jneli
just joined
Topic Author
Posts: 4
Joined: Sat Apr 11, 2020 1:46 pm

Access modem behind router

Sat Apr 11, 2020 2:00 pm

Hi all,

I just installed a Mikrotik router between my internet gateway (on ether1) and my internal network. All is working fine, except I can't access my internet gateway anymore from my LAN. The router is also unable to ping the gateway when selecting any other port than ether1. I have tried many things now, but so far without success. Here is my configuration through export:
# apr/11/2020 12:43:18 by RouterOS 6.46.5
# software id = LM7B-KZT4
#
# model = RB760iGS
# serial number = A36A0A955502
/interface bridge
add admin-mac=74:4D:28:C8:A7:FC auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.101-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.2/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.2.3/24 interface=ether1 network=192.168.2.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.2 gateway=\
    192.168.1.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.254
/ip dns static
add address=192.168.1.2 name=router.lan
add address=192.168.1.45 name=testserver
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
    dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address=192.168.2.254 dst-port=80 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=192.168.2.254 dst-port=443 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=192.168.2.254 dst-port=9001 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=9001
add action=dst-nat chain=dstnat dst-address=192.168.2.254 dst-port=8000 \
    protocol=tcp to-addresses=192.168.1.50 to-ports=8000
add action=dst-nat chain=dstnat dst-address=192.168.2.254 dst-port=554 \
    protocol=tcp to-addresses=192.168.1.50 to-ports=554
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.2.254 \
    out-interface=ether1 to-addresses=192.168.2.3
add action=dst-nat chain=dstnat disabled=yes protocol=tcp src-address=\
    192.168.1.0/24 to-addresses=192.168.2.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.2.0/24 \
    out-interface=ether1
/ip route
add distance=1 gateway=192.168.2.254
Thanks in advance for your advice! Regards, Jan
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access modem behind router

Sat Apr 11, 2020 9:09 pm

From your dst-nat rules I can see your router is on a different subnet, 192.168.1.12... so why don't you just change your ISP's router IP to 192.168.2.x?
 
jneli
just joined
Topic Author
Posts: 4
Joined: Sat Apr 11, 2020 1:46 pm

Re: Access modem behind router

Sun Apr 12, 2020 11:25 am

Thanks, it's actually the other way around. The LAN is on 192.168.1.0/24, and my ISP on 192.168.2.0/24. I'm not able to change the ISP modem settings however, so I would have to change the subnet on my LAN, which is a bit of a hassle with my devices with fixed IPs.
I thought there would be a way through the use of NAT to access the other subnet as well? I have tried a few rules already (the ones marked as disabled now in my settings), but without any luck.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access modem behind router

Sun Apr 12, 2020 12:49 pm

The setup you're running should allow LAN PCs to access modem using its IP address of 192.168.2.254 ... DHCP server settings instruct LAN clients to use router as default gateway and the first srcnat rule should cover all LAN to modem connections (or else internet wouldn't work for any of LAN hosts).

BTW, trying to mimic incoming ports when pinging doesn't work ... setting interface= sets the output interface of the ping packets, overriding the selection otherwise done by the routing engine.
 
jneli
just joined
Topic Author
Posts: 4
Joined: Sat Apr 11, 2020 1:46 pm

Re: Access modem behind router

Sun Apr 12, 2020 5:27 pm

Hi mkx, my LAN clients can access the internet, not the 192.168.2.254 modem however. I find this really strange as well. I also noticed none of my incoming NAT rules are working, so I can't access anything from outside. It looks like I'm missing something basic here, but I can't see what it is.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access modem behind router  [SOLVED]

Sun Apr 12, 2020 6:21 pm

You simply cannot access it because of your dst-nat rules... As soon as you try to access 192.168.2.254 you are dst-nated (port forwarded) to 192.168.1.12...
Delete ALL your NAT rules except the first one, and try again...
 
jneli
just joined
Topic Author
Posts: 4
Joined: Sat Apr 11, 2020 1:46 pm

Re: Access modem behind router

Sun Apr 12, 2020 8:54 pm

Yes, that did the trick, thanks! So it seemed my rules to direct outside traffic to the right server on the LAN are not correct. I'll look into those a bit more. Thanks again for your support.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access modem behind router

Sun Apr 12, 2020 10:02 pm

Great, you can mark the post as solved...
If you want to reach a local device from outside your LAN you must convert your rule to:
add action=dst-nat chain=dstnat in-interface=yourWAN-Interface dst-port=8080 \
protocol=tcp to-addresses=192.168.1.12 to-ports=80
So, if you try outside your LAN, supposing your router is accessible from public, to reach your local device you will be port forwarded to 192.168.1.12 port 80.
Notice, I changed the public port to 8080...
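
Added example (not from this thread and not MikroTik code): a small Python model of the dstnat chain that reproduces both points made above. The rules from the first post catch a LAN host's request to 192.168.2.254:80 and send it to 192.168.1.12, which is why the modem was unreachable, while a rule matched on in-interface=ether1, in the shape of the rule just given, leaves LAN traffic alone and only rewrites what arrives on the WAN port. Interface names and addresses come from the thread; the evaluator is a simplification (first matching rule wins, no connection tracking, no srcnat), the Internet host 203.0.113.7 is a documentation-range placeholder, and it assumes the modem forwards Internet traffic to the router's WAN address 192.168.2.3, which the thread does not state.

```python
"""Toy evaluator for a RouterOS dstnat chain: added example, not MikroTik code.

It models why the dst-nat rules in the first post redirect LAN traffic bound
for the modem (192.168.2.254) to the internal server 192.168.1.12, and why
pinning the rule to the WAN port (in-interface=ether1), as in the accepted
answer, stops that.  Simplifications: first matching rule wins, no
connection tracking, no srcnat.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_interface: str   # interface the packet arrived on
    src: str
    dst: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class DstNatRule:
    """One `add action=dst-nat chain=dstnat ...` rule; None means the matcher is not set."""
    to_address: str
    to_port: int
    dst_port: int
    protocol: str = "tcp"
    dst_address: Optional[str] = None
    in_interface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is set must agree with the packet; unset ones match anything.
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.dst_address is not None and pkt.dst != self.dst_address:
            return False
        return pkt.protocol == self.protocol and pkt.dst_port == self.dst_port


def apply_dstnat(rules: List[DstNatRule], pkt: Packet) -> Tuple[str, int]:
    """Return the (address, port) the packet is delivered to after the dstnat chain."""
    for rule in rules:
        if rule.matches(pkt):
            return (rule.to_address, rule.to_port)
    return (pkt.dst, pkt.dst_port)   # no match: the packet goes where it was addressed


# The original post's rules: matched on the modem's address, on any interface.
ORIGINAL_RULES = [
    DstNatRule("192.168.1.12", 80, dst_port=80, dst_address="192.168.2.254"),
    DstNatRule("192.168.1.12", 443, dst_port=443, dst_address="192.168.2.254"),
]

# The accepted answer's shape: match on the WAN interface instead of the modem's address.
FIXED_RULES = [
    DstNatRule("192.168.1.12", 80, dst_port=8080, in_interface="ether1"),
]

# Constructed sample packets. 192.168.1.45 is the "testserver" from the posted DNS
# entries; 203.0.113.7 is a documentation-range placeholder for an Internet host.
LAN_TO_MODEM = Packet("bridge", "192.168.1.45", "192.168.2.254", 80)
# Assumption: the modem forwards Internet traffic to the router's WAN address 192.168.2.3.
WAN_TO_ROUTER_80 = Packet("ether1", "203.0.113.7", "192.168.2.3", 80)
WAN_TO_ROUTER_8080 = Packet("ether1", "203.0.113.7", "192.168.2.3", 8080)


def compare() -> Dict[str, Tuple[str, int]]:
    """Where each sample packet ends up under the original and the fixed rule sets."""
    return {
        "original/lan->modem": apply_dstnat(ORIGINAL_RULES, LAN_TO_MODEM),
        "original/wan->router": apply_dstnat(ORIGINAL_RULES, WAN_TO_ROUTER_80),
        "fixed/lan->modem": apply_dstnat(FIXED_RULES, LAN_TO_MODEM),
        "fixed/wan->server": apply_dstnat(FIXED_RULES, WAN_TO_ROUTER_8080),
    }


if __name__ == "__main__":
    for name, (addr, port) in compare().items():
        print(f"{name:22} -> {addr}:{port}")
```

Under the original rules the LAN packet is rewritten to 192.168.1.12:80 and, on the stated assumption about the modem, the packet from the Internet matches nothing because it is addressed to 192.168.2.3 rather than 192.168.2.254. Under the fixed rule the LAN packet passes untouched and only the packet that arrived on ether1 is forwarded to the server.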
