Allow access to devices from other network

Hello,

Maybe this is stupid, but no clear head now… I have a hAP mini with default setup. Port 1 is WAN (192.168.0.x), port 2 and 3 are bridged LAN.

I need to connect a device with static IP from the WAN network (192.168.0.x) to a port of the LAN network (192.168.88.x) and be able to access it.

Best regards

K

Hey. Just configure a static route on the device behind the WAN port. Also make sure that you have a reverse route on the hAP router.

It’s very simple: use dst-nat on the router with subnet 192.168.88.0/24

/ip firewall nat add chain=dstnat in-interface=ether1-WAN to-addresses=192.168.88.100 to-ports=80

Thank you, both.
Dmitris, you mention one IP: 192.168.88.100, which one is that?

Best

K

In this particular situation it’s just an example. Basically, this rule will do dst-nat from the WAN network to host 192.168.88.x and port 80; you can modify the host and port as you need.


Also, as “Anumrak” said, you can use static routes on both ends to achieve a net-to-net connection.

On router with subnet 192.168.0.0/24

/ip route add dst-address=192.168.88.0/24 gateway=192.168.0.x

On router with subnet 192.168.88.0/24

/ip route add dst-address=192.168.0.0/24 gateway=192.168.0.x

Thank you,

yes I got that this is an example.
In my case, I need a Unifi access point to assign DHCP addresses from the LAN pool (192.168.88.x), but to be able to check on the UniFi controller residing on WAN network (192.168.0.x).
So, I added this: chain=dstnat action=accept to-addresses=192.168.88.246 protocol=tcp dst-address=192.168.88.246 in-interface=ether1 src-port=8080 dst-port=8080 log=no log-prefix="" and the UniFi device (192.168.88.246) can be visible in the controller.
The example you mentioned throws an error: mikrotik failure: to-ports valid only for tcp/udp/sctp/dccp

I cannot add route to the WAN net, so I have to work only on my side.

Best regards

K

Good, so your problem is solved? Please mark this thread as solved.

Will try it on the actual scenario, and if no other issues occur, I will mark the thread as solved.

Best regards

K

I just checked your rule and I think it will not work; the correct one is:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080 dst-address=192.168.88.246 in-interface=ether1 protocol=tcp to-addresses=192.168.88.246 to-ports=8080
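
An added example, not part of the thread and not MikroTik code: a small Python check run over the three NAT rules posted above. It flags the to-ports/protocol error quoted in the thread, rules whose action does not rewrite the destination, and forwards left open to every host on the WAN side. The function names, finding codes and the src-address value 192.168.0.10 are assumptions made for illustration, and only the listed checks are performed.

```python
import shlex

# Protocols named in the RouterOS error quoted in the thread.
PORT_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}

MESSAGES = {
    "to-ports-needs-protocol": "to-ports is only accepted with protocol=tcp/udp/sctp/dccp",
    "action-does-not-translate": "to-addresses/to-ports have no effect unless the action rewrites the destination",
    "src-port-pinned": "src-port matches the client's source port, which is normally ephemeral",
    "no-source-restriction": "every host reachable on in-interface can use the forwarded port",
}

def parse_rule(line):
    """Return the key=value properties of one RouterOS 'add' line as a dict."""
    props = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:  # skips menu words such as /ip, firewall, nat, add
            props[key] = value
    return props

def lint_dstnat(line):
    """Return the list of finding codes for one rule in chain=dstnat."""
    rule = parse_rule(line)
    action = rule.get("action", "accept")  # RouterOS uses accept when action is omitted
    translates = action in ("dst-nat", "netmap", "redirect")
    findings = []
    if "to-ports" in rule and rule.get("protocol") not in PORT_PROTOCOLS:
        findings.append("to-ports-needs-protocol")
    if ("to-addresses" in rule or "to-ports" in rule) and not translates:
        findings.append("action-does-not-translate")
    if "src-port" in rule:
        findings.append("src-port-pinned")
    if translates and not ("src-address" in rule or "src-address-list" in rule):
        findings.append("no-source-restriction")
    return findings

# The three rules as posted in the thread, plus one constructed variant.
FIRST = "/ip firewall nat add chain=dstnat in-interface=ether1-WAN to-addresses=192.168.88.100 to-ports=80"
SECOND = ('chain=dstnat action=accept to-addresses=192.168.88.246 protocol=tcp dst-address=192.168.88.246 '
          'in-interface=ether1 src-port=8080 dst-port=8080 log=no log-prefix=""')
LAST = ("add action=dst-nat chain=dstnat dst-port=8080 dst-address=192.168.88.246 in-interface=ether1 "
        "protocol=tcp to-addresses=192.168.88.246 to-ports=8080")
SCOPED = LAST + " src-address=192.168.0.10"  # constructed controller address, not from the thread

if __name__ == "__main__":
    for name, rule in [("first", FIRST), ("second", SECOND), ("last", LAST), ("scoped", SCOPED)]:
        for code in lint_dstnat(rule):
            print(f"{name}: {code}: {MESSAGES[code]}")
```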