All traffic from a single port should go to one single IP

Hi,

short question:
We have the Ubiquiti AirControl platform in use.
To use the software from outside, we have to pass port 9080 through our RB450G.

Working part:
passing port 9080 from outside to the server

Non-working part:
The AirControl software can only supply one IP address, so the internal antennas also use the external IP address for a connection to the AC server.
What we can see is that the counter of the dst-nat rule increases, while we get a timeout from the browser. There is a possibility to use /heatbeat after the IP to test.

So it's a little bit strange: everything OK from outside, nothing OK from inside :)

I'm a little bit config-blind, as I've been looking around for a few hours…

Should I post a part of the config?

Thanks a lot


/Dom

Post your configuration from ip filter…

Sent from my SCH-I545 using Tapatalk

Maybe also a diagram… I'll have to look up how AirControl works


Hi,

thanks a lot,
here is the requested export:

 ;;; aircontrol
     chain=forward action=accept protocol=tcp dst-address=111.222.222.111 dst-port=9080 

 1   ;;; ALLOW remote access from HQ
     chain=input action=accept src-address-list=Fernwartung in-interface=pppoe-to-core 

 2   ;;; ALLOW-Speedtest
     chain=input action=accept src-address-list=Speedtest in-interface=pppoe-to-core 

 3   ;;; PPTP-VPN-allow
     chain=input action=accept protocol=tcp in-interface=pppoe-to-core dst-port=1723 

 4   chain=input action=accept protocol=gre in-interface=pppoe-to-core 

 5   ;;; default configuration
     chain=input action=accept protocol=icmp 

 6   ;;; default configuration
     chain=input action=accept connection-state=established 

 7   ;;; default configuration
     chain=input action=accept connection-state=related 

 8   ;;; default configuration
     chain=input action=drop in-interface=pppoe-to-core

And here the NAT-Part:

 0   ;;; AirControl
     chain=dstnat action=dst-nat to-addresses=172.16.0.200 to-ports=9080 protocol=tcp dst-address=111.222.222.111 
     dst-port=9080

 1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=pppoe-to-core 

 2   ;;; Mikrobill-NAT
     chain=dstnat action=dst-nat to-addresses=172.17.0.1 to-ports=22 protocol=tcp dst-address=111.222.222.111
     src-address-list=Fernwartung in-interface=pppoe-to-core dst-port=22 

 3   chain=dstnat action=dst-nat to-addresses=172.17.0.1 to-ports=80 protocol=tcp dst-address=111.222.222.111 
     in-interface=pppoe-to-core dst-port=8

Now I have to draw a diagram :)

cu

I think I get what you're talking about, but the diagram will help. I suppose I have a few questions

  1. The “airControl” server is behind the “mikrotik”, right?
  2. Where are the access points connecting to the aircontrol server? What about your clients? What connects to port 8090?

I think what you may need to set up is hairpin NAT… but I'm still trying to figure out what is where.

Hi,

Hairpin-NAT enabled, function ok :)
Karma +1

Kr

Dom
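
The following is an added example, not part of any post in this thread: a small Python trace of why the dst-nat counter increases while the internal client times out, and what the hairpin rule changes. The /24 LAN, the router LAN address 172.16.0.1, the client address 172.16.0.50 and the exact form of the hairpin rule are assumptions; only 111.222.222.111, 172.16.0.200 and port 9080 come from the thread.

```python
from ipaddress import ip_address, ip_network

# From the thread: public IP, AirControl server, port.
PUBLIC_IP, SERVER, PORT = "111.222.222.111", "172.16.0.200", 9080
# Assumptions (not in the thread): LAN prefix, router LAN IP, an internal client.
LAN = ip_network("172.16.0.0/24")
ROUTER_LAN_IP, CLIENT = "172.16.0.1", "172.16.0.50"

def connect(client, hairpin):
    """Trace one connection from a LAN client to PUBLIC_IP:PORT and its reply.

    Returns (client_accepts_reply, source_ip_seen_by_server).
    """
    conntrack = {}
    src, dst = client, PUBLIC_IP
    # dstnat rule 0 from the thread has no in-interface match, so traffic
    # from the LAN hits it too: this is why its counter increases.
    if dst == PUBLIC_IP:
        dst = SERVER
    # Hairpin rule (assumed form): chain=srcnat action=masquerade protocol=tcp
    #   src-address=172.16.0.0/24 dst-address=172.16.0.200 dst-port=9080
    if hairpin and ip_address(src) in LAN and dst == SERVER:
        src = ROUTER_LAN_IP
    conntrack[(src, dst)] = (client, PUBLIC_IP)  # router keeps the original tuple
    seen_by_server = src
    # The server answers whatever source address it saw.
    reply_src, reply_dst = SERVER, seen_by_server
    if reply_dst == ROUTER_LAN_IP:
        # Reply passes through the router, which reverses both translations.
        orig_client, orig_dst = conntrack[(reply_dst, reply_src)]
        reply_src, reply_dst = orig_dst, orig_client
    # Otherwise (assumed same subnet) the server replies to the client
    # directly and the router never rewrites the reply's source address.
    # The client only accepts a reply from the address it connected to.
    accepts = reply_dst == client and reply_src == PUBLIC_IP
    return accepts, seen_by_server

if __name__ == "__main__":
    for hairpin in (False, True):
        ok, seen = connect(CLIENT, hairpin)
        print(f"hairpin={hairpin}: client accepts reply={ok}, server sees src={seen}")
```

With the hairpin rule in place the server sees the router's LAN address as the source of every internal connection, so its logs no longer distinguish internal devices by IP.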