Hello,
I’m a newbie (very). I have an RB450G and this scenario:
I intend to have VPN access to the main net. The internet connection is through an ADSL broadband router. There is DHCP with range 192.168.0.50 - 192.168.0.50.
Then I intend to have VPN access to this net. Then I decided to put the RB450G between the ADSL router and the switch.
OK, I configured the ether1 address to 192.168.0.3 - static. I created a LAN on ether2 like 192.168.100.0/24 with DHCP - this will from now on be the “main” network.
I have configured the VPN with 192.168.150.0 and it works. I can remotely access 192.168.100.x on ether2.
But… if a notebook is connected via Wi-Fi through the ADSL broadband router, I cannot access the “main” network 192.168.100.x. What do I have to do to accomplish that?
I think that now I have routing between ether1 and ether2. Maybe I have to use bridging? Or is there some firewall issue?
-----------------[ADSL]--------------------------------------[RB450G]-------------------------------[SWITCH]
public IP…192.168.0.?..192.168.0.3…192.168.100.0/24
What is the IP of the LAN side of the ADSL modem?
You mention that there is a DHCP scope of 192.168.0.50-192.168.0.50. What is this for and where is it located?
You wrote that you created a VPN with an IP of 192.168.150.0… Is that a /24 or something else?
What IP is the laptop connected to the ADSL wifi pulling? Is that in the 192.168.0.0/xx network?
What IP are you typing in to connect to the VPN? You should be typing in the WAN IP of the Mikrotik - 192.168.0.3 and there should be firewall rules “accepting” the traffic if you are using a firewall.
I need more info to be of any assistance to you, if you can answer the above questions we can start digging into your problem.
-----------------[ADSL]---------------guest network-----------------------[RB450G]--------main network------------------[SWITCH]
public IP…192.168.2.1…192.168.2.3…192.168.100.1…192.168.100.1/24
What I want is for the multi-copier printer in the main network with address 192.168.100.50 to be accessible from the guest network 192.168.2.x, so the connected laptops can print and maybe scan.
The printer is a Canon iRC 2380i and I think it uses port 9100 for printing.
I use these commands (with a Brother printer for testing):
You want to be sure that the Mikrotik’s WAN interface shows a network of 192.168.2.0/24. It should if the ADSL is providing DHCP to the Mikrotik. Just something to consider/check if you manually set the WAN IP of the Mikrotik.
Just for confirmation…
a) The Mikrotik can ping the LAN interface on the ADSL modem/router - correct?
b) The Mikrotik can ping the IP address of the printer - 192.168.100.50 - correct?
I know, I’m checking the simple stuff, just bear with me on those.
You need to add all ports needed for the printer. At the moment, your dst-nat would point all traffic destined for your Mikrotik’s WAN interface to your printer. You’ll need to add src-port and dst-port to your dst-nat config.
This is not needed. Just ensure there is a default src-nat rule in place.
You may need to check your firewall. Ensure that there is an accept statement for traffic destined for the printer, i.e. chain=forward src=192.168.2.0/24 dst=192.168.100.50. Syntax is not fully there, I can update it when I get home and get in front of my CCR.
and now I can print from guest network 192.168.2.x/24.
But there is another issue: Windows says “printer without connection”. So I think that there is another port/protocol that has to be NATed? Or does it have to be source NAT?
I’m not familiar with this issue. You may need to try and re-add the printer as a network printer. You can also go to the manufacturer’s site and see if additional ports are needed.
In my test scenario it works, but when I go to the customer, it does not work. I have this config:
guest network main network - lan
-----------------[ADSL]--------------------------------------[RB450G]-------------------------------[SWITCH]
public IP…192.168.1.1…192.168.1.3…192.168.100.0/24
The printer has the address 192.168.100.220.
Trying “telnet 192.168.1.3 9100” gets no response. In the Mikrotik log:
192.168.1.121:58707->192.168.1.3:910, len 52
dstnat: in:ether1 out:(none), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN),
Is Telnet permitted on your firewall? Has the telnet service been disabled by chance?
That all looks good. Have you confirmed the printers are listening on the correct port? From your Mikrotik, can you connect to those printers via the designated ports? Can a host machine communicate with those printers over those ports?
Hello,
I have the log enabled:
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=9100 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=9100
but when I try to telnet to the WAN port of the router with “telnet 192.168.2.3 9100” there is nothing in the log? Instead, if I connect to the router via telnet with “telnet 192.168.2.3”, there is info in the log for the connection.
I connected my laptop directly with a patch cord to the WAN interface with IP 192.168.2.5 and got the same result: nothing.
The Wireshark says:
screen-wireshark.png
I note that the Mikrotik responds with the RESET flag on TCP “set”, which means that it rejects the connection, but why?
The “out interface = none” simply means that an outbound interface has not been specifically set in the configuration. That should not be an issue here.
I would look at your firewall. Ensure that you have an accept statement going into your WAN interface for these ports.
If that does not work, then we would want to capture all packets going into and out of the WAN interface to see what we are missing.
It seems that the printer does not accept printing from another network, so I have to do src-nat to tell the printer that the PC that wants to print is in the “same” network.
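
Added example, not taken from any post in this thread: one way to express the dst-nat plus src-nat combination the thread arrives at, scoped so the guest side reaches only the printer's port 9100. Addresses follow the customer layout described above; the /24 guest mask, the rule comments and the filter rules are assumptions.

```routeros
# Added example (not from the thread). Assumes ether1 = guest/WAN side
# (192.168.1.0/24, router at 192.168.1.3) and ether2 = main LAN with the
# printer at 192.168.100.220. The /24 guest mask is an assumption.

/ip firewall nat
# Forward only TCP 9100 arriving on the router's WAN address to the printer.
# Without protocol/dst-port, every connection to 192.168.1.3 would be sent on.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp \
    dst-address=192.168.1.3 dst-port=9100 \
    to-addresses=192.168.100.220 to-ports=9100 \
    comment="guest -> printer raw print (9100)"

# Rewrite the source to the router's ether2 address so the printer sees a
# client inside 192.168.100.0/24. srcnat runs after dstnat, so the match
# uses the translated destination. Scoped to this printer and port only.
add chain=srcnat action=masquerade out-interface=ether2 protocol=tcp \
    src-address=192.168.1.0/24 dst-address=192.168.100.220 dst-port=9100 \
    comment="printer only answers its own subnet"

/ip firewall filter
# Replies to connections that were already allowed.
add chain=forward action=accept connection-state=established,related \
    comment="return traffic"

# The forwarded print connection itself, and only that.
add chain=forward action=accept in-interface=ether1 out-interface=ether2 \
    protocol=tcp dst-address=192.168.100.220 dst-port=9100 \
    connection-nat-state=dstnat log=yes log-prefix="guest-print" \
    comment="guest -> printer 9100"

# Everything else initiated from the guest side toward the main LAN.
add chain=forward action=drop in-interface=ether1 out-interface=ether2 \
    comment="guest has no other path into main LAN"
```

With the masquerade rule in place the printer's own job log shows the router's ether2 address for every guest job, so the router log (prefix guest-print here) is where the real client address is recorded.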