IP-Cloud Dynamic IP WAN Behind Nat

omadasms · June 11, 2020, 3:17pm

We use Router OS for remote wifi hotspot portals in our business to log on customers to free WiFi. They are a combination of routers and APs. I’m stuck on how to configure IP-Cloud with a dynamic IP behind NAT to reach the routers or APs in the field. I’ve searched here endlessly, tried many, many different lines of code and just can’t figure it out. IP-Cloud is active with DDNS enabled, I have the dynamic IP TT.UUU.VV.17, use local address is checked. DNS name IP-Cloud is RouterSN.sn.mynetname.net. I can connect to it thru the LAN but not the WAN (Ether1).

Eventually we think we want to use cloud staticIP CHR. The Mikrotiks would still be behind a NAT. At the same customer location, we would configure bridged APs behind a HEX router for instance using RoMan. We assume we could then log onto the HEX and RoMan into the APs?

Basically, we want to be able to get to all the devices in the remote field. Will our plan work?

For now, how do I get IP-Cloud to work? Below is our typical configuration. Obviously, I removed all the details of IP addresses, radius, etc. Please forgive me for asking for help as I am not a network professional. Thank you professionals all in advance!

/interface bridge add name=bridge1-LAN_WAN_BRIDGE priority=0xFFFF
/interface bridge add name=bridge2-LAN_SPLASH priority=0xFFFF
/interface bridge port add bridge=bridge1-LAN_WAN_BRIDGE interface=ether1
/interface bridge port add bridge=bridge2-LAN_SPLASH interface=ether2
/interface bridge port add bridge=bridge2-LAN_SPLASH interface=ether3
/interface bridge port add bridge=bridge2-LAN_SPLASH interface=ether4
/interface bridge port add bridge=bridge2-LAN_SPLASH interface=ether5
/interface bridge port add bridge=bridge2-LAN_SPLASH interface=wlan1
/ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=bridge1-LAN_WAN_BRIDGE
/ip hotspot profile add hotspot-address=XX.Y.ZZ.1 name=ABC
/ip pool add name=hs-pool-3 ranges=XX.Y.ZZ.2-XX.Y.ZZ.254
/ip dhcp-server add address-pool=hs-pool-3 disabled=no interface=bridge2-LAN_SPLASH lease-time=1h name=dhcp1
/interface sstp-client remove Company_Management-SSTP
/interface sstp-client add connect-to=mt1-usb.Company.com max-mtu=1400 max-mru=1400 name=Company_Management-SSTP user=Mac password=Mac profile=default-encryption disabled no
/user add name=Companywifi password=password comment=Company-Management group=full
/system scheduler add disabled=no interval=15m name=schedule1 on-event="/delay delay-time=565s\r\n/tool fetch url=\"https://api-usb.Company.com/routeros/check-in\\?mac=Mac\"" start-date=jan/01/1970 start-time=00:00:00
/ip hotspot add address-pool=hs-pool-3 disabled=no interface=bridge2-LAN_SPLASH name=radius profile=radius
/ip address add address=XX.Y.ZZ.1/24 comment="Company WiFi Network" interface=bridge2-LAN_SPLASH network=XX.Y.ZZ.0
/ip dhcp-server network add address=XX.Y.ZZ.0/24 comment="Company WiFi network" gateway=XX.Y.ZZ.1 dns-server=185.228.168.168,185.228.169.168
/ip firewall nat add action=masquerade chain=srcnat comment="Company WiFi hotspot network" src-address=XX.Y.ZZ.0/24
/ip hotspot user add name=admin
/ip cloud set ddns-enabled=yes
/ip cloud advanced set use-local-address=yes
/system clock set time-zone-autodetect=yes
/ip cloud set update-time=yes
/interface wireless set wlan1 mode=ap-bridge ssid="Company Free WiFi" default-forwarding=no disabled=no
/interface wireless set 0 default-forwarding=no
/ip hotspot profile set radius use-radius=yes
/ip hotspot profile set radius login-by=http-pap,http-chap,https
/radius add service=hotspot address=F.GGG.HH.I secret=radius timeout=3000ms
/radius add service=hotspot address=F.KK.LLL.JJ secret=radius timeout=3000ms
