 
JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Second Layer Port Forwarding

Mon Jun 20, 2022 3:39 am

A brief overview of my setup:
I have an ISP provided router which connects via Cat6a to my Mikrotik router via fiber, and then the Mikrotik switch serves as my LAN hub. I have 2 wireless routers connected to the switch, but they are not relevant for this.

I am trying to set up my PC to run servers for various multiplayer games for my friends and me. The issue is that I can get the server up and running perfectly on the LAN, but I am struggling to get it working with WAN addressing. Initially I thought I'd just put in a port-forward on the ISP router to my LAN IP and I'd be good; however, because the LAN IP space I use is not the same network as the ISP's LAN space, it tells me it's invalid. Okay, no big deal, I'll just create a static bidirectional NAT for my PC on the Mikrotik router giving my PC an IP on the ISP LAN space, then point it at that.

However, when I do this, I lose connectivity to the router and general internet access - A ping initiated before the rule goes active remains going until I stop and restart it so I'm not totally down when this happens, but I'm not sure what's causing everything else to go haywire. What is the best way to set this up in the Mikrotik environment?

4 X chain=srcnat action=src-nat to-addresses=192.168.0.50 src-address=192.168.100.3 out-interface=bridge1 log=yes log-prefix=""
This is the rule (currently disabled) I am using to NAT
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Second Layer Port Forwarding

Mon Jun 20, 2022 3:51 am

On ISP router forward ports to address used by Mikrotik on its WAN interface. And then do e.g.:
/ip firewall nat
add chain=dstnat dst-address=<address on WAN interface> protocol=tcp dst-port=12345 action=dst-nat to-addresses=<address of target device in LAN>
 
JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Re: Second Layer Port Forwarding

Mon Jun 20, 2022 6:45 am

4 X chain=srcnat action=src-nat to-addresses=192.168.0.50 src-address=192.168.100.3 out-interface=bridge1 log=yes log-prefix=""

5 X chain=dstnat action=dst-nat to-addresses=192.168.100.3 dst-address=192.168.0.50 log=no log-prefix=""

So I have it set like this, but it still prevents any new connections from working. Unless I'm misunderstanding, this should bidirectional NAT all traffic regardless of port/protocol from 100.3 to 0.50.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Second Layer Port Forwarding

Mon Jun 20, 2022 2:12 pm

192.168.0.50 is what Mikrotik router has on its WAN interface, and 192.168.100.3 is PC in LAN behind router, correct? If so, then dstnat rule is ok, and srcnat rule is not needed at all, since you most likely already have another srcnat/masquerade rule that changes source of anything from LAN to internet to 192.168.0.50 anyway.
 
JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Re: Second Layer Port Forwarding

Tue Jun 21, 2022 12:46 am

Yeah. The ISP router is WANside Public IP - Router - 192.168.0.0/24 - Mikrotik Router - 192.168.100.0/24. Adding the DST rule did not break my internet, so testing the forwarding now, update shortly.


Okay, so the ping test from the ISP router fails. No 0.50 device is seen in the ARP table on the ISP router.
 
kevinds
Long time Member
Posts: 638
Joined: Wed Jan 14, 2015 8:41 am

Re: Second Layer Port Forwarding

Tue Jun 21, 2022 1:04 am

This looks like CGNAT.. If so, it won't be possible.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Second Layer Port Forwarding

Tue Jun 21, 2022 11:22 am

I thought that Mikrotik router itself has 192.168.0.50 and that access to internet from behind it works. So ISP router would have to see it.
 
JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Re: Second Layer Port Forwarding

Fri Jun 24, 2022 1:34 am

kevinds wrote:
This looks like CGNAT.. If so, it won't be possible.

What is CGNAT?

Sob wrote:
I thought that Mikrotik router itself has 192.168.0.50 and that access to internet from behind it works. So ISP router would have to see it.

The Mikrotik itself has 0.2 on the ISP LAN. I was assuming I could run a static NAT for an IP besides the main interface IP.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Second Layer Port Forwarding

Fri Jun 24, 2022 3:30 am

You can, if in addition to .0.2 address, you add another .0.50 to same interface. But I don't see how it would make anything better than just using existing .0.2.

CGNAT is NAT at ISP (even before the router you got from them), where you don't have public address at all, and can't have any incoming connections. It's still a possibility, you can check ISP's router (the one you got) for its WAN address, if it's public or not.
 
kevinds
Long time Member
Posts: 638
Joined: Wed Jan 14, 2015 8:41 am

Re: Second Layer Port Forwarding

Fri Jun 24, 2022 3:41 am

Re-reading this, I may be understanding it a bit more... Sleep helps too.. ;)

I would strongly suggest putting (or finding a way) the ISP's modem/gateway/router onto bridge mode, allowing your Mikrotik to get a public IP.

You are trying to port-forward on the ISP's gateway to your Mikrotik? Many NAT gateways do not do this well (even 'DMZ').

If this is what you are trying to do, why? What does the Mikrotik router add to your setup? Does it work when only using the ISP's gateway?
 
JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Re: Second Layer Port Forwarding

Fri Jun 24, 2022 11:44 pm

kevinds wrote:
Re-reading this, I may be understanding it a bit more... Sleep helps too.. ;)

I would strongly suggest putting (or finding a way) the ISP's modem/gateway/router onto bridge mode, allowing your Mikrotik to get a public IP.

You are trying to port-forward on the ISP's gateway to your Mikrotik? Many NAT gateways do not do this well (even 'DMZ').

If this is what you are trying to do, why? What does the Mikrotik router add to your setup? Does it work when only using the ISP's gateway?

Well, I'm pretty sure I'm getting a public IP - the ISP modem lists one on its WAN connection.

The Mikrotik router is serving to route my internal house fiber networks, which are divided into 4 different VLANs. There is what I intended to be a DMZ-type zone which is the ISP's 0.0/24 network; the Mikrotik has 100.0/24, 101, 102, and 103. It occupies the .2 IP address on the 0.0/24.

I don't think I can bridge mode the ISP router. The thing is a kind of limited CenturyLink model with no CLI. At one point I tried to do static assigned DHCP leases to it and wound up bricking it and having to factory reset it, which does not make me confident in my ability to reconfigure it in any meaningful way.
Sob wrote:
You can, if in addition to .0.2 address, you add another .0.50 to same interface. But I don't see how it would make anything better than just using existing .0.2.

CGNAT is NAT at ISP (even before the router you got from them), where you don't have public address at all, and can't have any incoming connections. It's still a possibility, you can check ISP's router (the one you got) for its WAN address, if it's public or not.

So I need to add 192.168.0.50 to the IP addresses on the interface connected to the ISP router in addition to its .2?
 
kevinds
Long time Member
Posts: 638
Joined: Wed Jan 14, 2015 8:41 am

Re: Second Layer Port Forwarding

Fri Jun 24, 2022 11:49 pm

JancariusSeiryujinn wrote:
I don't think I can bridge mode the ISP router. The thing is a kind of limited CenturyLink model with no CLI. At one point I tried to do static assigned DHCP leases to it and wound up bricking it and having to factory reset it, which does not make me confident in my ability to reconfigure it in any meaningful way.

Which model?

There are likely instructions to follow online for it..

https://www.centurylink.com/home/help/i ... tings.html

https://www.centurylink.com/home/help/i ... oting.html

C3000Z if you are lucky...

Save you a LOT of headaches..
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Second Layer Port Forwarding

Sat Jun 25, 2022 12:07 am

JancariusSeiryujinn wrote:
So I need to add 192.168.0.50 to the IP addresses on the interface connected to the ISP router in addition to its .2?

I wouldn't say "need", it's just a possibility if you insist that .2 is not good enough for you, for some reason. But once again, I don't see how it would be better. I'd simply use .2, forward either all or selected ports from ISP's router to .2, and from there forward them to devices in LAN. It's the usual double NAT. That's if you can't go with the other suggestion to get public address directly on RB.
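The double-NAT port forward Sob describes (in the first reply and again just above), written out as a complete RouterOS configuration. This is an added example, not configuration posted by anyone in the thread. 192.168.0.2 (the RB's address toward the ISP router), 192.168.100.3 (the game PC), bridge1 (the LAN bridge) and port 12345 (Sob's placeholder port) come from the thread; the WAN-side interface name ether1 is assumed.

```routeros
# Added example, not configuration posted in the thread.
# Assumptions: ether1 is the port facing the ISP router (the RB holds 192.168.0.2
# there), bridge1 is the LAN bridge, the game PC is 192.168.100.3, and the game
# listens on TCP and UDP 12345 (Sob's placeholder port). Step 1 happens on the ISP
# router's own UI: forward TCP/UDP 12345 to 192.168.0.2. Steps 2-4 are RouterOS.

# 2. Outbound NAT: everything leaving toward the ISP router goes out as 192.168.0.2.
#    This is the rule Sob expects to exist already; the srcnat rule from the first
#    post (to-addresses=192.168.0.50, out-interface=bridge1) is not needed.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> ISP router"

# 3. Inbound NAT: only this one port, on the two protocols the game uses, and only
#    when addressed to the RB's WAN address, is rewritten to the game PC. Nothing
#    else arriving from the ISP side is translated.
add chain=dstnat dst-address=192.168.0.2 protocol=tcp dst-port=12345 action=dst-nat to-addresses=192.168.100.3 comment="game server tcp"
add chain=dstnat dst-address=192.168.0.2 protocol=udp dst-port=12345 action=dst-nat to-addresses=192.168.100.3 comment="game server udp"

#    Hairpin: a LAN player who connects to 192.168.0.2:12345 is dst-natted by the
#    rules above; masquerading that flow on bridge1 makes the PC answer via the RB
#    instead of replying directly to a host on its own subnet (which would break
#    the connection). Not needed if LAN players use 192.168.100.3 directly.
add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.100.3 protocol=tcp dst-port=12345 out-interface=bridge1 action=masquerade comment="hairpin tcp"
add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.100.3 protocol=udp dst-port=12345 out-interface=bridge1 action=masquerade comment="hairpin udp"

# 4. Filter: if the forward chain ends in a drop rule for traffic from the WAN
#    side, an accept for connections that were dst-natted must sit above it. This
#    rule admits exactly those translated connections and logs each new one.
/ip firewall filter
add chain=forward connection-state=new connection-nat-state=dstnat in-interface=ether1 action=accept log=yes log-prefix="game-fwd" comment="allow forwarded game traffic"
```

To check that the two hops line up, have a friend connect from outside and watch the counters with `/ip firewall nat print stats` (the dstnat rule's packet count should rise) and the new-connection log entries with `/log print where message~"game-fwd"`. If the dstnat counter stays at zero, the ISP router is not delivering the port to 192.168.0.2 and the problem is on that hop, not on the RB.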
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Second Layer Port Forwarding

Sat Jun 25, 2022 11:41 am

If the ISP is doing NAT (CGNAT) then you will not get a public IP address (unless the ISP allows for that, mostly paid-for, option and does a specific port-forwarding for your address).
Easily recognised because the address you get is in the private ranges: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, or any other known private range: https://help.keenetic.com/hc/en-us/arti ... P-address-


The way to connect to the LAN from elsewhere on the internet is through STUN, TURN, ICE : https://anyconnect.com/stun-turn-ice/

TURN passes all levels of NAT, and uses a server that can be accessed from the internet. A multilevel NATted LAN mostly can just reach the internet, as the NAT is outgoing. It is NATted up to the ultimate public IP address of the ISP.
Being able to see that public IP address in your app, router or browser (https://whatismyipaddress.com/) does not mean that you can receive incoming connections addressed to that IP address.

4G/LTE or satellite links never allow for incoming connections, without special options added.

The DIY solution for TURN is fairly easy. I do it with just a hAP Lite (the cheapest MT?) running several VPN servers. The TURN server is on (another) ISP link with cabled connection, and has a dynamically changing public IP address on the modem (fixed IP is a paid-for option, and can be expensive). DDNS solves that IP address-changing problem. DDNS service is built into RouterOS (based on serial number), or you could use https://www.noip.com/ instead or as failover. So the TURN server has a static DDNS name, used for setting up the VPN connection, from the participating multi-NATted locations/routers.

There are offerings for public TURN services, like "Hamachi by LogMeIn" https://www.vpn.net/
"Zerotier" has free TURN services.
 
kevinds
Long time Member
Posts: 638
Joined: Wed Jan 14, 2015 8:41 am

Re: Second Layer Port Forwarding

Sat Jun 25, 2022 1:21 pm

bpwl wrote:
If the ISP is doing NAT (CGNAT) then you will not get a public IP address (unless the ISP allows for that, mostly paid-for, option and does a specific port-forwarding for your address).
Easily recognised because the address you get is in the private ranges: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, or any other known private range: https://help.keenetic.com/hc/en-us/arti ... P-address-

It isn't.. They are just doing double-NAT with an ISP provided gateway.. FTTP service.
 
JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Re: Second Layer Port Forwarding

Mon Jun 27, 2022 4:02 am

kevinds wrote:
JancariusSeiryujinn wrote:
I don't think I can bridge mode the ISP router. The thing is a kind of limited CenturyLink model with no CLI. At one point I tried to do static assigned DHCP leases to it and wound up bricking it and having to factory reset it, which does not make me confident in my ability to reconfigure it in any meaningful way.

Which model?

There are likely instructions to follow online for it..

https://www.centurylink.com/home/help/i ... tings.html

https://www.centurylink.com/home/help/i ... oting.html

C3000Z if you are lucky...

Save you a LOT of headaches..

4000XG. I'll look through the instructions for it though.
 
kevinds
Long time Member
Posts: 638
Joined: Wed Jan 14, 2015 8:41 am

Re: Second Layer Port Forwarding

Mon Jun 27, 2022 5:40 am

JancariusSeiryujinn wrote:
4000XG. I'll look through the instructions for it though.

It definitely has a bridge-mode..

No idea if you will need to setup PPPoE or not though. If you do, you will likely need to get the user/pass from CenturyLink.
