Gomo
newbie
Topic Author
Posts: 36
Joined: Sat Jul 24, 2021 6:41 pm

Modem/Router behind the MikroTik

Mon Aug 02, 2021 12:43 am

Hello all,
I've seen similar threads to mine, but couldn't find (or was too dumb to implement) a working solution for my scenario.

My setup: Internet -> ISP Modem (static public IPv4 X.X.X.a & 192.168.178.0/24) -> MikroTik (static public IPv4 X.X.X.b) -> LAN (192.168.100.0/24). The MikroTik router is set up on the ISP modem as an "exposed host".

I can ping my ISP modem from within the LAN, but cannot access its web interface. I'm not sure if I need to set up a specific NAT rule for this, or what exactly needs to be done to get it working.
Here's my current NAT config:

nat.png
Your help would be appreciated!
Last edited by Gomo on Mon Aug 02, 2021 8:25 pm, edited 1 time in total.
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Modem/Router behind the MikroTik

Mon Aug 02, 2021 5:01 pm

Are you sure that the modem's webpage is accessible to you? It's on a public address, so maybe the ISP has restricted access to it?
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Mon Aug 02, 2021 8:29 pm

> Are you sure that the modem's webpage is accessible to you? It's on a public address, so maybe the ISP has restricted access to it?
I forgot to mention that the ISP's modem can be pinged from the LAN via its local IP (ping from my PC 192.168.100.10 to 192.168.178.1, for example). At the moment I have hidden wifi running on my ISP's modem so that I can make changes when needed. And since I can ping it via LAN, there must be a way to reach it via the browser as well. I don't want to unnecessarily cause noise in my MikroTik wifi & use up channels just for this purpose.
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Tue Aug 03, 2021 9:42 pm

Anyone? :|
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Modem/Router behind the MikroTik

Wed Aug 04, 2021 12:16 am

/export hide-sensitive file=anynameyouwish
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 12:52 am

> /export hide-sensitive file=anynameyouwish
config.rsc
there it is :)

Looking forward to your suggestions!
Last edited by Gomo on Thu Aug 05, 2021 2:01 am, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 1:13 am

> ...At the moment I have hidden wifi running on my ISP's modem...
Hidden Wi-Fi does not exist.
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 1:17 am

> Are you sure that the modem's webpage is accessible to you? It's on a public address, so maybe the ISP has restricted access to it?
> At the moment I have hidden wifi running on my ISP's modem so that I can make changes when needed.
That's because it's running on the ISP's modem, so that I have access to it (via wifi).
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 1:25 am

On bridgeLocal, is the admin MAC still the same as the ether1 MAC?
Change that MAC to the ether2 MAC.
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 1:30 am

> On bridgeLocal, is the admin MAC still the same as the ether1 MAC?
> Change that MAC to the ether2 MAC.
I'm not sure I understand what you're saying.. "bridgeLocal" - "Admin. MAC Address" should be changed? What effect would that have?
bridgeLocal.png
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 1:32 am

Is it the same MAC as ether1 or the SFP?
It must be the MAC of ether2.
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 1:35 am

The MAC address matches.. WAN (connection to the ISP modem) of the MikroTik router is ether1, as it should be.
bridgeLocal_MAC.png
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 1:38 am

Fully read what someone writes, not only the first line....

> It must be the MAC of ether2.

Read it now?

You have removed (disabled) ether1 from bridgeLocal,
but you have not changed the admin MAC to that of one of the Ethernet ports still present (active) on the bridge (ether2).
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 1:48 am

> Fully read what someone writes, not only the first line....
>
> It must be the MAC of ether2.
>
> Read it now?
>
> You have removed (disabled) ether1 from bridgeLocal,
> but you have not changed the admin MAC to that of one of the Ethernet ports still present (active) on the bridge (ether2).
No need to get upset, I'm reading what you wrote; the problem is, it was not understandable. Okay, I see that "ether1" is disabled in the localBridge, but I didn't do that manually, it must've happened during the initial configuration.

Should I keep it disabled? or enable it? And, if I keep it disabled, you're saying I should adjust the MAC of the "localBridge" with the MAC of "ether2". Again, what kind of effect will this have?
bridgeLocal_2.png
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 1:52 am

I cannot be upset?
What happens if you have two separate interfaces (ether1 and bridgeLocal) with the same address?
You did not read... I have already explained why this error is present; whether by you or by the "initial configuration" does not matter.
I also suggested the fix.

Can you not reach the configuration pages with 109.?0.15?.2?9 instead?

Probably the router webpage is contacted from 109.?0.15?.230 because you NAT 192.168.100.0/24 on the WAN exit,
and you must omit the NATting for 192.168.178.0/24 because, probably for security, it can reply to ping
but web access is restricted to the same range of addresses, 192.168.178.0/24.
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 2:08 am

> What happens if you have two separate interfaces (ether1 and bridgeLocal) with the same address? (yes, it is administrative access to the bridge)
1. So, should I enable "ether1" OR change the bridgeLocal MAC?

> Can you not reach the configuration pages with 109.?0.15?.2?9 instead?
2. No I cannot, I tried multiple things before creating this forum post.

> Probably the router webpage is contacted from 109.?0.15?.230 because you NAT 192.168.100.0/24 on the WAN exit,
> and you must omit the NATting for 192.168.178.0/24 because, probably for security, it can reply to ping
> but web access is restricted to the same range of addresses, 192.168.178.0/24.


3. Should anything in the NAT be changed or added?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 2:11 am

>duplicate, read next post<
Last edited by rextended on Thu Aug 05, 2021 2:18 am, edited 2 times in total.
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 2:14 am

Maybe you didn't provide an explanation & answer my questions? Even though I asked multiple times. I do not follow "random" suggestions without an explanation. If you can't provide one, how can I be sure I'm not configuring nonsense. Hope you understand.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Modem/Router behind the MikroTik

Thu Aug 05, 2021 2:16 am

Nonsense?
I understand your doubts, but a forum member from 2014 with more than 4500 posts is writing to you, not "one" just registered since July 24th 2021 with 20 posts ...

Explain it yourself:
What happens if you have two separate interfaces (ether1 and bridgeLocal) with the same address?

And the two changes suggested, as anyone can understand, do not cause any explosion inside your home. Maybe... :roll:

> 1. So, should I enable "ether1" OR change the bridgeLocal MAC?
I never wrote to enable ether1 inside the bridge (at most, delete it)
You are unable to read in red? :lol:

I noticed you modified the exported config,
so you can only understand what I have not written, but I pointed this out to you...


> 3. Should anything in the NAT be changed or added?
How many times must I write it before you understand? :mrgreen:

add NOT ! dst-address 192.168.178.0/24 on your SECOND NAT rule

Does your DHCP CLIENT give an address 192.168.178.x/24 to your ether1?
If not, you ALSO put an address 192.168.178.x/24 on your ether1
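A concrete form of the two changes suggested above, added here as an example; it is not taken from the thread or from the poster's export. It translates LAN traffic bound for the modem's own subnet to an address inside that subnet rather than only exempting it from NAT: an exemption alone leaves 192.168.100.x as the source address, and a consumer modem normally has no return route for that subnet other than its Internet default. The subnets and interface names are the thread's; the .2 host address, the rule comments and the position `place-before=1` (the generic srcnat rule being the second rule in the export, as a later reply describes it) are assumptions to verify against `/ip firewall nat print` first. A later reply also reports an ISP requiring the exposed-host port to carry only the public subnet; if that applies, put the 192.168.178.x address on a second router port cabled to one of the modem's LAN ports and use that port as out-interface instead.

```routeros
# Added example, not from the thread. Subnets/interfaces follow the thread;
# the .2 address, comments and rule position are assumptions (see lead-in).

# 1. Give ether1 (WAN side, cabled to the modem's exposed-host port) an address
#    in the modem's LAN, if the DHCP client on ether1 did not already obtain one.
/ip address
add address=192.168.178.2/24 interface=ether1 comment="ISP modem LAN side"

# 2. Translate LAN -> modem-subnet traffic to that address. Placed before the
#    generic srcnat rule (index 1 here: rule 0 is the hairpin rule) so it
#    matches first; the generic rule (masquerade, or src-nat to the fixed public
#    IP) keeps handling everything else.
/ip firewall nat
add chain=srcnat action=src-nat src-address=192.168.100.0/24 \
    dst-address=192.168.178.0/24 out-interface=ether1 \
    to-addresses=192.168.178.2 place-before=1 \
    comment="LAN -> ISP modem: source becomes 192.168.178.2"

# 3. Checks. While a LAN host loads http://192.168.178.1/, the counters on the
#    new rule must increase and the connection entry must show the modem
#    replying to 192.168.178.2, not to the public /30 address.
/ip firewall nat print stats where comment~"ISP modem"
/ip firewall connection print where dst-address~"192.168.178.1"
```

Keeping the modem's management page reachable only from the LAN this way is preferable to the alternative the thread considers further down, enabling the modem's web UI on its public address and a custom port, which exposes that login to the Internet.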
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Tue Aug 10, 2021 11:13 pm

I followed your tips as suggested, but it didn't work..
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Modem/Router behind the MikroTik

Tue Aug 10, 2021 11:22 pm

On the IP address assignment, to be consistent, make the interface bridge-guest instead of wlan3??

Small point on dst-nat: it appears as if you have a static fixed WAN IP, based on your dst-nat rule.
In this case the generic source-NAT rule (second rule, after the hairpin NAT)
should be in the form
add action=src-nat chain=srcnat comment=NAT out-interface=ether1 to-addresses=<public_fixed_ip>

remove if not needed.
/ip upnp interfaces
add interface=bridgeLocal type=internal
add interface=ether1 type=external

set to NONE
/tool mac-server
set allowed-interface-list=LAN
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Wed Aug 11, 2021 1:19 am

> On the IP address assignment, to be consistent, make the interface bridge-guest instead of wlan3??
>
> Small point on dst-nat: it appears as if you have a static fixed WAN IP, based on your dst-nat rule.
> In this case the generic source-NAT rule (second rule, after the hairpin NAT)
> should be in the form
> add action=src-nat chain=srcnat comment=NAT out-interface=ether1 to-addresses=<public_fixed_ip>
>
> remove if not needed.
> /ip upnp interfaces
> add interface=bridgeLocal type=internal
> add interface=ether1 type=external
>
> set to NONE
> /tool mac-server
> set allowed-interface-list=LAN
I've made the suggested changes, which from what I understand improve my configuration a bit, & thanks for that. As for the access to the ISP router, the ping goes through, but I still can't reach its web interface via browser.
IPS-Router-Access.png
Would a separate cable connection make sense? This is my current setup, visualized a bit better:

network layout.png
 
almdandi
Frequent Visitor
Posts: 64
Joined: Sun May 03, 2015 5:22 pm

Re: Modem/Router behind the MikroTik

Wed Aug 11, 2021 2:37 am

Hello,

we have a customer that has a similar setup. The ISP put a Fritzbox after the ONT, to provide VoIP service to one VoIP phone in the 192.168.178.0/24 subnet. To use your own firewall, the ISP configured an exposed host and a second /30 subnet on port 4 or port 1, I can't remember.

The firewall has only the second usable IP address of the second /30 subnet on the WAN interface (ether1). The firewall has no 192.168.178.x/24 IP address and there is no second cable between the firewall and the FritzBox. All traffic that leaves the WAN port is NATed with the public IP address of the firewall. I tested it right now and I can reach (ping and web interface) the Fritzbox and the VoIP phone.

In my opinion there is no need for special NAT rules.

192.168.x.10 (LAN) -> 192.168.178.1 (Fritzbox)

1.) 192.168.x.10 will route the packet to its default gateway (own firewall)
2.) the firewall also has no route for 192.168.178.0/24, so it will also route the packet to its default gateway (Fritzbox) but will change the source IP address of the packets to the public WAN IP address (e.g. 1.1.1.2/30)
3.) packets arrive at the Fritzbox and get processed.
4.) the Fritzbox sends the answer to the source IP address of the arrived packet. In your example 1.1.1.2
5.) the firewall routes the packets from the Fritzbox, based on the connection table, to 192.168.x.10
 
Gomo (newbie, Topic Author)

Re: Modem/Router behind the MikroTik

Wed Aug 11, 2021 7:45 am

> Hello,
>
> we have a customer that has a similar setup. The ISP put a Fritzbox after the ONT, to provide VoIP service to one VoIP phone in the 192.168.178.0/24 subnet. To use your own firewall, the ISP configured an exposed host and a second /30 subnet on port 4 or port 1, I can't remember.
>
> The firewall has only the second usable IP address of the second /30 subnet on the WAN interface (ether1). The firewall has no 192.168.178.x/24 IP address and there is no second cable between the firewall and the FritzBox. All traffic that leaves the WAN port is NATed with the public IP address of the firewall. I tested it right now and I can reach (ping and web interface) the Fritzbox and the VoIP phone.
>
> In my opinion there is no need for special NAT rules.
>
> 192.168.x.10 (LAN) -> 192.168.178.1 (Fritzbox)
>
> 1.) 192.168.x.10 will route the packet to its default gateway (own firewall)
> 2.) the firewall also has no route for 192.168.178.0/24, so it will also route the packet to its default gateway (Fritzbox) but will change the source IP address of the packets to the public WAN IP address (e.g. 1.1.1.2/30)
> 3.) packets arrive at the Fritzbox and get processed.
> 4.) the Fritzbox sends the answer to the source IP address of the arrived packet. In your example 1.1.1.2
> 5.) the firewall routes the packets from the Fritzbox, based on the connection table, to 192.168.x.10

Well, this pretty much describes my setup / situation. The question is, how do I reach the ISP router's web interface.. What I don't get is, why can I ping it but not reach the web interface? I guess the "exposed host" part in this scenario means that there's no active firewall for traffic that is passing through the FritzBox via port 4, but the FritzBox itself still keeps its firewall active for everything else... idk. Anyways, there's also an option to make the FritzBox reachable via its public IP & a custom port. I enabled this option and I can reach it just fine (when I'm outside of my local network), but from within the MikroTik local network, I cannot reach it via PUBLIC IP:PORT. Is this where traffic 'masquerading' plays a role? How did your customer solve this issue?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Modem/Router behind the MikroTik

Wed Aug 11, 2021 10:31 am

> 192.168.x.10 (LAN) -> 192.168.178.1 (Fritzbox)
4.) the Fritzbox DOES NOT send the answer to the source IP address of the arrived packet, 1.1.1.2 in your example, because it is not on the 192.168.178.0/24 network
> 5.) the firewall routes the packets from the Fritzbox, based on the connection table, to 192.168.x.10
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Modem/Router behind the MikroTik

Wed Aug 11, 2021 10:34 am

@Gomo,

as ping works and web access doesn't, I'd expect some trouble at application level or at TCP level. Hence my first step would be to sniff on the WAN port of the Mikrotik, filtering by the IP address of the Fritz you are trying to access.

Open a CLI window (press [Terminal] in Winbox/WebFig or use ssh) and make it as wide as your screen permits. Then set a file name:
/tool sniffer set file-name=einige-schoene-name.pcap

Next, run
/tool sniffer quick interface=ether1 ip-address=<PublicIPfromTheGateway-ISP-Modem>
and try to access the web interface of the Fritz. You will see whether the 4011 sends TCP packets to the Fritz and whether Fritz sends any responses.

If you can see bi-directional communication, break the sniffing and use /tool sniffer packet print detail to see more information about the individual packets (namely, the TCP flags); if that's still insufficient, download einige-schoene-name.pcap from the 4011 and open it using Wireshark.

As you have quite an unusual setup (a public /30 between the Fritz and the 4011), it may be that management access filtering in the Fritz configuration forbids web access from any public IP, without taking into account that the request comes in via LAN interface.

Another thing I'd try would be to disable the action=drop rule in /ip firewall raw - if that helps, it means the logic of populating the ddos-attackers address list is broken.
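The capture described above, narrowed to the one attempt that matters; this is an added example, not part of sindy's post. It filters on the modem's LAN address 192.168.178.1 (the address the original poster pings) instead of the modem's public address, and records only TCP to the web ports, so the trace holds little besides the connection attempt. The file name and size limits are assumptions, and the raw-rule number disabled at the end must be read off `/ip firewall raw print` first rather than copied from here.

```routeros
# Added example, not from the thread. 192.168.178.1 is the modem address the
# poster pings; file name, limits and the raw rule number are assumptions.

# Record only TCP to the modem's web ports as seen on the WAN port.
/tool sniffer set filter-interface=ether1 filter-ip-address=192.168.178.1/32 \
    filter-ip-protocol=tcp filter-port=80,443 \
    file-name=modem-web.pcap file-limit=4096KiB memory-limit=4096KiB
/tool sniffer start
# ... now open http://192.168.178.1/ from a LAN host, then:
/tool sniffer stop

# Read the packet list: direction (rx/tx) plus the TCP flags tell the story.
#   tx SYN, no rx SYN/ACK            -> the modem (or the ISP) drops or ignores it
#   tx SYN, rx RST                    -> port closed, or access denied for that source
#   tx SYN with a 192.168.100.x source -> srcnat did not apply; the modem has no
#                                       return route for that subnet, so no reply
/tool sniffer packet print detail
/tool sniffer connection print

# sindy's other suspect: the raw-table drop fed by the ddos-attackers list.
# Inspect before disabling; if the LAN host or the modem is listed here, the
# list logic is what blocks the web session while ICMP still gets through.
/ip firewall address-list print where list=ddos-attackers
/ip firewall raw print
# Disable that single rule by the number shown in the print output (0 assumed).
/ip firewall raw disable numbers=0
```

If the trace shows a SYN leaving ether1 and a SYN/ACK coming back, the problem is past the router and `modem-web.pcap` opened in Wireshark will show where the HTTP exchange stalls; if nothing comes back at all, the modem's own access restrictions or the ISP's exposed-host policy are the remaining candidates.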
 
almdandi
Frequent Visitor
Posts: 64
Joined: Sun May 03, 2015 5:22 pm

Re: Modem/Router behind the MikroTik

Wed Aug 11, 2021 5:05 pm

@rextended
In the case of our customer, the Fritzbox routes the traffic normally between the public subnet (port 4) and the 3 LAN ports (192.168.178.0/24).

As sindy said, a packet capture on the WAN port with the sniffer tool would be a good idea.

I think I forgot to mention: the ISP support said that the WAN port on your firewall should only have the public subnet configured. Otherwise the exposed host functionality will break. I don't know exactly why, but if you need a 192.168.178.x/24 on your firewall, you can configure a second port for that on your firewall.
