Abdisirat
just joined
Topic Author
Posts: 24
Joined: Fri May 15, 2020 9:56 pm

Port Forwarding to an Inner Subnet

Tue Dec 07, 2021 2:21 pm

Please help.
I would like to connect from the Internet to a computer on an inner subnet through RDP. The setup is as follows: Mikrotik Router leases 10.70.70.251 IP Address to an Edge Router-X. The computer to be connected to has been given an IP 192.168.1.100 by the Edge Router X DHCP. I have created a port forwarding on the Edge Router with outside port 5100 and forwards to port 3389 of IP 192.168.1.100. Remote connection is also allowed on the target PC.
On the Mikrotik, I have done:
1. /ip firewall nat
add chain=dstnat dst-address=<PUBLIC IP> dst-port=5200 protocol=tcp \
action=dst-nat to-addresses=10.70.70.251 to-ports=8585
2. /ip firewall nat
add chain=dstnat dst-address=10.70.70.251 dst-port=8585 protocol=tcp \
action=dst-nat to-addresses=192.168.1.100 to-ports=5100
On the PC trying to connect via RDP, I have entered the Public IP followed by :5200 as the IP/port and the computer username. I had done this setup before and it worked, but I cannot remember how I did the port configuration. Can't get it to work. Thanks for assisting.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding to an Inner Subnet

Tue Dec 07, 2021 4:20 pm

You need only one rule. If there's double NAT and the RB doesn't have a route to 192.168.1.100, then:
/ip firewall nat
chain=dstnat dst-address=<PUBLIC IP> protocol=tcp dst-port=5200 action=dst-nat to-addresses=10.70.70.251 to-ports=5100
If you have routing between subnets, then you can forward port to target device directly:
/ip firewall nat
chain=dstnat dst-address=<PUBLIC IP> protocol=tcp dst-port=5200 action=dst-nat to-addresses=192.168.1.100 to-ports=3389
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding to an Inner Subnet  [SOLVED]

Tue Dec 07, 2021 4:47 pm

This is clearly a double NAT scenario.

MT DEVICE
1. Ensure this rule is in the forward chain to allow port forwarding.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN

2. Ensure you have a proper dst-nat rule (only a single rule is required; your use of port 8585 was confusing and unnecessary)
add chain=dstnat action=dst-nat protocol=tcp dst-address=<ISP public IP, if static> dst-port=5200 \
to-addresses=10.70.70.251 to-ports=5100

If the public IP is dynamic you can use in-interface-list=WAN instead.
 
Abdisirat
just joined
Topic Author
Posts: 24
Joined: Fri May 15, 2020 9:56 pm

Re: Port Forwarding to an Inner Subnet

Tue Dec 07, 2021 6:36 pm

Sob and Anav .. thank you so much... you are my heroes !

@Anav..it is indeed double NAT. Your instructions were very helpful.

Won't leave you before asking.. the MT device is my Main CCR router giving connection to other Routers located at remote locations. I did not anticipate this challenge till there was a need to do port forwarding. How do I avoid the double NAT scenario ?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding to an Inner Subnet

Tue Dec 07, 2021 6:45 pm

Sob and Anav .. thank you so much... you are my heroes !

@Anav..it is indeed double NAT. Your instructions were very helpful.

Won't leave you before asking.. the MT device is my Main CCR router giving connection to other Routers located at remote locations. I did not anticipate this challenge till there was a need to do port forwarding. How do I avoid the double NAT scenario ?
Well for example the edgerouter could be replaced by a managed switch and all subnets are on vlans.
However it would be less clear if the devices were remote and not wired directly to the CCR.
In which case why go through the CCR? Without understanding the use cases it is hard to determine.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding to an Inner Subnet

Tue Dec 07, 2021 7:35 pm

There's nothing wrong with extra routers, you just need proper routes. So on RB you add:
/ip route add
dst-address=192.168.1.0/24 gateway=10.70.70.251
and it's for RB to know where to find 192.168.1.x. And then you can remove NAT from Edge Router, tell it to allow access between interfaces as required, etc.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding to an Inner Subnet

Tue Dec 07, 2021 8:01 pm

There's nothing wrong with extra routers, you just need proper routes. So on RB you add:
/ip route add
dst-address=192.168.1.0/24 gateway=10.70.70.251
and it's for RB to know where to find 192.168.1.x. And then you can remove NAT from Edge Router, tell it to allow access between interfaces as required, etc.
Nice, so ROUTE required on MT Device,
Some rule STILL required on Edge device...

What would be the equivalent on MT, some sort of forward chain rule.........
add chain=forward action=accept in-interface=WAN dst-port=3389 dst-address=192.168.1.100 ????


In other words, what have we saved here really................
How is it more efficient I guess.........


Personally it matters little to me; the only thing I would recommend on the initial rule on the MT is the following.
/ip firewall nat
chain=dstnat dst-address=<PUBLIC IP> protocol=tcp dst-port=5200 action=dst-nat to-addresses=192.168.1.100 to-ports=3389 \
src-address-list=authorized

Where
/ip firewall address-list
add address=<public IP of user 1> list=authorized comment="User1"
add address=<public IP of user 2> list=authorized comment="User2"
add address=<dyndns name of user 3> list=authorized comment="User3" (router will resolve the name)
add address=<dyndns name of user 4> list=authorized comment="User4" (router will resolve the name)
etc............

Since one can acquire free dyndns names there is no excuse for any user not to be documented
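A toy first-match model of the RouterOS dstnat chain, added here as an example (it is not code from the thread or from RouterOS): it traces the question's two-rule setup, Sob's single-rule fix, and anav's address-list-restricted variant through the CCR and then the Edge Router. The public and client addresses are constructed placeholders; only 10.70.70.251 and 192.168.1.100:3389 come from the thread.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"        # constructed stand-in for the CCR's static public IP
EDGE_WAN = "10.70.70.251"         # Edge Router-X WAN address leased by the CCR (from the thread)
TARGET = ("192.168.1.100", 3389)  # RDP on the PC behind the Edge Router (from the thread)


@dataclass
class DstNatRule:
    dst_address: str
    dst_port: int
    to_address: str
    to_port: int
    src_list: frozenset = frozenset()  # empty = any source, i.e. no src-address-list


def dstnat(chain, src, dst, port):
    """First matching rule rewrites the destination and ends traversal
    (action=dst-nat is terminating); with no match the packet is left as is."""
    for rule in chain:
        if (rule.dst_address, rule.dst_port) != (dst, port):
            continue
        if rule.src_list and src not in rule.src_list:
            continue
        return rule.to_address, rule.to_port
    return dst, port


def trace(ccr_chain, edge_chain, src, dst=PUBLIC_IP, port=5200):
    """Where a TCP SYN from `src` to dst:port ends up after the CCR's dstnat
    and, only if the CCR sent it to the Edge Router, the Edge Router's dstnat."""
    dst, port = dstnat(ccr_chain, src, dst, port)
    if dst == EDGE_WAN:
        dst, port = dstnat(edge_chain, src, dst, port)
    return dst, port


# Edge Router-X forwards its outside port 5100 to the PC's RDP port (from the question).
EDGE = [DstNatRule(EDGE_WAN, 5100, *TARGET)]

# The question's two CCR rules: rule 1 terminates the chain, so rule 2 never
# fires and the packet reaches the Edge Router on 8585, which it does not forward.
OP_CCR = [DstNatRule(PUBLIC_IP, 5200, EDGE_WAN, 8585),
          DstNatRule(EDGE_WAN, 8585, "192.168.1.100", 5100)]

# Sob's single rule: hand the packet to the Edge Router on the port it actually forwards.
FIXED_CCR = [DstNatRule(PUBLIC_IP, 5200, EDGE_WAN, 5100)]

# anav's variant: same rule, matched only for sources on the "authorized" list.
AUTHORIZED = frozenset({"198.51.100.7"})  # constructed: one allowed client address
LOCKED_CCR = [DstNatRule(PUBLIC_IP, 5200, EDGE_WAN, 5100, AUTHORIZED)]
```

Calling `trace(OP_CCR, EDGE, "198.51.100.7")` shows the packet stranded at 10.70.70.251:8585, while `trace(FIXED_CCR, EDGE, ...)` reaches 192.168.1.100:3389 and `LOCKED_CCR` leaves an unlisted source untranslated.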
 
Abdisirat
just joined
Topic Author
Posts: 24
Joined: Fri May 15, 2020 9:56 pm

Re: Port Forwarding to an Inner Subnet

Tue Dec 07, 2021 8:06 pm

Sob and Anav .. thank you so much... you are my heroes !

@Anav..it is indeed double NAT. Your instructions were very helpful.

Won't leave you before asking.. the MT device is my Main CCR router giving connection to other Routers located at remote locations. I did not anticipate this challenge till there was a need to do port forwarding. How do I avoid the double NAT scenario ?
Well for example the edgerouter could be replaced by a managed switch and all subnets are on vlans.
However it would be less clear if the devices were remote and not wired directly to the CCR.
In which case why go through the CCR? Without understanding the use cases it is hard to determine.
The CCR is my main router supporting remote clients through VLANS who have subscribed to my Internet connection. The CCR gets Internet from three ISPs with one of them providing a static public IP.
My scenario looks like this:
1. Two clients are located in one area. I have created VLANs 60 (to ISP1 with Dynamic Public IP) & 70 (to ISP2 with static Public IP, going to the Edge Router) on the CCR and installed a managed switch near their premises. Since it is quite far, I have used Ubiquiti Radios as PtP carrying their tagged VLANs from the CCR to the managed switch. Thereafter, the clients would get their respective connection from the Managed switch access ports. I was thinking of a way to put the CCR in bridge mode for the static link so that the Public IPs would be entered on the edgerouter WAN interface to avoid this Port forwarding nightmare I was going through. Not sure whether it is possible to configure such.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding to an Inner Subnet

Wed Dec 08, 2021 2:00 am

If you have dedicated public addresses for them, but they are currently at your router, it should be possible to give them to clients directly. Bridging would be one way. Or you can simply route the addresses to them, i.e. keep the internal subnet and then:
/ip route
add dst-address=<public address> gateway=10.70.70.251
Or if they support point-to-point with /32 addresses, you can do:
/ip address
add interface=<to client> address=<any random address>/32 network=<public address>
Another way would be PPPoE.

Then depending on how you get addresses from ISP, you may need to do either nothing (if they are routed to you) or use proxy arp (if they are part of subnet on your WAN port).
 
Abdisirat
just joined
Topic Author
Posts: 24
Joined: Fri May 15, 2020 9:56 pm

Re: Port Forwarding to an Inner Subnet

Thu Dec 09, 2021 7:59 am

If you have dedicated public addresses for them, but they are currently at your router, it should be possible to give them to clients directly. Bridging would be one way. Or you can simply route the addresses to them, i.e. keep the internal subnet and then:
/ip route
add dst-address=<public address> gateway=10.70.70.251
Or if they support point-to-point with /32 addresses, you can do:
/ip address
add interface=<to client> address=<any random address>/32 network=<public address>
Another way would be PPPoE.

Then depending on how you get addresses from ISP, you may need to do either nothing (if they are routed to you) or use proxy arp (if they are part of subnet on your WAN port).
Thanks Sob..
I have a dedicated Public IP for one client using the Edge Router. Is the first configuration applied on my CCR or on the client's Edge Router? Sorry to ask... Would try this in a Lab before going live.. Please also advise how the bridging configuration can be done to get the Public IPs on the client's Router.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding to an Inner Subnet

Thu Dec 09, 2021 12:43 pm

Bridging can be done using the nice and simple (or terribly difficult; opinion is divided on the subject :)) bridge VLAN filtering:

https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

For example, if you have independent etherX as WAN port and etherY with VLANs to client, you can connect them together:
/interface bridge
add name=bridge-wan pvid=10 vlan-filtering=yes
/interface bridge port
add bridge=bridge-wan interface=etherX pvid=10
add bridge=bridge-wan interface=etherY
/interface bridge vlan
add bridge=bridge-wan tagged=etherY untagged=bridge-wan,etherX vlan-ids=10
Then bridge-wan is your new WAN port, instead of previous etherX. Or the same thing in a slightly different way, with bridge interface used only for L2 config:
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan-wan vlan-id=10
/interface bridge port
add bridge=bridge interface=etherX pvid=10
add bridge=bridge interface=etherY
/interface bridge vlan
add bridge=bridge tagged=bridge,etherY untagged=etherX vlan-ids=10
And WAN would be vlan-wan. In both cases, you'll have tagged VLAN 10 on etherY, and anything connected in that VLAN will be as if it were directly connected to what etherX is connected to.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding to an Inner Subnet

Thu Dec 09, 2021 3:31 pm

Sob is it just me, or does this not smack of a really good time to use zerotier??
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding to an Inner Subnet

Thu Dec 09, 2021 3:45 pm

If you think that it's a good idea to forcefully stuff in something that I don't see how it could help, while additionally depending on some external service, then yes. Otherwise I'd say no.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding to an Inner Subnet

Thu Dec 09, 2021 4:15 pm

If you think that it's a good idea to forcefully stuff in something that I don't see how it could help, while additionally depending on some external service, then yes. Otherwise I'd say no.
Well it seems that he wants stuff to be accessible like a switch, and your methods are clear plain connections between remote sites, while zerotier is encrypted.........
To me that's a HUGE difference.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding to an Inner Subnet

Thu Dec 09, 2021 6:37 pm

As I understand it, OP needs to deliver either a public address to someone else's router, or at least forward some ports there, and it's up to the other party what they do with it. So nothing to get too creative with.
 
Abdisirat
just joined
Topic Author
Posts: 24
Joined: Fri May 15, 2020 9:56 pm

Re: Port Forwarding to an Inner Subnet

Sat Dec 11, 2021 9:56 pm

As I understand it, OP needs to deliver either a public address to someone else's router, or at least forward some ports there, and it's up to the other party what they do with it. So nothing to get too creative with.
Sorry, I seem to get lost in your technical expertise, but I just wanted to know how to deliver the Public IPs to the client's router, bearing in mind that the trunk link carries two VLANs and the settings on my CCR are that client 1 will use their Dedicated Public IP and the second client would use the Dynamic Public IP.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding to an Inner Subnet

Sat Dec 11, 2021 11:16 pm

I gave you a few ways how to do it. Take your pick, test it, understand it, ask about details if something is not clear, ...
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding to an Inner Subnet

Sat Dec 11, 2021 11:18 pm

Is that legal, re-sell public IPs from an ISP??
 
j3zzoo
just joined
Posts: 1
Joined: Mon Apr 15, 2024 8:50 pm

Re: Port Forwarding to an Inner Subnet

Mon Apr 15, 2024 8:58 pm

Hi,

I hope it is fine to necro this thread, but it's for a good cause ;)

I have a similar scenario.
I have WAN connected to a mikrotik device, which serves DHCP to my home devices.
I connected a pfsense box to serve my VMs under a different subnet. All seems to be working out of the box.
However I need to forward a specific port from WAN to a VM in the second subnet. I did port forwarding in the pfsense box; that's working fine for my LAN.
How to achieve this scenario on the mikrotik box?
Will following this topic's "answer" work?

Thanks for anything :)
