can't access my dvr from outsite

newtomikrotik · Wed May 06, 2015 12:46 am

I was wondering if someone can help me
Before mikrotik install
my dvr ip 192.168.1.110 port 9000
my public ip 197.xx.xx.xx
I can access it from outsite

after Mikrotok install
i did the follwing

/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=197.XXX.XXX.XXX dst-port=80 to-addresses=192.168.1.110 to-ports=80
add chain=dstnat action=dst-nat protocol=tcp dst-address=197.XXX.XXX.XXX dst-port=9000 to-addresses=192.168.1.110 to-ports=9000

/ip firewall filter
add chain=forward action=accept protocol=tcp dst-address=192.168.1.110 dst-port=80,9000
not working

bingo220 · Thu May 07, 2015 9:11 pm

Try instead "dst-address=197.XXX.XXX.XXX" to use "in-interface=NAMEofWANinterface"

newtomikrotik · Sat May 09, 2015 10:09 pm

thanks for your reply .... but still not work

Sat May 09, 2015 10:33 pm

This works for me

/ip firewall filter
add chain=input comment=KAMERY dst-address=n.n.n.n dst-port=36100-36104 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="BCS HDCVI" dst-address=n.n.n.n dst-port=36100-36104 protocol=tcp to-addresses=x.x.x.x

Remeber to open all ports needed for dvr...my dvr was reconfigured to use continous addresses 36100-36104 instead of 80, 9000 etc.
Dvr should have gateway configured as packets coming from "outside" have dst address changed but the src address is the original one so dvr needs to know where/how to send them back.

newtomikrotik · Sun May 10, 2015 5:13 pm

still not working
anyone help me .. please
what is the problem of my server...

pukkita · Sun May 10, 2015 5:20 pm

can you post /ip export?

newtomikrotik · Sun May 10, 2015 6:15 pm

[admin@MikroTik] /ip> export
# may/10/2015 17:59:37 by RouterOS 6.27
# software id = S6U0-VRLX
#
/ip hotspot profile
add dns-name=www.malak.com hotspot-address=192.168.88.1 name=hsprof1
/ip hotspot user profile
add name=512 rate-limit=128K/512K transparent-proxy=yes
/ip pool
add name=hs-pool-10 ranges=10.5.50.2-10.5.50.254
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=poe ranges=8.8.8.1-8.8.8.254
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.1.20/24 interface=ether1 network=192.168.1.0
/ip dhcp-server
add address-pool=hs-pool-10 disabled=no interface=ether10 lease-time=1h name=dhcp1
add address-pool=dhcp disabled=no interface=bridgeLocal lease-time=1h name=dhcp2
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" gateway=10.5.50.1
add address=192.168.88.0/24 comment="hotspot network" gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,192.168.88.1,213.131.65.20,213.131.66.246,8.8.4.4
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=forward content=facebook protocol=tcp src-port=80,443
add action=drop chain=forward content=youtube protocol=tcp src-port=80,443
add action=drop chain=forward content=.mp3
add action=drop chain=forward content=.exe
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
/ip hotspot
add disabled=no interface=bridgeLocal name=hotspot1 profile=hsprof1
/ip hotspot user
add name=admin password=admin_admin
add mac-address=90:2B:34:F8:A9:3C name=mina password=123 profile=512 server=hotspot1
add mac-address=9C:B7:0D:F8:21:54 name=gabry password=123 server=hotspot1
/ip route
add distance=1 gateway=192.168.1.1

pukkita · Sun May 10, 2015 8:58 pm

Is the router with the real public ip configured so that it forwards its ports to the mikrotik?

newtomikrotik · Mon May 11, 2015 1:40 am

the router ip is 192.168.1.1
but my real ip from ISP 197.xx.xx.xx .... the router is not configued with that ip ...

suntelSean · Mon May 11, 2015 2:16 am

If your Internet works, it is configured to the public IP unless you're using a 3/4g modem.
Which port is your wan is your wan interface?

Sent from my iPhone using Tapatalk

newtomikrotik · Mon May 11, 2015 3:05 am

my internet works fine ..
i use linksys wag 120n
before mikrotik i could access my dvr 197.xx.xx.xx
media port 9000

sonny · Mon May 11, 2015 10:26 am

does your dvr have set default gateway?
is connection tracking on?

