slaz

Access device from local network through WAN

Mon Jun 20, 2022 2:19 pm

Hello,

I am trying to access some devices on my local network by going out through the WAN address (hairpin NAT), but this no longer seems to work. Previously, on RouterOS 6, these two rules took care of it and it worked like a charm:
4 ;;; Camere Dahua internal
chain=srcnat action=masquerade protocol=tcp src-address=192.168.200.0/24 dst-address=192.168.200.4 out-interface=bridge-lan dst-port=5013

5 ;;; Camere Dahua internal
chain=dstnat action=dst-nat to-addresses=192.168.200.4 to-ports=5013 protocol=tcp in-interface=bridge-lan dst-port=5013
Just to give more context: I have a PC with IP 192.168.200.31 and I want to reach the device at 192.168.200.4 by going through the WAN (via its dynamic DNS name). Connecting to the device from outside the 192.168.200.0/24 network using the dynamic DNS name works without issues, but doing the same from inside the network does not.

Any chance someone could help me out with this, please? It has been driving me nuts for some time and I have tried multiple things without success.

Here is my current running config:
# jun/20/2022 14:11:48 by RouterOS 7.1.1
# software id = WCPF-BHYF
#
# model = RB5009UG+S+
# serial number = EC190E454AB4
# NOTE(review): the software id, serial number and the radio MAC addresses further down
# identify this specific unit; redact them before sharing an export publicly.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=ch6 tx-power=10
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5300 name=ch60 tx-power=40
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=ch1 tx-power=20
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=ch11 tx-power=15
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5220 name=ch44 tx-power=20
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5180 name=ch36 tx-power=20
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5260 name=ch52 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ceee frequency=5500 name=ch100 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ceee frequency=5580 name=ch116 tx-power=40
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2427 name=ch4 tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2417 name=ch2 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2422 name=ch3 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2432 name=ch5 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=ch6 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2442 name=ch7 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2447 name=ch8 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2452 name=ch9 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2457 name=ch10 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=ch12 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=ch13 tx-power=15
/interface bridge
add name=bridge-guest
add name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2-lan
set [ find default-name=ether3 ] name=eth3-lan
set [ find default-name=ether4 ] name=eth4-lan
set [ find default-name=ether5 ] name=eth5-lan
set [ find default-name=ether6 ] name=eth6-lan
set [ find default-name=ether7 ] name=eth7-lan
set [ find default-name=ether8 ] name=eth8-lan
/interface pppoe-client
# NOTE(review): the public (ISP) address lives on the PPPoE interface "digi", not on
# eth1-wan. IP packets from the Internet therefore arrive with in-interface=digi; firewall
# rules that match in-interface=eth1-wan never see them (see the filter section below).
add add-default-route=yes disabled=no interface=eth1-wan keepalive-timeout=disabled name=digi user=xxxxxx
/caps-man interface
add disabled=no l2mtu=1600 mac-address=74:4D:28:DF:E9:42 master-interface=none name=cap1 radio-mac=74:4D:28:DF:E9:42 radio-name=744D28DFE942
add disabled=no l2mtu=1600 mac-address=6C:3B:6B:CC:01:01 master-interface=none name=cap2 radio-mac=6C:3B:6B:CC:01:01 radio-name=6C3B6BCC0101
/interface wireguard
add listen-port=51820 mtu=1420 name=Wireguard_wg0
/interface vlan
add interface=eth2-lan name=eth2-vlan-guest vlan-id=15
add interface=eth8-lan name=eth8-vlan-guest vlan-id=15
/caps-man datapath
add bridge=bridge-guest local-forwarding=yes name=SSD_guest_path vlan-id=15 vlan-mode=use-tag
add bridge=bridge-lan client-to-client-forwarding=yes local-forwarding=yes name=SSD_path
/caps-man rates
add basic=6Mbps name=gn_only_no_b_rates supported=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
# WPA2-PSK with AES-CCM and disable-pmkid=yes (prevents offline PMKID capture) on both
# SSIDs — fine as-is.
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=SSD_sec
