 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

How to manage a RB behind a RB from the WAN?

Tue Jan 29, 2013 12:55 am

Hi there,

I've got a setup where I would like to manage all RBs on site; it's set up in the following way (see diagram).

I want to be able to access the Winbox for all RBs on the network if needed. I believe it's just a matter of port forwarding but I can't seem to get it to work. Can anyone help me please?
To show support for those with food allergies/intolerances please download the application from www.biteappy.com
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: How to manage a RB behind a RB from the WAN?

Tue Jan 29, 2013 1:09 am

It would probably be less work and more secure to VPN to the first device and then access the Winbox interface on all of them via the (encrypted) VPN
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
cbrown
Trainer
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

How to manage a RB behind a RB from the WAN?

Tue Jan 29, 2013 1:12 am

Do you have a central location that the routers can establish a PPTP or L2TP connection to?

You could also VPN to their network and have access through the VPN.
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Tue Jan 29, 2013 10:40 pm

Hi thank you for your replies.

I do have a hosted VPN server which they could all connect to (Linux based machine). But if I was to use that method, could I access the RBs from my remote PC by connecting to the VPN machine?
Also, if I remember correctly, I've set up the machine so that it isolates all VPN connections from each other as there are public users that connect in.

I use DMAsoftlabs to authorise users and devices on the network which again is held on another hosted server.

I guess it would be better if I could connect into the 'master' aka site 1 RB450G and then access Winbox from there. But once I've connected into that RB how do I allow the discovery tool to find the others (i.e. firewall rules)?
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: How to manage a RB behind a RB from the WAN?

Tue Jan 29, 2013 11:19 pm

> I guess it would be better if I could connect into the 'master' aka site 1 RB450G and then access winbox from there. But once I've connected into that RB how do I allow the discovery tool to find the others (i.e. firewall rules)

If you know the IP address of those internal routers then you don't need to have discovery running to use Winbox - you can just use the IP address directly.

 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 12:00 am

Oh really? Is that the case if they are based on a hotspot setup too?
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 12:30 am

> Oh really? Is that the case if they are based on a hotspot setup too?

As long as the port is open in the input filter chain and the router has a valid IP route back to you it should be possible to simply enter the IP number directly.

Note that in certain situations if you VPN to a front door device like your site 1 it might be necessary to run proxy arp on its internal interface so that it answers ARP requests on behalf of your VPN session IP address.

 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 1:36 pm

OK, I've been playing with this configuration but I can't seem to get it to work correctly.

The remote PC connects via VPN to the RB (main) - of which I can:
Ping Main RB = OK
Ping/use internet = OK
Ping remote PC from RB = OK

Ping sub RB = Fail
PING 10.5.50.240 (10.5.50.240): 56 data bytes
92 bytes from 10.5.50.242: Dest Unreachable, Bad Code: 10
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 c2d1   0 0000  3f  01 3ef3 10.5.50.235  10.5.50.240 

Winbox to sub RB whilst in VPN = Fail
Winbox to 10.5.50.1 (main RB) whilst in VPN = OK
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 1:45 pm

I use the CLI for this instead of Winbox. It works well. If I want to connect to client1 router, then from a command prompt on your WAN computer:
ssh 86.86.86.86
(login)
/system
ssh 10.5.50.2
(login)
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 1:53 pm

I did think of using CLI but the problem with that is, from a Mac winbox doesn't allow copy/paste so if there is bulk uploads to be done it would be a nightmare.
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 1:56 pm

What IP is the VPN client being given?
Is proxy arp running on the internal interface of the main router?
What does the routing table look like on the devices that you can't ping?

 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:03 pm

Then I would dstnat the Winbox port to that localnet ip in your core router when I need it.
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=86.86.86.86 dst-port=8291 to-addresses=10.5.50.2 to-ports=8291 protocol=tcp
Otherwise, you might want to try setting up a VPN.
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:11 pm

The VPN client is getting an internal IP once connected - 10.5.50.200.
Proxy ARP is running and maintains a list of all clients connected to the main RB.
I can't get a print out of the routing table as I'm at another location now - but all clients connected are working fine. From the remote PC, I cannot ping any other device on the network other than the main RB.
 
che
Frequent Visitor
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:14 pm

> I believe it's just a matter of port forwarding but I can't seem to get it to work. Can anyone help me please.

ros code

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=86.86.86.86 dst-port=8292 to-addresses=10.5.50.2 to-ports=8291 protocol=tcp
add chain=dstnat action=dst-nat dst-address=86.86.86.86 dst-port=8293 to-addresses=10.5.50.3 to-ports=8291 protocol=tcp
add chain=dstnat action=dst-nat dst-address=86.86.86.86 dst-port=8294 to-addresses=10.5.50.4 to-ports=8291 protocol=tcp
How to use alternate Winbox port:

Image


Note: I suggest protecting access to these via src address list
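
The note above about restricting these forwards by source address can be checked mechanically. The following is an added example, not part of che's post or any other post in this thread: a small Python audit that reads a RouterOS `/export`, joins the backslash-continued lines, and lists enabled dst-nat rules that reach Winbox or SSH with no `src-address` or `src-address-list` match. The address-list name `mgmt-allow` and the disabled rule are constructed for illustration; negated matchers and interface restrictions are not interpreted.

```python
import shlex

# Management ports named in this thread: Winbox (8291) and SSH (22).
MGMT_PORTS = {8291: "winbox", 22: "ssh"}

# Constructed sample export. The first two rules are forwards from the post
# above; the disabled rule and the rule restricted to the hypothetical
# address list "mgmt-allow" are constructed variants.
SAMPLE_EXPORT = r"""
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=86.86.86.86 dst-port=8292 to-addresses=10.5.50.2 to-ports=8291 protocol=tcp
add chain=dstnat action=dst-nat dst-address=86.86.86.86 dst-port=8293 to-addresses=10.5.50.3 to-ports=8291 protocol=tcp
add chain=dstnat action=dst-nat disabled=yes dst-address=86.86.86.86 dst-port=8294 to-addresses=10.5.50.4 to-ports=8291 protocol=tcp
add action=dst-nat chain=dstnat dst-address=86.86.86.86 dst-port=8295 protocol=tcp src-address-list=mgmt-allow to-addresses=\
    10.5.50.240 to-ports=8291
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
"""


def logical_lines(text):
    """Yield export lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]          # keep any space that preceded the backslash
            continue
        line, buf = buf + line, ""
        if line:
            yield line


def parse_rules(text):
    """Return (menu, params) for every 'add' line in the export."""
    menu, rules = None, []
    for line in logical_lines(text):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]   # shlex keeps quoted comments whole
            rules.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules


def ports(spec):
    """Expand a port spec such as '88,3074' or '67-68'; negated specs give an empty set."""
    out = set()
    if not spec or spec.startswith("!"):
        return out
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def exposed_mgmt_forwards(text):
    """List enabled dst-nat rules that reach a management port from any source."""
    findings = []
    for menu, p in parse_rules(text):
        if menu != "/ip firewall nat" or p.get("chain") != "dstnat":
            continue
        if p.get("action") != "dst-nat" or p.get("disabled") == "yes":
            continue
        # Without to-ports the destination port is left unchanged by dst-nat.
        hit = sorted(ports(p.get("to-ports") or p.get("dst-port")) & set(MGMT_PORTS))
        restricted = "src-address" in p or "src-address-list" in p
        if hit and not restricted:
            findings.append({"wan_port": p.get("dst-port"),
                             "to": p.get("to-addresses"),
                             "service": MGMT_PORTS[hit[0]]})
    return findings


if __name__ == "__main__":
    for f in exposed_mgmt_forwards(SAMPLE_EXPORT):
        print(f"WAN tcp/{f['wan_port']} -> {f['to']} ({f['service']}) has no source restriction")
```

On the sample it reports the forwards on WAN ports 8292 and 8293, and skips the disabled rule and the one matched against the address list.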
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:20 pm

I've tried that port forwarding suggestion - but I'm still unable to get connected. Winbox is replying back with no response.
 
che
Frequent Visitor
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:27 pm

Then you are missing the following rule

ros code

/ip firewall nat
add action=src-nat chain=srcnat disabled=no src-address=10.5.50.0/24 to-addresses=86.86.86.86
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:32 pm

I recommend you post "/ip firewall nat" and "/ip firewall filter" from the core router and one client. That may be blocking everything, including the VPN connections.

I like che's solution, but you should use a really good password, or other security. I use port knocking so I can connect from anywhere.

@che: I don't need a related srcnat to do this. The dstnat routes in and out, according to my tests.
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:36 pm

Even with that rule it has the same issues.
Please note the correct external IP is 86.27.83.232
internal IP of client = 10.5.50.240

/ip firewall nat
add action=src-nat chain=srcnat disabled=no src-address=10.5.50.0/24 to-addresses=86.27.83.232
add action=dst-nat chain=dstnat disabled=no dst-address=86.27.83.232 dst-port=8295 protocol=tcp to-addresses=\
    10.5.50.240 to-ports=8291
add action=accept chain=pre-hotspot comment="Hotspot bypass rule " disabled=no dst-address=!10.5.50.0/24 \
    hotspot=auth
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade management pc network" disabled=no src-address=\
    192.168.11.0/24
/ip firewall filter
add action=log chain=forward comment="Radius " connection-state=new disabled=no log-prefix="" protocol=tcp \
    src-address=10.5.50.0/24
add action=log chain=forward comment=Radius connection-state=new disabled=no log-prefix="" protocol=udp \
    src-address=10.5.50.0/24
add action=drop chain=forward disabled=no dst-address=10.0.0.0/24 hotspot=from-client src-address=10.0.0.0/24
add action=drop chain=forward disabled=no dst-address=192.168.11.0/24 src-address=10.5.50.0/24
add action=add-src-to-address-list address-list=VOIP_list address-list-timeout=0s chain=forward comment=\
    "Voip list" connection-type=sip disabled=no
add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=10.5.50.0/24
add action=drop chain=forward disabled=no dst-address=192.168.100.0/24 src-address=10.5.50.0/24
add action=accept chain=forward comment="xbox live" disabled=no dst-port=88,3074 protocol=tcp src-port=88,3074
add action=accept chain=forward comment="xbox live" disabled=no dst-port=88,3074 protocol=udp src-port=88,3074
add action=accept chain=input disabled=no src-address-list=Trust
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=no
add action=drop chain=forward disabled=no src-mac-address=00:1B:11:E1:00:CC
add action=accept chain=icmp comment="allow established connections" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="allow already established connections" disabled=no icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp
add action=accept chain=output content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/2m \
    protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=drop chain=forward comment="drop non authorised hs users" disabled=no hotspot=!from-client \
    in-interface=vlan2-customers
add action=accept chain=forward disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list="" address-list-timeout=0s chain=forward connection-limit=30,32 \
    disabled=no dst-port=25 limit=50,5 protocol=tcp
add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25 protocol=tcp src-address-list=\
    spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=virus comment=\
    "add to spammer list" connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp
add action=accept chain=icmp comment="drop invalid connections" disabled=no icmp-options=0:0 protocol=icmp
add action=drop chain=input comment="Drop FTP Brute Forcers" disabled=no dst-port=21 protocol=tcp \
    src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content=\
    "530 Login incorrect" disabled=no protocol=tcp
add action=drop chain=input comment="Drop SSH Brute Forcers" disabled=no dst-port=22 protocol=tcp \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=0s chain=input \
    connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=0s chain=input \
    connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=0s chain=input \
    connection-state=new disabled=no dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=0s chain=input \
    connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=drop chain=forward disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=drop chain=forward comment="block other network" disabled=no src-address=192.168.1.0/24
add action=drop chain=forward comment="block other network" disabled=no dst-address=192.168.1.0/24
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=135 protocol=udp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=\
    "Port scanners to list " disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=\
    "NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=\
    "SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=\
    "SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=\
    "FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=\
    "ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=\
    "NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:37 pm

> I recommend you post "/ip firewall nat" and "/ip firewall filter" from the core router and one client. That may be blocking everything, including the VPN connections.
>
> I like che's solution, but you should use a really good password, or other security. I use port knocking so I can connect from anywhere.
>
> @che: I don't need a related srcnat to do this. The dstnat routes in and out, according to my tests.

Yes, once it's working port knocking with block list will be in place. Although since I have a radius server a VPN setup would be best.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:38 pm

I see hotspot rules! Which router has the hotspot? Is that your core router? Is the hotspot on the interface with the client routers?
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:41 pm

The hotspot is on the Core router - all 10.5.50.X are in the hotspot range. But yes, it's on the same interface.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:47 pm

It may be a bit premature, but I will guess that is your problem with everything. You will need to bypass the router mac addresses through the hotspot if you expect a reply from them through that interface.
/ip hotspot ip-binding
add mac-address=xx:xx:xx:xx:xx:xx type=bypassed
Have you disabled the 1:1 NAT in the hotspot? If not, you may have trouble with the translation there too.
/ip hotspot
set 0 address-pool=none
WARNING! If you bypass those routers, and they have a masquerade on their WAN interfaces, any clients behind those routers will be bypassed also.
Last edited by SurferTim on Wed Jan 30, 2013 2:53 pm, edited 1 time in total.
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:52 pm

The problem is if I bypass it, then users on that router can't be checked against the radius server.

See, I know the setup isn't ideal and really it should use PPPoE for any routers. On this network there is a mixture of routers/APs - clients can either log in to an AP for quick access or to a router (allowing their connection to be shared).

In terms of trying to keep it simple and user friendly the only method I can think of which doesn't require any knowledge is just a simple login using the hotspot system.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 2:56 pm

Do you know that once one user logs in on that router, and that router has a masquerade, all users behind that router are also logged in on that username?

I recommend using hotspots on the remote (client) routers, but that is just the way I do it.
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 3:01 pm

I am aware of that, and that is how I wanted it to work in this case.

Is there any other method I can use to get around this issue?
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 3:08 pm

I don't see a way to do that without causing security issues. With a masquerade in the client router, the hotspot only sees the ip/mac of the router. It has no way of telling whether the traffic is the router OS or a client behind it.

Normally, I would recommend removing the masquerade and routing all that, but that would disable the "one logs in, all logged in" thing, and you said you want that.

I'll think about it tho. Maybe someone else knows this part.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How to manage a RB behind a RB from the WAN?

Wed Jan 30, 2013 3:24 pm

I thought about it. Maybe there is a way, but I do not have my normal routers here to test it. One is TDY to a customer location while waiting for a warranty replacement.

Assign two ips to each client router WAN. Don't use a masquerade, use a srcnat. I'll use 10.0.0.2/24 and 10.0.0.3/24 as the two ips assigned to the client WAN (attached to hotspot interface on the core router) and 192.168.0.1/24 is on the client localnet. Then in the client router:
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=10.0.0.2 src-address=192.168.0.1/24
add chain=srcnat action=src-nat to-addresses=10.0.0.3
Now bypass 10.0.0.3 as an ip in the hotspot.

I have not tried this.
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

How to manage a RB behind a RB from the WAN?

Thu Jan 31, 2013 2:00 am

Thanks for the info. I'll try that out ASAP.

So just to confirm:
By doing what you've suggested, any users beside the 'client' RB will still all have access as long as one person logs in.

As I mentioned, the hotspot network has a mix of APs (which individually authorize users) and client RBs (one user logs in and everyone who has access can use the Internet, no log out required).
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How to manage a RB behind a RB from the WAN?

Thu Jan 31, 2013 2:31 pm

In my example, the clients will be srcnatted to 10.0.0.2. That ip should not be bypassed. One client behind the router must login to get access.

Winbox should use 10.0.0.3 to connect to the router. It should be bypassed by ip address.
/ip hotspot ip-binding
add address=10.0.0.3 type=bypassed
edit: This will also allow router services like NTP to work correctly behind the hotspot. The RouterOS will use 10.0.0.3 for that.
 
H2009
Member Candidate
Member Candidate
Topic Author
Posts: 137
Joined: Tue Oct 26, 2010 8:46 am

Re: How to manage a RB behind a RB from the WAN?

Sun Feb 03, 2013 4:01 pm

Hi,
I gave this a go but I couldn't get it to work correctly - still the same issue of not being able to connect.

Could the same results be achieved with PPTP to the core router and then connecting into that on the PPTP client IP?
