Port forwarding across Nat'd network

Arpanet · Thu May 01, 2014 7:22 pm

Below my network map. I'm trying to access ip camera outside lan.
As you can see everything is behind NAT.
Should I bridge one layer instead of NAT layer?
I don't know how to set port forwarding.
All hardware (except for the camera) is based on routerOS

Egate · Fri May 02, 2014 12:06 am

Forwarding port 80 is almost always a bad idea, because there is so many things using port 80, not least of all web pages. In this case you would create a firewall rule in access point firewall dst-nat with dst ip 192.168.6.1 and action dst-ip = 192.168.0.100 This will route all traffic coming in on 192.168.6.1 to 192.168.0.100. Would probably be a good idea to create rule with masquerading on the interface going from AP to camera. Would be better to change camera ip to, as example port 808, in which case you would change firewall rule to include dst-port 808.

Arpanet · Fri May 02, 2014 12:16 pm

The problem is not the port, but how to set routing and forwarding.
I could use another port instead of 80.

@egate I did not understand what you told...so confusing

Egate · Fri May 02, 2014 11:57 pm

Add this to firewall nat, should function if you enter 192.168.6.1:808 in browser. Read explanation again.

add action=dst-nat chain=dstnat comment="Publick IP" \
disabled=no dst-address=192.168.6.1 dst-port=808 protocol=tcp \
to-addresses=192.168.0.100 to-ports=80
add action=masquerade chain=srcnat disabled=no dst-port=808 out-interface=\
ether1 protocol=tcp

Arpanet · Sat May 03, 2014 12:30 am

sorry for my ignorance, I am newbie...
so you suggest to forward all traffic comin on modem 192.168.6.1 to 192.168.0.100 through port 808?
Rules you posted are to be set into modem?
Where do I run dynamic dns client?
Is ip routing involved with port forwarding?

Egate · Sat May 03, 2014 11:22 am

Ok, my bad. Assumed equipment was mikrotik equipment. Which make modem and what mikrotik gear do you have?

Caci99 · Sat May 03, 2014 2:03 pm

There are too many nodes (NAT) involved in that map which is not good. If you can I would recommend to bridge them until you serve the final network.
Anyway, there are two ways to reach to your camera. First is by doing a nat rule on every node:

/ip firewall nat
add chain=dst-nat dst-address=modem address protocol=tcp dst-port=8080 action=dstnat to-addresses=192.168.6.10 to-ports=8080

this rule is placed on modem and will forward the request on port 8080 to the access point with address=192.168.6.10. Obviously the syntax for the modem is different, but you get the idea

/ip firewall nat
add chain=dst-nat dst-address=192.168.6.10 protocol=tcp dst-port=8080 action=dstnat to-addresses=192.168.10.60 to-ports=8080

this rule is placed on the access point and will forward the request to the other router

/ip firewall nat
add chain=dst-nat dst-address=192.168.10.60 protocol=tcp dst-port=8080 action=dstnat to-addresses=192.168.88.200 to-ports=8080

/ip firewall nat
add chain=dst-nat dst-address=192.168.88.200 protocol=tcp dst-port=8080 action=dstnat to-addresses=192.168.0.100 to-ports=80

this the final dstnat on the last router reaching at your IP Camera.

The other method would be adding static routes on each node and only one dstnat rule on the first node which is the modem:

/ip routes
add dst-address=192.168.0.0/24 gateway=192.168.6.10

/ip routes
add dst-address=192.168.0.0/24 gateway=192.168.10.60

/ip routes
add dst-address=192.168.0.0/24 gateway=192.168.88.200

These rules, each one placed on the respective nodes (modem, access point, next one) are basically telling the modem where to find the network 192.168.0.0/24 where your IP Camera is. Once the modem finds the camera, just add a dstnat on the modem with destination 192.168.0.100

Arpanet · Sat May 03, 2014 4:33 pm

now it's very clear caci99..thanks
but how about dynamic dns client? Shouldn't I run it?
Which way is better between forwarding and ip routing?
I'd like to keep my current configuration, I feel safe with NAT...

Caci99 · Sat May 03, 2014 9:08 pm

but how about dynamic dns client? Shouldn't I run it?

You mean dhcp client? What about them? If you mean that tey do have a dynamic IP because of the dhcp server, then you can force the dhcp server to give them the same IP by setting the client as static in the lease table of dhcp server.

Which way is better between forwarding and ip routing?

Basically is just the same. I would have used static routing because it might come at hand for future configurations.

Arpanet · Sat May 03, 2014 9:13 pm

Dynamic dns client, I'm talking about public ip from my isp is dymanic
http://en.wikipedia.org/wiki/Dynamic_DNS

Caci99 · Sat May 03, 2014 9:20 pm

Dynamic dns client, I'm talking about public ip from my isp is dymanic
http://en.wikipedia.org/wiki/Dynamic_DNS

Oh, I see. Well that depends on the modem, what kind of dyndns it supports, since it the modem who gets the dynamic public IP.

Arpanet · Sat May 03, 2014 9:23 pm

So it should be run into the modem?
Correct?

Caci99 · Sat May 03, 2014 9:27 pm

So it should be run into the modem?
Correct?

Yes.

Port forwarding across Nat'd network

Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Re: Port forwarding across Nat'd network

Who is online