WAN IP and LAN IP HELP

Hi Everyone,

Wondering if you can help me with my issues. I am logged in to a Mikrotik remotely via VPN to my parents' Mikrotik. The Mikrotik WAN IP is 192.168.1.73.

We had plugged in a security camera, but the camera has a static IP of 192.168.1.91, connected to LAN.

My parents are not the most tech savvy people so getting them to login to the camera and change the IP is very difficult.

Is there any way for me to NAT into the camera remotely?

LAN IP is set to default 192.168.88.1.

When I had issues like this before, I would change the LAN IP to the correct subnet e.g. 192.168.0.1 and have a NAT dst rule e.g. port 88 to connect to LAN 192.168.0.11
But in this case I can’t change the LAN IP to the same range as the WAN as it just disconnects.

Appreciate the help :slight_smile:

Well, the details provided are not all that clear (who's on first, etc. etc.).

Step one:
But if it was me, I would use wireguard to connect the two routers.
Then on my parents' router I would provide the wireguard or VPN interface access to the router on the INPUT CHAIN.
I would ensure that the wireguard or VPN interface is an interface list member for the list that has access to winbox.

Thus I would be able to configure winbox.

Step two:
I would provide access from wireguard/vpn to the LAN subnet where changes are required and thus be able to access devices to make changes.

You can’t easily have same subnet on both WAN and LAN, but all you really need is for router to be able to communicate with camera, and it’s enough to add point to point address for that:

/ip address
add interface=<LAN> address=192.168.1.x network=192.168.1.91

Where network=192.168.1.91 is camera’s address, even though it may not look right. Then address=192.168.1.x is any other unused address. Add this and you should be able to ping camera from router. Then if you want access from elsewhere, using e.g. forwarded ports, you may need this:

/ip firewall nat
add chain=srcnat dst-address=192.168.1.91 action=masquerade

It could work without it, if above address=192.168.1.x matches camera’s default gateway, but since it may be the same as router’s default gateway, that would be a problem. This NAT rule works around that.
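
The routing and return-path reasoning in the reply above, as an added example that is not part of the thread: a small Python model of the router's connected routes and of where the camera sends its replies. Only the WAN, LAN and camera addresses come from the thread; the /24 camera netmask, the camera gateway 192.168.1.1, the chosen 192.168.1.250 and the VPN client 10.0.0.2 are assumptions.

```python
import ipaddress as ip

# Constructed values: the thread only gives the WAN IP, LAN IP and camera IP.
CAMERA = ip.ip_address("192.168.1.91")
CAMERA_NET = ip.ip_network("192.168.1.0/24")   # assumed camera netmask
CAMERA_GW = ip.ip_address("192.168.1.1")       # assumed camera default gateway
P2P_LOCAL = ip.ip_address("192.168.1.250")     # assumed unused "192.168.1.x"
VPN_CLIENT = ip.ip_address("10.0.0.2")         # assumed VPN client address

# Connected routes on the router: (destination, interface, preferred source).
ROUTES = [
    (ip.ip_network("192.168.1.0/24"), "WAN", ip.ip_address("192.168.1.73")),
    (ip.ip_network("192.168.88.0/24"), "LAN", ip.ip_address("192.168.88.1")),
    # Created by: address=192.168.1.x network=192.168.1.91 (a /32 to the peer).
    (ip.ip_network("192.168.1.91/32"), "LAN", P2P_LOCAL),
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns (interface, preferred source) or None."""
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    net, iface, src = max(hits, key=lambda r: r[0].prefixlen)
    return iface, src

def reply_reaches_router(seen_src, router_lan_addr=P2P_LOCAL):
    """Would the camera's reply come back to the router's LAN port?"""
    if seen_src in CAMERA_NET:
        # On-link for the camera: it resolves the source directly on its segment.
        return seen_src == router_lan_addr
    # Off-link: the camera hands the reply to its default gateway.
    return CAMERA_GW == router_lan_addr

def trace(client_src, masquerade):
    """Follow one packet to the camera; returns (out interface, reply ok)."""
    iface, pref_src = lookup(CAMERA)
    # Model assumption: masquerade rewrites the source to the route's
    # preferred source, i.e. the router's point-to-point address.
    seen_src = pref_src if masquerade else client_src
    return iface, reply_reaches_router(seen_src)

if __name__ == "__main__":
    print("camera route:     ", lookup(CAMERA))
    print("other 192.168.1.x:", lookup(CAMERA_GW))
    print("no masquerade:    ", trace(VPN_CLIENT, masquerade=False))
    print("with masquerade:  ", trace(VPN_CLIENT, masquerade=True))
```

The /32 route wins only for the camera, so every other 192.168.1.x destination still leaves via WAN. Passing `router_lan_addr=CAMERA_GW` to `reply_reaches_router` models the case where the router's added address equals the camera's default gateway and replies return without the NAT rule.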

I don't recommend a NAT rule to a camera that has no protection. Unless you want the camera video to be seen by every Tom, Dick and Chinese military hacker… :wink:
Do concur that VPN into the router and then view camera is a safer method.

I meant it as a quick way to get to it, to be able to change the address. But if you start with the safer VPN way from the beginning, even better.

A quick way to get your inheritance is to kill your parents, but there is risk :wink:
(that aside Sob, if you have free time, and since your input was critical to a decent doc, any input here appreciated https://forum.mikrotik.com/viewtopic.php?t=180838 )