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ip hotspot walled-garden ip add dst-address=F.GGG.HH.3
/ip hotspot walled-garden ip add dst-address=F.KK.LLL.JJ
/ip hotspot user profile set 0 keepalive-timeout=00:45:00
/system clock set time-zone-autodetect=no time-zone-name=manual
/system clock manual set time-zone=gmt dst-delta=+00:00
/system ntp client set enabled=yes server-dns-names=pool.ntp.org
/ip hotspot user profile set default shared-users=5
/ip service set api disabled=no
/system identity set name=radius
/system script 
add name=hs_wg_ip_update owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
:global ListName devassets-swp;\r\n\
:global Servers dashboard.mysplash.net,mysplash.net,assets.Companywifiplatform.com;\r\n\
:global Done;\r\n\
:if ([:typeof \$Done] != \"boolean\") do={\r\n\
  \t:set Done true;\r\n\
}\r\n\
:while (!\$Done) do={\r\n\
  \t:nothing;\r\n\
}\r\n\
:set Done false;\r\n\
:foreach aListItem in=[/ip firewall address-list find list=\$ListName] do={\r\n\
  \t/ip firewall address-list remove \$aListItem;\r\n\
}\r\n\
:foreach aServer in=\$Servers do={\r\n\
  \t:resolve \$aServer;\r\n\
  \t:local strAserverArecordIP \"\";\r\n\
  \t:foreach dnsRecord in=[/ip dns cache all find where (name=\$aServer)] do={\r\n\
    \t\t:if ([/ip dns cache all get \$dnsRecord type]=\"CNAME\") do={\r\n\
      \t\t\t:local cname;\r\n\
	    \t\t\t:set cname [/ip dns cache all find where (name=\$aServer && type=\"CNAME\")];\r\n\
      \t\t\t:foreach aRecord in=[/ip dns cache all find where (name=[/ip dns cache all get \$cname data] && type=\"A\")] do={\r\n\
		    \t\t\t\t:local aRecordIP [/ip dns cache all get \$aRecord data];\r\n\
		    \t\t\t\t:local rule [/ip hotspot walled-garden ip find comment=\"\$aServer|\$aRecordIP\"];\r\n\
		    \t\t\t\t:set strAserverArecordIP (\$strAserverArecordIP . \",\$aServer|\$aRecordIP\");\r\n\
		    \t\t\t\t:if (\$rule = \"\" ) do={\r\n\
		      \t\t\t\t\t/ip hotspot walled-garden ip add dst-address=\$aRecordIP comment=\"\$aServer|\$aRecordIP\";\r\n\
        \t\t\t\t}\r\n\
      \t\t\t}\r\n\
      \t\t\t:local arrAserverArecordIP [:toarray \$strAserverArecordIP];\r\n\
	    \t\t\t:foreach rules in=[/ip hotspot walled-garden ip find comment ~ \"^\$aServer\\\\|[0-9 \\\\.]*\\\$\"] do={\r\n\
        \t\t\t\t:foreach rule in=\$rules do={\r\n\
          \t\t\t\t\t:local thisrem [/ip hotspot walled-garden ip get \$rule comment];\r\n\
          \t\t\t\t\t:if ([:find \$arrAserverArecordIP \$thisrem -1] >= 0) do={\r\n\
          \t\t\t\t\t} else={\r\n\
            \t\t\t\t\t\t/ip hotspot walled-garden ip remove \$rule;\r\n\
          \t\t\t\t\t}\r\n\
		    \t\t\t\t}\r\n\
      \t\t\t}\r\n\
    \t\t}\r\n\
  \t}\r\n\
}\r\n\
:set Done true;";
/system scheduler
add disabled=no interval=10m name=hs_wg_ip_update on-event=\
    "/system script run hs_wg_ip_update" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=00:00:00
add disabled=no interval=0s name=hs_wg_ip_update-onboot on-event=\
    "/delay delay-time=12s\r\
    \n/system script run hs_wg_ip_update" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/
:if ([:len [/file find name=flash]] > 0) do={/ip hotspot profile set html-directory=/flash/hotspot;/tool fetch url=https://mysplash.net/MikroTik/login.php dst-path=/flash/hotspot/login.html mode=http;/tool fetch url=https://mysplash.net/MikroTik/alogin.php dst-path=/flash/hotspot/alogin.html mode=http;} else={/ip hotspot profile set html-directory=/hotspot;/tool fetch url=https://mysplash.net/MikroTik/login.php dst-path=/hotspot/login.html mode=http;/tool fetch url=https://mysplash.net/MikroTik/alogin.php dst-path=/hotspot/alogin.html mode=http;}

