draven
just joined
Topic Author
Posts: 4
Joined: Mon Jul 02, 2018 1:43 pm

Port forwarding to MikroTik and DHCP behind other router

Mon Jul 02, 2018 1:55 pm

Hello,
I have a Lancom DSL router with real IP address 80.xx.xx.xx and no DHCP server. The MikroTik connects to it with a static IP address from 192.168.2.0/24, so they are in the same network. The MikroTik keeps its own DHCP server - 192.168.1.0/24. I can't forward a port either to the web interface of the MikroTik or to a PC inside the MikroTik's DHCP pool. I added a port forwarding rule on the DSL router, e.g. port 8080 to the IP of the MT - 192.168.2.2 - to access the web interface from the internet, and tried out different configurations of the filter rules and NAT solutions with dst-nat on the MikroTik, but in vain.
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Mon Jul 02, 2018 7:33 pm

Not enough info. Do you have NAT on Mikrotik, or is everything just routed without NAT? What about firewall rules, do you have any and if so, what exactly?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
draven
just joined
Topic Author
Posts: 4
Joined: Mon Jul 02, 2018 1:43 pm

Tue Jul 03, 2018 1:19 pm

Filter rules:
ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no
      log-prefix=""

 1    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

 2    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new
      connection-nat-state=!dstnat in-interface=ISP1 log=no log-prefix=""

 3    chain=input action=accept protocol=icmp log=no log-prefix=""

 4    chain=input action=accept connection-state=established log=no log-prefix=""

 5    chain=input action=accept connection-state=related log=no log-prefix=""

 6    chain=input action=drop in-interface=ISP1 log=no log-prefix=""

 7    chain=input action=accept protocol=tcp in-interface=ISP1 dst-port=8081
      log=no log-prefix=""

I have NAT on Mikrotik for local network.
[animal@Mikrotik_Main] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ISP1
      log=no log-prefix=""

 1    chain=srcnat action=masquerade out-interface=ISP2 log=no log-prefix=""
 
BartoszP
Forum Guru
Posts: 1718
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Tue Jul 03, 2018 1:29 pm

Try to narrow down the problem and first configure the MikroTik to pass 192.168.8.x to 192.168.1.x while you are connected to the 192.168.8.x network.
If you are able to access the local net, then you will be sure that the MKT router works.
Then start checking whether access from outside the DSL model works or not.
Real admins use real keyboards.
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Tue Jul 03, 2018 3:45 pm

Firewall rule order matters! Move filter rule 7 above 6. You are currently dropping everything not established or related.
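
Added example (not part of the thread and not any poster's code): a simplified first-match evaluator in Python, run over the input-chain rules from the 3 July listing, showing that a new WAN connection to tcp/8081 is decided by rule 6 before rule 7 is consulted, and what changes once 7 sits above 6. The matcher only handles exact `key=value` equality, the helper names are hypothetical, and the sample packet is constructed.

```python
import re

# Constructed input: the input-chain rules from the 3 July listing, one rule
# per line (wrapped lines joined, log/log-prefix fields dropped).
RULES_POSTED = """\
3 chain=input action=accept protocol=icmp
4 chain=input action=accept connection-state=established
5 chain=input action=accept connection-state=related
6 chain=input action=drop in-interface=ISP1
7 chain=input action=accept protocol=tcp in-interface=ISP1 dst-port=8081
"""

def parse(text):
    """Turn 'N key=value ...' lines into (number, {key: value}) tuples."""
    rules = []
    for line in text.splitlines():
        num, _, rest = line.strip().partition(" ")
        rules.append((int(num), dict(re.findall(r"([\w-]+)=(\S+)", rest))))
    return rules

def matches(rule, pkt):
    """Simplified: a rule matches when every matcher it sets equals the packet's value."""
    return all(pkt.get(k) == v for k, v in rule.items()
               if k not in ("chain", "action"))

def verdict(rules, chain, pkt):
    """The first matching rule in the chain decides; later rules are never consulted."""
    for num, rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return num, rule["action"]
    return None, "accept"  # RouterOS accepts a packet that no rule matches

def move_before(rules, num, dest):
    """Return a copy of the rule list with rule `num` placed in front of rule `dest`."""
    moved = [r for r in rules if r[0] == num]
    rest = [r for r in rules if r[0] != num]
    idx = next(i for i, r in enumerate(rest) if r[0] == dest)
    return rest[:idx] + moved + rest[idx:]

# Constructed packet: a new TCP connection arriving on the WAN side for port 8081.
NEW_WAN_8081 = {"protocol": "tcp", "in-interface": "ISP1",
                "dst-port": "8081", "connection-state": "new"}

if __name__ == "__main__":
    rules = parse(RULES_POSTED)
    print("as posted: ", verdict(rules, "input", NEW_WAN_8081))
    print("7 before 6:", verdict(move_before(rules, 7, 6), "input", NEW_WAN_8081))
```

With the rules reordered, only tcp/8081 from ISP1 gets through; every other new connection from ISP1 still ends at the drop rule.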
 
draven
just joined
Topic Author
Posts: 4
Joined: Mon Jul 02, 2018 1:43 pm

Tue Jul 03, 2018 4:19 pm

BartoszP wrote:
> Try to narrow down the problem and first configure the MikroTik to pass 192.168.8.x to 192.168.1.x while you are connected to the 192.168.8.x network.
> If you are able to access the local net, then you will be sure that the MKT router works.
> Then start checking whether access from outside the DSL model works or not.

I can access the DSL router from the local network, and the MikroTik gets the internet connection and provides it to our local net. The problem is that the MikroTik's web interface is unreachable from the outside. I connect via DSL and get the IP "80.x.x.x"; I want to make the web interface accessible on it, at 80.x.x.x:8089. If it works, I can forward the other ports for SSH or web to the local net.
 
draven
just joined
Topic Author
Posts: 4
Joined: Mon Jul 02, 2018 1:43 pm

Thu Jul 12, 2018 6:11 pm

Guys, I need your assistance. I have tried plenty of configurations and searched a lot across the internet and didn't find an example of a solution. But I can't open port 81, for example, into the local net. The local web server is listening on 81 (I changed it to avoid conflicts). Here's the config.
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ISP1
      log=no log-prefix=""

 1    chain=srcnat action=masquerade out-interface=ISP2 log=no log-prefix=""

 2    chain=dstnat action=dst-nat to-addresses=192.168.1.13 to-ports=81
      protocol=tcp in-interface=ISP1 dst-port=81 log=no log-prefix=""

 3 XI ;;; NAT in HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.1.13 to-ports=80
      protocol=tcp in-interface=ISP1 dst-port=8088 log=no log-prefix=""

 4 XI chain=srcnat action=masquerade src-address=192.168.1.0/24
      out-interface=ISP1 log=no log-prefix=""

ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no
      log-prefix=""

 1 XI chain=input action=accept protocol=tcp in-interface=ISP1 src-port=80 log=no
      log-prefix=""

 2    chain=forward action=accept protocol=tcp dst-address=192.168.1.13
      dst-port=81 log=no log-prefix=""

 3    chain=input action=accept protocol=icmp log=no log-prefix=""

 4    chain=input action=accept connection-state=established log=no log-prefix=""

 5    chain=input action=accept connection-state=related log=no log-prefix=""

 6    chain=input action=accept protocol=tcp in-interface=ISP1 dst-port=8081
      log=no log-prefix=""
