How to pass through to router via public IP

Hi All,

My router dials PPPoE on ethernet1 to the ISP fiber converter.
Once PPPoE is established, the interface has local address: 100.91.214.57 and remote address: 100.123.1.62.
The dynamic public ip: 183.80.67.230
My Lan ip: 192.168.100.0/24

Would need help for any setting so that I can see my router webconfig login when I use the public ip via internet.

The real reason is that I need to configure VPN, but the router is not “visible” when accessed from the internet by public ip.

Thanks for any idea and comment.

Which device? You have to configure it first in LAN. By default access is permitted only from LAN. In the config you can specify access from WAN too.

It is RB 3011 UiAS-RM.

In LAN, it’s accessible. But from Internet, it’s not. I have no idea, seems no route from public ip to router ip.

Once the public ip is linked with the pppoe ip, I think my router can be accessible from internet with VPN. Would need your advice.

Just read what I wrote: you have to configure it to allow access (also) from WAN (Internet). Consult the product documentation.

Greetings to Mikrotik user from Ho Chi Minh City!

Once pppoe established, interface has local address: 100.91.214.57 and remote address: 100.123.1.62.
The dynamic public ip: 183.80.67.230

Looks like you don’t have a public IP; the one you are using is shared between a number of users on your ISP’s network. So when a VPN connection from the Internet reaches 183.80.67.230, it reaches your ISP’s router, which will not forward the traffic to your router and will reject the request or just drop it.

Of course you can request (and most likely have to pay for) a public IP from your ISP, then it will be assigned to your pppoe connection.

Yeah that could indeed be the case here.

Here’s some more info https://networkengineering.stackexchange.com/a/49262 :

RFC6598 defines 100.64.0.0/10 as prefix for Shared Address Space. If you get an address from this prefix you are very likely behind a provider based NAT. Same is true for addresses from RFC1918 prefixes (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Providers may also use public address for shared addressing.
You can test if you are behind a NAT by using websites like this
http://ip.bieringer.de/cgn-test.html (click the button “Test supported protocols” and then see what’s in the Status field)
https://tools.ietf.org/html/rfc6598
https://tools.ietf.org/html/rfc1918

$ ipcalc 100.64.0.0/10
Address: 100.64.0.0 01100100.01 000000.00000000.00000000
Netmask: 255.192.0.0 = 10 11111111.11 000000.00000000.00000000
Wildcard: 0.63.255.255 00000000.00 111111.11111111.11111111
=>
Network: 100.64.0.0/10 01100100.01 000000.00000000.00000000
HostMin: 100.64.0.1 01100100.01 000000.00000000.00000001
HostMax: 100.127.255.254 01100100.01 111111.11111111.11111110
Broadcast: 100.127.255.255 01100100.01 111111.11111111.11111111
Hosts/Net: 4194302 Class A

How would I say thanks to all of you mutluit and solar77 for your kind support.

I already called ISP to set public ip the same with wan ip/pppoe ip. Now, webfig/router is accessible with public ip via internet.

P/s: seems unable to select multiple posts for SOLVED marks :wink:

Thank you for letting us know it’s working. Many posters won’t give feedback on our suggestions, which is a shame.
Not important to vote a solution, it’s not like we would get paid for it :laughing:

You are welcome. Glad to see it’s solved now.
The credit goes to @solar77, so you should mark posting #5.

Sorry guys for the interruption. But where can I set WAN parameters in order to connect to a wAP LTE device from remote?

Is your device already operational? Do you have access to WAN/Internet?
Do you mean admin access to your device from WAN? (a very bad idea in respect to security)
Or do you rather mean port forwarding?

See also:
https://www.youtube.com/watch?v=E03gh1huvW4

Hello.

No, my device is not operational yet. I have access to WAN/Internet definitely:)).
What I’ve done: I set up a firewall rule: Tcp, dst port…
As well as DDNS was enabled.
My task is to reach a device by remote in secure way.
I will share a picture with you in order to make it more clear. Take a look please.

My plan is to use a router as primary connectivity for Base Station (IoT solution ). Router will retrieve internet from SIM card which one is inserted in the device.


If you have any further question ask I will try to explain you.
Looking forward to a response from you.

Kinds.
Screenshot 2020-05-27 at 10.50.06.png

Via the DDNS address you can connect to your WAN router.
Do you already know how you will connect? Using which application, protocol and port?
Normally, one should use VPN to access the LAN from WAN.
As said, you can also use port-forwarding if you want connect to a single service running in your LAN, like a ssh server etc.:
dst port 22 → forward to LAN-IP port 22
(of course you can also use some different port numbers)

I have no idea, mutluit. Please, could you be so kind and do me a favour in choosing a secure method?
I have no idea where I should apply port forwarding and which port I shall use.


Sorry for inconvenience.

Please, assist me:)..

Aidas

It is still unclear what exactly you want: do you want to access your whole LAN from Internet?
Or do you want to access from Internet just a single service like a web-server, ftp-server, ssh-server etc. that is running inside your LAN?
Shall this access be for you only, or for your friends, or for anybody?
As first you should make a simple drawing of your LAN/WAN, and specify what services are running in your LAN, and what you want to achieve.
But, maybe there is some misconception, maybe you mean something very different than WAN-to-LAN access.

Please read my previous suggestion, in this very post!
Before we get into the practical method of accessing the router, either by VPN or port-forwarding, do you have a publicly accessible IP address? It does not seem to be the case by the look of it.
From your post: 84.15.182.234 belongs to ISP: Bite Lietuva, which is a wireless ISP.
Please first speak to your ISP and establish that this IP address is assigned to you, before continuing.

Right. He seems to be using the local IP in DDNS. “/ip cloud” has such an option, I read somewhere.
“use-local-address” → https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

$ nslookup 84.15.182.234
234.182.15.84.in-addr.arpa name = IN-84-15-182-234.bitemobile.lt.

$ nslookup ae850bba6de8.sn.mynetname.net
Name: ae850bba6de8.sn.mynetname.net
Address: 10.1.84.70

Indeed, the screen capture shows he is behind NAT and the last line gives the answer: “remote connection may not work”.
Looks like he’s got a private IP from the ISP, normal for a mobile network.

No, “use-local-address” means to assign the local IP instead of the public IP to the DDNS record, ie. in DNS.
In that case the dns name can of course be used only in LAN, ie. behind the NAT border.

Good to know. But in this case, even if he assigns the local IP to the DDNS record, he still won’t be able to access his wAP LTE remotely (from the internet).
The simple way to get this to work is that you need to buy a public IP from the ISP.
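
Added example, not part of any post in this thread: the check the replies above do by eye (is the WAN address in RFC 6598 or RFC 1918 space, and does it match the address seen from the Internet?) written with Python's standard `ipaddress` module. The first two address pairs are the ones quoted in the thread; the function names, the result labels, the third "after ISP change" pair, and treating the DDNS record 10.1.84.70 as the wAP LTE's WAN address are assumptions for illustration.

```python
import ipaddress

# Prefixes named in the thread: RFC 6598 shared address space and RFC 1918 private space.
CGN_SHARED = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, observed_ip=None):
    """Classify the address on the WAN interface (e.g. the PPPoE local address).

    observed_ip is the address an external service reports for the connection.
    It is optional and only used to catch providers that translate between
    public addresses, which the quoted Stack Exchange answer also mentions.
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan in CGN_SHARED:
        return "cgnat-rfc6598"
    if any(wan in net for net in RFC1918):
        return "private-rfc1918"
    if not wan.is_global:
        return "not-routable"          # loopback, link-local, reserved, ...
    if observed_ip is not None and ipaddress.ip_address(observed_ip) != wan:
        return "public-but-translated"
    return "directly-reachable"


def inbound_possible(wan_ip, observed_ip=None):
    """Inbound VPN or port forwarding needs the WAN address to be the public one."""
    return classify_wan(wan_ip, observed_ip) == "directly-reachable"


# (WAN-side address, address seen from the Internet)
CASES = {
    "RB3011 PPPoE (from the thread)": ("100.91.214.57", "183.80.67.230"),
    # Assumption: the DDNS record reflects the device's WAN address.
    "wAP LTE (from the thread)": ("10.1.84.70", "84.15.182.234"),
    # Assumed values: the thread only says the ISP made WAN and public IP the same.
    "RB3011 after ISP change (assumed)": ("183.80.67.230", "183.80.67.230"),
}

if __name__ == "__main__":
    for name, (wan, seen) in CASES.items():
        verdict = classify_wan(wan, seen)
        print(f"{name}: WAN {wan}, seen as {seen} -> {verdict}")
```
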