How to acces my wireless repater from lokal network

imaljko4 · March 24, 2013, 12:38am

I have following scenario
network copy.png
RB133(main router)
Lokal network: Eth1 192.168.5.3/24 (Internet gateway is 192.168.5.1)
Hotspot is running on: wlan1 10.0.5.1/24 (wds enabled)

rb411 (wireless repeater)
wireles (hotspot from WDS): wlan1 10.0.5.2/24 (wds enabled)

So how can i acess my rb411(wireless repeater) via winbox , from my local network(192.168.5.0/24)?

I tried some nat examples from the forum, but didn’t really succeed in my aim.

Thank you very much for help

edit:
i have try the following

/ip address add interface=ether1 address=192.168.5.4/24
/ip firewall nat add chain=dstnat dst-address=192.168.5.4 action=dst-nat to-addresses=10.0.5.2

But still it doesnt work
From the main router (rb133) i am able to ip ping the repeater at 10.0.5.2

imaljko4 · March 25, 2013, 5:57pm

Please can somebody help me?

I am still stuck and cannot solve it..

thanks

Engitech · March 25, 2013, 6:36pm

Did you configure that 10.0.5.2 can bypass the hotspot? Can you ping from 10.0.5.2 outside of his range (like 8.8.8.?
Do you have a default route configured in this repeater?

imaljko4 · March 25, 2013, 8:55pm

Yes bypass is configured for 10.0.5.2
Yes now i have configured the default route on the repeater ( i tought i have to configure it only on the main router..)
Yes I am able to ping from 10.0.5.2 outside (8.8.8.8 )

So i am able to access the repeater at adress 10.0.5.2 only if i connect to the hotspot with my laptop,
But if i try to access it from out my lokal network(192.168.5.0/24) at the adress 192.168.5.4, it doesnt work, the ping also doesnt work.

So i guess i have configured the NAT somehow not correctly…

Engitech · March 25, 2013, 9:24pm

Can you do an export /compact of firewall rules on 10.0.5.2?

imaljko4 · March 25, 2013, 10:50pm

There are no firewall rules created on 10.0.5.2
All firewall rules are at the main router 10.0.5.1

( i tought i dont need to setup firewall on the repeater, because all is configured on the main router, I did all the setup on the 10.0.5.1; hotspot, firewall, nat.. etc)

Engitech · March 26, 2013, 8:51am

can you export the config of the 2 mikrotik (10.0.5.1 and 10.0.5.2)?

imaljko4 · March 26, 2013, 8:23pm

After I have added " protocol=tcp" and "to-ports=0-65535 " to the dst-nat rule so now it looks like:

chain=dstnat action=dst-nat to-addresses=10.0.5.2 to-ports=0-65535 
     protocol=tcp dst-address=192.168.5.4

Now I am able to ping at 192.168.5.4., but still I am not able to connect with winbox, telnet or ssh.
When i try to connect wit winbox i see that the connections state is “syn-sent”, but it is not “established”:

 
telnet from 10.0.5.1 to 10.0.5.2
/ip firewall connection> print
Flags: S - seen reply, A - assured 
 #    PROTOCOL SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT    
 0 SA tcp      10.0.5.1:43359        10.0.5.2:23           established 4m57s      
1    tcp      192.168.5.245:57609   10.0.5.2:8291         syn-sent    2s

Here is my prints and export from the network:

MAIN ROUTER: 10.0.5.1 :

/ip address
add address=192.168.5.3/24 broadcast=192.168.5.255 comment="" disabled=no \
    interface=bridge1 network=192.168.5.0
add address=10.0.5.1/24 broadcast=10.0.5.255 comment="" disabled=no \
    interface=bridge2 network=10.0.5.0
add address=192.168.5.4/24 broadcast=192.168.5.255 comment="" disabled=no \
    interface=bridge1 network=192.168.5.0


interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE              BRIDGE              PRIORITY PATH-COST  HORIZON   
 0    ether1                 bridge1             0x80     10         none      
 1    ovpn                   bridge1             0x80     10         none      
 2    wlan1                  bridge2             0x80     10         none      
 3    wds1                   bridge2             0x80     10         none     

 /ip route> print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.5.1        1       
 1 ADC  10.0.5.0/24        10.0.5.1        bridge2            0       
 2 ADC  192.168.5.0/24     192.168.5.3     bridge1            0       
 3 ADC  192.168.5.245/32   192.168.5.252   bridge1            0       


