I am not a MikroTik user per se, but have been supplied one by my ISP as a gateway to their network. The problem is the ISP maintains admin control over the MikroTik router and the user has no control over the MikroTik router, firewall or any other settings except the wifi password and network name, for which the client has a user with privileges limited to adjusting those settings.
The ISP has been unable to set up the router so that all traffic, except for the ports they require, is diverted to a DMZ where my router resides. I suppose my setup differs from the standard setup they are familiar with.
So I asked that they set it up and channel all traffic via DMZ to my router. They, however, claim they require the use of ports that nmap identifies as follows:
2828/tcp open http Web-Based Enterprise Management CIM server OpenPegasus WBEM httpd
8291/tcp open unknown
8728/tcp open routeros-api MikroTik RouterOS API
However, the following ports are also open (although they did not request control over these ports):
21/tcp open ftp MikroTik router ftpd 6.42
53/tcp open domain (generic dns response: NOTIMP)
2000/tcp open bandwidth-test MikroTik bandwidth-test server
4415/tcp open http-proxy MikroTik http proxy
I am not sure what they do, whether the ISP actually does need them and the people speaking to me simply don't realise it, or whether they are activated by default.
My network can be shown as follows:
Internet
|
|
|--------------| Mobile Phone 1
| Router 1 |-------------192.168.88.160
| Mikrotik |
| RB951Ui-2HnD |
| 192.168.88.1 |-------------Mobile Phone 2
|--------------| 192.168.88.161
|
|
|-----------------------| NAS/ftp server
| 192.168.88.150 |----192.168.1.51
| Router 2 |
| Firewall/Local Router |
| 192.168.1.1 |----laptop
|-----------------------| 192.168.1.52
| | |
| | |
| | |----------------M2M.server
| | 192.168.1.53
| |
| |---------------------Desktop
| 192.168.1.54
|
|--------------------------Device
192.168.1.56
So far it has really been a pain; after many attempts the ISP can't get it right, although they still remain friendly and helpful, but clearly clueless. I have a server that manages the backend for some of my machine-to-machine (M2M) devices, and an app on the phone that can also control these devices. I point these devices to the public IP address/web address. After the latest effort by the ISP, some problems have been resolved, only for new problems to appear. Initially, the devices worked perfectly until they got into wifi range (either wifi on Router 1 or Router 2), then the device failed to communicate with the server. Then if they fix that, another problem arises. On and on, a never-ending story. After the last efforts by the ISP to configure the router, all M2M device communication received by my M2M server shows up as coming from the IP address 192.168.88.1, and any return messages or ACK from the server to the device get lost, as the M2M server sends the return messages to 192.168.88.1.
Can anybody please assist me with the correct NAT rules and filter rules in order to get this setup to function correctly? I searched this forum and the wiki, but it is a bit daunting for a newcomer to RouterOS to understand and execute these settings correctly. If there are clear guides for this purpose, it can be sufficient if you just direct me to the right port of call, so to speak, but it would be really helpful if, next time I speak to the friendly folk at my ISP, I can tell them what should be done so that I can get my system functioning again. I have Winbox read-only access (no telnet/ssh access) to the router, should additional information be required.
Kind regards and thanks in advance.
Marakas
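Added example, not taken from the post or from the ISP's actual configuration: a RouterOS v6 rule set that does what the post asks for, i.e. keeps the three ISP management ports (2828, 8291, 8728) on Router 1, sends every other connection arriving from the Internet to Router 2 at 192.168.88.150, and makes the "hairpin" case work for phones on Router 1's wifi that reach the M2M server via the public address. Assumptions that are not in the post: the ISP-facing interface is called ether1, the LAN holding 192.168.88.0/24 is the bridge, and PUBLIC_IP stands for whatever address the ISP assigns to Router 1. The symptom described (everything reaching the M2M server with source 192.168.88.1) is consistent with a masquerade rule that is not limited to the WAN interface, which is why rule 4 below carries out-interface=ether1.

```routeros
# Added example for RouterOS v6 (the router in the post reports ftpd 6.42).
# Assumptions, not from the post: ether1 = WAN towards the ISP, bridge = LAN
# 192.168.88.0/24, PUBLIC_IP = placeholder for Router 1's public address.

/ip firewall nat
# 1. ISP management ports stay on Router 1. "accept" in the dstnat chain
#    stops NAT processing for these packets, so rule 2 never sees them.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=2828,8291,8728 \
    action=accept comment="ISP management ports (from the post)"
# 2. DMZ: every other connection from the Internet is handed to Router 2.
add chain=dstnat in-interface=ether1 action=dst-nat \
    to-addresses=192.168.88.150 comment="DMZ -> Router 2"
# 3. Hairpin: a phone on Router 1's wifi that talks to PUBLIC_IP must also
#    land on Router 2 instead of on Router 1 itself.
add chain=dstnat src-address=192.168.88.0/24 dst-address=PUBLIC_IP \
    action=dst-nat to-addresses=192.168.88.150 comment="hairpin DMZ"
# 4. Masquerade ONLY what leaves towards the ISP. Without out-interface=ether1
#    this rule would also rewrite Internet -> DMZ traffic, and Router 2 (and
#    the M2M server behind it) would see 192.168.88.1 as the source.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> Internet"
# 5. Hairpin source NAT: replies from Router 2 to a LAN phone must come back
#    through Router 1's connection table rather than directly across the LAN,
#    so for this one case a source of 192.168.88.1 is expected and correct.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.150 \
    action=masquerade comment="hairpin srcnat"

/ip firewall filter
# input chain: what may talk to Router 1 itself
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=2828,8291,8728 \
    action=accept comment="ISP management; add src-address=<ISP range> if known"
add chain=input in-interface=ether1 action=drop \
    comment="closes 21, 53, 2000, 4415 and anything else towards the Internet"
# forward chain: what may pass through Router 1
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    action=accept comment="Internet -> DMZ, only what rule 2 forwarded"
add chain=forward in-interface=ether1 action=drop comment="everything else from WAN"

# Services the post found open but nobody asked for; disable them outright
# rather than relying on the input filter alone.
/ip service disable ftp
/ip proxy set enabled=no
/tool bandwidth-server set enabled=no
```

Rule order matters in both chains: the accept for the management ports must sit above the catch-all DMZ rule, and the forward-chain accept relies on connection-nat-state=dstnat so that only connections rule 2 actually redirected are allowed through. Router 2 still needs its own port forward from 192.168.88.150 to the M2M server at 192.168.1.53; that part depends on what Router 2 is and is outside what this example covers.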