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=SSD_guest_sec
/caps-man configuration
add channel=ch6 country=romania datapath=SSD_path mode=ap name=SSD_2g4 rates=gn_only_no_b_rates security=SSD_sec ssid=SSD
add channel=ch60 country=romania datapath=SSD_path mode=ap name=SSD_5g_ch60 security=SSD_sec ssid=SSD
add country=romania datapath=SSD_guest_path mode=ap name=SSD_guest_2g4 security=SSD_guest_sec ssid=SSD_guest
add channel=ch52 country=romania datapath=SSD_path mode=ap name=SSD_5g_ch52 security=SSD_sec ssid=SSD
add channel=ch100 country=romania datapath=SSD_path mode=ap name=SSD_5g_ch100 security=SSD_sec ssid=SSD
add channel=ch11 country=romania datapath=SSD_path mode=ap name=SSD_2g4_ch11 rates=gn_only_no_b_rates security=SSD_sec ssid=SSD
add channel=ch4 country=romania datapath=SSD_path mode=ap name=SSD_2g4_ch4 rates=gn_only_no_b_rates security=SSD_sec ssid=SSD
add channel=ch116 channel.band=2ghz-b country=romania datapath=SSD_path mode=ap name=SSD_5g_ch116 security=SSD_sec ssid=SSD
add channel.band=5ghz-n/ac .control-channel-width=20mhz .extension-channel=XXXX country=romania datapath.client-to-client-forwarding=yes \
    .local-forwarding=yes name=cfg-5ghz-ac security=SSD_sec ssid=""
add channel.band=5ghz-onlyn .control-channel-width=20mhz .extension-channel=XX country=romania datapath.client-to-client-forwarding=yes \
    .local-forwarding=yes name=cfg-5ghz-an security=SSD_sec ssid=""
add channel=ch10 country=romania datapath=SSD_path mode=ap name=SSD_2g4_ch10 security=SSD_sec ssid=SSD
/interface list
add name=WAN
add name=LAN
add name=MULLVAN-VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.200.150-192.168.200.200
# NOTE(review): 50.0.0.0/24 is public (non-RFC 1918) address space. Guests can never reach
# the legitimate owners of that range, and every firewall/queue rule keyed on 50.0.0.0/24
# also matches genuine Internet traffic to those addresses. Use a private range
# (10.x.x.x or 172.16-31.x.x) for the guest network.
add name=pool-guest ranges=50.0.0.2-50.0.0.100
add name=pool-vpn ranges=10.10.10.2-10.10.10.7
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge-lan name=dhcp-lan
add address-pool=pool-guest interface=bridge-guest name=dhcp-guest
/queue simple
add dst=digi max-limit=50M/50M name=guest_traffic queue=default/default target=50.0.0.0/24,2a02:2f09:3418:f303::/64 total-queue=default
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp,rest-api
/caps-man manager
# NOTE(review): no certificate= / require-peer-certificate= is shown here, so CAPs and the
# manager do not authenticate each other; a host on bridge-lan could pose as either side.
# Consider certificate=auto with require-peer-certificate=yes once the CAPs are enrolled.
set enabled=yes package-path=/downloads/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-lan
/caps-man provisioning
add action=create-dynamic-enabled comment=2g4_802.11g_capable_radios hw-supported-modes=g identity-regexp=CAPac_Etaj master-configuration=SSD_2g4_ch11 \
    name-format=prefix-identity name-prefix=2g4_ch11 slave-configurations=SSD_guest_2g4
add action=create-dynamic-enabled comment=5g_ch52_802.11ac_capable_radios hw-supported-modes=ac identity-regexp=CAPac_Parter master-configuration=\
    SSD_5g_ch52 name-format=prefix-identity name-prefix=5g_ch52
add action=create-dynamic-enabled comment=5g_ch100_802.11ac_capable_radios hw-supported-modes=ac identity-regexp=CAPac_Etaj master-configuration=\
    SSD_5g_ch100 name-format=prefix-identity name-prefix=5g_ch100
add action=create-dynamic-enabled comment=2g4_802.11g_capable_radios hw-supported-modes=g identity-regexp=CAPac_Parter master-configuration=SSD_2g4_ch4 \
    name-format=prefix-identity name-prefix=2g4_ch4 slave-configurations=SSD_guest_2g4
add action=create-dynamic-enabled comment=5g_ch60_802.11ac_capable_radios disabled=yes identity-regexp=Mikrotik master-configuration=SSD_2g4_ch11 \
    name-format=prefix-identity name-prefix=2g_ch11
add action=create-dynamic-enabled comment=5g_ch116_802.11ac_capable_radios hw-supported-modes=ac identity-regexp=CAPac_Parter master-configuration=\
    SSD_5g_ch116 name-format=prefix-identity name-prefix=5g_ch116
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn master-configuration=SSD_5g_ch116 name-format=prefix-identity name-prefix=2ghz
add action=create-dynamic-enabled disabled=yes hw-supported-modes=ac master-configuration=cfg-5ghz-ac name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled disabled=yes hw-supported-modes=an master-configuration=cfg-5ghz-an name-format=prefix-identity name-prefix=5ghz-an
