Community discussions

konigman
just joined
Topic Author
Posts: 3
Joined: Mon Dec 04, 2017 10:46 pm

Setting up firewall and NAT rules to access device on home subnet

Mon Dec 04, 2017 11:37 pm

Hello everyone, so I read through the wiki and the forum and while there is a lot of information out there, I am still not really sure what exactly I should be doing and therefore looking for a nudge in the right direction.

My aim: to be able to access a thermostat in my parents' guesthouse from anywhere with internet access.

Current home network structure:
  1. Parents have a primary router at 192.168.0.1 that connects via wireless to their ISP's AP.
  2. All devices in the main house are in this 192.168.0.x range (how do I actually write that; is it the 192.168.0.0/24 subnet?).
  3. A separate guest house is connected through a wireless bridge and the guest house wireless receiver is then connected via cable (ether1) to a Mikrotik hAP lite router - the second router - which has the IP address of 192.168.0.8 (I assume this can be called the WAN IP?) and a local IP of 192.168.2.1.
  4. Connected to the second router via wifi is a thermostat at 192.168.2.2 port 4000.
The thermostat is remotely controlled through a phone app. Currently, I can connect to the thermostat through the app only when I am in the same subnet (i.e. connected to the Mikrotik router). I want to do the same from a) the public web and, once I learn how to config the firewall, from b) the main house (the 192.168.0.x range).

I contacted my ISP and they have set up the appropriate port forwarding on their end, so the connection is now like this:
phone with app on the net -> the ISP's public address 1.1.1.1 and port 10123 (used as an example). This is then forwarded to the primary router 192.168.0.1 and port 10123, which then forwards the packets to the second router at 192.168.0.8.

What I tried: all sorts of combinations of source and destination Firewall NAT rules, but at this point I am getting confused and don't know what I am doing :|.

I know the issue is with me not being able to set up the firewall and/or NAT rules correctly. I turned on the log for dropped packets and the forwarding to 192.168.0.8 works (also confirmed by the packet count increasing every time I try to connect via the app) but the 192.168.0.8 -> 192.168.2.1 is where the problem is.

So, these are the questions I have:
Q: Is this a Source or Destination NAT rule issue? Or do I need both?
Q: What IPs and ports am I forwarding? The packet can originate from any IP (mobile provider's assigned IP, IP assigned by any public AP and so on) so am I trying to change the src IP?
Q: The current port of the thermostat is 4000 but the one from the ISP is different (e.g. 10123) so is there any advantage to changing the thermostat port to be the same 10123? The thermostat allows this; port 4000 is just the default one.
Q: Do I need to play with the firewall rules as well if I configure the NAT rules correctly? [Attached screenshot of what I have now]


Side quest: Once I learn this whole firewall/NAT rules thing, can I use the same to access the Mikrotik router at 192.168.0.8 (192.168.2.1) web config through port 80 from the main house (192.168.0.x)? Is that also a NAT thing and/or do I need to create firewall rules? Forwarding or Input?
Anumrak
Forum Guru
Posts: 1180
Joined: Fri Jul 28, 2017 2:53 pm

Re: Setting up firewall and NAT rules to access device on home subnet

Wed Dec 06, 2017 9:31 am

If the networks on router 1 and router 2 are fully routable, then you need 2 rules: a destination NAT on router 1 from the ISP IP address on port 10123 to 192.168.2.2:4000. When an IP packet from the internet hits your router 1 with dst IP 1.1.1.1:10123 (for example; your ISP IP), router 1 will translate it to 192.168.2.2:4000. After this, router 1 will check its routing table, find that 192.168.2.0/24 can be reached via the 192.168.0.8 next hop, and forward it to router 2 (192.168.0.8). On router 2 you will need a firewall rule to accept forwarding of the port (tcp or udp, idk) to 192.168.2.2:4000 from 0.0.0.0/0 or the specific source IP you want (from the Internet). And remember, when you are NATing traffic, you don't need to accept it by firewall. It will just pass through.
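The two pieces the reply describes (a dst-nat rule and a forward accept rule), written out as RouterOS CLI commands for the hAP lite (router 2). This is an added example, not configuration from the poster or from MikroTik. It follows the chain the original post actually describes, where the ISP and the main-house router already hand the packet to 192.168.0.8:10123, so the dst-nat rule lives on router 2 rather than on router 1. It assumes the thermostat app uses TCP, that ether1 is the hAP lite's uplink, that the DHCP server is named `dhcp1`, and it uses a placeholder MAC address for the thermostat.

```routeros
# Router 2 (hAP lite): uplink 192.168.0.8 on ether1, LAN 192.168.2.1.
# Added example. Assumes TCP; if the thermostat app uses UDP, repeat the
# dstnat and forward rules with protocol=udp.

# 1. Pin the thermostat's address so the NAT target never moves.
#    (dhcp1 and the MAC below are placeholders; use your own)
/ip dhcp-server lease add server=dhcp1 address=192.168.2.2 \
    mac-address=00:11:22:33:44:55 comment="thermostat (placeholder MAC)"

# 2. Destination NAT: packets arriving on the uplink for port 10123 are
#    rewritten to 192.168.2.2:4000. Matching on in-interface rather than on
#    dst-address keeps the rule valid if 192.168.0.8 is ever changed.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp \
    dst-port=10123 action=dst-nat to-addresses=192.168.2.2 to-ports=4000 \
    comment="thermostat: 10123 -> 192.168.2.2:4000"

# 3. Explicit forward accept for exactly that translated flow, logged so the
#    hits show up in /log. Keep it above any catch-all drop in the forward
#    chain (reorder with /ip firewall filter move). connection-nat-state=dstnat
#    means only connections rule 2 actually translated are let in; other
#    traffic from the uplink towards 192.168.2.0/24 is not.
/ip firewall filter add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=192.168.2.2 dst-port=4000 connection-state=new \
    connection-nat-state=dstnat action=accept log=yes \
    log-prefix="thermostat-in" comment="thermostat: allow dst-natted flow"

# 4. Side quest from the post: reaching the router's own web config (port 80)
#    from the main house is the INPUT chain, not forward, and needs no NAT.
#    Limit it to the 192.168.0.0/24 range.
/ip firewall filter add chain=input in-interface=ether1 \
    src-address=192.168.0.0/24 protocol=tcp dst-port=80 \
    connection-state=new action=accept comment="webfig from main house"
# Also tell the www service itself which networks may talk to it.
/ip service set www address=192.168.0.0/24,192.168.2.0/24

# 5. Checks while testing from the phone app: counters on the rules, the
#    tracked connection, and the logged accepts.
/ip firewall nat print stats where comment~"thermostat"
/ip firewall filter print stats where comment~"thermostat"
/ip firewall connection print where dst-address~"192.168.2.2"
/log print where message~"thermostat-in"
```

If you instead follow the reply's "fully routable" layout (dst-nat on router 1 plus a static route for 192.168.2.0/24 via 192.168.0.8), router 2 must not masquerade the thermostat's replies on ether1: otherwise router 1 sees the return packets coming from 192.168.0.8 rather than 192.168.2.2, its connection-tracking entry does not match, and the app never gets an answer. With the port-forward chain above, router 2's default masquerade is harmless because the tracked connection on router 2 already maps the reply back to the original source. Whichever layout you use, narrowing `src-address` on the forward rule to the ranges your phone actually comes from, where you can, keeps the thermostat off the open internet.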
