[SOLVED] Need help configuring routing from WAN NAT

Hello,

New Mikrotik user here. I want to monitor through the internet a remote site that has to be accessed via the cellular network (numbers 4-5 in the attached diagram).

The cellular operator restricts access to the remote site: it can only be accessed from a specially provisioned cellular link, limiting the usability of the monitoring system (I have to carry the modem with me, it cannot be shared, etc). So I had the idea to share access to the monitoring system by configuring my home network to expose the cellular modem/router on my side (3) to the internet. The desired flow would be 1-2-3-4-5. Realizing my home router won’t allow me to do something like this, I researched a little and found Mikrotik. So far I have made the RB750GL (2) the center of my network, and I’m also able to access the remote site from any computer in the local network using the following static route:
/ip route
add distance=1 dst-address=10.208.221.210/32 gateway=192.168.0.200

Here 10.208.221.210 is the address assigned to the remote link by the cellular operator (4) and 192.168.0.200 is the address I set on the TP-LINK 3G modem/router in my home network (3). The TP-LINK modem/router’s routing table has the info for routing the remote address, and this works fine when accessed from the local network (6), for example when I use the remote address 10.208.221.210 in a browser. However, I haven’t found a way to make this available from the internet. I tried a dst-nat:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=4000 in-interface=pppoe-out1 protocol=tcp to-addresses=10.208.221.210 to-ports=5000

Although I see the statistics counter of the dst-nat move, it doesn’t work. I guess the static route I added doesn’t get evaluated when the request comes from NAT. Just for testing I changed the dst-nat to point to the LAN computer (6), where I installed a TCP proxy pointing to 10.208.221.210, and I was able to make it work, but I’d like to avoid using an extra computer for this. I’d also like to avoid connecting to the Mikrotik using a VPN, since it could be confusing to the other people who will be accessing the system. I’ve tested other configurations and researched a bit about this, but my lack of networking knowledge and terminology is preventing me from producing/finding the correct configuration. Any ideas on how to make this work?

Thanks a lot,
Gerardo.
[Attached diagram: 3G network.png]

In addition to using DST NAT to send the traffic to the remote system you probably need to use SRC NAT to make that traffic look as if it came from an address that the remote system knows how to reply to.

Thanks for your response! Do you mean something like the following?
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes src-address=10.208.221.210 to-addresses=xx.xx.xx.xx

The to-address I set for testing is my external IP address, which is assigned by my ISP… Not sure if that’s OK. The src-address is the cellular address of my remote system, which is the one I’m trying to reach. Sorry if I’m not making a lot of sense here, but I’m not very familiar with this kind of equipment :slight_smile:

Do I need additional configuration to make src-nat to work?

Thanks a lot,
Gerardo.

I don’t think the 3G router in my home network (#3 in the diagram) is receiving the requests that come from the internet. I made a test with the Mikrotik sniffer on and I got the following:
316 1.254569 201.144.174.18 xxx.xxx.xx.xxx TCP 78 26493→3200 [SYN] Seq=0 Win=65535 Len=0 MSS=1410 WS=16 TSval=1232188679 TSecr=0 SACK_PERM=1
317 1.254752 201.144.174.18 10.208.221.210 TCP 78 26493→5000 [SYN] Seq=0 Win=65535 Len=0 MSS=1410 WS=16 TSval=1232188679 TSecr=0 SACK_PERM=1
407 1.538906 201.144.174.18 xxx.xxx.xx.xxx TCP 78 26494→3200 [SYN] Seq=0 Win=65535 Len=0 MSS=1410 WS=16 TSval=1232188929 TSecr=0 SACK_PERM=1
408 1.539005 201.144.174.18 10.208.221.210 TCP 78 26494→5000 [SYN] Seq=0 Win=65535 Len=0 MSS=1410 WS=16 TSval=1232188929 TSecr=0 SACK_PERM=1
671 2.304467 201.144.174.18 xxx.xxx.xx.xxx TCP 78 [TCP Retransmission] 26493→3200 [SYN] Seq=0 Win=65535 Len=0 MSS=1410 WS=16 TSval=1232189690 TSecr=0 SACK_PERM=1
672 2.304588 201.144.174.18 10.208.221.210 TCP 78 [TCP Retransmission] 26493→5000 [SYN] Seq=0 Win=65535 Len=0 MSS=1410 WS=16 TSval=1232189690 TSecr=0 SACK_PERM=1
799 2.604582 201.144.174.18 xxx.xxx.xx.xxx TCP 78 [TCP Retransmission] 26494→3200 [SYN] Seq=0 Win=65535 Len=0 MSS=1410 WS=16 TSval=1232189993 TSecr=0 SACK_PERM=1
800 2.604702 201.144.174.18 10.208.221.210 TCP 78 [TCP Retransmission] 26494→5000 [SYN] Seq=0 Win=65535 Len=0 MSS=1410 WS=16 TSval=1232189993 TSecr=0 SACK_PERM=1
1025 3.315376 201.144.174.18 xxx.xxx.xx.xxx TCP 78 [TCP Retransmission] 26493→3200 [SYN] Seq=0 Win=65535 Len=0 MSS=1410 WS=16 TSval=1232190697 TSecr=0 SACK_PERM=1
1026 3.315496 201.144.174.18 10.208.221.210 TCP 78 [TCP Retransmission] 26493→5000 [SYN] Seq=0 Win=65535 Len=0 MSS=1410 WS=16 TSval=1232190697 TSecr=0 SACK_PERM=1

What I see is that the internet terminal 201.144.174.18 is connecting to my public address xxx.xxx.xx.xxx port 3200, which is the port I opened for this service, and then I see the src-nat working, trying to make the connection to the remote 3G address 10.208.221.210 port 5000, which is the port specified in the src-nat action. After that it looks to me like the internet terminal is trying to reach its peer but no answer is returned. Any ideas how I can solve this problem? As I previously stated, the static route works fine when the requests come from the LAN, but it appears it’s not being evaluated when the request comes from the internet.

Thanks,
Gerardo.

Mexico.


That test was made using the 4G network of my cell phone, since I only have one internet link at home. 201.144.174.18 was the address that my cellular provider (Telcel) assigned my phone to reach the internet at that moment; that’s the reason I didn’t bother removing it.

Any ideas on how to solve my problem? I think this system should work using the correct configurations.

Thanks for your help,
Gerardo.

Any ideas? Could it be that the TP-LINK TL-MR3020 3G router (3) would need to be configured so it can get the packets from the WAN? Sadly TL-MR3020’s configuration options are very limited. What if I replace the TL-MR3020 by a RouterBOARD mAP 2n, which accepts a 3G modem? Then maybe I could bridge the RB750GL and the mAP and route the packets…

I’d like to solve this problem using the hardware I already have… Does someone know how to do it? Or can it simply not be done?

Thanks in advance,
Gerardo.

Have you considered using openwrt on the tp-link to get more functionality, even if this is a little off topic in this forum?
http://wiki.openwrt.org/toh/tp-link/tl-mr3420

Yes, I saw openwrt can be installed on the TL-MR3020 with a little hacking, but first I wanted to see if I could route the WAN traffic to the 3G router solely by configuring the RB750GL. I still think it can be done :slight_smile: Or not?

Thanks,
-Gerardo

My comment was that traffic leaving the Mikrotik destined for 192.168.0.200 needs to be source NATed to use the RouterBoard’s IP address on that segment connecting the RouterBoard to the TP-Link.

Thanks for your answer, CelticComms. So you are saying that in addition to the dstNAT I need to add a srcNAT in order to reach the TP-LINK in my local network (#3 in the diagram)? The dstNAT I have is:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=4000 in-interface=pppoe-out1 protocol=tcp to-addresses=10.208.221.210 to-ports=5000

Do I need to change it? If the Mikrotik’s address is 192.168.0.1, how should I write the srcNAT rule? What’s the action I need to use?

Lots of questions, sorry about that! Thanks for your patience :slight_smile:

-Gerardo.

Yes - when you access the camera from the local network it works. When you access from outside the PPPoE connection it doesn’t - so you need to make the requests coming from the Internet via PPPoE look to the device at (3) as if the requests came from the 192.168.0.0/24 network.

Make sure that you only SRC NAT the specific traffic you need - i.e. not all inbound traffic from PPPoE.

Thanks a lot, CelticComms, I got it after your explanation. Now the two rules are (the first one unchanged, shown for context):
add action=dst-nat chain=dstnat dst-port=4000 in-interface=pppoe-out1 protocol=tcp to-addresses=10.208.221.210 to-ports=5000
add action=src-nat chain=srcnat dst-address=10.208.221.210 dst-port=5000 protocol=tcp to-addresses=192.168.0.1 to-ports=5000

Thanks a lot for your help!

Regards,
Gerardo.
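The complete rule set the thread converges on, collected as an added example (not Gerardo's own export and not CelticComms' text). The interface name pppoe-out1, the addresses and the ports are taken from the thread; the filter rules, the rule comments and the omission of to-ports on the src-nat rule are assumptions of this example.

```routeros
# Added example: route + scoped dst-nat/src-nat pair + filter for exposing the
# remote cellular site through the RB750GL. Assumed: pppoe-out1 is the WAN,
# 192.168.0.1 is the RB750GL's LAN address, 192.168.0.200 is the TP-LINK 3G
# router, 10.208.221.210 is the remote address on the cellular network.

# 1. Static route: packets for the remote site leave via the 3G router on the LAN.
/ip route
add distance=1 dst-address=10.208.221.210/32 gateway=192.168.0.200

# 2. dst-nat: a connection arriving on the WAN at port 4000 is rewritten to
#    remote:5000. dstnat runs before routing, so the route above is consulted
#    for the rewritten destination.
/ip firewall nat
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=4000 \
    action=dst-nat to-addresses=10.208.221.210 to-ports=5000 \
    comment="monitoring: WAN:4000 -> remote:5000"

# 3. src-nat, scoped to that one flow only (not all traffic from the WAN):
#    the 3G router has no route back to arbitrary internet sources, so replies
#    must be addressed to the RB750GL's own LAN address. No to-ports here, so
#    each connection keeps its own source port and concurrent sessions do not
#    collide in connection tracking.
add chain=srcnat protocol=tcp dst-address=10.208.221.210 dst-port=5000 \
    action=src-nat to-addresses=192.168.0.1 \
    comment="monitoring: reply path via RB750GL"

# 4. Filter (assumed): only the dst-natted monitoring flow may be forwarded
#    from the WAN; any other new connection arriving on pppoe-out1 is dropped.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=pppoe-out1 connection-nat-state=dstnat \
    protocol=tcp dst-address=10.208.221.210 dst-port=5000 action=accept
add chain=forward in-interface=pppoe-out1 connection-state=new action=drop
```

With these rules in place, /ip firewall connection will show a single tracked entry per client session with the reply address 192.168.0.1, which is the quickest way to confirm the src-nat is matching only the intended flow.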