
 
GregS
just joined
Topic Author
Posts: 5
Joined: Wed Dec 27, 2017 1:38 am

Forward port from one router to another router

Wed Dec 27, 2017 9:51 pm

Hello Forum,

I have an IP camera connected to my second MikroTik router and my computers connected to the first router. I would like to get things set up so I can access the camera from the computers on the first router. If I connect my computer to the second router, I can access the IP camera.

Here is my current setup:
The internet is connected to my first MikroTik router. The second MikroTik router is connected to the first MikroTik router. I have an IP camera connected to the second router. My computer is on the first router. I can’t get the configuration correct so I can access my IP camera on the second router.

The IP assigned to the camera on the second router is 192.168.99.120 on port 9003

Here is the rule on my second router I currently have to forward traffic to the camera. Well, at least that’s my idea.

add action=dst-nat chain=dstnat dst-port=9003 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.99.120 to-ports=9003

Being new to this, I’m not sure if the rule I have is correct or do I need to add another rule to the second router, do I need to add a rule to the first router?

Any help you can give me is much appreciated.
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Forward port from one router to another router

Thu Dec 28, 2017 1:36 pm

1. You did not write from where you would like to have access to the cameras: from the LAN of the 1st MikroTik and/or from the Internet?
2. Are MikroTiks in the same subnet or not?
 
BartoszP
Forum Guru
Posts: 1717
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Forward port from one router to another router

Thu Dec 28, 2017 4:33 pm

GregS,

Could you be so kind as to draw your topology and describe the links on the drawing?
Real admins use real keyboards.
 
GregS
just joined
Topic Author
Posts: 5
Joined: Wed Dec 27, 2017 1:38 am

Re: Forward port from one router to another router

Thu Dec 28, 2017 8:47 pm

Thanks for the reply.

1. The first step is to get access from my computer connected to router 1 to the camera connected to router 2. If I get that working, I would then like to get the camera so it is accessible from the internet. Because I'm new to this, I wanted to take small steps.
2. The computer and camera are on different subnets.

I don't have the ability to upload an attachment to this post. I don't have any web site account set up that I can upload my image to for my network topology so I can insert the link in my post.

So I'll try it the old-fashioned way.

Network Topology

Computer is connected to router 1 with IP 192.168.98.100
Router 2 has been given the IP of 192.168.98.200 by router 1 (is it correct to say WAN IP for router 2?)
The camera connected to router 2 has been given the IP of 192.168.99.120 assigned by router 2
From my computer (192.168.98.100) I see router 2 as IP 192.168.98.200

Internet
|
|
router 1
Gateway IP: 192.168.98.1 ---------Computer, IP 192.168.98.100
|
|
router 2
IP assigned to router 2 from router 1 = 192.168.98.200
GW: 192.168.99.1
|
|
|
camera
IP: 192.168.99.120
port:9003
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Forward port from one router to another router

Thu Dec 28, 2017 9:49 pm

Internet
|
|
router 1
Gateway IP: 192.168.98.1 ---------Computer, IP 192.168.98.100
|
|
router 2
IP assigned to router 2 from router 1 = 192.168.98.200
GW: 192.168.99.1
|
|
|
camera
IP: 192.168.99.120
port:9003
On router 2:
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=9003 in-interface=Interface_connected_to_router_1 protocol=tcp to-addresses=192.168.99.120 to-ports=9003
Then, if you want to grant access from the net, you need to do almost the same on router 1:
/ip firewall nat add action=dst-nat chain=dstnat dst-port=9003 in-interface=YOUR_WAN_INTERFACE protocol=tcp to-addresses=192.168.98.200 to-ports=9003
However, there is still a question: is there any particular reason why you are double NATing your cameras?
 
GregS
just joined
Topic Author
Posts: 5
Joined: Wed Dec 27, 2017 1:38 am

Re: Forward port from one router to another router

Thu Dec 28, 2017 10:58 pm

The quick answer for double NATing is the first router is a RB750GL (not wireless) and router 2 is a RB951G-2HnD (wireless). Years ago I purchased the first router thinking (actually not thinking ahead or lack of planning) that I wasn't going to need a wireless router. Didn't have a wireless camera at the time nor any other wireless device at the time. Now that I'm thinking through this setup, I wonder if I should just remove router 1 and connect everything to router 2. Although I would like to get this working with both routers.

I ran your command and I still can't get to the camera from router 1. Is there an issue with the firewall rule on router 2?

Here is my export from router 2 for the firewall rules and NAT

# dec/28/2017 13:24:57 by RouterOS 6.41
# model = 951G-2HnD

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=yes dst-port=9003 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.99.120 to-ports=9003

/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
 
pe1chl
Forum Guru
Posts: 5923
Joined: Mon Jun 08, 2015 12:09 pm

Re: Forward port from one router to another router  [SOLVED]

Fri Dec 29, 2017 12:29 am

When you have two routers in a home, with one used for wireless behind the other used as NAT router with or without wireless, it
is usually better to configure router 2 (as in your scheme) in bridge mode. That way you have only one network range in your
home and all devices can communicate without the issues you are facing now.
In bridge mode, router 2 does not have a DHCP service and the requests for addresses are simply sent to router 1 which hands
out all the addresses in the network.

Alternatively, you can configure router 2 as a true router (no NAT) by just removing the NAT rules and the drop rules on ether1,
and putting a static route to 192.168.99.0/24 gw 192.168.98.200 in router 1. That way, you can just route traffic between your
two networks without "port forwarding".
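
An added example, not part of the original thread: a small Python check over a RouterOS export such as the one GregS posted. It reports a dst-nat rule that is present but carries `disabled=yes`, and the forward-chain drop rule that has to be removed (or preceded by an accept) before plain routing between the two subnets can work. The function names and finding labels are made up for this example.

```python
import re
import shlex

# Sample input: lines copied from the router 2 export posted in the thread.
SAMPLE_EXPORT = '''\
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=yes dst-port=9003 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.99.120 to-ports=9003
/ip firewall filter
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
'''


def parse_export(text):
    """Return (menu, params) for every 'add' line of a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", text)  # rejoin lines wrapped with a trailing backslash
    rules, menu = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line  # e.g. "/ip firewall nat"
        elif line.startswith("add ") and menu:
            tokens = shlex.split(line[4:])  # keeps comment="two words" as one token
            rules.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules


def audit(text):
    """Flag rules that keep traffic from reaching hosts behind this router."""
    findings = []
    for menu, p in parse_export(text):
        active = p.get("disabled") != "yes"
        if menu == "/ip firewall nat" and p.get("action") == "dst-nat" and not active:
            findings.append(("inactive-dst-nat",
                             f"port {p.get('dst-port')} -> {p.get('to-addresses')}:"
                             f"{p.get('to-ports')} is disabled=yes, so it never matches"))
        if (menu == "/ip firewall filter" and active and p.get("chain") == "forward"
                and p.get("action") == "drop" and p.get("connection-nat-state") == "!dstnat"):
            findings.append(("drops-non-dstnat",
                             f"new connections arriving on {p.get('in-interface')} "
                             "are dropped unless a dst-nat rule matched them"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_EXPORT):
        print(f"{kind}: {detail}")
```

The second finding is the default rule that blocks unsolicited connections arriving on ether1-gateway, so once it is removed for the routed setup, every host on router 1's side can open connections to router 2's LAN.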
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Forward port from one router to another router

Fri Dec 29, 2017 12:53 am

The quick answer for double NATing is the first router is a RB750GL (not wireless) and router 2 is a RB951G-2HnD (wireless). Years ago I purchased the first router thinking (actually not thinking ahead or lack of planning) that I wasn't going to need a wireless router. Didn't have a wireless camera at the time nor any other wireless device at the time. Now that I'm thinking through this setup, I wonder if I should just remove router 1 and connect everything to router 2. Although I would like to get this working with both routers.

RB951G-2HnD is more powerful than RB750GL and it can be easily used as a main (edge) router at your home. You can use both, but I would suggest setting up the RB951 as the main one, and the RB750 as a simple switch. Of course, I assume that there is no difference where your AP is located. If it makes a difference, you can use the RB750GL as an edge router and the RB951 as a switch with AP. However, RB750 has less RAM, slower CPU, etc. Here you can compare both.
RB951G - https://mikrotik.com/product/RB951G-2HnD
RB750GL - https://mikrotik.com/product/RB750GL

I ran your command and I still can't get to the camera from router 1. Is there an issue with the firewall rule on router 2?

Here is my export from router 2 for the firewall rules and NAT

# dec/28/2017 13:24:57 by RouterOS 6.41
# model = 951G-2HnD

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=yes dst-port=9003 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.99.120 to-ports=9003

/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway

You don't need a firewall on that device at all. Just reset with no config, log in via MAC address using WinBox, bridge all ports (ether1,2,3,4,5,wlan1 - if you are going to use RB951 as a switch). Then set up DHCP client on that bridge: IP > DHCP Client > click + > choose bridge as interface > click Apply. On the main router you can set up a static IP address that will always be assigned to that device.
Make sure that all devices have DHCP clients on. Otherwise, if they are static, make sure they are in the same subnet and their addresses are not colliding with those assigned by the main router.
 
GregS
just joined
Topic Author
Posts: 5
Joined: Wed Dec 27, 2017 1:38 am

Re: Forward port from one router to another router

Fri Dec 29, 2017 3:20 am

@pe1chl,
I thought I'd try setting up router 2 as a true router per your instructions. I thought that would be the fastest fix. I must have something configured incorrectly, because it didn't work.

Here is the export from ip route in router 1
/ip route
add distance=1 dst-address=192.168.99.0/24 gateway=192.168.98.200

I removed the NAT rules and drop rules for ether1 in router 2.

I was just about ready to read up on how to configure router 2 in bridge mode when I saw the reply from matiaszon.

@matiaszon,
After comparing the two routers, I think it's time to consider switching the two routers. Making the RB951G the edge router and the RB750 a bridge router. I'm not sure if moving the AP will impact the wireless camera.

Because I have a few devices doing streaming via Ethernet cables, it's time (maybe long past time) to read up/learn about and understand the proper way to config those devices on the home network. I think that's where VLANs come into play. Well, that's another question for another thread/topic.

I want to thank both of you for your help and great ideas.

Later, much later tonight I'll try getting router 2 in bridge mode just to get something working before moving on to moving the routers around. The more I work with the routers the more I learn.
 
pe1chl
Forum Guru
Posts: 5923
Joined: Mon Jun 08, 2015 12:09 pm

Re: Forward port from one router to another router

Fri Dec 29, 2017 10:08 am

That with the router config should normally work.
You will need to do some tests, like /ping 192.168.98.1 from router 2 and
/ping 192.168.99.1 from router 1 and see what is the problem.
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Forward port from one router to another router

Fri Dec 29, 2017 2:19 pm

Later, much later tonight I'll try getting router 2 in bridge mode just to get something working before moving on to moving the routers around. The more I work with the routers the more I learn.
The easiest way is to do it in steps.

1. Get the latest RouterOS on both of your devices.
2. Reset your RB951G and get default config.
In WinBox: System > Reset Configuration
Make sure that nothing is checked and click on "Reset Configuration"
After reboot router will be configured with WAN on ether1, and all other ports will be bridged. Default Firewall rules will be set up.
IP on LAN will be 192.168.88.1
3. Reset your RB750 with option "No Default Configuration" checked.
Log in to it via WinBox and do the things I wrote previously.
Good luck
 
GregS
just joined
Topic Author
Posts: 5
Joined: Wed Dec 27, 2017 1:38 am

Re: Forward port from one router to another router

Sat Dec 30, 2017 5:32 am

Problem solved with making the router 2 a true router. Details for the fix below.

@pe1chl,
After I stepped away for a while and came back I used the ping command and found the trouble. The IP for router 2 had changed. During the troubleshooting process, router 1 had been powered off and back on again. When this happened, the IP for router 2 had changed. When I made the changes after your first reply and it didn't work, I should have double-checked the IP address then. I am reminded now that I need to make the IP for router 2 static. I understand that making the IP static might be basic for someone that knows what they are doing. Lesson learned on this end. Thanks for your help!

@matiaszon,
Thanks for the step by step instructions for setting up the routers with the RB951G as the edge router. The instructions will be very helpful when I switch the routers around. I'll be making this change later down the road. For now, I'm going to enjoy that things are working. Thanks.

Now that I have a little bit more knowledge about how things work and more tools in my tools box for troubleshooting, I think things will be a bit smoother next time.

Thanks again to the both of you.
