 
creativeliquid
newbie
Topic Author
Posts: 49
Joined: Fri Sep 25, 2015 2:23 am

IP Cameras on CRS - How To Configure FW Rules?

Sat May 06, 2017 7:27 pm

Hello,
I have a client on which I do the IT support.
It's a small medical office.

About 3-4 months ago they paid a company to install some security cameras.
This camera company did an all-Ubiquiti setup.

The final setup for them was as shown in the attached image.
[Attachment: OD-Network.jpg]
What I would like to do is set up the Ubiquiti hardware behind the MikroTik CRS125.
Either in a separate DHCP pool, or the same.

The other thing to take into consideration is:
- I want to update the dynamic IP the ISP provides... I thought something from this Mikrotik wiki link https://wiki.mikrotik.com/wiki/Dynamic_ ... for_dynDNS
(any recommendations that are not DynDNS?)
- The port that is open on the Ubiquiti airVision is 7443. I would like to create that port forwarded to that device (would this be via the MikroTik's Firewall rules?).

Any suggestions you can give me as to how to do it differently/better?

Thank you very much for the time!
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: IP Cameras on CRS - How To Configure FW Rules?

Sat May 06, 2017 9:57 pm

It is going to depend on whether or not your ISP modem / router can be configured in Bridge Mode. Let's assume it can.

You will need to configure a port on the CRS125 as the WAN port, allow it to get an IP address dynamically from the ISP.
You will need to configure NAT masquerade under the FW tab and allow the IPs that you want to access the internet to be able to.
Now we need to enable DHCP server if it is not already - I believe it is based on the diagram you provided.

All names and VLAN numbers are simple placeholders, feel free to change those to meet your needs.

We will start by creating the "SVI" or a bridge interface for the VLANs:
  • Go to Interface
  • Click on the "+" symbol, then move your mouse down to "bridge"
  • Name: bridge-vlan20
  • Click on "comment" on the right: add a relevant name, i.e. IP Cams or Wireless

We need to create the Address Pool we will later reference in our DHCP Scope:
  • Go to IP > Pool
  • Click on the "+" symbol
  • Give it a relevant name: i.e. IPCams_Pool
  • Enter the address range that the DHCP can pull from: i.e. 192.168.1.2-254 (assuming 192.168.1.1 is the DG)
  • Click "OK"

We need to create the address space and assign it to our bridge or SVI:
  • Go to IP > Addresses
  • Next we want to hit the "+" symbol to create a new network
  • Address: 192.168.1.1/24 (the last octet is the designation for your DG, typically .1 or .254)
  • Interface: select the bridge interface we previously created in the drop down menu
  • Add a comment: i.e. IP_Cams
  • Press Apply and/or OK

Under the DHCP Server box in Winbox, we need to create the IP Camera DHCP scope:
  • Give it a relevant name: i.e. IPCams_DHCP (example)
  • Interface: select the previously created bridge vlan from the drop down menu
  • Lease Time: self-explanatory
  • Address_Pool: assign the previously created IP Address Pool

You'll then repeat this for each network that you need. You will also need to set up NAT for each of these networks that needs access to the internet.

This should get you started and if you have any questions feel free to ask away.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: IP Cameras on CRS - How To Configure FW Rules?

Sat May 06, 2017 10:14 pm

For the Dynamic DNS, I haven't used that feature on Mikrotik before. If you do a search on the forums, there was a well written up post from a member that had it working fine with a simple script.

For the Destination NAT, i.e. the traffic you want coming in for the cameras.

You will need to open up your Firewall window (using WinBox):
  • Select the NAT tab
  • We then want to click on the "+"
  • Under the General tab:
  • Chain: select "dstnat" from the drop down menu
  • Protocol: select from the drop down menu if it is "udp" or "tcp"
  • Dst. Port: this is the port we want our router listening on for this specific traffic: i.e. 7443
  • You will most likely want to select the "In. Interface" and select your WAN interface from the drop down menu

Now we want to select the "Action" tab at the top of this window:
  • Action: select dst-nat from the drop down menu
  • To Address: input the IP address of your airVision
  • To Ports: this is only needed if you want to change the port that your router is sending to the device behind it.
  • Click "okay"

Now we will want to build a FW rule permitting the traffic:
  • Go back to your Filter Rules tab
  • Click on the "+" symbol
  • Chain: select "forward" from the drop down menu
  • Dst Address: input the IP of the airVision on your LAN
  • Protocol: select "tcp" or "udp"
  • Dst. Port: enter 7443
  • In. Interface: select WAN interface from the drop down list

Now select the "Action" tab at the top of this window:
  • Action: select "accept" from the drop down window

You should now be able to access the airVision from outside of the network.
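
The Winbox steps in the post above, written as RouterOS terminal commands with one addition: the forward is limited to a source address list instead of being open to every internet host. This is an added example, not part of the original post; ether1 as the WAN port, 192.168.1.10 as the airVision host, tcp as the protocol, the list name nvr-remote and the 203.0.113.0/24 range are assumptions.

```routeros
# Added example with constructed values (see assumptions above).
# 203.0.113.0/24 is a documentation range; replace it with the public
# addresses the cameras are actually viewed from.
/ip firewall address-list
add list=nvr-remote address=203.0.113.0/24 comment="allowed remote viewers"

# NAT tab: rewrite WAN traffic for tcp/7443 to the airVision host,
# but only when it comes from a listed source.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=7443 \
    src-address-list=nvr-remote action=dst-nat to-addresses=192.168.1.10 \
    comment="airVision 7443"

# Filter Rules tab: the accept rule only has an effect when it sits above a
# drop rule. On a router that already has drop rules in the forward chain,
# insert the accept rules above them with place-before=<rule number>.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic"
add chain=forward in-interface=ether1 protocol=tcp dst-port=7443 \
    dst-address=192.168.1.10 src-address-list=nvr-remote action=accept \
    comment="airVision 7443 from allowed sources"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop all other new connections from WAN"
```

`/ip firewall nat print stats` and `/ip firewall filter print stats` show per-rule packet counters, which confirms whether outside connections hit the accept rule or the final drop.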
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: IP Cameras on CRS - How To Configure FW Rules?

Sat May 06, 2017 10:28 pm

One thing I forgot in a previous post, you have to associate each physical interface with the VLAN.

So you will need to click on the "interfaces" button on the left side of the WinBox window:
  • Click on the "+" symbol and select VLAN
  • We want to give this a specific name: typically I will use {VLAN name + interface}, i.e. IPCam-Eth7
  • VLAN ID: change the vlan to "20" in this example to match the wireless / IP Cam network from my diagram
  • Interface: select the physical interface that the host device connects to in the drop down menu: i.e. ether7 in this case.

We also need to associate that port with the Bridge for everything to work for that VLAN:
  • Click on "bridge" on the left side of the WinBox window
  • Select the "ports" tab
  • Click on the physical interface "ether7" then select "bridge-vlan20" from the drop down list beside "Bridge"
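
The bridge, address pool, gateway address, DHCP scope and masquerade steps from the posts above, written as RouterOS terminal commands so the result can be compared against `/export` output. This is an added example, not part of the original posts; it leaves the VLAN interface step out, and ether1 as the WAN port, the 1d lease time and the DHCP network entry are assumptions.

```routeros
# Added example with constructed values: ether1 = WAN port, ether7 = camera port.
/interface bridge
add name=bridge-vlan20 comment="IP Cams"
/interface bridge port
add bridge=bridge-vlan20 interface=ether7

# Pool and gateway address for the camera network.
/ip pool
add name=IPCams_Pool ranges=192.168.1.2-192.168.1.254
/ip address
add address=192.168.1.1/24 interface=bridge-vlan20 comment="IP_Cams"

# DHCP scope bound to the bridge.
/ip dhcp-server
add name=IPCams_DHCP interface=bridge-vlan20 address-pool=IPCams_Pool \
    lease-time=1d disabled=no
# Not in the Winbox steps: the network entry is what hands clients
# their default gateway along with the lease.
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1

# WAN side: take an address from the ISP and masquerade only the
# camera subnet, so each network that gets internet access is listed
# explicitly.
/ip dhcp-client
add interface=ether1 disabled=no
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 \
    action=masquerade comment="IP Cams to internet"
```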
