OzBoyBlue
Topic Author

Multiple WAN IPs - WiFi clients OK for local services but not LAN/wired

Wed Nov 17, 2021 3:20 am

Any suggestions on where to start looking here would be great.

Basic setup is: WiFi clients - wAP - Port10(POE):{RB2011}:Port2 - Switch - LAN (wired clients)

The RB2011 has Ether1 configured as the WAN port, connected to a bridged VDSL modem; the ISP provides a single static WAN IP (xxx.xxx.159.22) for the connection, which is handed to the RB2011 using DHCP.

The ISP has also recently allocated an additional WAN IP range (xxx.xxx.42.48/30) at my request, which has been configured in the RB2011 address list, creating the default associated route for the /30 range.

For testing I allowed ICMP from anywhere and can ping the new /30 IPs from internal and external.

Then I've configured a variety of internal services, including RDP on obscure ports, which I will show only as an example (the other services have similar NAT and filter rules with different dst IPs and ports):
/ip firewall filter add action=accept chain=input comment="ALLOW ABC remote desktop from anywhere" dst-address=192.168.50.25 dst-port=xxx89 in-interface=ether1 protocol=tcp
/ip firewall filter add action=accept chain=forward dst-address=192.168.50.25 dst-port=xxx89 in-interface=ether1 protocol=tcp
/ip firewall filter add action=accept chain=input comment="ALLOW XYZ remote desktop from anywhere" dst-address=192.168.50.26 dst-port=xxx88 in-interface=ether1 protocol=tcp
/ip firewall filter add action=accept chain=forward dst-address=192.168.50.26 dst-port=xxx88 in-interface=ether1 protocol=tcp

/ip firewall nat add action=dst-nat chain=dstnat comment="NAT ABC services" dst-address=xxx.xxx.42.49 dst-address-type=local dst-port=xxx89 protocol=tcp to-addresses=192.168.50.25 to-ports=xxx89
/ip firewall nat add action=src-nat chain=srcnat src-address=192.168.50.25 to-addresses=xxx.xxx.42.49
/ip firewall nat add action=dst-nat chain=dstnat comment="NAT WXY services" dst-address=xxx.xxx.42.49 dst-address-type=local dst-port=xxx88 protocol=tcp to-addresses=192.168.50.26 to-ports=xxx88
/ip firewall nat add action=src-nat chain=srcnat src-address=192.168.50.26 to-addresses=xxx.xxx.42.49

This all works as expected, sort of. From external everything works perfectly: you can connect using the IP (or DNS) from anywhere outside the local network and remote-connect to the machines on the configured ports.

Internally, however, it works for WiFi clients (again using the WAN IP or DNS), but for any wired clients the connection just times out. I have tried various computers and notebooks to make sure it's not just something quirky with one machine, and it's consistent across Windows/Mac clients: wireless no problem, but wired into the switch or the RB2011 they can't connect using the WAN IP (or associated DNS) to any of the configured services.

Any input would be greatly appreciated.
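Added example (not part of the original post, and not a diagnosis of it): the RouterOS "hairpin NAT" pattern MikroTik documents for the case where a client and the dst-natted server sit on the same LAN subnet and the client connects via the public address. Without the extra srcnat rule, the server replies directly to the client on the LAN, the client sees a reply from the server's private IP instead of the public one, and the TCP handshake times out. The addresses below reuse the post's values; the LAN subnet 192.168.50.0/24 and the bridge name bridge-lan are assumptions.

```routeros
# dstnat as in the post: no in-interface, so it also matches LAN clients
# that connect to the public /30 address (dst-address-type=local limits it
# to addresses configured on the router itself).
/ip firewall nat add chain=dstnat action=dst-nat comment="NAT ABC services" \
    dst-address=xxx.xxx.42.49 dst-address-type=local dst-port=xxx89 \
    protocol=tcp to-addresses=192.168.50.25 to-ports=xxx89

# Hairpin rule (the part the post's ruleset does not have). In srcnat the
# packet has already been dst-natted, so match the PRIVATE server address.
# Masquerading to the bridge address forces the server's replies back
# through the router, where the connection tracking entry un-NATs them.
# Assumed names: 192.168.50.0/24 (LAN subnet), bridge-lan (LAN bridge).
/ip firewall nat add chain=srcnat action=masquerade comment="hairpin NAT ABC" \
    src-address=192.168.50.0/24 dst-address=192.168.50.25 dst-port=xxx89 \
    protocol=tcp out-interface=bridge-lan

# Keep the rule narrow: src-address, dst-address, dst-port and out-interface
# together stop it from masquerading ordinary LAN-to-LAN traffic.

# Checks: the hairpin rule's packet counter should increase during a wired
# test, and the tracked connection should show the public address as the
# original destination with the private one as the reply source.
/ip firewall nat print stats where comment="hairpin NAT ABC"
/ip firewall connection print where dst-address~"192.168.50.25"
```

One side effect worth knowing: with masquerade in place the server sees every hairpinned connection as coming from the router's LAN address, so its own logs no longer identify the real LAN client; the router's connection table is where that information lives.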