If not, it will not work.

bingo220 · Mon May 11, 2015 11:57 am

1. configure the modem (linksys wag 120n) in bridge mode
2. set up external IP on the RB (ppp.., dhcp, static, or what required your ISP)

pukkita · Mon May 11, 2015 12:21 pm

1. configure the modem (linksys wag 120n) in bridge mode
2. set up external IP on the RB (ppp.., dhcp, static, or what required your ISP)

That, or setting the RB as DMZ host on the wag120 (is what I tried to know with my previous post)

newtomikrotik: how is the wag120 configured?

newtomikrotik · Mon May 11, 2015 1:08 pm

my router configuration : in the following two pics.

newtomikrotik · Tue May 12, 2015 12:05 am

any help ... please

bingo220 · Tue May 12, 2015 12:32 am

any help ... please

1. configure the modem (linksys wag 120n) in bridge mode
2. set up external IP on the RB (ppp.., dhcp, static, or what required your ISP)

j7n · Tue May 12, 2015 2:42 am

I agree, avoiding double-NAT would simplify the setup. Otherwise...

If the DVR is behind the Mikrotik, its IP should be in range 192.168.88.0/24 such as 192.168.88.110, and its gateway should be the Mikrotik 192.168.88.1. Reduce the size of the "dhcp" pool to make room for the DVR, or assign its MAC a static lease from the pool.

Then:

/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=192.168.1.20 dst-port=80 to-addresses=192.168.88.110 to-ports=80
add chain=dstnat action=dst-nat protocol=tcp dst-address=192.168.1.20 dst-port=9000 to-addresses=192.168.88.110 to-ports=9000

Or replace dst-address with "dst-address-type=local" - allows hairpin NAT access from LAN -, or "in-interface=ether1".

If the Mikrotik doesn't have address 197.xx.xx.xx, because that has beeen NAT'ed by the modem, a firewall rule containing that address will do nothing. Port-forward the DVR ports to the Mikrotik (.20) inside the modem. I do not fully understand the multiple srcnat/masquerade rules, but it seems they shouldn't interfere. Make sure the drop facebook,exe,mp3 rules don't accidentally match connection with the DVR.

newtomikrotik · Tue May 12, 2015 5:52 pm

I agree, avoiding double-NAT would simplify the setup. Otherwise...

If the DVR is behind the Mikrotik, its IP should be in range 192.168.88.0/24 such as 192.168.88.110, and its gateway should be the Mikrotik 192.168.88.1. Reduce the size of the "dhcp" pool to make room for the DVR, or assign its MAC a static lease from the pool.

Then:

/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=192.168.1.20 dst-port=80 to-addresses=192.168.88.110 to-ports=80
add chain=dstnat action=dst-nat protocol=tcp dst-address=192.168.1.20 dst-port=9000 to-addresses=192.168.88.110 to-ports=9000

Or replace dst-address with "dst-address-type=local" - allows hairpin NAT access from LAN -, or "in-interface=ether1".

If the Mikrotik doesn't have address 197.xx.xx.xx, because that has beeen NAT'ed by the modem, a firewall rule containing that address will do nothing. Port-forward the DVR ports to the Mikrotik (.20) inside the modem. I do not fully understand the multiple srcnat/masquerade rules, but it seems they shouldn't interfere. Make sure the drop facebook,exe,mp3 rules don't accidentally match connection with the DVR.

j7n
thanks for your reply
tested above without bridge mode ... still not working ,
Does that mean I have to connect the DVR directly to ADSL modem to escape from mikrotik ?

j7n · Tue May 12, 2015 11:45 pm

It should work even if the solution is not optimal.

What is the current IP configuration on the DVR (address, subnet, gateway)? What do you have under Applications & Gaming on the modem (its own NAT)?

Break the problem into steps: Can you reach the DVR from another PC on the same LAN? Can you reach it from a PC plugged into the modem (via the Mikrotik's address 192.168.1.20)?

Try replacing the rule. It may be nothing.

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.88.0/24
with
add action=masquerade chain=srcnat out-interface=ether1

newtomikrotik · Wed May 13, 2015 12:19 am

It should work even if the solution is not optimal.

What is the current IP configuration on the DVR (address, subnet, gateway)? What do you have under Applications & Gaming on the modem (its own NAT)?

Break the problem into steps: Can you reach the DVR from another PC on the same LAN? Can you reach it from a PC plugged into the modem (via the Mikrotik's address 192.168.1.20)?

Try replacing the rule. It may be nothing.

