 
mikrodoog
newbie
Topic Author
Posts: 27
Joined: Mon Apr 19, 2021 12:25 am

Routing specific traffic from WAN to another place in the WAN

Sat Aug 13, 2022 7:19 pm

Ok, it sounds crazy but hear me out.

I have this setup:

A TP-Link router as a gateway00 for my main LAN00, and the hAP lite as a gateway01 for another LAN01 that is WiFi only.

The hAP is BEHIND the TP-Link, yes, it is a double NAT, but the TP-Link does not have the advanced functions, like VLAN handling and multi-addressing, to handle several networks.

What I want to do is use the hAP to forward specific traffic or ports to one specific machine on the LAN00 again. I know, the TP-Link can do that BUT, the thing is that I want the hAP to use the src-address list to allow just certain machines that come from the internet to access that specific machine in LAN00.

So, the hAP that is behind the TP-Link will act as a gatekeeper with the src-address list, forwarding just specific traffic or ports to that specific machine on the LAN00.
Untitled Diagram (2).jpg
I know, that it can be also done via vlans, but I would like to know how messed up this way would be.

In short (with diagram): Me, I will be coming from the internet, the TP-Link will have a port forward pointed to the hAP that is behind it, and I want the hAP to forward or route the traffic to a specific machine that is in the TP-Link LAN, which is also the WAN side of the hAP.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing specific traffic from WAN to another place in the WAN

Sat Aug 13, 2022 7:43 pm

Quick and simple solution is to use a variant of hairpin NAT, i.e. dstnat from hAP to target machine and srcnat to change source to hAP's address, to make target machine send responses back to hAP and not to TP-Link as its default gateway. Downside is that target machine won't be able to see original source addresses, everything will look like it's coming from hAP.

There may be other options, depending on how configurable the target device is and how much it needs to be part of 192.168.0.0/23 subnet.
 
mikrodoog
newbie
Topic Author
Posts: 27
Joined: Mon Apr 19, 2021 12:25 am

Re: Routing specific traffic from WAN to another place in the WAN

Sat Aug 13, 2022 8:00 pm

Quick and simple solution is to use a variant of hairpin NAT, i.e. dstnat from hAP to target machine and srcnat to change source to hAP's address, to make target machine send responses back to hAP and not to TP-Link as its default gateway. Downside is that target machine won't be able to see original source addresses, everything will look like it's coming from hAP.

There may be other options, depending on how configurable the target device is and how much it needs to be part of 192.168.0.0/23 subnet.
The target would be a windows machine, before I had an access list on the windows firewall but I was like "meh... if I want to add another machine, I need to repeat the same setup again in that machine".

Then I remembered that I had the hAP lite on the network and I was like "...I wonder if..."

But your solution could be exactly what I need.

Edit: How do I do what you said?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing specific traffic from WAN to another place in the WAN  [SOLVED]

Sat Aug 13, 2022 8:29 pm

If you have the default firewall, then just dstnat should be enough, e.g.:
/ip firewall nat
add chain=dstnat dst-address=192.168.h.h protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.m.m
where 192.168.h.h is hAP's address in 192.168.0.0/23 subnet and 192.168.m.m is target machine. You can additionally exclude local connections, in case you need to be able to connect to given ports on hAP itself (192.168.h.h) from local subnets, using src-address=!192.168.0.0/16 ("!" means "not"). The srcnat part should be covered by default masquerade rule, but otherwise it would be:
/ip firewall nat
add chain=srcnat dst-address=192.168.m.m protocol=tcp dst-port=80 action=src-nat to-addresses=192.168.h.h
Possibly with src-address=!192.168.0.0/16 to again exclude local traffic (direct connections to 192.168.m.m from subnet behind hAP).
 
mikrodoog
newbie
Topic Author
Posts: 27
Joined: Mon Apr 19, 2021 12:25 am

Re: Routing specific traffic from WAN to another place in the WAN

Sat Aug 13, 2022 8:47 pm

So, I will use this if I have the default masquerade rule, which I do:
/ip firewall nat
add chain=dstnat dst-address=192.168.h.h protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.m.m

If not, I need to add this also so it works in pairs for the traffic to flow.
/ip firewall nat
add chain=srcnat dst-address=192.168.m.m protocol=tcp dst-port=80 action=src-nat to-addresses=192.168.h.h

Right?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing specific traffic from WAN to another place in the WAN

Sat Aug 13, 2022 9:39 pm

It can be any srcnat rule that applies to this forwarded traffic.

This one with specific address and port is a minimal version that shows only what's required, and tries to not touch other traffic. For example, if you didn't have NAT on hAP and the subnet behind it was known to TP-Link (it would have a route to it), you'd be connecting from there to the machine's other ports, and you'd want to keep original source addresses, then you'd need a srcnat rule that doesn't mess that up. This one would still affect connections to port 80, but it could be prevented with additional src-address=!192.168.0.0/16.

If you have masquerade, where the only condition is the outgoing interface, it covers it too. And also everything else from hAP's subnet, but since that's intentional, everything is fine.
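Putting the two replies above together into one configuration, as an added example that is not part of the thread and not Sob's or mikrodoog's own config: the dstnat and srcnat pair from the solved post, plus the src-address-list gate the topic author asked for in the opening post, plus the local-traffic exclusion Sob mentions. The placeholders 192.168.h.h (hAP's address in 192.168.0.0/23) and 192.168.m.m (the target machine) are the thread's own; the list name trusted-remote and the address 203.0.113.10 are constructed for the example.

```routeros
# Added example, not from the thread. hAP lite acting as a gatekeeper in front of
# one LAN00 host that sits on the hAP's WAN side (hairpin NAT).
# 192.168.h.h = hAP's address in 192.168.0.0/23 (thread placeholder)
# 192.168.m.m = target machine in LAN00 (thread placeholder)
# "trusted-remote" and 203.0.113.10 are constructed values for the example.

/ip firewall address-list
add list=trusted-remote address=203.0.113.10 comment="constructed: remote host allowed in"

/ip firewall nat
# Hairpin dstnat: only sources on the list are redirected to the target.
# Connections to port 80 from anyone else are not translated, so the default
# forward-chain "drop not dstnated from WAN" rule never lets them through.
add chain=dstnat dst-address=192.168.h.h protocol=tcp dst-port=80 \
    src-address-list=trusted-remote action=dst-nat to-addresses=192.168.m.m \
    comment="gate: listed remote hosts -> LAN00 target"

# Hairpin srcnat: rewrite the source to the hAP so the target answers via the hAP
# instead of via its default gateway (the TP-Link). The RFC1918 exclusion keeps
# real source addresses on connections made directly from local subnets.
add chain=srcnat dst-address=192.168.m.m protocol=tcp dst-port=80 \
    src-address=!192.168.0.0/16 action=src-nat to-addresses=192.168.h.h \
    comment="hairpin return path via hAP"
```

If the default masquerade rule is present the second rule is redundant, as Sob says; it is kept here because it documents the return path explicitly and survives a later removal of masquerade. To confirm both rules are being hit while testing from a listed host, watch the per-rule counters with `/ip firewall nat print stats`; a dstnat counter that increments while the srcnat counter stays at zero means masquerade (or another earlier srcnat rule) is handling the return path.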
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing specific traffic from WAN to another place in the WAN

Sun Aug 14, 2022 12:29 am

Your words point to the optimal solution, good thing Sob came along, would have never thought of using NAT for such a backwards approach to traffic handling. How does he do it?
The hAP is BEHIND the TP-Link, yes, it is a double NAT, but the TP-Link does not have the advanced functions, like VLAN handling and multi-addressing, to handle several networks.

The wrong router is attached to the internet.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing specific traffic from WAN to another place in the WAN

Sun Aug 14, 2022 6:11 pm

There's nothing special, you have some goal and tools you can use to achieve it. Just combine what you have to get what you want. It's like a puzzle. And yes, making RB the first router sounds good to me, but I guess there's some reason for the current setup.
 
mikrodoog
newbie
Topic Author
Posts: 27
Joined: Mon Apr 19, 2021 12:25 am

Re: Routing specific traffic from WAN to another place in the WAN

Mon Aug 15, 2022 3:38 pm

True, the wrong router is facing the internet.

The problem is that all this network was a mess at first. There were HUBS everywhere, guest traffic mixed with private traffic, security holes EVERYWHERE; just last year the switches were installed and this year I was able to implement VLANs (which was not an easy task since all of this has been done remotely).

Yet, the TP-Link has only one advantage: it is a load balancer.
Yes, the hAP can do that too, but knowing the customer (which is a PITA for the budget), I had to get old 2960 switches (all of them EOL), but they were economical, and the hAP was laying around at the owner's house unused, brand new in a box (which was a miracle), so technically it was free.

All of this in a 3rd world country in latam. Yes, we do things differently here, things keep on running... barely, but they keep running. It is what it is.

Also, I do not have skilled local support, so right now the TP-Link (that was there long before the hAP) is the main router and the hAP manages just the WiFi.
Overkill and unnecessary, yes, but it keeps things running.

Oh, and combined with Pi-Hole and other stuff, it keeps the network clean and puts the bandwidth to good use.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing specific traffic from WAN to another place in the WAN

Mon Aug 15, 2022 6:05 pm

Understood, and good on ya for hobbling that together and making it work. Sob was the guy, he specializes in being backwards. ;-)
