Port forwarding across Nat'd network

Arpanet · May 1, 2014, 4:22pm

Below my network map. I’m trying to access ip camera outside lan.
As you can see everything is behind NAT.
Should I bridge one layer instead of NAT layer?
I don’t know how to set port forwarding.
All hardware (except for the camera) is based on routerOS

Egate · May 1, 2014, 9:06pm

Forwarding port 80 is almost always a bad idea, because there is so many things using port 80, not least of all web pages. In this case you would create a firewall rule in access point firewall dst-nat with dst ip 192.168.6.1 and action dst-ip = 192.168.0.100 This will route all traffic coming in on 192.168.6.1 to 192.168.0.100. Would probably be a good idea to create rule with masquerading on the interface going from AP to camera. Would be better to change camera ip to, as example port 808, in which case you would change firewall rule to include dst-port 808.

Arpanet · May 2, 2014, 9:16am

The problem is not the port, but how to set routing and forwarding.
I could use another port instead of 80.

@egate I did not understand what you told…so confusing

Egate · May 2, 2014, 8:57pm

Add this to firewall nat, should function if you enter 192.168.6.1:808 in browser. Read explanation again.

add action=dst-nat chain=dstnat comment="Publick IP" \
disabled=no dst-address=192.168.6.1 dst-port=808 protocol=tcp \
to-addresses=192.168.0.100 to-ports=80
add action=masquerade chain=srcnat disabled=no dst-port=808 out-interface=\
ether1 protocol=tcp

Arpanet · May 2, 2014, 9:30pm

sorry for my ignorance, I am newbie…
so you suggest to forward all traffic comin on modem 192.168.6.1 to 192.168.0.100 through port 808?
Rules you posted are to be set into modem?
Where do I run dynamic dns client?
Is ip routing involved with port forwarding?

Egate · May 3, 2014, 8:22am

Ok, my bad. Assumed equipment was mikrotik equipment. Which make modem and what mikrotik gear do you have?

Caci99 · May 3, 2014, 11:03am

There are too many nodes (NAT) involved in that map which is not good. If you can I would recommend to bridge them until you serve the final network.
Anyway, there are two ways to reach to your camera. First is by doing a nat rule on every node:

/ip firewall nat
add chain=dst-nat dst-address=modem address protocol=tcp dst-port=8080 action=dstnat to-addresses=192.168.6.10 to-ports=8080

this rule is placed on modem and will forward the request on port 8080 to the access point with address=192.168.6.10. Obviously the syntax for the modem is different, but you get the idea

/ip firewall nat
add chain=dst-nat dst-address=192.168.6.10 protocol=tcp dst-port=8080 action=dstnat to-addresses=192.168.10.60 to-ports=8080

this rule is placed on the access point and will forward the request to the other router

/ip firewall nat
add chain=dst-nat dst-address=192.168.10.60 protocol=tcp dst-port=8080 action=dstnat to-addresses=192.168.88.200 to-ports=8080

/ip firewall nat
add chain=dst-nat dst-address=192.168.88.200 protocol=tcp dst-port=8080 action=dstnat to-addresses=192.168.0.100 to-ports=80

this the final dstnat on the last router reaching at your IP Camera.

The other method would be adding static routes on each node and only one dstnat rule on the first node which is the modem:

/ip routes
add dst-address=192.168.0.0/24 gateway=192.168.6.10

/ip routes
add dst-address=192.168.0.0/24 gateway=192.168.10.60

/ip routes
add dst-address=192.168.0.0/24 gateway=192.168.88.200

These rules, each one placed on the respective nodes (modem, access point, next one) are basically telling the modem where to find the network 192.168.0.0/24 where your IP Camera is. Once the modem finds the camera, just add a dstnat on the modem with destination 192.168.0.100

Arpanet · May 3, 2014, 1:33pm

now it’s very clear caci99..thanks
but how about dynamic dns client? Shouldn’t I run it?
Which way is better between forwarding and ip routing?
I’d like to keep my current configuration, I feel safe with NAT…

Caci99 · May 3, 2014, 6:08pm

You mean dhcp client? What about them? If you mean that tey do have a dynamic IP because of the dhcp server, then you can force the dhcp server to give them the same IP by setting the client as static in the lease table of dhcp server.

Basically is just the same. I would have used static routing because it might come at hand for future configurations.

Arpanet · May 3, 2014, 6:13pm

Dynamic dns client, I’m talking about public ip from my isp is dymanic
http://en.wikipedia.org/wiki/Dynamic_DNS

Caci99 · May 3, 2014, 6:20pm

Oh, I see. Well that depends on the modem, what kind of dyndns it supports, since it the modem who gets the dynamic public IP.

Arpanet · May 3, 2014, 6:23pm

So it should be run into the modem?
Correct?

Caci99 · May 3, 2014, 6:27pm

Yes.