add action=create-dynamic-enabled disabled=yes identity-regexp=HAP master-configuration=SSD_2g4_ch11
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=HAP master-configuration=SSD_2g4_ch4 name-format=prefix-identity name-prefix=\
    2g4_ch4 slave-configurations=SSD_guest_2g4
/interface bridge port
add bridge=bridge-lan interface=eth2-lan
add bridge=bridge-lan interface=eth3-lan
add bridge=bridge-lan interface=eth4-lan
add bridge=bridge-lan interface=eth5-lan
add bridge=bridge-lan interface=eth6-lan
add bridge=bridge-lan interface=eth7-lan
add bridge=bridge-lan interface=eth8-lan
add bridge=bridge-guest interface=eth2-vlan-guest pvid=15
/interface bridge settings
# NOTE(review): use-ip-firewall pushes frames that are merely BRIDGED between LAN ports
# through the IP firewall (filter, mangle, NAT) as if they were routed. It is only needed
# when those tables must act on LAN-to-LAN traffic, and it is what broke the hairpin NAT
# in this thread: bridged LAN->camera flows were hitting the srcnat rules too. Setting
# both to no resolved the problem.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
# NOTE(review): !dynamic runs neighbor discovery (MNDP/LLDP) on every static interface,
# including the ISP-facing eth1-wan, announcing identity, version and MAC addresses to the
# upstream link. Prefer discover-interface-list=LAN (after removing eth1-wan from LAN).
set discover-interface-list=!dynamic
/ipv6 settings
set accept-router-advertisements=yes
/interface list member
# NOTE(review): eth1-wan is a member of BOTH LAN (here) and WAN (below). Any rule keyed on
# in-interface-list=LAN (e.g. the disabled "drop all not coming from LAN" input rule)
# would treat the ISP-facing port as trusted if re-enabled. Remove this entry.
add interface=eth1-wan list=LAN
add interface=eth2-lan list=LAN
add interface=eth3-lan list=LAN
add interface=eth4-lan list=LAN
add interface=eth5-lan list=LAN
add interface=eth6-lan list=LAN
add interface=eth7-lan list=LAN
add interface=eth8-lan list=LAN
add interface=digi list=WAN
add interface=eth1-wan list=WAN
add interface=bridge-lan list=LAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
# NOTE(review): the LAN gateway address is attached to eth2-lan, a slave port of
# bridge-lan, rather than to bridge-lan itself; RouterOS expects L3 configuration on the
# bridge. Consider interface=bridge-lan — confirm nothing else depends on this.
add address=192.168.200.1/24 interface=eth2-lan network=192.168.200.0
add address=50.0.0.1/24 interface=bridge-guest network=50.0.0.0
add address=192.168.201.1/24 interface=Wireguard_wg0 network=192.168.201.0
/ip arp
add address=192.168.200.11 disabled=yes interface=bridge-lan mac-address=FF:FF:FF:FF:FF:FF
add address=192.168.200.25 disabled=yes interface=bridge-lan mac-address=68:A4:0E:1C:AB:7D
/ip dhcp-server lease
add address=192.168.200.31 client-id=1:70:85:c2:a7:d5:73 comment=RTX mac-address=70:85:C2:A7:D5:73 server=dhcp-lan
add address=192.168.200.4 comment=Dahua mac-address=3C:EF:8C:36:B4:D4 server=dhcp-lan
/ip dhcp-server network
# NOTE(review): guests are handed 50.0.0.1 as their first DNS server, but the input chain
# rejects new connections from bridge-guest to 50.0.0.1 ("drop access to mikrotik on guest
# network"), so only 8.8.8.8 will actually answer. Either accept udp/tcp 53 from
# bridge-guest above that reject, or hand out only the external resolver here.
add address=50.0.0.0/24 comment=dhcp-guest dns-server=50.0.0.1,8.8.8.8 gateway=50.0.0.1
add address=192.168.200.0/24 boot-file-name=netboot.xyz.kpxe comment=dhcp-lan dns-server=192.168.200.1 gateway=192.168.200.1 next-server=192.168.200.11
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for ANY source, and
# the input chain's final "drop all not coming from LAN" rule is disabled (see filter
# section), so this is an open resolver on the IPv4 WAN side — abusable for DNS
# amplification. Re-enable that drop, or add an input drop for udp/tcp 53 with
# in-interface-list=WAN.
set allow-remote-requests=yes cache-size=6048KiB max-concurrent-queries=200 max-concurrent-tcp-sessions=40 servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.200.1 name=mikrotik.lan
add address=192.168.200.4 name=camere.lan
/ip firewall address-list
add address=192.168.200.0/24 comment=Management list=LANs
# The WANs list is the DDNS name resolved periodically by the router; the hairpin mangle
# rule depends on this resolution being current.
add address=test.no-ip.org list=WANs
/ip firewall filter
add action=accept chain=forward disabled=yes in-interface=bridge-lan out-interface=Wireguard_wg0
