Can't access a Ubiquiti device on ether2

Hi, I'm trying to access an airfiber connected on ether2 but it's impossible… the airfiber has the IP 172.16.126.51 and if I try to ping, no ping… I need to enable:

/ip address
add address=172.16.126.52/23 disabled=no interface=ether2 network=172.16.126.0

And I got ping…

How can I access the Ubiquiti device through the WAN port (cloud xxxxxxx.sn.mynetname.net)?

I tried opening ports with dstnat from a random external port to internal ports 80 and 443 but no luck… It says filtered port… in the MikroTik I can see the packet count but can't access the Ubiquiti…

How can I do it? Thx!!

/interface bridge
add fast-forward=no name=loopback
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="PTP"
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment="Local LAN"
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=wan
/ip pool
add name=dhcp_pool0 ranges=192.168.255.2-192.168.255.254
add name=VPN ranges=172.16.126.62-172.16.126.65
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether5 name=dhcp1
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=172.16.123.1 name=VPNSecurity only-one=yes remote-address=VPN
/queue type
add kind=pcq name=Descarga-20M pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=20M pcq-src-address6-mask=64
add kind=pcq name=Subida-20M pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=20M pcq-src-address6-mask=64
add kind=pcq name=Download-200M pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=200M pcq-src-address6-mask=64
add kind=pcq name=Upload-200M pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=200M pcq-src-address6-mask=64
add kind=pcq name=Download-50M pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=50M pcq-src-address6-mask=64
add kind=pcq name=Upload-50M pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=50M pcq-src-address6-mask=64
/queue simple
add name=Queue-LC queue=Upload-50M/Download-50M target=192.168.255.0/24
/snmp community
add addresses=0.0.0.0/0 name=SNMP
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set default-profile=VPNSecurity enabled=yes use-ipsec=yes
/ip address
add address=192.168.255.1/24 interface=ether5 network=192.168.255.0
add address=172.16.0.2/30 interface=ether2 network=172.16.0.0
add address=10.255.255.253 interface=loopback network=10.255.255.253
add address=172.16.126.52/23 disabled=yes interface=ether2 network=172.16.126.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.255.0/24 gateway=192.168.255.1
/ip dns
set cache-max-ttl=1d servers=8.8.8.8,8.8.4.4,62.42.63.52,62.42.230.24,208.67.222.222,208.67.220.220
/ip firewall filter
add action=accept chain=input disabled=yes protocol=udp src-port=500,1701,4500
add action=accept chain=input disabled=yes protocol=ipsec-esp
add action=accept chain=input disabled=yes protocol=ipsec-ah
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat in-interface=ether1 to-addresses=172.16.0.1
/ip firewall service-port
set sip disabled=yes
/ip route
add distance=20 gateway=172.16.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=80
set ssh disabled=yes
set api disabled=yes
set winbox port=8291
set api-ssl disabled=yes
/ppp secret
add name="user" profile=VPNSecurity service=l2tp
/system identity
set name=Border
/system ntp client
set enabled=yes primary-ntp=176.31.53.99 secondary-ntp=84.43.191.4
/system routerboard settings
set enter-setup-on=delete-key silent-boot=no

I assume you get a public IP from your ISP on ether1?

The only action=dst-nat rule in your /ip firewall nat doesn’t match on any protocol or port, which means that it redirects incoming connections on any protocol (TCP, UDP, …) and towards any dst-port (where applicable) that arrive via ether1 to its to-addresses (which is 172.16.0.1). Hence you have to place a selective action=dst-nat rule before (above) that generic one, such as chain=dstnat protocol=tcp dst-port=8443 action=dst-nat to-addresses=172.16.126.51 to-ports=443. The order of rules in firewall chains matters - when a packet is processed by a firewall chain, it is handled by the first rule whose match conditions are all met. Hence if it meets the existing rule first, it never reaches the more selective one.
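An added example, not part of the original posts: a small Python model of the first-match behaviour described in the reply above, fed with the generic rule from the posted config and the selective rule the reply suggests. The function names and the sample packet are constructed for illustration, and dst-port is simplified to a single exact value (no lists or ranges).

```python
import shlex

MATCHERS = ("in-interface", "protocol", "dst-port")

def parse_rule(line):
    """Turn one exported 'add key=value ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line)[1:])

def enabled(rule, chain="dstnat"):
    return rule.get("disabled") != "yes" and rule.get("chain") == chain

def matches(rule, pkt):
    """An unset matcher matches anything; a set one must equal the packet's value."""
    return enabled(rule) and all(
        k not in rule or rule[k] == pkt[k] for k in MATCHERS)

def translate(rules, pkt):
    """First matching rule wins: return the 'address:port' the packet is sent to."""
    for rule in rules:
        if matches(rule, pkt):
            return f'{rule["to-addresses"]}:{rule.get("to-ports", pkt["dst-port"])}'
    return None  # no dst-nat applied

def shadowed_on(rules, iface):
    """Indexes of enabled rules that can never fire for traffic entering on iface."""
    hidden = []
    for i, rule in enumerate(rules):
        if not enabled(rule) or rule.get("in-interface", iface) != iface:
            continue
        seen = {"in-interface": iface, **rule}
        if any(enabled(e) and all(k not in e or e[k] == seen.get(k) for k in MATCHERS)
               for e in rules[:i]):
            hidden.append(i)
    return hidden

# Rules quoted from the thread; the packet is a constructed sample.
GENERIC = "add action=dst-nat chain=dstnat in-interface=ether1 to-addresses=172.16.0.1"
SELECTIVE = ("add chain=dstnat protocol=tcp dst-port=8443 action=dst-nat "
             "to-addresses=172.16.126.51 to-ports=443")
GENERIC_FIRST = [parse_rule(GENERIC), parse_rule(SELECTIVE)]
SELECTIVE_FIRST = [parse_rule(SELECTIVE), parse_rule(GENERIC)]
PACKET = {"in-interface": "ether1", "protocol": "tcp", "dst-port": "8443"}

if __name__ == "__main__":
    for name, rules in (("generic first", GENERIC_FIRST), ("selective first", SELECTIVE_FIRST)):
        print(name, translate(rules, PACKET), "shadowed:", shadowed_on(rules, "ether1"))
```

Running `shadowed_on` over an exported NAT table before adding a new port forward shows whether an existing catch-all rule will swallow it for traffic arriving on the WAN interface.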

Hi, no, the rule that I use is:

add action=dst-nat chain=dstnat comment="Ubiquiti redirect ports" disabled=yes dst-port=12345 protocol=tcp to-addresses=172.16.126.51 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=12346 protocol=tcp to-addresses=172.16.126.51 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=12347 protocol=tcp to-addresses=172.16.126.51 to-ports=18888


Finally I found the trouble, or what I did worked… On the Ubiquiti device the gateway is at the remote site; I gave it a gateway from the local MikroTik and I can access it now from outside.

Thanks!!