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.88.0/24
with
add action=masquerade chain=srcnat out-interface=ether1

j7n
thanks for your reply
current ip of dvr is 192.168.88.110 , 255.255.255.0 , 192.168.88.1 ,, no app. on the modem ( media port of dvr 9000)
DVR could reach form any pc on the same lan (192.168.88.0/24).... couldn't reach outside this LAN

j7n · Wed May 13, 2015 12:55 am

no app. on the modem ( media port of dvr 9000)

There has to be an entry under Applications & Gaming:

Name1     80   80  TCP  20 Enable
Name2   9000 9000  TCP  20 Enable
..followed by anything else also needed..

couldn't reach outside this LAN

Please clarify what you tried. Right now you have two LANs, one directly behind the modem, and another one further behind the mikrotik, and need two layers of NAT. If you connect a PC to the modem, and it can go out on the Internet, but cannot reach the service on 192.168.1.20:9000 on the Mikrotik, the problem is in the configuration on the mikrotik. If so, please post the current /ip export hide-sensitive which includes changes you've made since.

deanMKD1 · Wed May 13, 2015 2:13 am

If i understand good, you have linksys between your DVR. So port 9000 that you sayd must first forward in your linksys, and pointing to IP of Mikrtotik. Then you need to NAT the same port 9000 to 192.168.88.110 on mikrotik. Then your DVR will be accessible from everywhere. Im behind 3 routers, and solve this in that way.

newtomikrotik · Wed May 13, 2015 2:26 am

no app. on the modem ( media port of dvr 9000)
There has to be an entry under Applications & Gaming:
Code: Select all
Name1     80   80  TCP  20 Enable
Name2   9000 9000  TCP  20 Enable
..followed by anything else also needed..
couldn't reach outside this LAN
Please clarify what you tried. Right now you have two LANs, one directly behind the modem, and another one further behind the mikrotik, and need two layers of NAT. If you connect a PC to the modem, and it can go out on the Internet, but cannot reach the service on 192.168.1.20:9000 on the Mikrotik, the problem is in the configuration on the mikrotik. If so, please post the current /ip export hide-sensitive which includes changes you've made since.

service under modem :
dvr1 9000 9000 192.168.1.110
dvr 80 80 192.168.1.110
All my pcs & dvr behind mikrotik ... no pc behind the modem .... all pcs ping dvr .... localy 192.168.88.110 ... if i connect a pc to a modem WAG 120n ( after change dvr ip to 192.168.1.110 gateway 192.168.1.1 ) i could reach it from outsite through my public ip 197.xx.xx.xx if i did anything wrong ... could you please clarify Linksys WAG 120n configuration and mikrotic too?

newtomikrotik · Wed May 13, 2015 2:50 am

If i understand good, you have linksys between your DVR. So port 9000 that you sayd must first forward in your linksys, and pointing to IP of Mikrtotik. Then you need to NAT the same port 9000 to 192.168.88.110 on mikrotik. Then your DVR will be accessible from everywhere. Im behind 3 routers, and solve this in that way.

1- linksys
2- mikrotik
3- All my pcs & dvr
linksys configuration
192.168.1.1
port 9000 forwarded to 192.168.1.110
If I did anything wrong , would you please clarify configuration of linksys and mikrotik

j7n · Wed May 13, 2015 3:14 am

service under modem :
dvr1 9000 9000 192.168.1.110
dvr 80 80 192.168.1.110

These services should be forwarded to the mikrotik 20 (so that it can then translate the request further to the DVR) and not 110 (which doesn't exist in the new configuration).

I suggested using another PC so that you have a readily accessible "WAN side" relative to the Mikrotik for troubleshooting.

suntelSean · Wed May 13, 2015 3:53 am

If i understand good, you have linksys between your DVR. So port 9000 that you sayd must first forward in your linksys, and pointing to IP of Mikrtotik. Then you need to NAT the same port 9000 to 192.168.88.110 on mikrotik. Then your DVR will be accessible from everywhere. Im behind 3 routers, and solve this in that way.
1- linksys
2- mikrotik
3- All my pcs & dvr
linksys configuration
192.168.1.1
port 9000 forwarded to 192.168.1.110
If I did anything wrong , would you please clarify configuration of linksys and mikrotik

This is the problem because you have double NAT. (And basically you're doing only one set of port forwarding. You need to get out of double nat. )

Need to break the WAN DHCP lease on the linksys and put it in bridge mode. Then connect your mikrotik port 1 to the first switch port on the linksys. Release and renew the IP on the mikrotik and you 'should' have your 197.xxx.xxx.xxx on your mikrotik. If not, you're not setting up bridge mode properly.

Once you have the wan IP on your mikrotik, your port forwards will work.

If you can't do the bridging, then you'll need to setup a second set of port forwards on the linksys that basically point to the mikrotik.

Sent from my iPhone using Tapatalk