One public IP to many private IP’s through differe

RouterOS General
1

First of all, is this possible ???

I have a modem router I can not touch. The only thing it does is FULL forward all the ports of one public IP to the WAN port of the Mikrotik.
What I want to do , is that:
I have 3 IP camera’s and I want to be able to reach them from outside thfough different ports.

Lets say my real IP address is 78.34.20.91 (don’t try it its obviously fake..)

This modem-router foully NATs the real IP to 192.168.100.3

Mikrotik WAN IP 192.168.100.3
LAN IP 192.168.11.1/24

Cameras 1 IP 192.168.11.10
2 IP 192.168.11.20
3 IP 192.168.11.30

So I want to enter to any browser
the IP 78.34.20.91:91 and be able to connect to cam1
the IP 78.34.20.91:92 and be able to connect to cam2
the IP 78.34.20.91:93 and be able to connect to cam2

this is my configuration (for 1 of the cameras)


3 ;;; Access to the internal cam3 192.168.11.30 PORT 93 from 192.168.100.3
chain=dstnat dst-address=192.168.100.3 protocol=tcp src-port=93 action=dst-nat
to-addresses=192.168.11.30 to-ports=80

4 ;;; Allow internal IP 192.168.11.20 to talk to outside through 192.168.100.3 PORT 93
chain=srcnat src-address=192.168.11.30 action=src-nat to-addresses=192.168.100.3 to-ports=93

it is not working. I get a message Access Denied meaning that its reaching the mikrotik. And then what???

2

Forget about src-address, src-address can potentially be the entire internet.

/ip firewall nat add chain=dstnat in-interface="WAN Interface" protocol=tcp dst-port=93 action=dst-nat to-addresses=192.168.11.30 to-ports=80 comment="CAM3" disabled=no

You also don’t need the src-nat I believe… IF translation is required (which I doubt), rather use masq instead. The ‘access denied’ is also not coming from Mikrotik, I’m rather sure about that… Check for additional access-lists on your additional hardware… Moer than likely the webcams

\

C

3

the above solution looks very elegant…
but, it is not working, i get the same message exaxtly, access denied
if o disable the above roule and i ask for the WAN IP without any specific port , i get to the http interface of the mikrotik.. that is why i said that it is propably the mikrotik not letting me in…

Any other ideas?? i have a very ugly solution for the moment (i forward the WAN IP to a PC i open terminal services and then i open the browser to see the cameras.. its very very bad…)

4

3 ;;; Access to the internal cam3 192.168.11.30 PORT 93 from 192.168.100.3
chain=dstnat dst-address=192.168.100.3 protocol=tcp src-port=93 action=dst-nat
to-addresses=192.168.11.30 to-ports=80

You should not be specifying src-port since it will be random from the client machine. You should specify dst-port=93.

Sam

5

Nevermind, now I’m not thinking at all… LOL -deleted-