adamdavi3s
just joined
Topic Author
Posts: 13
Joined: Thu Sep 10, 2020 10:45 pm

Forward ALL ports to router

Tue Jan 25, 2022 10:07 am

Hi All,

I have a bit of a funky setup and I am trying to get dynamic DNS running. Honestly, I know "bits" of this stuff and it always gives me a headache.

I have a DrayTek Vigor 2862 which I have got set up with their dynamic DNS service all fine and routing through the MikroTik; however, I am struggling to get the server domain(s) to connect. I have the DrayTek as it balances between two WANs, a fibre and the MikroTik LTE6 on 4G. Currently the fibre has a static IP and I use the DrayTek to route all the necessary traffic over WAN1 to the correct servers.

I want to get rid of the fibre and just have the LTE on WAN2, what I am struggling to do is forward all the ports from Mikrotik to my DrayTek for routing, I just literally want to forward everything directly to the DrayTek and have the LTE acting just as a modem as it is now
 
Zacharias
Forum Guru
Posts: 3281
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Forward ALL ports to router

Tue Jan 25, 2022 10:23 am

I am confused...
You have a dynamic DNS configured on your DrayTek router, so I guess you want to access some type of services in your local network through that DNS, right?
If yes, what you need is to port forward from your DrayTek to your MikroTik (since it routes traffic) the appropriate ports that the end device listens to and then again port forward from the MikroTik to your local device...
Not the other way around...
So is that the case ?
Maybe a network diagram would help and more details on why you need that port forward...
 
adamdavi3s
just joined
Topic Author
Posts: 13
Joined: Thu Sep 10, 2020 10:45 pm

Re: Forward ALL ports to router

Tue Jan 25, 2022 2:08 pm

You are not the only one, thank you for taking the time to reply.

Right now I have

[URL] -> [A RECORD] -> Static IP -> Fibre Line -> DrayTek WAN1 -> routes to server ip based on port. The servers are routed specifically through WAN1 in both directions.
As well as all other traffic
[Person] -> Wifi -> Draytek WAN2 -> Mk LTE6 -> Internet

I want to remove WAN1 from the setup, because the LTE6 doesn't have a fixed IP, I have assumed I need dynamic DNS in place

[URL] -> [CNAME] -> Variable IP -> Mk LTE6 -> DrayTek WAN2 -> routes to server ip based on port

What currently works is:

[URL] -> [CNAME] -> [Lookup CNAME URL] -> Public IP of the LTE6 Say 213.x.x.x.x

The LTE6 is connected to the DrayTek 192.168.1.1 on WAN2 with an IP of say 10.x.x.x.x and I think this is where it falls down?
 
Zacharias
Forum Guru
Posts: 3281
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Forward ALL ports to router

Tue Jan 25, 2022 5:00 pm

Can you please provide a simple network diagram with the requirements ?
Do you want to access your server from the Internet using a DNS service ?
Do you want to access the server from the LAN using a DNS service ?
Both ?
 
sindy
Forum Guru
Posts: 8830
Joined: Mon Dec 04, 2017 9:19 pm

Re: Forward ALL ports to router

Tue Jan 25, 2022 6:58 pm

You can configure the LTE apn profile into "passthrough" mode, which will make the Mikrotik device act as a dhcp server assigning the IP address assigned by the mobile provider further to the Draytek. But then the DDNS update must be done by the Vigor itself as the LTE router has no access to that address.

Alternatively, you can use a single dst-nat rule on the Mikrotik, redirecting whatever comes in to the WAN (LTE) interface to an IP address you assign to the Vigor at LAN, without matching on any dst-port:
/ip firewall nat
add chain=dstnat in-interface=lte1 action=dst-nat to-addresses=lan.ip.of.vigor


But either way only makes sense if you've got a public IP accessible from the internet from the mobile operator, is that the case?
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
adamdavi3s
just joined
Topic Author
Posts: 13
Joined: Thu Sep 10, 2020 10:45 pm

Re: Forward ALL ports to router

Tue Jan 25, 2022 7:30 pm

Thank you both, I will digest this and try and work it out, I believe the single NAT rule might be the answer I am looking for.

Yes the LTE is assigned a public IP and this does appear to be correctly resolving via the DDNS. The vigor is able to retrieve the public IP from the LTE and publish this.
 
adamdavi3s
just joined
Topic Author
Posts: 13
Joined: Thu Sep 10, 2020 10:45 pm

Re: Forward ALL ports to router

Wed Jan 26, 2022 9:30 pm

> You can configure the LTE apn profile into "passthrough" mode, which will make the Mikrotik device act as a dhcp server assigning the IP address assigned by the mobile provider further to the Draytek. But then the DDNS update must be done by the Vigor itself as the LTE router has no access to that address

This is definitely what I hoped to do originally but it never quite worked out that way, the Draytek has a WAN IP of 100.x.x.x from the Mikrotik and a public IP of 213.x.x.x, I can assign either of these to the DDNS but neither works.

Currently the Mikrotik is set up so the LTE is bridged with Ether1 and this is connected to the WAN of the Draytek.

If I want to connect to the mikrotik admin panel, I have to hard wire in using Ether2 and assign my laptop an IP on 192.168.88.x, the admin panel being on 192.168.88.1
 
Zacharias
Forum Guru
Posts: 3281
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Forward ALL ports to router

Wed Jan 26, 2022 10:06 pm

If you want to use the passthrough feature, then you will have to configure VLANs for the management of the LTE device...
 
adamdavi3s
just joined
Topic Author
Posts: 13
Joined: Thu Sep 10, 2020 10:45 pm

Re: Forward ALL ports to router

Sat Jan 29, 2022 12:22 pm

Ok it looks like all my Mikrotik config issue is fine, the issue I am hitting is CGNAT from what I can tell!
 
Zacharias
Forum Guru
Posts: 3281
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Forward ALL ports to router

Sat Jan 29, 2022 12:50 pm

> Ok it looks like all my Mikrotik config issue is fine, the issue I am hitting is CGNAT from what I can tell!

Is the IP address assigned by your ISP in the 100.64.0.0/10 space?

> If I want to connect to the mikrotik admin panel, I have to hard wire in using Ether2 and assign my laptop an IP on 192.168.88.x, the admin panel being on 192.168.88.1

You can't use the passthrough interface for access to the LTE device... You need a management VLAN.

You could ask your ISP to assign a Public IP address to your LTE connection...
 
adamdavi3s
just joined
Topic Author
Posts: 13
Joined: Thu Sep 10, 2020 10:45 pm

Re: Forward ALL ports to router

Sat Jan 29, 2022 1:05 pm

I hit some VPN issues this morning for the first time with a client which is what made me dig a bit deeper.

My public IP shows at 213.xxx but if I run a tracert I can see several 10.124 addresses.

Could be both CGNAT and a bad setup on the Mikrotik, I have asked the carrier if they will assign me a public IP address so at least I can rule that out!
 
mada3k
Long time Member
Posts: 537
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Forward ALL ports to router

Sat Jan 29, 2022 2:14 pm

Some VPN types simply don't work over CGNAT. That's the reality. IPv6 is the only hope there.
CCR/CRS/hEX/wAP • Ansible • NetXMS
 
Zacharias
Forum Guru
Posts: 3281
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Forward ALL ports to router

Sat Jan 29, 2022 2:20 pm

Is that the address of the LTE WAN interface (213.xxx)? If yes then it is already assigned a public IP address.
 
sindy
Forum Guru
Posts: 8830
Joined: Mon Dec 04, 2017 9:19 pm

Re: Forward ALL ports to router

Sun Jan 30, 2022 12:51 pm

> My public IP shows at 213.xxx but if I run a tracert I can see several 10.124 addresses.
>
> Could be both CGNAT and a bad setup on the Mikrotik, I have asked the carrier if they will assign me a public IP address so at least I can rule that out!

The fact that tracert shows some private IPs is not a problem, the ISP may use them inside their network. What is important is whether the address you've got on your router's WAN is a public one or not. If it is a private one or one from the CGNAT range, the outcome is the same, your router cannot act as a server/responder to incoming connections, and since there is NAT, ancient VPN protocols (PPTP) usually do not work.

So what exactly does "my public IP shows at 213.xxx" mean? If some "whatismyip" web page shows it, it says nothing, as it is the public IP from which your connection has arrived to that web, so it may be some NAT device far away from you; what matters is the IP address on your WAN interface.
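
An added example, not part of any post in this thread: a Python check for the distinction drawn above, classifying the address on the router's WAN interface (rather than the one a "what is my IP" page reports) as public, RFC 1918 private or CGNAT (100.64.0.0/10), including the edges of that range. The function names and all sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, used by carriers for CGNAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Classify an IPv4 address given as 'a.b.c.d' or 'a.b.c.d/len'."""
    ip = ipaddress.ip_interface(addr).ip
    if ip in CGNAT_NET:
        return "cgnat"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public" if ip.is_global else "special"


def wan_verdict(wan_addr, observed_addr):
    """Compare the WAN interface address with the externally observed one.

    Returns (label, explanation). Only the WAN address decides whether a
    dst-nat rule or passthrough can receive unsolicited inbound connections.
    """
    kind = classify(wan_addr)
    if kind in ("cgnat", "private"):
        return ("behind-nat",
                f"WAN address is {kind}; {observed_addr} is an upstream NAT")
    if kind == "special":
        return ("invalid", "WAN address is not a routable unicast address")
    if ipaddress.ip_interface(wan_addr).ip != ipaddress.ip_address(observed_addr):
        return ("public-mismatch",
                "WAN address is public; traffic leaves via another address")
    return ("public-match", "WAN address is public and is what the internet sees")


# Constructed sample readings: (WAN interface address, "what is my IP" result).
SAMPLES = [
    ("100.72.10.5/32", "213.0.113.7"),     # inside 100.64.0.0/10
    ("100.63.255.255", "100.63.255.255"),  # just below the CGNAT range
    ("10.124.3.9/24", "213.0.113.7"),      # RFC 1918 on the WAN
    ("213.0.113.7/32", "213.0.113.7"),     # public address on the WAN itself
]

if __name__ == "__main__":
    for wan, seen in SAMPLES:
        label, why = wan_verdict(wan, seen)
        print(f"{wan:18} {seen:16} {label:16} {why}")
```
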