Postrouting Masquerade

Hi guys,

I am new to ROS and need some advice. I made routed OpenVPN site-to-site between site A (server side 192.168.1.0/24) and site B (client side 192.168.2.0/24). Site A is reachable from site B and vice versa. Also all computers are pingable.

As site B is on a 3G connection and the ISP has closed incoming ports, I made port forwarding in the router on site A (incoming connection on site A on port 8000 to site B IP 192.168.2.10, which is my webcam's IP). With that config I would like to access my webcam on site B, but if I open http://siteAwanIP:8000 in my web browser I do not reach my webcam.

I have done some research and I think I would have to enter this line in the firewall:
iptables -t nat -A POSTROUTING -j MASQUERADE

My question is how to implement this line in RouterOS?

Mikrotik’s interface is simplified - the nat table only has two chains: dstnat and srcnat.
So this would be in the srcnat chain, because MASQUERADE is a source nat action.

The equivalent command line would be:
/ip firewall nat add chain=srcnat action=masquerade

Although, a blanket “masquerade everything in all directions” rule is something to be avoided in most cases.
Perhaps you could add a couple of qualifiers, such as requiring that the camera is the target IP address.
You would add dst-address=192.168.2.10 for this behavior, or if you need this for the whole remote site, then use dst-address=192.168.2.0/24
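
Added example, not part of the original posts: the answer's srcnat rule with qualifiers, shown next to the port forward from the question, as it might look on the site A router. The interface names ether1-wan and ovpn-siteB and the camera's web port 80 are assumptions.

```routeros
# Added example. Assumptions: interface names ether1-wan / ovpn-siteB,
# camera web server on tcp/80, both rules live on the site A router.

# Port forward from the question: WAN tcp/8000 -> camera at site B.
/ip firewall nat add chain=dstnat action=dst-nat in-interface=ether1-wan \
    protocol=tcp dst-port=8000 to-addresses=192.168.2.10 to-ports=80 \
    comment="webcam forward"

# Broad form (direct equivalent of the iptables line), left commented out:
# it rewrites the source of every new connection passing through this router,
# including ordinary site-to-site traffic, so the far end logs the router's
# address instead of the real client.
# /ip firewall nat add chain=srcnat action=masquerade

# Scoped form: only camera traffic leaving through the tunnel is masqueraded.
# srcnat is evaluated after dstnat, so it matches the translated destination
# (192.168.2.10:80), not the original WAN port 8000.
/ip firewall nat add chain=srcnat action=masquerade out-interface=ovpn-siteB \
    dst-address=192.168.2.10 protocol=tcp dst-port=80 \
    comment="masquerade webcam forward into tunnel"

# Check: load http://siteAwanIP:8000 from outside, then confirm the packet
# counters on both rules have increased.
/ip firewall nat print stats
```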

Tnx, it works.