xtrgeo
newbie
Topic Author
Posts: 39
Joined: Fri Jun 08, 2012 12:07 am

Help on accessing rb450g from internet

Fri Jun 08, 2012 12:18 am

Hello,

My setup is that I have two ADSL modem-routers for connecting to the internet. Their IP addresses are:

modem 1: 192.168.2.1
modem 2: 192.168.3.1

These two are connected to my RB450G on the eth2 and eth3 interfaces, and their IPs are:

eth2: 192.168.2.2
eth3: 192.168.3.2

Using rules for PCC, traffic is balanced very well.

If I am at a PC in my LAN (eth1 on the MikroTik, 192.168.1.1, interface name: Local), I can access the router's interface by typing 192.168.1.1 into a browser.

What I want to achieve is to access the router from the internet, using the public IP of each modem-router.

I have forwarded port 80 from both of the modem-routers to the internal IP of the MikroTik (each on its own).

Do I have to set up any rule on the MikroTik, although I can access it from the LAN by simply typing 192.168.1.1 into my browser, in order to access it through the public IP of one of the modem-routers?

Thanks
 
Devil
Member Candidate
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: Help on accessing rb450g from internet

Fri Jun 08, 2012 2:18 pm

It depends on your firewall filtering. Is port 80 open for all interfaces or only for your local interface? You could make sure that it's open for all by putting the following rule at the top of your firewall filter input chain:
/ip firewall filter add chain=input protocol=tcp dst-port=80 action=accept
Also, make sure no dstnat is being applied for incoming packets on port 80.

I'm sure you know that port 80 is only for the www service in MikroTik by default, so you can't connect to your router with WinBox from the internet, for example.
 
xtrgeo
newbie
Topic Author
Posts: 39
Joined: Fri Jun 08, 2012 12:07 am

Re: Help on accessing rb450g from internet

Fri Jun 08, 2012 8:20 pm

Thanks for the answer.

Below is my configuration:

[admin@xxxxx] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=accept protocol=tcp dst-port=80
 1 X ;;; default configuration
     chain=input action=accept protocol=icmp
 2 X ;;; default configuration
     chain=input action=accept connection-state=established
 3 X ;;; default configuration
     chain=input action=accept connection-state=related
 4 X ;;; default configuration
     chain=input action=drop in-interface=Local
 5 X chain=input action=accept protocol=tcp in-interface=WAN1
 6 X chain=input action=accept protocol=tcp in-interface=WAN1 dst-port=80
 7 X chain=input action=accept protocol=tcp in-interface=WAN2 dst-port=80

[admin@xxxxx] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=Local 
 1   chain=srcnat action=masquerade out-interface=WAN1 
 2   chain=srcnat action=masquerade out-interface=WAN2 
 3 X chain=srcnat action=masquerade src-address-list=Allowed-Internet out-interface=WAN1 
 4 X chain=srcnat action=masquerade src-address-list=Allowed-Internet out-interface=WAN2 
 5   chain=dstnat action=dst-nat to-addresses=192.168.1.245 to-ports=80 protocol=tcp dst-address=192.168.3.2 dst-port=41245

[admin@xxxxxx] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=accept dst-address=192.168.2.0/24 in-interface=Local 
 1   chain=prerouting action=accept dst-address=192.168.3.0/24 in-interface=Local 
 2   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes in-interface=WAN1 connection-mark=no-mark 
 3   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes in-interface=WAN2 connection-mark=no-mark 
 4   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local in-interface=Local connection-mark=no-mark per-connection-classifier=both-addresses:2/0 
 5   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local in-interface=Local connection-mark=no-mark per-connection-classifier=both-addresses:2/1 
 6   chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes in-interface=Local connection-mark=WAN1_conn 
 7   chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes in-interface=Local connection-mark=WAN2_conn 
 8   chain=output action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn 
 9   chain=output action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn 
10 X chain=input action=mark-connection new-connection-mark=from_WAN1 passthrough=yes in-interface=WAN1 
11 X chain=input action=mark-connection new-connection-mark=from_WAN1 passthrough=yes in-interface=WAN2

If you notice, there is one NAT rule (no. 5) that forwards port 41245 from 192.168.3.1 to an internal server, on its port 80. I mean that there is a port forward in the ADSL modem-router that forwards port 41245 from 192.168.3.1 to 192.168.3.2:41245 (MikroTik's WAN2 port). With the NAT rule this packet goes from the MikroTik to the internal server, changing the port from 41245 to 80. This works fine and I can access my server from outside.
But I still cannot access MikroTik's web interface from outside...

Do you see anything wrong in my configuration?
 
tjc
Member Candidate
Posts: 276
Joined: Sun Jul 10, 2011 3:08 am

Re: Help on accessing rb450g from internet

Sat Jun 09, 2012 7:58 pm

BTW - If you're going to do this I strongly recommend using some kind of whitelist for access control, and preferably an encrypted connection.
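
An added example, not part of the original posts and not MikroTik's own code: a small audit that parses `/ip firewall filter print` output in the format posted above and reports enabled input-chain accept rules that reach a management port with no source restriction, which is the gap the whitelist recommendation closes. The port set, the `mgmt-allowed` list name and the constructed rule 8 are assumptions; rule ordering (first match wins) and negated port specs are not modelled.

```python
import re

# RouterOS default service ports, plus 8080 (where www was moved in this thread).
MGMT_PORTS = {21, 22, 23, 80, 443, 8080, 8291, 8728, 8729}
RULE_START = re.compile(r"^\s*(\d+)\s+((?:[XID]\s+)*)(.*)$")

# Rules 0, 2, 6: from the output posted above. Rule 8: constructed, hypothetical list name.
SAMPLE = """\
 0   chain=input action=accept protocol=tcp dst-port=80
 2 X ;;; default configuration
     chain=input action=accept connection-state=established
 6 X chain=input action=accept protocol=tcp in-interface=WAN1 dst-port=80
 8   chain=input action=accept protocol=tcp dst-port=8080 src-address-list=mgmt-allowed
"""

def parse_rules(text):
    """Turn `print` output into dicts; comment and continuation lines are handled."""
    rules = []
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:
            rules.append({"n": int(m.group(1)), "disabled": "X" in m.group(2), "props": {}})
        if not rules:
            continue  # prompt or "Flags:" header before the first rule
        rest = m.group(3) if m else line.strip()
        if not rest.startswith(";;;"):
            rules[-1]["props"].update(t.split("=", 1) for t in rest.split() if "=" in t)
    return rules

def ports(spec):
    """Expand '80', '80,443' or '8000-8100' (negated specs are not handled)."""
    return {n for part in spec.split(",")
            for n in range(int(part.split("-")[0]), int(part.split("-")[-1]) + 1)}

def exposed_mgmt_rules(text, lan_ifaces=("Local",)):
    """Enabled input/accept rules reaching a management port from any source."""
    findings = []
    for r in parse_rules(text):
        p = r["props"]
        if r["disabled"] or p.get("chain") != "input" or p.get("action") != "accept":
            continue
        if p.get("protocol", "tcp") != "tcp" or "new" not in p.get("connection-state", "new"):
            continue
        if "src-address" in p or "src-address-list" in p or p.get("in-interface") in lan_ifaces:
            continue
        hit = MGMT_PORTS & ports(p["dst-port"]) if "dst-port" in p else MGMT_PORTS
        if hit:
            findings.append((r["n"], sorted(hit)))
    return findings
```

On the sample, only rule 0 is reported: it accepts TCP port 80 on every interface from any source, while the constructed rule 8 is skipped because it is tied to an address list.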
 
xtrgeo
newbie
Topic Author
Posts: 39
Joined: Fri Jun 08, 2012 12:07 am

Re: Help on accessing rb450g from internet

Mon Jun 11, 2012 3:04 pm

It seems that the problem begins from the ADSL routers. As soon as I changed the IP service port on MikroTik from 80 to 8080, and forwarded this port from the ADSL routers, I can access the router from outside...
Yes, I will use a secure connection and whitelist, thanks for the recommendation...
 
Devil
Member Candidate
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: Help on accessing rb450g from internet

Mon Jun 11, 2012 4:30 pm

It might be your ISP. Some ISPs block access to certain ports, usually vulnerable ports known to be used by viruses or attackers. Blocking port 80 is quite a bold move though. You could contact them and ask them about it.
