
Router behind Router

Posted: Tue Oct 03, 2017 5:36 pm
by tabate47
We have a setup like this:

Building 1 has internet service and a MikroTik router.

Building 2 is connected via a Unifi NanoBeam AC. There is a MikroTik router and the network is totally separate. The two buildings have nothing in common except they share an internet connection.

The issue we are having is we cannot use the MikroTik DNS name in building 2. Even though it's on the router in building 2, it points to the public IP on building 1.

We want to open a few ports for CCTV, etc. What is the best way to be able to access building 2 in this scenario?

Thanks.

Re: Router behind Router

Posted: Wed Oct 04, 2017 12:53 am
by tabate47
Any help is appreciated.

Re: Router behind Router

Posted: Wed Oct 04, 2017 3:10 am
by pcunite
We like graphs, we like diagrams.

Re: Router behind Router

Posted: Wed Oct 04, 2017 3:14 am
by tabate47
OK, I'll try to draw something up. I figured because it's so basic you wouldn't need a diagram.

Re: Router behind Router

Posted: Wed Oct 04, 2017 3:39 am
by Paternot
Port forward. Use port forward, from the internet-facing MikroTik to the host you want to expose to the internet.

Or to the second router, if you cannot route without NAT between buildings. In this case you would have two NATs, one behind the other. Not pretty, but...

Re: Router behind Router

Posted: Wed Oct 04, 2017 5:10 am
by tabate47
Would I set up a VPN the same way? Am I able to have a VPN on both routers?

The ultimate goal is to make the second router as if it had its own connection to its own ISP.

Re: Router behind Router

Posted: Wed Oct 04, 2017 2:04 pm
by Paternot
Some VPNs are easier than others with NAT. OpenVPN is the easiest one with NAT. Just forward one port, and you are set. But it doesn't have hardware acceleration.

IPsec is quite problematic with NAT - but has hardware acceleration.

Not sure what you mean by "like each router had its own ISP".

Re: Router behind Router

Posted: Wed Oct 04, 2017 8:21 pm
by tabate47
Here is the setup:

router 1:

wan: public ip address from isp
lan: 192.168.1.1

router 2:

wan: ip address from router 1 192.168.1.100
lan: 10.0.1.1

I would like to be able to access router 2 from the outside the same way I can access router 1. What ports, and on which routers, do I need to forward?

Thanks

Re: Router behind Router

Posted: Wed Oct 04, 2017 8:59 pm
by pcunite
> I would like to be able to access router 2 from the outside the same way I can access router 1. What ports, and on which routers, do I need to forward?

Here is one way to do this. For Router 1, set it up like so. Note that IP address 1.2.3.4 is your work-from-home IP. Remove it if you want to allow from all. As shown, you can connect, using Winbox, from IP address 1.2.3.4 on port 8291 to access Router 1. For Router 2, you'll use port 9000.

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Accept established related"
add chain=input action=accept in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=input action=accept dst-port=8291 protocol=tcp src-address=1.2.3.4 comment="Router1 Access"
add chain=input action=drop comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Accept established related"
add chain=forward action=accept connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether-WAN comment="Accept Port forwards"
add chain=forward action=drop comment="Drop all other forward"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether-WAN comment="Default masq"
add chain=dstnat action=dst-nat in-interface=ether-WAN protocol=tcp src-address=1.2.3.4 to-addresses=10.0.1.1 dst-port=9000 to-ports=8291 comment="Router2 Access"

/ip service
set winbox address=192.168.1.0/24,1.2.3.4/32

Router 2 will allow Winbox from these two networks. Naturally, you'll change Router 2's firewall to allow Router 1 to connect to it. Use Router 1's setup as an example.

/ip service
set winbox address=10.0.1.0/24,192.168.1.0/24

Re: Router behind Router

Posted: Wed Oct 04, 2017 9:08 pm
by tabate47
Thanks I'll give it a try.

If I want to access a camera system for example, on router 2, on port 81, can this be done?

Is there a way to open up everything for router 2 in one shot so I don't have to keep forwarding ports? Kind of like a "DMZ" for router 2?
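
The double port forward discussed in this thread, applied to the camera on port 81, as an added example that is not from any poster: Router 1 forwards to Router 2's WAN address 192.168.1.100, which it reaches directly, and Router 2 forwards on to the camera. The camera address 10.0.1.50, the external port 8081 and Router 2's interface names are assumptions; each forward stays limited to one service and one source address instead of opening everything.

```routeros
# Added example, not from the thread.
# Taken from the thread: 1.2.3.4 (allowed remote IP), 192.168.1.100 (Router 2 WAN),
#   camera service port 81, interface names ether-WAN / bridge-LAN on Router 1.
# Assumed (hypothetical): camera at 10.0.1.50 on Router 2's LAN, external port 8081,
#   and Router 2 using the same interface names as Router 1.

# --- Router 1 (internet-facing) ---
/ip firewall nat
# Public port 8081 from the allowed source only -> Router 2's WAN address, port 81.
add chain=dstnat action=dst-nat in-interface=ether-WAN protocol=tcp src-address=1.2.3.4 dst-port=8081 to-addresses=192.168.1.100 to-ports=81 comment="Camera via Router2"
# Router 1's existing forward rule with connection-nat-state=dstnat already accepts this traffic.
# Router 1 only masquerades out ether-WAN, so Router 2 still sees 1.2.3.4 as the source.

# --- Router 2 (behind Router 1) ---
/ip firewall nat
# Second hop: what arrives on Router 2's WAN address, port 81 -> the camera.
add chain=dstnat action=dst-nat in-interface=ether-WAN protocol=tcp src-address=1.2.3.4 dst-address=192.168.1.100 dst-port=81 to-addresses=10.0.1.50 to-ports=81 comment="Camera"

/ip firewall filter
# Accept only forwarded connections that matched a dst-nat rule.
# This rule must sit above any final drop rule in Router 2's forward chain.
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether-WAN comment="Accept Port forwards"
```

Each further service behind Router 2 needs its own pair of rules: one dst-nat on Router 1 and one on Router 2.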

Re: Router behind Router

Posted: Fri Aug 16, 2019 4:22 pm
by Shefartech
Were you able to solve the problems of accessing the camera?
I believe we have similar networks.
I want to be able to access the wireless APs that are connected via a PoE switch on Router 2.

Re: Router behind Router

Posted: Fri Aug 16, 2019 4:23 pm
by Shefartech
The APs have port 443.