Hi.
I encountered a network with such a structure:
Internet ---> Keenetik(main router) ----> Mikrotik ---> LocalNetwork
Keenetik Local IP: 192.168.1.1
Mikrotik eth1 IP: 192.168.1.103
eth2 IP: 192.168.88.1
LocalNetwork SubNet: 192.168.88.0
Mikrotik RouterOS 6.47.1
I reset mikrotik, so it is default settings
Problem: I can't map ports to the LocalNetwork through Mikrotik to 192.168.88.3 - LocalComp where started nginx(for test)
1. I mapped ports 80 & 8291 on Keenetik to Mikrotik IP : 192.168.1.103 - all works fine, I can connect to Mikrotik from Internet via WinBox
2. I mapped ports on Mikrotik with /ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp to-address=192.168.88.3 to-port=80 -- nothing work - I can't open web page on LocalMachine from Internet
I have thought it's because I don't need nat but need forward packet to next node(192.168.88.3), or probably I need add rule to input chain, as Keenetik send packets to 192.168.1.103(to input Mikrotik)
I've turned off all drop rules in firewall, then have tried:
/ip firewall filter add chain=forward action=add-dst-to-address-list protocol=tcp dst-address=192.168.1.103 address-list=192.168.88.3 dst-port=80
not working. With input not working too.
Please hint me, which rules I must to add to reach from Internet LocalComp
Thanks
Re: Mikrotik as a second router behind the main. Mapping problem
Your dstnat rule is incomplete, only two conditions are protocol=tcp dst-port=80. So if something local LocalNetwork tries to open some web page, it's also connection to tcp port 80 and will be forwarded to 192.168.88.3. So you need to add dst-address=192.168.1.103 as another condition.
As for forwarding to internal server, with default firewall and dstnat rule it should just work. If not, you need to allow it through firewall. Simple way for all forwarded ports is:
Another way, if you don't want NAT on Mikrotik, you can add static route to its subnet (destination 192.168.88.0/24, gateway 192.168.1.103) and forward ports to 192.168.88.3 directly from main router.
As for forwarding to internal server, with default firewall and dstnat rule it should just work. If not, you need to allow it through firewall. Simple way for all forwarded ports is:
Code: Select all
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=acceptRe: Mikrotik as a second router behind the main. Mapping problem
Thanks Sob, I made second(route to 192.168.88.0) and very strange, ping pass through(from keenetic) but packets to 80 port don't
I've tried this: chain=dstnat action=dst-nat to-addresses=192.168.88.3 to-ports=80 protocol=tcp dst-address=192.168.1.103 dst-port=80 log=no log-prefix="" don't work
Anyway, thank you
I've tried this: chain=dstnat action=dst-nat to-addresses=192.168.88.3 to-ports=80 protocol=tcp dst-address=192.168.1.103 dst-port=80 log=no log-prefix="" don't work
Anyway, thank you
Last edited by u10root on Fri Jun 10, 2022 9:08 pm, edited 2 times in total.
Re: Mikrotik as a second router behind the main. Mapping problem
If you go with the second option, then there isn't (shouldn't be) any NAT, neither dstnat rules, nor anything in srcnat chain (src-nat/masquerade). But depending on your firewall filters, you may need to allow connections using:
Code: Select all
/ip firewall filter
add chain=forward dst-address=192.168.88.3 protocol=tcp dst-port=80 action=acceptRe: Mikrotik as a second router behind the main. Mapping problem
P.S. Problem wasn't with mikrotik, it was with keenetik. Dunno why, it don't working with 80 port, dunno why it work only with mapping: not 80 -> 80
Thank you)
Thank you)
Who is online
Users browsing this forum: No registered users and 27 guests