Routing outbound for one device?

Hi All, I have a 951G-2HnD running 6.43.16 and I have a question, sorry for my noobness.
I have two devices that require the same port forwarded to them.
I do realise this might be more of a thing to do on the external-facing gateway router, but it's worth an ask.

So basically, for these devices to operate they need a port forwarded to them; let's use port 1000 as the example.
Box 1 has the port forward set up on the external-facing router; it's a wireless device.
Internet → External Router → Wireless (MikroTik) → device

Is there any way I can configure the MikroTik box to route that port 1000 traffic to get to device two?
It has the same setup as above:
Internet → External Router → Wireless (MikroTik) → device

Thanks in advance, I do realise this might not be possible.

That release is nearly two years old. In the v6 long-term channel, they’re up to 6.48.6 now.


Internet → External Router → Wireless (MikroTik) → device

While there may be ways to use RouterOS to solve this problem, unless the LAN gateway router is absolutely brain-dead, it’ll be both overcomplicated and unnecessary to involve the MikroTik AP.

The solution is simple: use a different public port number for each internal host. 2000 → 1000 on host A, 3000 → 1000 on host B. Every port-forwarding (a.k.a. destination NAT) scheme I’ve encountered can do this. Then all you need to do is configure your client program to connect to port 2000 or 3000 instead of 1000 on the public IP to choose which internal host you connect to. Most software lets you change the port for this and related reasons.

If your gateway router cannot do this, I have to ask what clue you would have the network use to figure out which internal host you wanted the connection routed to? If not a difference in external port, then what instead?

tangent makes good points! Most routers can port forward and can port translate.
What model of router do you have?

The worst-case scenario is double NAT, where you run your MT like a router as well.
It gets a private IP from the router (on one of its LANs).

Then ensure the two ports being used (from external users) that hit the main router are forwarded to the WAN IP of the MikroTik.
The MikroTik can then send the two separate incoming ports to the same server on the same port, through destination NAT rules.
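As an added illustration (not configuration posted by anyone in this thread), here is what the port-translation scheme tangent described looks like as RouterOS destination NAT rules, in the double-NAT layout above where the ISP router forwards public ports 2000 and 3000 to the MikroTik's WAN IP. The interface list name `WAN`, the server addresses `192.168.88.10` (host A) and `192.168.88.11` (host B), and the use of TCP are placeholder assumptions; substitute your own.

```routeros
# Added example, not from the thread. Assumes the MikroTik's upstream
# interface is a member of the interface list "WAN" and that the two
# servers are 192.168.88.10 (host A) and 192.168.88.11 (host B).
# Both rules rewrite the destination port to 1000, so neither server
# needs to change what it listens on; only the public port differs.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=2000 \
    to-addresses=192.168.88.10 to-ports=1000 comment="public 2000 -> host A:1000"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=3000 \
    to-addresses=192.168.88.11 to-ports=1000 comment="public 3000 -> host B:1000"

# The default RouterOS firewall drops forwarded traffic from WAN that was
# not dst-natted; this accepts only the connections the two rules above
# translated, so nothing else on the LAN becomes reachable.
/ip firewall filter
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="allow only dst-natted connections in"

# Check that the rules are being hit and that translation happened:
/ip firewall nat print stats
/ip firewall connection print where dst-address~":1000"
```

If the application uses UDP rather than TCP, duplicate the two NAT rules with `protocol=udp`. Keep the `in-interface-list=WAN` match: without it, a dst-nat rule matching only on port would also rewrite traffic arriving from the LAN side.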

However, depending on which MT device you have, performance may not be all that great.

Hi, thanks for the advice so far!

I have a NetComm NF18ACV (ISP supplied) which connects to the cable NTU; it's the 'internet gateway'.

Page 44 in its manual shows it’s capable of what I suggested.

Yup port forwarding and port translation within port forwarding.

The problem I have is that I have no control over the external application. I cannot get it to listen on another port.

That's why I said port translation: you can come in from the internet on any port and the router will translate to the port you need on your server.

No one’s asking you to. The port forward changes what port the ISP router is listening on to perform the port-forward. External port 2000 (in my example) goes to internal port 1000 on host A, and external port 3000 goes to internal port 1000 on host B.

Now if you’re going to tell me that the client can’t connect to a different port, that’s different, but then we’d need to get down to specific cases. Also, I’d be back to my earlier question: if not the external port number to clue the router in to which internal host to connect to, then what?

P.S. It should be noted that none of this would change if you put the ISP modem into bridge mode and used the RouterOS box as the gateway router. I’d still be recommending the same sort of port-forwarding scheme under RouterOS.

Both the application side and the client side are listening/sending on a certain port. I have no control over this.
I already have one device listening on that port; the issue is with adding a second device that also needs that port.
I haven't done any packet capture on that port 1000 traffic to see if there is anything I can use to direct it to one box or the other.

All right, now that you’ve constrained the problem to impossible levels, how about you tell me how the network — any piece of it — is supposed to decide which host to connect to? Never mind what specific hardware you’ve got right now; for the sake of this argument, I’m giving you license to invent any tech you need to make this work. Tell me how it is even possible in principle for what you want to work.

Start from the principle that every TCP or UDP connection is uniquely identified by a 4-tuple: host IP, host port, dest IP, dest port. Host IP is no discriminant: both connections could be coming from the same host. Host port is no discriminant: it’s random. Destination IP is the same for both, because they’re behind NAT, as you’ve specified in the first post. Destination port you’ve now constrained to be the same.

What’s left? Magic? Prayer?

Even if there was, it would be at application level, which the firewall cannot work with if the connection is a TCP one, and can work quite unreliably if the connection is a UDP one.

If the clients run at distinct addresses, you could make the port forwarding rules match on src-address so each client would be connected to the proper server.

If you want to be able to connect from the very same client to one or the other server, you can use a “port knocking” techniques, that consists in sending a packet to some other port, telling the firewall to activate a particular one of two port-forwarding rules during next few seconds. Would this suit your application case?

What sindy and tangent are eloquently saying is that, on the face of it, one cannot have traffic arriving with destination port XXXX on the router go to server A while also having traffic arriving with destination port XXXX on the same router go to server B.

Since it's clear you are not able to motivate others to hit your router on a different port to get to server A or B, what sindy is saying is that you need some other bit of information about that traffic that is unique, such as the source address (who the request is coming from).

As for source addresses, it should be easy to gather a firewall address list of their public IPs, if fixed/static.
If they have dynamic WAN IPs, then they can get free DynDNS names and the MT router will resolve those to their WAN IP.


+++++++++++++
In terms of the easy solution…
The question I have is WHY NOT. What is it about these users that makes them unwilling to modify their destination port.
If they were told, you cannot reach the server if you do not, what then?
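As an added example (not configuration from sindy, anav or anyone else in the thread), the following RouterOS rules put together the two discriminators that sindy's post and anav's post describe: matching the forwarding rule on the client's source address via address lists (static IPs and DNS names that RouterOS resolves for you), and a port-knock that lets a single client choose host B for a short window. The list names, knock port `21001`, the example client address `203.0.113.10`, the DNS name `client-b.example.com`, the interface list `WAN` and the server addresses are all placeholders.

```routeros
# Added example, not from the thread. Same assumed layout as before:
# host A = 192.168.88.10, host B = 192.168.88.11, upstream in list "WAN".

# 1. Source-address discriminator. A list entry may be an IP or a DNS
#    name; RouterOS re-resolves names periodically, which is how a
#    client on a dynamic WAN IP with a DynDNS name stays matched.
/ip firewall address-list
add list=clients-hostA address=203.0.113.10 comment="client with a static public IP"
add list=clients-hostB address=client-b.example.com comment="DynDNS name, resolved by RouterOS"

# 2. Port knock. A packet to TCP 21001 from the WAN side puts the sender
#    on the knock-hostB list for 30 s. add-src-to-address-list does not
#    terminate rule processing, so the knock packet itself is still
#    dropped by the usual input-chain policy; it only leaves a marker.
/ip firewall filter
add chain=input action=add-src-to-address-list address-list=knock-hostB \
    address-list-timeout=30s in-interface-list=WAN protocol=tcp dst-port=21001 \
    comment="knock: send the knocker's next port-1000 connections to host B"

# 3. Destination NAT, all on the SAME public port 1000. Rule order matters:
#    the first matching rule wins, so the knock and list matches come first
#    and the unconditional rule last as the default for everyone else.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=1000 \
    src-address-list=knock-hostB to-addresses=192.168.88.11 to-ports=1000 \
    comment="recently knocked -> host B"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=1000 \
    src-address-list=clients-hostB to-addresses=192.168.88.11 to-ports=1000 \
    comment="known host B clients -> host B"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=1000 \
    to-addresses=192.168.88.10 to-ports=1000 comment="everyone else -> host A"

# Accept only what was dst-natted, as in the previous example.
/ip firewall filter
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="allow only dst-natted connections in"

# Verify which rule a given client hit and whether a name resolved:
/ip firewall address-list print where list~"hostB"
/ip firewall nat print stats
```

Two caveats worth knowing before relying on this. The knock only steers connections that are opened during the 30 s window; an existing connection keeps the server it was first translated to, because dst-nat is decided on the connection's first packet and tracked afterwards. And the unconditional last rule means host A is reachable from any source on the internet, exactly as a plain port forward would be; if that is not wanted, give host A its own address list too and drop the catch-all.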