 1   ;;; masquerade hotspot network
     chain=srcnat action=src-nat to-addresses=192.168.5.3 
     src-address=10.0.5.3-10.0.5.254 

 2   chain=dstnat action=dst-nat to-addresses=10.0.5.2 to-ports=0-65535 
     protocol=tcp dst-address=192.168.5.4


 /ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked 
 #   MAC-ADDRESS       ADDRESS                         TO-ADDRESS      SERVER  
 0 P XX:XX:XX:XX:XX:XX 10.0.5.2                        10.0.5.2        hotspot1

REPEATER: 10.0.5.2:

/ip address
add address=10.0.5.2/24 disabled=no interface=bridge1 network=10.0.5.0

/interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                         BRIDGE                         PRIORITY  PATH-COST    HORIZON
 
 0    wireles                            bridge1                            0x80         10       none
 1    wds1                              bridge1                            0x80         10       none


/ip route> print

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  10.0.5.0/24        10.0.5.2        bridge1                   0


/ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
(no rules...)

Engitech · March 26, 2013, 10:04pm

you have no default-route on 10.0.5.2. Add a route to 0.0.0.0/0 with gateway 10.0.5.1.
this configuration is wrong:

2 chain=dstnat action=dst-nat to-addresses=10.0.5.2 to-ports=0-65535
protocol=tcp dst-address=192.168.5.4

you must remove it .

if you want nat 1 port of your router 192.168.5.4 to 10.0.5.2, it will be something like this:

chain=dsnat action=dst-nat to-addresses=192.168.5.4 to-ports=8291 protocol=tcp dst-address=10.0.5.2

After you can winbox to 192.168.5.4 and this will connect your second router.

imaljko4 · March 27, 2013, 11:58am

route added to 10.0.5.2( i did have it in the first place but had removed the route for testing reasons):

 /ip route> print

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          10.0.5.1                  1
 1 ADC  10.0.5.0/24        10.0.5.2        bridge1                   0

Changed the dstnat rule to:

 0   ;;; masquerade hotspot network
     chain=srcnat action=src-nat to-addresses=192.168.5.3 
     src-address=10.0.5.3-10.0.5.254 

 1   chain=dsnat action=dst-nat to-addresses=192.168.5.4 to-ports=8291 
     protocol=tcp dst-address=10.0.5.2

But now when i connect with winbox to 192.168.5.4, it connects me to the main Router(10.0.5.1),
So the dstnat rule is not forwarding(rerouting) the request to 10.0.5.2

Having a look here http://wiki.mikrotik.com/wiki/NAT_Tutorial and here http://forum.mikrotik.com/t/hotspot-ip-binding-one-to-one-nat/36572/1 shouldn’t I change the dstnat rule to:

chain=dsnat action=dst-nat to-addresses=10.0.5.2 to-ports=8291 protocol=tcp dst-address=192.168.5.4

?

edit:
Now no matter how i write the dstnat rule, i am constantly being connected to the 10.0.5.1 router(main router) if i access the address 192.168.5.4. .. very strange.

P.s. I am using RouterOS 4.17 (because i like the old User Manager) so is this a bugg of the old RouterOS versions?

Edit:
I tried to upgrade to v5.24, but the problem is still there…- downgrading again to v4.17

Engitech · March 27, 2013, 9:19pm

you are right for the nat … it was a bit late yesterday when i write my post. sorry.

chain=dstnat action=dst-nat to-addresses=10.0.5.2 protocol=tcp dst-address=192.168.54.4 dst-port=8291

is the right syntax.

But if you add the route you don’t need it . Disable this nat rule. If you ping 10.0.5.2 from a pc in subnet in 192.168.54.x it must work.
(Don’t forget to add a route in your pc to use gateway 192.168.54.3 for subnet 10.0.5.0/24)

Can you try?

imaljko4 · March 29, 2013, 10:42am

OK. Thank you very much for your help.
I finally managed to solve it:
So the key solution was:

I had following firewall entry which was somehow also blocking the access:

add action=drop chain=forward comment="" disabled=no dst-address=192.168.5.0/24 src-address=10.0.5.0/24

I dont know why it was blocking, because this entry is only to block hotspot users from being able to access our private(lokal) network,
and not the other way around.
But anyways, so i added another entry which has solved the issue:

add action=accept chain=forward comment="" disabled=no dst-address=10.0.5.1-10.5.0.2 src-address=192.168.5.0/24