Port Forwarding two devices with the same port

I have recently installed a Wi-Fi mesh system. The new mesh came with a new network: prior to that I had a network 192.168.1.XXX, and the mesh came with a new network 192.168.68.XXX. The mesh network and the original network operate together for now; some devices are on XXX.XXX.1.XXX and others on XXX.XXX.68.XXX. I have two devices (both Raspberry Pis) with the same port number on both networks, i.e. 192.168.1.126:8123 and 192.168.68.105:8123. I want to port forward both of them so that I can access them via duckdns away from home.

The first one works, the NAT setup is:

device 1: chain: dstnat, protocol: tcp, dst port: 8123, action: dst-nat, to address: 192.168.1.126, to port: 8123

The second one has identical settings but a different to address:

device 2: chain: dstnat, protocol: tcp, dst port: 8123, action: dst-nat, to address: 192.168.68.105, to port: 8123

This creates no distinction for access via duckdns, as secret.duckdns.org:8123 always accesses device 1.

I hope the question is clear. The main router from the service provider is a MikroTik, and the other router is a TP-Link (XXX.XXX.1.XXX). The mesh network is connected via the TP-Link router and it has the network xxx.xxx.68.xxx. It also looks like the addresses for the mesh network (..68.) are not visible from the DHCP server list.


Regards
Caswell

No.

Technically you would need one-to-one mapping for additional connections for that service/ports. How else would the router know which server to forward the traffic to inbound to the router???
However, my understanding is that via port translation that may not be true…

In the following scenario we had two servers and two groups of users: those that have a fixed static WAN IP, so we can lump them into a trusted source, and a second server for those possibly with dynamic and thus unknown IPs but who have requirements for access. We ship them to server 2. The difference is the untrusted group uses a non-standard port to access the router, perhaps providing some minuscule amount of security (less likely to be hammered).

/ip firewall nat
add action=dst-nat chain=dstnat comment="HTTP from trusted source goes to server 1" dst-port=80 in-interface-list=WAN src-address-list=WAN_trusted protocol=tcp to-addresses=<IP of server 1>
add action=dst-nat chain=dstnat comment="HTTP from rest of internet goes to server 2" dst-port=999 in-interface-list=WAN protocol=tcp to-addresses=<IP of server 2> to-ports=80

This is very similar to the OP's question. We have two devices that at the device face have the same port! However, the destination port arriving at the router is different.
I will go out on a limb here and say as long as connection tracking etc. can differentiate between the different groups of users' traffic, those that had the translated port and those that didn't inbound to the router, then it's very possible!!

Reading the above again, perhaps it takes a single nuance or perhaps both nuances to affect this possibility.

  1. Perhaps simply by identifying users we can provide the same port but a viable path to two devices???
    a. We differentiate and identify known users (thus all these users coming in on a port) should go to device A
    b. All other users coming into the router on this same port should go to device B.

  2. Perhaps simply by using port translation we can utilize the same port at the cold face of two different devices???
    a. We differentiate and identify the standard path for access to one device using the same port inbound and forwarded - should go to device A
    b. All other users coming into the router on a different port inbound but translated to the same port as a. should go to device B.

Will 1 work, or 2 work, or need both 1 and 2??

Thanks, I managed to port from the mesh ..68. network to the MikroTik ..1. network and from the MikroTik to WAN. So it was done in two stages, so from outside I use secret.duckdns.org:8123 and secret.duckdns.org:4000. When I ported from the mesh I used 4000 as an external port. Everything is working now.

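An added example, not part of any post in this thread: a small Python model of first-match dst-nat evaluation, showing why the second rule on port 8123 never fires and how the two-stage forward with external port 4000 reaches the second Pi. The TP-Link's address on the 192.168.1.x side is not given in the thread, so `TPLINK_WAN_IP` is a placeholder, and the exact split of rules between the two routers is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DstNat:
    dst_port: int   # TCP port the packet arrives on
    to_addr: str    # rewritten destination address
    to_port: int    # rewritten destination port

def translate(rules, dst_port):
    """First-match evaluation: the first rule whose matcher fits wins,
    and later rules in the chain are never consulted for that packet."""
    for rule in rules:
        if rule.dst_port == dst_port:
            return (rule.to_addr, rule.to_port)
    return None

def shadowed(rules):
    """Rules that can never match because an earlier rule has the same matcher."""
    seen, dead = set(), []
    for rule in rules:
        if rule.dst_port in seen:
            dead.append(rule)
        seen.add(rule.dst_port)
    return dead

def route(routers, entry, dst_port, max_hops=4):
    """Follow translations across chained routers until a non-router host is hit."""
    addr, port = entry, dst_port
    for _ in range(max_hops):
        if addr not in routers:
            return (addr, port)      # reached an end device
        hit = translate(routers[addr], port)
        if hit is None:
            return None              # no forward rule on this router
        addr, port = hit
    raise RuntimeError("forwarding loop")

# The two rules from the question: identical matcher, different target.
ORIGINAL = [DstNat(8123, "192.168.1.126", 8123),
            DstNat(8123, "192.168.68.105", 8123)]

TPLINK = "TPLINK_WAN_IP"  # placeholder: TP-Link address on 192.168.1.x (not in the thread)

# Two-stage layout (assumed): distinct external ports on the MikroTik,
# with the TP-Link translating 4000 back to 8123 for the mesh-side Pi.
FIXED = {
    "mikrotik": [DstNat(8123, "192.168.1.126", 8123),
                 DstNat(4000, TPLINK, 4000)],
    TPLINK: [DstNat(4000, "192.168.68.105", 8123)],
}
```

Running `shadowed()` over an exported rule list is a quick way to spot forwards that exist in the configuration but can never take effect.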