A brief overview of my setup:
I have an ISP provided router which connects via Cat6a to my Mikrotik router via fiber, and then the Mikrotik switch serves as my LAN hub. I have 2 wireless routers connected to the switch, but they are not relevant for this.
I am trying to set up my PC to run servers for various multiplayer games for my friends and me. The issue is that I can get the server up and running perfectly on the LAN, but I am struggling to get it working with WAN addressing. Initially I thought I’d just put in a port-forward on the ISP router to my LAN IP and I’d be good, however, because the LAN IP space I use is not the same network as the ISP’s LAN space, it tells me it’s invalid. Okay, no big deal, I’ll just create a static bidirectional NAT for my PC on the Mikrotik router giving my PC an IP on the ISP LAN space then point it at that.
However, when I do this, I lose connectivity to the router and general internet access - A ping initiated before the rule goes active remains going until I stop and restart it so I’m not totally down when this happens, but I’m not sure what’s causing everything else to go haywire. What is the best way to set this up in the Mikrotik environment?
4 X chain=srcnat action=src-nat to-addresses=192.168.0.50 src-address=192.168.100.3 out-interface=bridge1 log=yes log-prefix=""
This is the rule (currently disabled) I am using to NAT
On ISP router forward ports to address used by Mikrotik on its WAN interface. And then do e.g.:
/ip firewall nat
add chain=dstnat dst-address=<address on WAN interface> protocol=tcp dst-port=12345 action=dst-nat to-addresses=<address of target device in LAN>
4 X chain=srcnat action=src-nat to-addresses=192.168.0.50 src-address=192.168.100.3 out-interface=bridge1 log=yes log-prefix=""
5 X chain=dstnat action=dst-nat to-addresses=192.168.100.3 dst-address=192.168.0.50 log=no log-prefix=""
So I have it set like this, but it still prevents any new connections from working. Unless I’m misunderstanding, this should bidirectional NAT all traffic regardless of port/protocol from 100.3 to 0.50.
192.168.0.50 is what Mikrotik router has on its WAN interface, and 192.168.100.3 is PC in LAN behind router, correct? If so, then dstnat rule is ok, and srcnat rule is not needed at all, since you most likely already have another srcnat/masquerade rule that changes source of anything from LAN to internet to 192.168.0.50 anyway.
Yeah. The ISP router is WANside Public IP - Router - 192.168.0.0/24 - Mikrotik Router - 192.168.100.0/24. Adding the DST rule did not break my internet, so testing the forwarding now, update shortly.
Okay, so the ping test from the ISP router fails. No 0.50 device is seen in the ARP table on the ISP router.
You can, if in addition to .0.2 address, you add another .0.50 to same interface. But I don’t see how it would make anything better than just using existing .0.2.
CGNAT is NAT at ISP (even before the router you got from them), where you don’t have public address at all, and can’t have any incoming connections. It’s still a possibility, you can check ISP’s router (the one you got) for its WAN address, if it’s public or not.
Well, I’m pretty sure I’m getting a public IP - the ISP modem lists one on its WAN connection.
The Mikrotik router is serving to route my internal house fiber networks, which are divided into 4 different VLANs. There is what I intended to be a DMZ-type zone which is the ISP’s 0.0/24 network; the Mikrotik has 100.0/24, 101, 102, and 103. It occupies the .2 IP address on the 0.0/24.
I don’t think I can bridge mode the ISP router. The thing is a kind of limited CenturyLink model with no CLI. At one point I tried to do static assigned DHCP leases to it and wound up bricking it and having to factory reset it, which does not make me confident in my ability to reconfigure it in any meaningful way.
So I need to add 192.168.0.50 to the IP addresses on the interface connected to the ISP router in addition to its .2?
I wouldn’t say “need”, it’s just a possibility if you insist that .2 is not good enough for you, for some reason. But once again, I don’t see how it would be better. I’d simply use .2, forward either all or selected ports from ISP’s router to .2, and from there forward them to devices in LAN. It’s the usual double NAT. That’s if you can’t go with the other suggestion to get public address directly on RB.
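Putting the advice from the two replies above (the dstnat rule on the Mikrotik WAN address, and the "usual double NAT" of ISP router -> .2 -> LAN host) into one complete RouterOS configuration. This is an added example, not configuration posted by anyone in the thread. It assumes ether1 is the Mikrotik port facing the ISP router with 192.168.0.2/24, bridge1 is the LAN with 192.168.100.0/24, the game host is 192.168.100.3 and the game uses TCP and UDP port 12345 (the placeholder port from the reply above); the interface names, comments and the hairpin rules are assumptions, not something the thread states.

```routeros
# Added example (not from the thread). Assumptions: ether1 = WAN towards the ISP
# router (192.168.0.2/24), bridge1 = LAN (192.168.100.0/24), game host
# 192.168.100.3, game on TCP+UDP 12345.
# Step 1 is done in the ISP router's web UI: forward TCP/UDP 12345 to 192.168.0.2.

# Step 2: the one srcnat rule you need is the existing masquerade towards the ISP.
# Do NOT add a src-nat rule on bridge1; it rewrites the host's source address on
# traffic leaving towards the LAN and breaks its sessions to the router itself.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to internet"

# Step 3: translate only the ports the game needs, matched on the WAN address.
# No in-interface match here on purpose, so the hairpin rules below also work.
add chain=dstnat dst-address=192.168.0.2 protocol=tcp dst-port=12345 \
    action=dst-nat to-addresses=192.168.100.3 comment="game server tcp"
add chain=dstnat dst-address=192.168.0.2 protocol=udp dst-port=12345 \
    action=dst-nat to-addresses=192.168.100.3 comment="game server udp"

# Step 4 (optional, hairpin NAT): LAN players who connect to 192.168.0.2 get
# dst-natted, but the host would answer them directly and bypass the router.
# Masquerade only those dst-natted LAN-to-LAN connections so replies come back
# through the router; plain LAN connections to the host keep their real source.
add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.100.3 \
    connection-nat-state=dstnat action=masquerade comment="hairpin for LAN players"

# Step 5: the forward chain must let the dst-natted connections in. The RouterOS
# default firewall already does this ("drop all from WAN not DSTNATed"); on a
# custom filter add an explicit accept ahead of any drop rule.
/ip firewall filter
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat action=accept place-before=0 \
    comment="allow port-forwarded traffic from the ISP router"

# Alternative to .2 (what the reply above describes as possible but not better):
# give ether1 a second address and point the ISP router's forward at it instead.
# /ip address add address=192.168.0.50/24 interface=ether1

# Verification: rule hit counters should climb while a friend connects, and the
# connection table should show the translated entry.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.100.3:12345"
```

Check the ISP router's ARP table for 192.168.0.2 (it will never show .50 unless that address is actually added to ether1), and test from outside the house rather than from the ISP router's own LAN, since a test from 192.168.0.x does not pass through the ISP router's port-forward at all.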
TURN passes all levels of NAT, and uses a server that can be accessed from the internet. A multilevel NATted LAN mostly can just reach the internet, as the NAT is outgoing. It is NATted up to the ultimate public IP address of the ISP.
It is not because you can detect that public IP address in your APP, Router or browser, https://whatismyipaddress.com/ that you can receive incoming connections addressed to that IP address.
4G/LTE or satellite links never allow for incoming connections, without special options added.
The DIY solution for TURN is fairly easy. I do it with just a hAP Lite (the cheapest MT?) running several VPN servers. The TURN server is on (another) ISP link with cabled connection, and has a dynamically changing public IP address on the modem (Fixed IP is a paid-for option, and can be expensive). DDNS solves that IP address-changing problem. DDNS service is built in RouterOS (based on serial number) or you could use https://www.noip.com/ instead or as failover. So the TURN server has a static DDNS name, used for setting up the VPN connection, from the participating multi-NATted locations/routers.
There are offerings for public TURN services, like “Hamachi by LogMeIn” https://www.vpn.net/
“Zerotier” has free TURN services.
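What the relay ("DIY TURN") setup described above looks like as RouterOS configuration. This is an added example, not the poster's configuration: it assumes RouterOS 7 on both routers (for WireGuard; the post does not say which VPN type is used), ether1 as the relay's WAN port with a dynamic public address, the built-in IP Cloud DDNS, a 10.66.0.0/24 tunnel network, a game host at 192.168.100.3 on TCP 12345 behind the NATted site, and placeholder public keys that you would replace with the output of `/interface wireguard print` on each router.

```routeros
# Added example (not from the thread). Assumes RouterOS 7, WireGuard, and the
# addresses/keys below, which are placeholders.

### On the relay router (cabled ISP, dynamic public IP, no inbound restrictions) ###

# 1. Built-in DDNS: RouterOS registers <serial>.sn.mynetname.net for the
#    current public address and keeps it updated when the ISP changes it.
/ip cloud set ddns-enabled=yes
/ip cloud print

# 2. WireGuard hub. Every NATted site dials OUT to this listener, so nobody
#    behind CGNAT/double NAT needs an inbound port-forward.
/interface wireguard add name=wg-relay listen-port=13231 comment="relay hub"
/ip address add address=10.66.0.1/24 interface=wg-relay
/interface wireguard peers add interface=wg-relay \
    public-key="<home-router-public-key>" allowed-address=10.66.0.2/32 \
    comment="home router hosting the game"
/interface wireguard peers add interface=wg-relay \
    public-key="<player-public-key>" allowed-address=10.66.0.3/32 \
    comment="friend"

# 3. Accept the handshakes and let peers talk to each other through the hub.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=13231 \
    action=accept place-before=0 comment="wireguard in"
add chain=forward in-interface=wg-relay out-interface=wg-relay \
    action=accept place-before=0 comment="wireguard peer to peer"

### On the home router behind the ISP router (the NATted site) ###

# 4. Outbound-only tunnel to the relay's DDNS name; the keepalive keeps the
#    NAT mapping open so the relay can send traffic back at any time.
/interface wireguard add name=wg-out comment="to relay"
/ip address add address=10.66.0.2/24 interface=wg-out
/interface wireguard peers add interface=wg-out \
    endpoint-address=<serial>.sn.mynetname.net endpoint-port=13231 \
    public-key="<relay-public-key>" allowed-address=10.66.0.0/24 \
    persistent-keepalive=25s

# 5. Players connect to 10.66.0.2:12345 over the tunnel; hand that to the game
#    host. Replies route back via wg-out because 10.66.0.0/24 is a connected
#    network on this router, so no masquerade is needed.
/ip firewall nat
add chain=dstnat in-interface=wg-out protocol=tcp dst-port=12345 \
    action=dst-nat to-addresses=192.168.100.3 comment="game via relay"
/ip firewall filter
add chain=forward in-interface=wg-out connection-nat-state=dstnat \
    action=accept place-before=0 comment="allow game via relay"

# Verification on either end: a recent handshake means the tunnel is up.
/interface wireguard peers print detail
```

A friend's router (or a WireGuard client on a PC) uses the same dial-out shape as step 4 with its own key and 10.66.0.3/24, and only ever needs outbound UDP to the relay, which is why this works through LTE and CGNAT links where the direct port-forward approach cannot.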