 
Abdelhadi
just joined
Topic Author
Posts: 17
Joined: Thu Aug 25, 2022 2:47 pm

Make Bridge from ISP PPPOE Modem to my Mikrotik

Fri Sep 02, 2022 6:15 pm

Hi everyone,
I'm about to configure my lab based on a CCR2004.
It's the first time for me, and I will need some help (by the way, thanks to Anav for her help setting up my AP with the MT :) )
So, I'll first explain my architecture: I have an ISP device (GPON ZTE) with a public IP on one side, and on the other side I have my MT (CCR2004).
To be able to reach my lab remotely, from my home for example, I want to set up port forwarding.
From what I understood and what I read, I should do a bridge connection between my ISP device and my MT. Am I wrong?
PS: I'm getting internet by entering credentials given by my ISP.
Can you give me just general pointers on the overall steps to follow... I saw many guides talking about different methods, and I don't know which are applicable to my case.
Thank you in advance.
 
rbuserdl
Member Candidate
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Fri Sep 02, 2022 6:51 pm

Hello,

Where do you need to access from outside? To Mikrotik or a client in the lan side?
IMHO, you have 2 options:
1) Change ISP modem to bridge mode (Will be the best option)
2) Create the port forwarding in the ISP modem and in the mikrotik router

To be able to connect from outside, you will need to connect to a public IP. If your ISP modem is in router mode, the ISP modem itself is dialing and getting the public IP, and the Mikrotik is probably getting a private IP. If you change the ISP modem to bridge mode, you will need to dial from the Mikrotik, entering the username and password there, and you will have the public IP on the Mikrotik.

What kind of IP (public or private) do you have in your mikrotik router, in the port where you connected the ISP modem?

Regards,
Damián
 
Abdelhadi
just joined
Topic Author
Posts: 17
Joined: Thu Aug 25, 2022 2:47 pm

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Fri Sep 02, 2022 7:45 pm

Hi Damian,
Thanks for replying.
I want to connect from outside to MT and to some PCs also.
I have a static public IP in my ISP Modem.
My modem LAN1 is connected to my MT SFP12.
I'm OK with the 1st option (bridge mode). I will like this, and see what I can do.
Thank you once again.
 
AidanAus
Member Candidate
Posts: 177
Joined: Wed May 08, 2019 7:35 am
Location: Australia

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Mon Sep 05, 2022 6:54 am

Is there a reason why you would like to port forward rather than use a VPN? Using, say, SSTP would be way more secure, not only because you need to authenticate and the packets have some encryption on them, but it would also mean you only need to open up 1 port on the router (443 by default) that the open world can get to.
From there you would just route to where you need to go, or even put a Mikrotik on the other end and set up an EoIP tunnel if you would like to send layer 2 packets as well :)
 
Abdelhadi
just joined
Topic Author
Posts: 17
Joined: Thu Aug 25, 2022 2:47 pm

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Mon Sep 05, 2022 7:42 pm

Hi AidanAus,
Thanks for replying.
Why do I need remote access? It's my first time using MT devices, and I'm testing things (adding rules, enabling and disabling, ...). But I can't do this during production time (we have 2 shifts from 6:00 to 22:00). It has happened that after some modifications I need to reboot the MT, so I need to stay at the office after the production teams have left. So the first need is to access the MT itself. The second thing is that I'm about to upgrade some virtual servers, and by having remote access to the hosts I can do the job in masked time or on the weekend.
I don't know if port forwarding is the best and most secure way, and I'm open to suggestions.
Now I'm working on turning my ISP to bridge mode and getting internet access on the MT. But so far I haven't succeeded. As I understand from the ISP tech team, it's not possible to turn the ONT to bridge mode.
What can be the alternatives in your opinion?
Thanks in advance.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Mon Sep 05, 2022 8:02 pm

The question is,
Does your modem provide you with a public IP? If yes, then the suggestion by whatshisname is fruitless (wasting your time). You have what you need.
If what you're saying is that the MODEM gets a public IP and then gives you, on its ether1, a private IP, then you are potentially screwed.

So it's either a modem/router (where you get a private IP and will have to port forward from this device to the MT, pray this is possible) OR
it's simply a modem, or ONT as you say, and it gives you a public IP which can be assigned on the MT.

By the way I have both cable modem and an ONT. From the ONT I go straight to my MT and I get a public IP over a vlan.
Yours may be over VLAN or pppoe ???

++++++++++++++++++++++++++++++++++++

Yes, to access your assets behind the MT, your best bet is to start off with WIREGUARD VPN access.
This will allow you to SECURELY REMOTE IN, from anywhere, at home, at hotel etc and then access the router for config purposes or access the LANS for whatever.
The reason port forwarding is used is when external clients need access to some services.
However this requires, in good security practices,
a. some sort of encrypted login (essential)
b. username and password (essential)
c. 2-factor authentication or radius server acceptance (recommended).
d. Limiting inbound external users by SOURCE ADDRESS on the dst-nat rule, thus only allowing bona fide users to attempt access (smart move)
(note: this means knowing the fixed/static IP or getting all users with dynamic WANIPs to get a dyndns name - free at many sites, so no excuses)

What I recommend is at the office take one port off the bridge and use it exclusively to config the router, or to access it in an emergency when the bridge gets confused and the router is not accessible via the bridge............. This makes life very easy, but always use SAFE Mode while configuring the router as well!
viewtopic.php?t=181718

Before you attempt setting up any port forwarding or VPN, get your firewall rules in order and your basic setup done.
In other words, start remote access and port forwarding from a clear, concise working setup.
Once you are ready to start with the vpn and port forwarding post your config for review..............

Reading for Wireguard - viewtopic.php?t=182340
Reading for Port Forwarding - viewtopic.php?t=179343

If you need pointers on firewall,
viewtopic.php?t=180838
 
Abdelhadi
just joined
Topic Author
Posts: 17
Joined: Thu Aug 25, 2022 2:47 pm

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Tue Sep 06, 2022 1:14 pm

Hi Anav,
Thank you for replying.
I'm reading guides you gave me...
To answer your questions:
-> The modem gives me a static address: I can see it in IP/Cloud
-> PPPOE or VLAN? I don't know what to answer! In the modem WAN config, I have a PPP user and pass + VLAN turned ON with an ID (see attached).
When I turn OFF VLAN, I lose internet on my MT.
Thanks in advance.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Tue Sep 06, 2022 3:05 pm

Well, not quite clear, how do you know it's a static address?
Is it a private IP address then?
If it's public IP (don't need nor want to see it but if it's private it doesn't matter).
 
Abdelhadi
just joined
Topic Author
Posts: 17
Joined: Thu Aug 25, 2022 2:47 pm

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Tue Sep 06, 2022 4:02 pm

Hi Anav,
It's a public IP (102.xx.xx.xx): it doesn't change even after router reboot.
I bought it from the ISP...
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Tue Sep 06, 2022 6:02 pm

Sounds good, although mine is dynamic and rebooting the router doesn't always cause it to get a new number.

Based on the readings, have you got an initial config for review.......?
Keep in mind you can write up the config in notepad++: take a copy of the current config and modify it, and thus not even touch the working config if that's an issue.
 
Abdelhadi
just joined
Topic Author
Posts: 17
Joined: Thu Aug 25, 2022 2:47 pm

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Tue Sep 06, 2022 7:55 pm

Hi,
The config:


/interface bridge
add name=LAN1-INFO_Bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Management Port" name=Ether1
set [ find default-name=sfp-sfpplus1 ] comment="->Dell T430 DAC1" name=SFP+01
set [ find default-name=sfp-sfpplus2 ] comment="->Dell T430 DAC2" name=SFP+02
set [ find default-name=sfp-sfpplus3 ] comment="->INFO2 (Local C)" name=\
SFP+03
set [ find default-name=sfp-sfpplus4 ] comment="->INFO3 (LocalC)" name=SFP+04
set [ find default-name=sfp-sfpplus5 ] comment="->INFO1 (Local D)" name=\
SFP+05
set [ find default-name=sfp-sfpplus6 ] comment="->Dell R820 DAC1" name=SFP+06
set [ find default-name=sfp-sfpplus7 ] comment="->HP DL360e DAC1" name=SFP+08
set [ find default-name=sfp-sfpplus9 ] name=SFP+09
set [ find default-name=sfp-sfpplus10 ] name=SFP+10
set [ find default-name=sfp-sfpplus11 ] auto-negotiation=no comment=\
"AP1_Local D" name=SFP+11
set [ find default-name=sfp-sfpplus12 ] auto-negotiation=no comment=\
"IAM Modem 192.168.2.1" name=SFP+12
set [ find default-name=sfp28-1 ] name=SFP28-01
set [ find default-name=sfp28-2 ] name=SFP28-02
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.8.100-192.168.8.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN1-INFO_Bridge lease-time=11m name=\
dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=LAN1-INFO_Bridge interface=SFP+01
add bridge=LAN1-INFO_Bridge interface=SFP+02
add bridge=LAN1-INFO_Bridge interface=SFP+03
add bridge=LAN1-INFO_Bridge interface=SFP+04
add bridge=LAN1-INFO_Bridge interface=SFP+05
add bridge=LAN1-INFO_Bridge interface=SFP+06
add bridge=LAN1-INFO_Bridge interface=SFP+08
add bridge=LAN1-INFO_Bridge interface=SFP+09
add bridge=LAN1-INFO_Bridge interface=SFP+10
add bridge=LAN1-INFO_Bridge interface=SFP+11
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=LAN1-INFO_Bridge list=LAN
add interface=SFP+12 list=WAN
/ip address
add address=192.168.8.1/24 interface=LAN1-INFO_Bridge network=192.168.8.0
add address=192.168.2.2/24 interface=SFP+12 network=192.168.2.0
/ip dhcp-server lease
add address=192.168.8.21 mac-address=78:94:B4:CF:1F:E8 server=dhcp1
add address=192.168.8.22 mac-address=78:81:02:DC:8B:B8 server=dhcp1
/ip dhcp-server network
add address=192.168.8.0/24 dns-server=192.168.8.5,8.8.8.8 gateway=192.168.8.1
/ip dns
set servers=192.168.8.5,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.8.0/24
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
192.168.8.1 to-ports=80
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=\
192.168.8.5 to-ports=3389

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10

======================
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik  [SOLVED]

Tue Sep 06, 2022 8:40 pm

(1) Make sure you don't attach this device to your modem, you have no firewall rules.........????

(2) Assuming using fake IP address for WANIP of 192.168.2.1
Then the source nat rule should look like this

add chain=srcnat action=src-nat to-addresses=publicIP-static out-interface=sfp+12

(3) Where is the admin in this picture? Are you on the LAN Bridge with your PC most of the time?
What is on ether1 ??

(4) Format for port forwarding for fixed static wanip is incorrect, should look like this......... (to ports not required if same as dst ports).

add action=dst-nat chain=dstnat dst-address=publicIP-static dst-port=80 protocol=tcp \
to-addresses=192.168.8.1
add action=dst-nat chain=dstnat dst-address=publicIP-static dst-port=3389 protocol=tcp \
to-addresses=192.168.8.5


(5) What is the purpose of your 3389, your router will get hacked if you attempt RDP to home networks................
MUCH BETTER, why not wireguard into the router and then RDP through the tunnel ???

(6) Why do you have to access port 80 on your router (assuming some device somewhere).............

ON BOTH 5,6, you have not limited access to specific external users by source address????
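
The review points raised in this thread (no firewall filter rules, dst-nat rules without a dst-address, no source-address limit on forwarded ports) written as an offline check over a RouterOS export. This is an added example, not part of the thread and not MikroTik tooling; the sample export is constructed from the NAT section posted above, and 192.0.2.10 and the "admins" address list are placeholders.

```python
import re
import shlex

# Constructed sample modeled on the NAT section posted in this thread;
# 192.0.2.10 and the "admins" address list are placeholders.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.8.0/24
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
    192.168.8.1 to-ports=80
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=\
    192.168.8.5 to-ports=3389
add action=dst-nat chain=dstnat dst-address=192.0.2.10 dst-port=8443 \
    protocol=tcp src-address-list=admins to-addresses=192.168.8.5
"""

SRC_KEYS = {"src-address", "src-address-list"}
DST_KEYS = {"dst-address", "dst-address-list", "dst-address-type",
            "in-interface", "in-interface-list"}

def parse_export(text):
    """Return (section, params) for every 'add' line of a RouterOS export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin backslash-continued lines
    section, rules = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # honours quoted values
            rules.append((section, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules

def audit(text):
    """Return (subject, issue) findings for the exposure problems in the review."""
    rules = parse_export(text)
    findings = []
    if not any(sec == "/ip firewall filter" for sec, _ in rules):
        findings.append(("filter", "no firewall filter rules in export"))
    for sec, p in rules:
        if sec != "/ip firewall nat" or p.get("action") != "dst-nat":
            continue
        subject = f"dst-nat {p.get('protocol', 'any')}/{p.get('dst-port', 'any')}"
        if not SRC_KEYS & p.keys():
            findings.append((subject, "open to any source address"))
        if not DST_KEYS & p.keys():
            findings.append((subject, "no dst-address or in-interface match"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```

A dst-nat rule that matches only on protocol and port also catches LAN clients' outbound traffic to that port, which is why the missing dst-address is reported separately from the missing source limit.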
 
Abdelhadi
just joined
Topic Author
Posts: 17
Joined: Thu Aug 25, 2022 2:47 pm

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Wed Sep 07, 2022 12:24 pm

Hi Anav,
I think you are going to kick me out of the forum soon :lol: :lol: :lol:
So:
(1) Make sure you don't attach this device to your modem, you have no firewall rules.........????
As a newbie, I want to get things working with the least constraints, then I can add more rules (if it doesn't work with 3 rules, I don't think it will with ten).


(2) Assuming using fake IP address for WANIP of 192.168.2.1
Then the source nat rule should look like this
add chain=srcnat action=src-nat to-addresses=publicIP-static out-interface=sfp+12
(4) Format for port forwarding for fixed static wanip is incorrect, should look like this......... (to ports not required if same as dst ports).

add action=dst-nat chain=dstnat dst-address=publicIP-static dst-port=80 protocol=tcp \
to-addresses=192.168.8.1
add action=dst-nat chain=dstnat dst-address=publicIP-static dst-port=3389 protocol=tcp \
to-addresses=192.168.8.5


/ip firewall nat
add action=masquerade chain=srcnat
add action=src-nat chain=srcnat out-interface=SFP+12 to-addresses=102.102.102.102
add action=dst-nat chain=dstnat dst-address=102.102.102.102 dst-port=80 protocol=tcp to-addresses=192.168.8.1

#102.102.102.102 is a fake WAN public IP


(3) Where is the admin in this picture? Are you on the LAN Bridge with your PC most of the time?
What is on ether1 ??

I'm connected to a LAN switch, connected to the MT LAN bridge (all PCs and devices are connected to the LAN switch).
On Eth1 I set an IP to connect to the MT if there is an emergency that makes me unable to connect through the LAN.

(5) What is the purpose of your 3389, your router will get hacked if you attempt RDP to home networks................
MUCH BETTER, why not wireguard into the router and then RDP through the tunnel ???
I'm planning to do this after succeeding in getting access.

(6) Why do you have to access port 80 on your router (assuming some device somewhere).............

I want to access the MT web page... After, I'm planning to connect with Winbox or SSH.

ON BOTH 5,6, you have not limited access to specific external users by source address????
Same

=> I added rules as you see above, but it doesn't work! I'm using
PS: I'm using my phone to access 102.102.102.102:80 through 4G, but it's not working so far.
Any suggestions?

Thanks in advance.
 
Abdelhadi
just joined
Topic Author
Posts: 17
Joined: Thu Aug 25, 2022 2:47 pm

Re: Make Bridge from ISP PPPOE Modem to my Mikrotik

Fri Sep 09, 2022 5:37 pm

Hi,
After days of "war" on the phone with ISP services, I finally got a new (it's old in fact) router with bridge mode activated.
You can't imagine how happy I am with this. I was about to order an SFP from fs.com with MAC and SN included and bridge mode on.... But now, no need.
Thanks a lot for helping.
I will now start to "step up my game" starting by firewall rules.
