post 2 in this thread.
Applied [FIXED] tag to Q1, see post 3 in this thread.
Applied [FIXED] tag to Q3 and Q4, see posts #16 and #13, respectively, in this thread for details of the fix.

2

Q2: Inaccessible Webfig - FIXED

I pulled a hard reset on the RB3011 with default config, and I can now access Webfig again. I still don’t know what caused that problem though.

3

Q1 Address Collision

I solved what I termed an “address collision” by setting up the hAP as a wired/wireless bridge using this (http://forum.mikrotik.com/t/mikrotik-ap-without-dhcp-integrate-in-existing-subnet/154983/2) as the initial template. I really had to hunt around for that thread. The Mikrotik use-case examples are not exactly newbie-friendly. I feel like this should be one of the more common examples given in their knowledge base.

One of the additional challenges here was recognition that I could ONLY use Winbox instead of Webfig to access neighbors. As mentioned in the OP, Wine-ing into Winbox with a powerful screen makes it very hard to use. I only just recently found the zoom in the portable exe.

4

Read linked Item E. here - https://forum.mikrotik.com/viewtopic.php?t=182373 wrt information for Port Forwarding…
Your dst-nat rule is incomplete!

In terms of Ports and dealing with your ssh server…
Just use port translation and then you can come in on any port and the router will change that to port 22.
In dst-nat rules, if the to port is the same as the dst-port, then one does NOT need to actually put in the to-port!
If you need port translation then simply put the dst-port as 61611 and the to-port=22 for example.

Depending upon whether or not your ISP public IP is dynamic or static, from the link above!!
paras 1A. 1B. show what the DST NAT RULE should look like.
para 6. shows you the single firewall rule needed.

5

Quote from Anav: “either have something useful to assist the OP or bug off”

6

I hope this is not the level of Stewpid, one should expect from all Dutch people???
Sad msatter, spamming posts now…

7

I don’t know if it has some problem with Wine or if you just missed it, but WinBox on Windows has Tools->Zoom In/Out (in loader) and Settings->Zoom In/Out (when connected to router).

8

@ADMIN - Please approve my posts so folks can see my updates. Thanks.

===============================

I originally tried that using the keybind in the menu, but Wine was not forwarding my keystrokes for whatever reason. I assumed it was broken. It seems like it works fine if use the mouse to click through the zoom each time.

===============================

Thanks for pointing me there. I read through that thread originally, and I was still having problems. I'm tackling them now. It appears that the WAN-list was not populating. Trying the script you link from @Sob in section 1.b.iii, but it does not appear to work. I assume I have something different in my DHCP Client config. It seems like replacing

/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] address=$"lease-address" disabled=no

with

/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] address=[:put [/ip cloud get public-address]] disabled=no

works with the default router config in my case, which uses a sticky-Dynamic WAN IP supplied by the ISP.

Anyway, I attempted to add some rules to access my box from outside. I added:

\ip firewall filter add chain=forward action=accept connection-nat-state=dstnat comment="any traffic with destination ports identified in DST NAT rules will be allowed through firewall"

and moved this rule to the 5th position on the default filter list (just prior to "drop all not coming from LAN". Next I added:

/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="things coming from WAN"
/ip firewall nat add chain=dstnat action=dst-nat dst-port=80 protocol=tcp in-interface-list=WAN to-addresses=192.168.88.140 comment="forwards traffic on 80 to .140"

When I attempt to access my server through the URL (on my cell phone with WIFI disabled so I'm not on the LAN), I get a "connection reset" error. Poking around at my DHCP client, not everything matches the public IP address, since the gateway has its own IP (192.168.1.xxx). To my knowledge, this should not matter, because the gateway does not block ports and it routes everything though to the next device in the network which is now the RB3011. I had no problems forwarding on my previous router.

I'm not even attempting the hairpin yet, just simple port forwarding. What's going wrong?

\



@anav and @msatter - keyboard fights in the newbie area are never a good look

9

You wrote that RB3011 is your primary router, but is it really? Does it have the public address, or does Arris have it and you’re just forwarding everything from there to RB3011 (sometimes they call it DMZ)? So far it seems like the latter to me. If that’s the case, then don’t bother with any script and just use this:

/ip firewall address-list
add list=portfwdaddrs address=192.168.1.X comment="what RB has on WAN"
add list=portfwdaddrs address=your-ddns-hostname.domain.tld
/ip firewall nat
add chain=dstnat dst-address-list=portfwdaddrs protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.140
add chain=dstnat dst-address-list=portfwdaddrs protocol=tcp dst-port=66622 action=dst-nat to-addresses=192.168.88.x to-ports=22
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade comment="hairpin NAT"
10

If you paid attention, I didnt start the comment, neither will I ignore such comments.
You gave the perp legitimacy by including him in the same brustroke, on equal footing so to speak.
Not acceptable to my standards thus not inclined to participate.
UR in good hands with Sob!

