Hello Ladies & Gentlemen,

I have the following setup

SXT Lite 5 (Station WDS) with PPPoE Client to the ISP
Public IP (Dynamic): 100.x.x.x
ether1 IP (Static): 192.168.88.1/24

TP Link WAN IP (Static): 192.168.88.2/24
DHCP Server: 192.168.0.2-254/24

I want to access both the SXT and the TP Link from the public IP so that:
If I connect from Winbox to 100.x.x.x I reach the SXT
Whereas, if I connect from the browser, I reach the TP Link

Would you please advise?

Thank you

That is probably not going to work, as your 100.x.x.x address is probably not reachable from outside.

If 100.x.x.x is public address (depends on what the first "x" is, but there's a good chance it's public), I see no problem. You don't need to do anything for WinBox connection to SXT, because it has the public address directly on it. And for TP Link's administration, just forward whatever port(s) it uses (probably 80 or 443) to it.

As he is asking, it probably does not work yet. His address is likely in the 100.64.0.0/10 range.
(100.64.0.0 - 100.127.255.255)

No guys dont worry about the public address, it is reachable from anywhere within my network.

I just need the specific configuration needed to do the port forward.
I already tried to add destnat and used ex port 8081 to forward to IP 192.168.88.2 on port 80 but it didnt work

So you had this rule: Or was yours different? And how exactly it didn't work? Were you testing it from inside or from outside? You need to give us some useful info...

So you had this rule:

Code: Select all

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.x.x.x dst-port=8081 protocol=tcp to-addresses=192.168.88.2 to-ports=80

Or was yours different? And how exactly it didn't work? Were you testing it from inside or from outside? You need to give us some useful info...

I am trying to reach it from the same router.
ie: I am connected to the tplink which has access to the internet through the sxt which is connected with pppoe.
I can reach the sxt normally from this place or from another place under my network (same ISP, same network, different IP:100.y.y.y)

the only thing is I can't reach the tplink through port forwarding.
do I need to set anything on the tplink itself?
I only enabled remote management on 255.255.255.255

So you had this rule:

Code: Select all

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.x.x.x dst-port=8081 protocol=tcp to-addresses=192.168.88.2 to-ports=80

Or was yours different? And how exactly it didn't work? Were you testing it from inside or from outside? You need to give us some useful info...

I am trying to reach it from the same router.
ie: I am connected to the tplink which has access to the internet through the sxt which is connected with pppoe.
I can reach the sxt normally from this place or from another place under my network (same ISP, same network, different IP:100.y.y.y)

the only thing is I can't reach the tplink through port forwarding.
do I need to set anything on the tplink itself?
I only enabled remote management on 255.255.255.255

example I am on 100.102.147.164 and want to reach the sxt and tplink on 100.102.147.163
no problem reaching sxt (if pppoe client) or tplink (if pppoe client) since they acquire the 100.102.147.x IP

Are these your real internet addresses?
If so -> CGNAT at your provider.
If not -> provide network diagram with realistic addresses.

Are these your real internet addresses?
If so -> CGNAT at your provider.
If not -> provide network diagram with realistic addresses.

Here you go

I presume the TPlink has the correct route towards the SXT to send traffic outside its network.
Normally it should be OK when DHCP is used to configure the TPlink from the DHCP server on the SXT.
The generic port forward command given by Sob should work for you, with or without port translation.
Of course when you want to forward port 80 you need to disable its service on the SXT, but you can
first try using port 8080.
When this mangle rule is in place you might have a firewall issue.
The default firewall rules handle this situation OK, but you may have modified the rules or deleted
some of them. In that case the incoming traffic for forwarded ports will be blocked because it comes
in from the WAN interface.

This rule in /ip firewall filter
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway

is what is important. it is the drop rule for the external interface (shown for ethernet router in this case)
where the parameter connection-nat-state=!dstnat exempts the port forward traffic from the rule.
Without this (or another solution in the firewall to forward dstnat traffic) it will not work.

Also note that you will only be able to connect from one to the other of the two setups that you have
shown here (with the two 100.x.x.x addresses), and even that only when your ISP allows this user-to-user
traffic (they may block it in their firewall). Your ISP is terminating these PPPoE sessions into
another router that does NAT. So you will not be able to connect to these addresses from another
internet connection, your mobile phone with 4G, etc.

Of course when you want to forward port 80 you need to disable its service on the SXT, ...

Not really. Dstnat just "steals" the packet before it can reach the service on router and sends it elsewhere.