make port forward look like it is a local IP (mikrotik routerboard)

I am attempting to set up remote management for a netgear(N300) router that is behind a mikrotik (with the default NAT settings).

I set up this rule for port forwarding:
/ip firewall nat add chain=dstnat dst-port=8080 action=dst-nat protocol=tcp to-address=192.168.0.253 to-port=8080

However, netgears with more recent firmware return the error “can’t be managed from outside the network”.

How can I set up a rule to make it seem like a computer from a particular IP address (outside the mikrotik) is actually local?

Dustin Soodak

Set up a srcnat for the same target as well. You can use src-nat or masquerade. But make sure you match the dst-address so it won’t start srcnatting EVERYTHING.

I figured that was the case, but have been having trouble setting it up correctly.

192.168.0.192: address of the remote computer
192.168.0.127: address of the mikrotik
192.168.12.253: dhcp leased address of the local netgear router (connected to the mikrotik)
192.168.12.5: where I want the netgear to think the remote computer is

Here are my rules (just first one brings me to the netgear error page, adding second one makes it so no response at all):

chain=dstnat action=dst-nat to-addresses=192.168.12.253 to-ports=8080 protocol=tcp dst-port=8080
chain=srcnat action=src-nat to-addresses=192.168.12.5 protocol=tcp src-address=192.168.0.192 dst-port=8080

In the srcnat use dst-address=192.168.12.253 and no src-address.

I took your suggestion and tried setting destination address to the netgear ip, but it still doesn’t work. Details below.

Here’s the nat rules
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1
1 ;;; test port forward
chain=dstnat action=dst-nat to-addresses=192.168.12.253 to-ports=8080
protocol=tcp dst-port=8080 log=no log-prefix=""
2 ;;; source nat test
chain=srcnat action=src-nat to-addresses=192.168.12.5 protocol=tcp
dst-address=192.168.12.253 dst-port=8080 log=yes log-prefix=""

Still can’t connect using 192.168.0.127:8080 from computers on the external network (ex: 192.168.0.192). When the srcnat rule is added, I don’t even get the netgear error page.
Can connect fine using 192.168.12.253:8080 from computers inside the mikrotik network.

In my network, using it to access AVM or Ubiquiti devices, it works.
Difficult to say what makes it fail in your scenario.

I’d say it is generally not a good idea to set a dst-nat rule without specifying the dst-address/interface to match the traffic on. This can get you into unwanted situations, as the router wants to rewrite the DST IP of all packets in the forwarded traffic that are heading to port 8080/TCP.

192.168.12.5: where I want the netgear to think the remote computer is

In Ethernet networks you can’t do this. Your “second” attempt does the right thing (adding the second one makes it so there is no response at all).
The situation is the following: your Netgear box will see the incoming TCP SYN packet and tries to answer with a SYN-ACK, as the src address is right (it is allowed on the Netgear side to manage the router from this address).

Now as it tries to respond to 192.168.12.5, it first needs to figure out how to send a packet to this address, and it will recognise that this address is “connected” to the LAN, so it first needs to look up the MAC address for this IP (ARP lookup) that can be used as the DST MAC of the Ethernet frame. But no one on this subnet (between the MikroTik and the Netgear) will claim this IP for itself, so the ARP request times out, i.e. the Netgear cannot answer. From your side it will seem as if “there’s no response”.

You can work around this in 3 different ways:
= by adding a 192.168.12.5/32 IP entry to the MikroTik’s outgoing interface statically, so it will respond to the ARP request with its own MAC
= by adding a static route for 192.168.12.5/32 pointing to the MikroTik’s IP to the Netgear, so the Netgear will know where to send the packet [this is just half-baked, though]
= leaving it as it is, and using masquerade on the MikroTik towards the Netgear so the MikroTik’s outside IP will be shown to the Netgear

Or probably forget NAT/masquerade altogether, and insert a /24 static route for the network behind the MikroTik into the Netgear pointing to the MikroTik’s “outside” IP.
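The third workaround written out as RouterOS rules, added here as an example (not posted by anyone in the thread). It reuses the thread's addresses and assumes the WAN is ether1 (as in the defconf masquerade rule shown above) and that the Netgear hangs off the default bridge interface; both are assumptions.

```routeros
# Added example; assumes WAN = ether1 and that the Netgear sits behind
# the default "bridge" LAN interface (both assumptions, not from the thread).
/ip firewall nat
# Match only traffic arriving on the WAN interface, so the rule cannot
# rewrite every forwarded packet that merely happens to use dst-port 8080.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.12.253 to-ports=8080 \
    comment="mgmt: forward to netgear web UI"
# Masquerade only this forwarded flow, matched on the Netgear's address,
# so the Netgear sees the MikroTik's own LAN IP (one it can resolve by ARP)
# instead of 192.168.12.5, which nothing on that segment answers for.
add chain=srcnat out-interface=bridge dst-address=192.168.12.253 \
    protocol=tcp dst-port=8080 action=masquerade \
    comment="mgmt: hide remote admin behind mikrotik LAN IP"
# Alternative (first workaround): keep the existing src-nat to 192.168.12.5
# and let the MikroTik answer ARP for it by owning the address on the LAN side.
# /ip address add address=192.168.12.5/32 interface=bridge
```

Because the existing defconf masquerade matches out-interface=ether1 and this one matches out-interface=bridge, the two srcnat rules do not overlap.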

Ah, I had assumed that 192.168.12.5 is the address of the MikroTik router on that network. This is of course required.
I use this scenario to manage some remote equipment that is connected to a MikroTik on a local address that is not routed, and it works fine for me.
(e.g. VDSL modem, 4G stick, Ubiquiti link equipment that sometimes forgets the default route)