11

As far as your question about which device should have the IP address changes, that is completely up to you. Personally none of my Mikrotik devices have a 192.168.88.1 address for more than about a minute after the first time they are powered up.

Also regarding QuickSet. You will quickly find that need more configuration capabilities than QuickSet gives you. Once you make ANY change to the router, NEVER EVER TOUCH QUICKSET AGAIN! It will overwrite your changes for you.

12

@anav: Is it just me, or are you perhaps a bit touchy? Given the kind of persona you project otherwise, to me it seems unexpected. :wink:

13

Aahh, that makes sense. I do remember it with a DMZ configuration. I was not thinking of the gateway as a router too. I followed most of your steps and added a few. First, I set up a DDNS link. Running

/ip cloud print

yields:

ddns-enabled: yes
ddns-update-interval: 10m
update-time: yes
public-address: 8.8.8.8
dns-name: DDNS.sn.mynetname.net
status: updated

. Note that

public-address

and

dns-name

have been obfuscated in this post. I noted that the internal WAN address from the Arris box was 192.168.1.96. Then I input your posted code into the terminal, although I omitted the 66622/22 port line since I want to focus on one thing at a time.

/ip firewall address-list
add list=portfwdaddrs address=192.168.1.96 comment="what RB has on WAN"
add list=portfwdaddrs address=DDNS.sn.mynetname.net
/ip firewall nat
add chain=dstnat dst-address-list=portfwdaddrs protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.140
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade comment="hairpin NAT"

Using the code above, I had mixed results. While the port 80 access from the outside still fails, the hairpin works. How interesting. I decided to poke at my Arris box some more. Then it clicked, I did not have the passthrough enabled!

On the terrible AT&T infrastructure, users are no longer allowed to set the device as a bridge or use a DMZ. Instead, you have to create an IP Passthrough. This is what I had in my notes from the previous router setup. BUT, this passthrough is tied to the mac address of the router it is configured for. To put it another way, my old setup worked with a passthrough tied to the old router ID. Now that I have a new router, I have to completely reconfigure the messy AT&T config.

On the AT&T side, I worked based on this older post: https://forums.att.com/conversations/att-internet-features/how-do-i-put-my-nvg589-in-bridge-mode/5defbfc1bad5f2f606a80ba6 So on the Firewall > IP Passthrough screen, I selected the following:

  • Allocation Mode: Default Server
  • Default Server Internal Address: 192.168.1.96/Mikrotik (chosen from list)
  • Passthrough Mode: DHCPS-Fixed
  • Passthrough Fixed MAC Address: [self populated MAC address of Mikrotik router]
  • Passthrough DHCP Lease: 10minutes

With this, the other code from @Sob works. This fixes Q3.

14

Thanks for the suggestion on LAN IPs. Frankly, personal choice is code for me to be lazy and leave the 88 configuration. If there was some standard that was “best practice” I would love to know about it for learning purposes at the very least.

I’m finding QuickSet is a much maligned tool as I read more. I can see why since it royally borks your config. I still like having it there as a reference though. What was the default gateway set to? QuickSet knows!

Nice callsign, Charlie Charlie Charlie.

15

Free hint, best practice:
On production never use overused IPs like 0.x 1.x 2.x 88.x etc. or if someone put another 0.1, 2.1, 88.1, etc. on network…

16

Fixing Q4:

I wanted to make a separate post in this thread to mention the SSH port translation (thanks for the term @anav) that @Sob suggested rather than get it swamped by the IP Passthrough talk. This still requires the IP Passthrough to work, but it still requires it.

The following works to forward the port with translation:

/ip firewall nat
add chain=dstnat dst-address-list=portfwdaddrs protocol=tcp dst-port=66622 action=dst-nat to-addresses=192.168.88.x to-ports=22

Using my phone data connection, I was able to SSH into the device using my domain name.

=================================

Thanks everyone for your help. Sorry if I ran anyone off. I hope my detailed and keyword loaded responses help other newbs Google their way out of trouble.

17

Hi!
I think the problem here is the Winbox Zoom feature is not scaling enough. On very high resolution, but physically small displays (modern laptop), you cant zoom in enough.
The solution is to start winecfg, goto the Graphics tab and set higher dpi screen resolution.
Just restart winbox then.

Woland

18

This “IP Passthrough” is nothing special, it’s just different term for dstnat. If Arris had RouterOS, it would have:

/ip firewall nat
add chain=dstnat dst-address=<public address> action=dst-nat to-addresses=192.168.1.96

That’s it. You have regular double NAT.

19

Somewhat OT but zoom works fine with wine. ;- )

20



Zoom worked fine after a restart. Wine always adds a layer of frustration to any project.

========================


Thanks for the knowledge.