Public IP on a remote MT..

I have 2 MTs linked wirelessly. I want to give the second MT a public IP so I can reach it from anywhere outside my network. What method should I follow?

There are 2 ways in the manual; which one is suitable for me?

1- action = srcnat / dstnat
or
2- action = netmap

??

This is so I can access the 2nd MT by Winbox from anywhere in the world.

You can assign a different Public IP Pool to the second MT and route the same with the existing one.

OK, can I assign a static public IP to the other MT, and put these rules in the first MT:
ip firewall nat add chain=dstnat dst-address=(public IP) action=dst-nat \
to-addresses=(local IP)
ip firewall nat add chain=srcnat src-address=(local IP) action=src-nat \
to-addresses=(public IP)
And as I understood from the manual, I have to assign a public IP to the interface which is connected to the other MT.
Is that correct and working?

OK, now please explain your setup to me so I can understand it. I will give you a final solution.

It's like this:

internet ---- main MT ----AP ===== AP ----- 2nd MT ------ clients

I just want to access the 2nd MT from the internet, anywhere…

Of course the main MT has a public IP…


Yes, friends,
you can use the "map public address to local one" method. Put the public address and broadcast as itself, then use dst-nat and src-nat on the first MT.
You can communicate from the first MT to the 2nd MT over the local address.
I mean, all the rules on the first MT are enough.

Try to find it on the wiki; a page is available. I used it the way you want.

regards
Hasbullah.com

Use the PPTP server on the main MT. Make a PPP user, and connect as the PPTP user using a PPTP dialer.

Rafiq…


Yes,
abab_rafiq's suggestion is better: controlling them over VPN [PPTP],
because with VPN you have more security. I did that too.

regards
Hasbullah.com

Well, I haven't used PPTP before so I have to read about it, but what security do I need on my link? I just don't want to complicate it; I just want to give the remote MT a public address so I can control it from outside my local network.

OK, you can have the following solutions.

1. Public IP to ether1 -> incoming from your ISP. (1st IP Pool) WAN IP - 202.160.x.x
2. Public IP Pool to AP -> Outgoing IP Pool to 2nd AP - LAN IP Pool - 202.165.x.x/30

OPP SITE

  1. Public IP to AP -> IP from the same pool (Item No. 2) - 202.165.x.x1/30
  2. Public IP Pool to Ether -> 3rd IP Pool for your customer - 202.166.x.1/27

Now you are able to ping 202.165.x.x1 from your master MT. Add a route in the master:

dst-address = 202.166.x.1/27 gateway=202.165.x.x1.

Now what will happen: the traffic of your customers will affect up to the OPP AP. If you create a bridge, it will affect your network also; I mean the whole traffic will come to your network directly.

Try this. If you need any help please let me know.

I would go with a PPTP tunnel; that way, when you need to access any other router there, you will be able to do that (if your network is properly configured).

So, you will be like inside that network.

Also, for security reasons: it is more secure to send passwords and logins through an encrypted channel like PPTP, not as plain text over the internet, as anyone in the middle could sniff your packets and get your login information, and that is a highly undesirable situation for a network administrator.

Thanks a lot, those were very important replies.
My APs are not RBs; they are standalone bridges, so should I put public IPs on them?
About PPTP: PPTP will be a secure connection for the wireless bridge between MT1 - MT2, which is not important to be that secure.
So guys, help me with this and correct me if I'm wrong:

My public IP given by my ISP = aa.bb.cc.17/28
MT1 public interface IP = aa.bb.cc.20
MT1 local interface (which is connected to the standalone AP bridge) = 192.168.2.250
MT2 WAN interface (which is connected to the standalone AP bridge) = 192.168.2.251
At MT1 NAT:

ip firewall nat add chain=dstnat dst-address=aa.bb.cc.21 action=dst-nat \
to-addresses=192.168.2.251
ip firewall nat add chain=srcnat src-address=192.168.2.251 action=src-nat \
to-addresses=aa.bb.cc.21

I tried the example in the wiki on a client PC:
http://wiki.mikrotik.com/wiki/How_to_link_Public_addresses_to_Local_ones

1- Yahoo Messenger disconnected, and never reconnected.
2- When I tried to find my IP with "who is my IP" and other tools, it returns the main server public IP.

What's wrong??


Yes,
you can add one public IP on the public interface and broadcast as itself. But be careful with this Network Address Translation code, because your second MikroTik will be accessed from public networks, or add security on the first MikroTik.
To simply check your IP address you can go to my website; you will see your own IP address at the bottom of the site: http://www.hasbullah.com/

/ip add add aa.bb.cc.21/32 interface=[your_public_interface_name]

ip firewall nat add chain=dstnat dst-address=aa.bb.cc.21 action=dst-nat \
to-addresses=192.168.2.251
ip firewall nat add chain=srcnat src-address=192.168.2.251 action=src-nat \
to-addresses=aa.bb.cc.21

regards
Hasbullah.com
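
Added example, not part of any post in this thread and not MikroTik's own documentation: one way to "add security on the first MikroTik" for the 1:1 NAT above, so that only known admin addresses can reach Winbox on the 2nd MT. The list name `winbox-admins`, the admin address 203.0.113.10 and the interface name `ether1-public` are hypothetical placeholders; the syntax assumes RouterOS v6 or later; TCP 8291 is the Winbox default port.

```routeros
# Added example. Run on the first MT (the router holding the dst-nat/src-nat rules).
# Hypothetical names: list "winbox-admins", interface "ether1-public".
# 203.0.113.10 is a constructed placeholder for the admin's own static address.

/ip firewall address-list
add list=winbox-admins address=203.0.113.10 comment="placeholder admin source"

/ip firewall filter
# Replies belonging to connections that were already permitted.
add chain=forward connection-state=established,related action=accept \
    comment="return traffic"

# dst-nat is applied before the forward chain, so the filter sees the
# translated destination (192.168.2.251), not aa.bb.cc.21.
add chain=forward in-interface=ether1-public dst-address=192.168.2.251 \
    protocol=tcp dst-port=8291 src-address-list=winbox-admins action=accept \
    comment="Winbox to 2nd MT from admin list only"

# Keep the outside ping test used in this thread working.
add chain=forward in-interface=ether1-public dst-address=192.168.2.251 \
    protocol=icmp action=accept comment="ping to 2nd MT"

# Everything else arriving from the internet for the 2nd MT is dropped.
add chain=forward in-interface=ether1-public dst-address=192.168.2.251 \
    action=drop comment="no other inbound access to 2nd MT"

# Rules are evaluated top to bottom: check with "/ip firewall filter print"
# that no earlier forward rule already accepts this traffic.
```

The drop rule only matches traffic entering on the public interface, so the 2nd MT's own outbound connections through the src-nat rule are unaffected.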

I think it's OK now, because it replies to ping from outside my network, but it still shows the main MT IP address, not the client public IP. The client is NATted to aa.bb.cc.21, and in any test of my IP, even from your site, it says aa.bb.cc.20.


Hi again.
Of course, because aa.bb.cc.21 is located for the 192.168.2.251 device, not for clients.

regards
Hasbullah.com

Sorry for the misunderstanding; I'm testing on a client PC, not on the second MT.
So it's from the client PC where I'm finding my IP, and it shows the MT public IP, not the public IP which is NATted to this client.

It's OK with 1:1 NAT, but now we don't want to use NAT; I want to assign a public IP to the 2nd MT WAN interface.
ashish, your way needs lots of public IPs as I see it, but I have only 16 public IPs in the same subnet; is it possible in this case?
Please, it's urgent.

I did assign a public IP to the remote MT by bridge and by dst-nat rule, but I'm now facing serious trouble with MSN and Yahoo connecting and disconnecting!!! All the time!!!

samsoft08 -

A few tips - using the VPN mode is much more secure - but if you’re not worried then let’s go…

I see your network as this (by your description);

Internet – Main MT – MT AP(1) – MT AP(2) – clients…

Is this correct?

If it is then how are you connecting to MT AP(2) - hard wired via switch or is this a wireless backhaul to MT AP(2) and then MT AP(2) or what? Your description leads me to believe that there is something between AP(1) and AP(2) but I don’t know what it is and it is important as it will determine how we apply dst-nat vice using a VPN connection.

Answer back and I’ll help guide you through with a little more precise information.

Thom