Enable Internal Access to IP from External Source

RouterOS General
1

HI Guys,

I am sure this is a stupid question but, basically I want to allow web access externally to me Access point located on my internal network, via port 88 or whatever.

Currently my confiq is:
3 x Interfaces:
1 x ADSL pppoe-client Interface (ADSL connected to 192.168.0. Interface_
2 x Ethernet Interfaces (192.168.1. & 192.168.0.)

I want to access 192.168.1.254:80 on my hotspot subnet, from the web via port 88, or 8080 or whatever.

I have been banging my head trying to get this to work, although I havent slept for a few days and I think its just cause I am tired.

Any help is appreciated.

2

use the hotspot bypass or ip-binding

3

I cant find any information on either of the methods you have specified, can you point me in the right direction?

4

how about dst-nat? action=dst-nat and chain=dstnat
http://www.mikrotik.com/docs/ros/2.9/ip/nat

5

I have tried that, I would have thought that would work as well bu tI cant seem to get it to work. I am sure thats it, but I am just not doing it right.

6

I’m guessing you are using the universal client and enabled-address methods for your hotspot clients. You need to specify a static hotspot user and universal client for the device:

/ ip firewall dst-nat
add dst-address=:8000 protocol=tcp \
action=nat to-dst-address=10.1.1.250 \
to-dst-port=80 comment="DNAT 8000 to internal client device 80"

/ ip firewall mangle
add src-address=10.1.1.250/32 mark-flow=hs-auth \
action=passthrough comment="Allow internal client device out"

/ ip hotspot user 
add name="AP" password="" address=10.1.1.250 \ mac-address=00:00:00:00:00:01 \
profile=default comment="" disabled=no

/ ip hotspot universal access 
add mac-address=00:00:00:00:00:01 \
address=10.1.1.250 to-address=10.1.1.250 \
interface=hotspot comment="" disabled=no

This works for me, probably some bits in there that aren’t required tho