
 
cucul
just joined
Topic Author
Posts: 5
Joined: Mon Jul 15, 2019 1:43 am

2 x Lan, 2 x DVR, 1 Problem

Mon Jul 15, 2019 1:54 am

I have the following situation shown in the figure:

When port forwarding is set up in network 2 (with the Mikrotik), I can see from network 1 the pictures transmitted by DVR2, but I cannot see from network 2 the pictures transmitted by DVR1.

If I disable port forwarding in network 2, I can see from network 2 the pictures transmitted by DVR1, but evidently I can no longer see from network 1 the pictures transmitted by DVR2.

This problem has only occurred since I replaced the old router (Asus) with a Mikrotik.


The software used is IVMS-4200 from Hikvision.

Any suggestions for troubleshooting this???

Thank you.

 
mkx
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 x Lan, 2 x DVR, 1 Problem

Mon Jul 15, 2019 9:09 am

Post output from command /ip firewall nat export (run it from terminal window). I suspect your port forward setting might be a tad too greedy and steals all connections, not only those destined at Network2 ...
BR,
Metod
 
cucul
just joined
Topic Author
Posts: 5
Joined: Mon Jul 15, 2019 1:43 am

Re: 2 x Lan, 2 x DVR, 1 Problem

Mon Jul 15, 2019 4:14 pm

# jul/15/2019 16:12:28 by RouterOS 6.45.1
# software id = ZW51-WQMY
#
# model = 2011UiAS-2HnD
# serial number = 91E10A7ACFE2
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=FTP_Server dst-port=21 protocol=tcp \
to-addresses=192.168.99.100 to-ports=21
add action=dst-nat chain=dstnat comment=DVR_1 dst-port=8000 protocol=tcp \
to-addresses=192.168.99.150 to-ports=8000
add action=dst-nat chain=dstnat comment=RDP_Server dst-port=3389 protocol=tcp \
to-addresses=192.168.99.100

Thank you.
Last edited by cucul on Mon Jul 15, 2019 4:19 pm, edited 1 time in total.
 
cucul
just joined
Topic Author
Posts: 5
Joined: Mon Jul 15, 2019 1:43 am

Re: 2 x Lan, 2 x DVR, 1 Problem

Mon Jul 15, 2019 4:19 pm

...full version...

# jul/15/2019 16:15:47 by RouterOS 6.45.1
# software id = ZW51-WQMY
#
# model = 2011UiAS-2HnD
# serial number = 91E10A7ACFE2
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=****** use-peer-dns=yes user=****
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto \
mode=ap-bridge ssid=aes wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=*** \
wpa2-pre-shared-key=***
/ip pool
add name=dhcp ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.99.101 client-id=1:c:d2:92:6b:86:36 comment=\
Laptop_Wireless mac-address=0C:D2:92:6B:86:36 server=dhcp1
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1 netmask=24
/ip dns
set servers=192.168.99.1
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=FTP_Server dst-port=21 protocol=tcp \
to-addresses=192.168.99.100 to-ports=21
add action=dst-nat chain=dstnat comment=DVR_1 dst-port=8000 protocol=tcp \
to-addresses=192.168.99.150 to-ports=8000
add action=dst-nat chain=dstnat comment=RDP_Server dst-port=3389 protocol=tcp \
to-addresses=192.168.99.100
/ip route
add disabled=yes distance=1 gateway=192.168.99.1
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=Europe/Bucharest
/system ntp client
set enabled=yes primary-ntp=62.231.108.243 secondary-ntp=193.22.95.9
/system ntp server
set broadcast=yes enabled=yes

Thank you.
 
mkx
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 x Lan, 2 x DVR, 1 Problem

Mon Jul 15, 2019 5:01 pm

The IP addresses used in the configuration don't correspond to the IP addresses indicated on the chart (why did you bother writing them there if you didn't want to show exact addresses anyway?), so I'll assume the addresses in the config export are correct.

So:
add action=dst-nat chain=dstnat comment=DVR_1 dst-port=8000 protocol=tcp \
to-addresses=192.168.99.150 to-ports=8000

As I expected, the quoted rule is the problem: it grabs any connection, targeting tcp port 8000, and redirects it to LAN IP host 192.168.99.150. And it doesn't matter if the connection comes from WAN via PPPoE targeting your public IP address ... or coming from LAN targeting some remote internet host (your network #1 in this case).

A straightforward fix would be to change the NAT rule to this one:
add action=dst-nat chain=dstnat comment=DVR_1 dst-port=8000 protocol=tcp \
to-addresses=192.168.99.150 to-ports=8000 in-interface-list=WAN
This way the NAT rule will only change destination address when connection requests come in through WAN interfaces.
The same problem affects your other DST-NAT rules as well.

Implementing it might break one piece of functionality which you may or may not be using: if you check DVR2 from a PC in network 2 and use the WAN address of network 2 to connect, then that works before implementing the change I proposed, but won't work afterwards.

Clarification:
network 2 WAN IP address = 1.2.3.4
now: from LAN PC with address 192.168.99.42 ... connecting to 192.168.99.150 port 8000 ... works
now: from LAN PC with address 192.168.99.42 ... connecting to 1.2.3.4 port 8000 ... works
after: from LAN PC with address 192.168.99.42 ... connecting to 192.168.99.150 port 8000 ... will work
after: from LAN PC with address 192.168.99.42 ... connecting to 1.2.3.4 port 8000 ... will fail

If you need this kind of connectivity, then you'll have to implement hair-pin NAT.
BR,
Metod
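The fix mkx describes, written out as one complete dstnat/srcnat set, as an added example rather than config posted by anyone in this thread: every port forward is restricted to connections arriving via the WAN interface list, and the hairpin NAT he mentions for the "after: will fail" case is added so a LAN client can still reach DVR_1 through the public address. It assumes the interface lists WAN and LAN, the subnet 192.168.99.0/24 and the host addresses from the export; the placeholder public address 1.2.3.4 from mkx's clarification is not needed because `dst-address-type=local` matches whatever address the PPPoE session currently holds.

```routeros
# Added example, not from the original thread. Assumes interface lists WAN/LAN,
# LAN 192.168.99.0/24 with router address 192.168.99.1 (from the export).
/ip firewall nat

# Outbound traffic from LAN is masqueraded as before.
add action=masquerade chain=srcnat comment="masquerade to WAN" out-interface-list=WAN

# Port forwards: in-interface-list=WAN means a LAN host connecting to some
# remote site on port 8000 (network 1's DVR) is no longer hijacked.
add action=dst-nat chain=dstnat comment=FTP_Server dst-port=21 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.99.100 to-ports=21
add action=dst-nat chain=dstnat comment=DVR_1 dst-port=8000 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.99.150 to-ports=8000
add action=dst-nat chain=dstnat comment=RDP_Server dst-port=3389 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.99.100

# Hairpin NAT, step 1: a LAN client that connects to the router's own public
# address on port 8000 is redirected to DVR_1. dst-address-type=local covers the
# dynamic PPPoE address; the router's LAN address is excluded so that only the
# public side is forwarded.
add action=dst-nat chain=dstnat comment="DVR_1 hairpin" dst-address-type=local \
    dst-address=!192.168.99.1 dst-port=8000 in-interface-list=LAN protocol=tcp \
    to-addresses=192.168.99.150 to-ports=8000

# Hairpin NAT, step 2: rewrite the source of those redirected connections to the
# router, otherwise the DVR would reply directly to the LAN client, which would
# drop the answer because it expected it from the public address.
add action=masquerade chain=srcnat comment="DVR_1 hairpin reply path" \
    dst-address=192.168.99.150 dst-port=8000 protocol=tcp src-address=192.168.99.0/24
```

Rule order within the dstnat chain does not matter here because the WAN and LAN variants are disjoint by `in-interface-list`. The trade-off of the hairpin srcnat rule is that the DVR sees every hairpinned session as coming from 192.168.99.1, so its own access log no longer shows which LAN host connected; clients that address the DVR directly by 192.168.99.150 are unaffected and stay fully attributable.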
 
mkx
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 x Lan, 2 x DVR, 1 Problem

Mon Jul 15, 2019 5:10 pm

There are some other minor errors in the configuration:
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
The LAN address should really be bound to interface=bridge1 ... sometimes this kind of error causes weird behaviour.

/ip dns
set servers=192.168.99.1
This setting instructs the router to query itself for any FQDN<->IP mapping, which won't work well. You should add the address of one (or two) DNS servers ... either LAN-hosted (if you have some) or WAN servers (ISP, Google, whatever).

In the firewall filter section you have a few rules which have in-interface=ether1 ... these are no good when your WAN access is over the pppoe-out1 interface. You should rework those rules and use in-interface-list=WAN instead.
BR,
Metod
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 x Lan, 2 x DVR, 1 Problem

Mon Jul 15, 2019 6:04 pm

Well that was thorough, no crumbs for me. Off I go in search of food. Excellent support as usual from Yoda
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
cucul
just joined
Topic Author
Posts: 5
Joined: Mon Jul 15, 2019 1:43 am

Re: 2 x Lan, 2 x DVR, 1 Problem

Mon Jul 15, 2019 8:10 pm

Well, I have tried to implement the above instructions:

# jul/15/2019 20:03:36 by RouterOS 6.45.1
# software id = ZW51-WQMY
#
# model = 2011UiAS-2HnD
# serial number = 91E10A7ACFE2
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=*** use-peer-dns=yes user=HD***
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto \
mode=ap-bridge ssid=aes wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=*** \
wpa2-pre-shared-key=***
/ip pool
add name=dhcp ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.99.1/24 interface=bridge1 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.99.101 client-id=1:c:d2:92:6b:86:36 comment=\
Laptop_Wireless mac-address=0C:D2:92:6B:86:36 server=dhcp1
add address=192.168.99.150 client-id=1:44:47:cc:c0:5:5c comment=DVR \
mac-address=44:47:CC:C0:05:5C server=dhcp1
add address=192.168.99.100 client-id=1:48:f:cf:3d:e:4d comment=Server \
mac-address=48:0F:CF:3D:0E:4D server=dhcp1
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1 netmask=24
/ip dns
set servers=192.168.99.1,193.231.252.1,213.154.124.1
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=FTP_Server dst-port=21 protocol=tcp \
to-addresses=192.168.99.100 to-ports=21
add action=dst-nat chain=dstnat comment=DVR_1 dst-port=8000 in-interface=\
ether1 protocol=tcp to-addresses=192.168.99.150 to-ports=8000

add action=dst-nat chain=dstnat comment=RDP_Server dst-port=3389 protocol=tcp \
to-addresses=192.168.99.100
/ip route
add disabled=yes distance=1 gateway=192.168.99.1
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=Europe/Bucharest
/system ntp client
set enabled=yes primary-ntp=62.231.108.243 secondary-ntp=193.22.95.9
/system ntp server
set broadcast=yes enabled=yes

but port 8000 is closed and the DVR (192.168.99.150) cannot be accessed from the Internet.

Did I do something wrong ... ???

Thank you.
 
mkx
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 x Lan, 2 x DVR, 1 Problem

Tue Jul 16, 2019 8:31 am

Your WAN interface is not ether1 but rather pppoe-out1 (ether1 is only the physical interface carrying PPPoE traffic; the logical interface which carries WAN traffic is pppoe-out1), so the NAT rule you have now

add action=dst-nat chain=dstnat comment=DVR_1 dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=192.168.99.150 to-ports=8000

can't work. As I wrote, change it to

add action=dst-nat chain=dstnat comment=DVR_1 dst-port=8000 in-interface-list=WAN protocol=tcp to-addresses=192.168.99.150 to-ports=8000


Another suggestion: the firewall rules from the latest export somehow work, but are not really safe ... the chain=forward has some rules, but doesn't really prevent any connections which are not mentioned in the rule list. Accepting DST-NATed connections is one example. I suggest placing these two rules at the end of the rule list:
add action=accept chain=forward comment="allow dst-nat connections from WAN" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop anything else from WAN" in-interface-list=WAN

And, for better performance (reduced CPU load), add this rule to the top (it should definitely be above the similar rule with action=accept ... which must remain there and enabled):
add action=fasttrack-connection chain=forward comment="defconf: fasttrack established,related" \
    connection-state=established,related
Define the rule and then move it to the top (drag and drop if using WinBox or WebFig; use the command move if using the CLI).
BR,
Metod
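The filter changes mkx recommends across his two posts (in-interface-list=WAN instead of in-interface=ether1, fasttrack at the top, and the accept-dstnat/drop-everything-else pair at the end of forward) combined into one ordered rule set, as an added example that is not the config of anyone in the thread. It assumes the Bogons address list and the WAN interface list from the export; the order is the point, because RouterOS evaluates a chain top to bottom and the first matching terminating rule wins.

```routeros
# Added example, not from the original thread. Assumes address list "Bogons"
# and interface list "WAN" (pppoe-out1 and ether1) as in the export.
/ip firewall filter

# forward chain: traffic through the router (LAN <-> Internet)
# 1. fasttrack first: established/related packets skip the rest of the chain.
add action=fasttrack-connection chain=forward \
    comment="defconf: fasttrack established,related" \
    connection-state=established,related
# 2. the plain accept must stay directly below it; packets that cannot be
#    fasttracked (e.g. the first few of a connection) still need it.
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="Drop to bogon list" \
    dst-address-list=Bogons
# 3. new inbound connections are allowed only if a dstnat rule claimed them ...
add action=accept chain=forward comment="allow dst-nat connections from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# 4. ... and everything else arriving from the WAN side is dropped. Matching
#    on the interface list instead of ether1 catches traffic inside the PPPoE
#    session, which is where the public address actually lives.
add action=drop chain=forward comment="drop anything else from WAN" \
    in-interface-list=WAN

# input chain: traffic to the router itself
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# Last rule: nothing new from the WAN side reaches router services
# (WinBox, SSH, DNS, the DHCP client reply is "related" and still passes).
add action=drop chain=input comment="drop everything else from WAN" \
    in-interface-list=WAN
```

The two UDP port 69 accept rules from cucul's export are left out here; if TFTP is still needed, re-add them above the final drops, restricted with `in-interface-list=LAN`, since `port=69` matches either source or destination port and without an interface match it would also admit such packets from the WAN. When applying to a live router, add the fasttrack rule with `place-before=0` or move it afterwards exactly as mkx describes; a rule appended at the end would never be reached by established traffic.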
 
cucul
just joined
Topic Author
Posts: 5
Joined: Mon Jul 15, 2019 1:43 am

Re: 2 x Lan, 2 x DVR, 1 Problem

Tue Jul 16, 2019 9:12 pm

It seems that all the problems have been solved.
@mkx
Thanks for kindness and explanation.