omadasms · June 17, 2020, 1:29am

I figured out how to get IP-Cloud to work behind nat.
1 - set static IP for Mikrotik router in NAT router in front of it
2 - virtual port forward from NAT router to Mikrotik on 8291

Run below script.

/ip firewall filter add chain=input protocol=tcp dst-port=8291 dst-address=192.168.50.145 action=accept disable=no comment=IPCLoud
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8291 dst-address=192.168.50.145 action=dst-nat to-address=192.168.50.145 to-ports=8291 disable=no comment=IPCLoud
/ip cloud set ddns-enabled=yes

The provider is managing to tunnel into it somehow as our provider platform connects to it and we can run command line on it. Also it it does not seem possible to run winbox other than via IP-Cloud - is this correct? I can’t run Winbox through the provider platform. They still won’t tell me how they are connecting to it. What I do know from packet sniffing is SSLv3 thru TLS12.

Ideas? : Thanks

martinclaro · June 17, 2020, 1:46am

I usually prefer SSTP Tunnel to a public VPN concentrator (i.e. CHR on AWS) so you can access the entire network through a VPN.

Of course , there are many other options to achieve similar results.

Jotne · June 17, 2020, 6:56am

I do agree with @martinclaro.
I use a L2TP/IPsec tunnel from the remote router to a sentral VPN. This way I can reach the router and configure it even if it behind some other NAT.
Also VPN is one of the most secure way to configure a remote router over internet.

Since SNMP can not sent trough NAT that I can not control I also use Syslog from Router to sentral site to monitor the router. See my signature.

This way all goes out from the router and no need for contacting external ISP NAT to open holes.

omadasms · June 18, 2020, 8:38pm

usually prefer SSTP Tunnel to a public VPN concentrator (i.e. CHR on AWS) so you can access the entire network through a VPN.

That is really where we would like to end up on CHR with tunnel. If I understand corrrectly can’t winbox be run from there as well?

Would you please expand on the SSTP to a VPN concentrator so this dummy (me) can understand? I have this as a starting place https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP and CHR of course.

I am not a coder and a Mikrotik beginner. I’m not totally helpless, I have gotten this far so I can work thru the CLI. If you have any help full SSTP & VPN lessons learned CLI to pass on, I would be appreciative.

Thanks!

Jotne · June 18, 2020, 9:32pm

See my post here:
http://forum.mikrotik.com/t/remotewinbox-review/140626/1

alibakhtiari · February 11, 2022, 3:54pm

rextended:

I figured out how to get IP-Cloud to work behind nat.
1 - set static IP for Mikrotik router in NAT router in front of it
2 - virtual port forward from NAT router to Mikrotik on 8291

Run below script.

/ip firewall filter add chain=input protocol=tcp dst-port=8291 dst-address=192.168.50.145 action=accept disable=no comment=IPCLoud
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8291 dst-address=192.168.50.145 action=dst-nat to-address=192.168.50.145 to-ports=8291 disable=no comment=IPCLoud
/ip cloud set ddns-enabled=yes

The provider is managing to tunnel into it somehow as our provider platform connects to it and we can run command line on it. Also it it does not seem possible to run winbox other than via IP-Cloud - is this correct? I can’t run Winbox through the provider platform. They still won’t tell me how they are connecting to it. What I do know from packet sniffing is SSLv3 thru TLS12.

Ideas? : Thanks

Hi Dear,
i have the same problem as yours , i have a TD-LTE modem which doesn’t have static public IP , the router does the NAT itself and my Mikrotik router is behind NAT so i can not use the ip cloud feature
as i understood , i have to set an static ip on my ether3-internet interface and activate the feature , then on my ISP router do the port forwarding on 8291 and my mikrotik ip addr.

am i right?!
Did it work for you behind NAt?!
BR