DST-NAT through PPPoE

Hello,
I’m a newbie when it comes to MikroTik and networking. I would like to configure access to an IP camera recorder using a public IP by port forwarding on a MikroTik hEX S. Also, I’ve changed my ISP and now I have Internet access through PPPoE. I’ve managed to configure access to the camera recorder device using my public IP, but only when I connect from the LAN. The problem is that I need to connect to this device from an outside location, but I can’t see any packets coming into the MikroTik, nor can I connect to the camera device. I guess the problem is that the MikroTik has “private range” IP addresses in its PPPoE status. Also, if I check the public IP on any website, e.g. https://whatismyipaddress.com/, I can see that the IP is different from the one shown by the MikroTik. Could you give me any tips on how to solve this problem? The IP recorder address in the config is 10.150.1.9/24.
config.txt (4.37 KB)

Connecting to your camera from the outside is a security risk.
Suggest you wireguard in to the router and then access the camera, much safer.
What is the purpose of your ovpn setup?

I’m planning to allow access only from one public IP. The OpenVPN is irrelevant, it’s for other devices in the network. I know I could make a connection to the camera through OVPN, but in this specific case it has to be through port forwarding.

(1) What the heck are you doing.
If you assign an address to the bridge and then assign the etherports to the bridge then WHY.

/ip address
add address=10.125.1.254/24 interface=ether2 network=10.125.1.0
add address=10.125.1.254/24 interface=bridge network=10.125.1.0
add address=10.150.1.254/24 interface=ether3 network=10.150.1.0

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5

(2) This can be shortened… to
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN

(3) Can be removed,
/ip dns static
add address=10.150.1.254 name=router.lan

(4) MUST BE disabled or removed as your dhcp is handled by pppoe.
/ip dhcp-client
add comment=defconf interface=ether1

+++++++++++++++++++++++++++++++++++++++++++

Clearly you know dickus about the MT config and RoS, much copy and paste without knowledge.

++++++++++++++++++++++++++++++++++++++++++

(5) For NAT rules let’s keep it simple… KEEP!!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

and remove all the other garbage…


(6) For destination nat rule, I see no evidence of the single public IP you were going to limit the connection to??
So either lying or just forgot. In addition the format is not correct…
something like.
add action=dst-nat chain=dstnat comment=Rejestrator in-interface-list=WAN dst-port=8080 log=yes protocol=tcp to-addresses=10.150.1.9 to-ports=8080 src-address=???

Now if the public IP address you are talking about (coming into the router) is a static IP, the above works fine. However, if it’s a dynamic WAN IP then you will need to identify it by a dyndns type name/url.
In this case create the firewall address entry and the MT router will resolve the address for you.
/ip firewall address-list
add address=dyndns_name/url list=ServerAccess

And Rule becomes.
add action=dst-nat chain=dstnat comment=Rejestrator in-interface-list=WAN dst-port=8080 log=yes protocol=tcp to-addresses=10.150.1.9 to-ports=8080 src-address-list=ServerAccess

Clearly you know dickus about the MT config and RoS, much copy and paste without knowledge.

And? You think I don’t know that? That’s why I’m here - to learn something. Every person on this forum, in order to achieve something, needed to start from some “dickus” level knowledge. Even you :wink:. Besides that, of course I’m really grateful for the rest of your feedback. It will definitely help me understand MT config. Unfortunately the solution to my problem was to contact my ISP, because my public IP address wasn’t useful when it comes to NAT and it needed to be changed. But of course thanks for trying to help.

True dat, learning the hard way LOL
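
The two checks this thread turns on, as an added example (not code from any poster or from MikroTik): whether the address on the PPPoE interface is reachable from outside at all, and whether each dst-nat rule in an export is limited by source and WAN interface as suggested in point (6). Function names, verdict strings and all sample addresses are assumptions made for illustration, and each exported rule is assumed to sit on a single line.

```python
import ipaddress
import shlex

# Ranges never routable from the Internet: RFC 1918 private space plus
# 100.64.0.0/10, the shared range ISPs use for carrier-grade NAT.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def wan_verdict(wan_addr, observed_addr):
    """Compare the router's WAN address with the address a remote site reports."""
    wan = ipaddress.ip_address(wan_addr.split("/")[0])
    if any(wan in net for net in NON_PUBLIC):
        return "isp-nat"    # translated upstream; inbound packets never reach dst-nat
    if wan != ipaddress.ip_address(observed_addr):
        return "mismatch"   # public, but not the address outsiders connect to
    return "public"

def parse_rule(line):
    """Split one 'add key=value ...' export line into a dict (quotes handled)."""
    return dict(p.split("=", 1) for p in shlex.split(line)[1:] if "=" in p)

def audit_dstnat(export_text):
    """List dst-nat rules that accept any source or are not bound to an interface."""
    findings = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = parse_rule(line)
        if rule.get("action") != "dst-nat":
            continue
        name = rule.get("comment", rule.get("dst-port", "?"))
        if not (rule.get("src-address") or rule.get("src-address-list")):
            findings.append((name, "no source restriction"))
        if not (rule.get("in-interface") or rule.get("in-interface-list")):
            findings.append((name, "not bound to WAN interface"))
    return findings

# Constructed sample export: the rule commented "open" lacks both restrictions,
# the second rule follows the form suggested in the thread.
SAMPLE = """/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat comment=open dst-port=8080 protocol=tcp to-addresses=10.150.1.9 to-ports=8080
add action=dst-nat chain=dstnat comment=Rejestrator in-interface-list=WAN dst-port=8080 protocol=tcp to-addresses=10.150.1.9 to-ports=8080 src-address-list=ServerAccess
"""

if __name__ == "__main__":
    print(wan_verdict("100.64.12.7/32", "203.0.113.20"))  # constructed addresses
    print(audit_dstnat(SAMPLE))
```

A verdict of "isp-nat" matches the situation described in the first post: no dst-nat rule on the router can help until the ISP assigns a routable address.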