Port forwarding a DVR

RouterOS General
1

I have a 450 behind an ActionTech router. The 450 has an address of 192.168.1.232 which is nated to a public ip in the ActionTech. I am confident about how to setup the ActionTech, it is simple and straightforward.

I have a customer on 10.10.2.61 with a DVR and it is set to port 8100. If I am inside the network I can access the DVR at 10.10.2.61:8100.

I have tried all kinds of firewall rules and Nat rules so that I can access the DVR from the outside but have not been able to get anything to work. My thinking is that I should be able to access the DVR at publicip:8100 or 192.168.1.232:8100 but have not been able to make it work.

I don’t do command line, only winbox so any help would be appreciated.

2

The ActionTech has a public ip assigned on one interface (wan), and 192.168.1.1/24 on another interface (lan)?

The RB450 is connected on that localnet (ether1?) with 192.168.1.232/24, and another network (ether2?) where the 450 has 10.10.2.1/24. It is on this second network that your client is on?

Is all that correct?

3

yes I think that you have it correct. 13 public ips and the 450 is on one of them.

4

Then it shouldn’t be hard to do. I’m not familiar with ActionTech, so that will be your part.

Remove any srcnat or masquerade in the 450.

Enter this route in the ActionTech router.
dst-address=10.10.2.0/24 gateway=192.168.1.232

Now the ActionTech router will know what to do with the 10.10.2.x ip addresses.

5

That did not work. When I removed the masquerade of Src 0.0.0.0/0 Dst 0.0.0.0/0 I could no longer get on the Internet. The ActionTech does not do /24 so I made the netmask 255.255.255.0.

Keep in mind that I think that I want to be able to goto publicip:8100 and end up with 10.10.2.61:8100.

Isn’t this a filter or Nat rule???

6

It’s a dst-nat and a route, all done in the ActionTech router.

7

I may need an ActionTech Guru. I made a route

Destination 10.10.2.0
netmask 255.255.255.0
gateway 192.168.1.232
metric 0

but I still don’t get anything when I try publicip:8100

8

Do you have any devices on the 192.168.1.x net to try pinging 10.10.2.61? I would get the route working first, then start on the dstnat.

9

check the tcp port of the router. u need to forward the tcp port along with the http port to access ur device thru the 450. i guess all u have been forwarding is the http port. it works forwarding the http port only on SOHO routers but not with mikrotik.
i hope u will have luck i tried the same and succeeded.
or consider enabling DMZ on the actiontech. some SOHO routers can only work when DMZ enabled.

10

ip fire nat add chain=dstnat action=dst-nat to-ports=8100 protocol=tcp dst-address=192.168.1.232 to-addresses=10.10.2.61 dst-port=8100

That will work assuming the information you provided is correct and there is already a static NAT in place from the first non-mt box to the mt box.

11

Thank you but it still doesn’t work. Not sure what’s going on. I have a static nat to port 8192 and can winbox into the tik from outside. Also have a static nat to ports 8100-8200 but I still can’t get to the DVR on publicip:8100 or on 192.168.1.232:8100. If I’m in the network I can get to the DVR on 10.10.2.61.

I guess I should also add that I have 2 network cards in my computer one is on the ActionTech as 192.168.1.222 and the other is in the Tik as 10.10.2.249 if this helps at all. I may just be getting faked out of my shoes here.

12

What purpose does the Actiontech router serve? Can you get rid of it?

13

I guess I should also add that I have 2 network cards in my computer one is on the ActionTech as 192.168.1.222 and the other is in the Tik as 10.10.2.249 if this helps at all.

Then that computer will have no trouble accessing either localnet, despite any errors in the ActionTech routing.