# NOTE(review): the four port-specific drop rules (23, 80, 8291, 4040) match
# in-interface=eth1-wan, but Internet traffic arrives on the PPPoE interface "digi". They
# therefore block nothing coming from the Internet; match in-interface-list=WAN instead.
# /ip service restricts www, ssh, api and ftp to 192.168.200.0/24, but winbox (8291)
# carries no address restriction in this export, so WinBox is reachable on the public IP
# unless it is restricted elsewhere.
add action=drop chain=input comment="Drop telnet traffic" dst-port=23 in-interface=eth1-wan log=yes protocol=tcp
add action=drop chain=input comment="Drop Mikrotik Web Gui External" dst-port=80 in-interface=eth1-wan log=yes protocol=tcp
add action=drop chain=input comment="Drop Mikrotik WINBOX from External" dst-port=8291 in-interface=eth1-wan log=yes log-prefix=WINBOX protocol=tcp
add action=accept chain=input comment="Allow Wireguard" dst-port=51820 in-interface=digi protocol=udp
# NOTE(review): the two accepts below match only on the WireGuard address range with no
# interface check, so a packet spoofed with a 192.168.201.x source arriving from the WAN
# would also be accepted for forwarding. Add in-interface=Wireguard_wg0 to the src-address
# rule and out-interface=Wireguard_wg0 to the dst-address rule.
add action=accept chain=forward src-address=192.168.201.0/24
add action=accept chain=forward dst-address=192.168.201.0/24
# NOTE(review): tcp/1194 (here) and tcp/443 (further down) are accepted "for OpenVPN", but
# no /interface ovpn-server section appears in this export; if the server is not enabled
# these rules are dead but harmless — confirm and remove if unused. They also match
# eth1-wan rather than digi (see above).
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 in-interface=eth1-wan protocol=tcp
add action=drop chain=input comment=SSH dst-port=4040 in-interface=eth1-wan log=yes protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
# NOTE(review): DISABLED. Without it the input chain has no default drop: every service the
# router runs (DNS, SNMP, bandwidth-test, winbox, ...) is reachable from the Internet unless
# dropped individually. Re-enable it after removing eth1-wan from the LAN list, and move
# the explicit accepts (WireGuard, the OpenVPN 443 rule below) above it.
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=input comment=openvpn dst-port=443 in-interface=eth1-wan protocol=tcp
add action=reject chain=input comment="drop access to mikrotik on guest network" dst-address=50.0.0.1 in-interface=bridge-guest reject-with=\
    icmp-network-unreachable
add action=accept chain=forward comment="no fasttrack for guest traffic upload" connection-state=established,related src-address=50.0.0.0/24
add action=accept chain=forward comment="no fasttrack for guest traffic download" connection-state=established,related dst-address=50.0.0.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=reject chain=forward comment="drop guest traffic" in-interface=bridge-guest out-interface=bridge-lan reject-with=icmp-network-unreachable
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): also DISABLED, so the forward chain has no default drop for new connections
# entering from the WAN list either; only the explicit guest->lan reject above applies.
# Re-enable it.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
add action=reject chain=input comment="drop guest traffic to router" dst-address=192.168.200.0/24 in-interface=bridge-guest reject-with=\
    icmp-network-unreachable
add action=accept chain=input comment=WINBOX disabled=yes dst-port=8291 log=yes protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connections for hairpin NAT" dst-address-list=WANs new-connection-mark="Hairpin NAT" \
    passthrough=yes src-address-list=LANs
add action=mark-routing chain=prerouting comment=Mullvad disabled=yes passthrough=no src-address=192.168.200.9
add action=log chain=prerouting comment="Logging for wireguard" disabled=yes dst-address=192.168.200.0/24 src-address=192.168.201.3
add action=log chain=forward comment="Logging for wireguard" disabled=yes dst-address=192.168.200.0/24 src-address=192.168.201.3
add action=log chain=postrouting comment="Logging for wireguard" disabled=yes dst-address=192.168.200.0/24 src-address=192.168.201.3
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT"
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): overlaps the "Hairpin NAT" masquerade above for hairpinned flows. With
# use-ip-firewall=yes it ALSO masqueraded plain bridged LAN->camera connections on
# tcp/5013, so the camera saw 192.168.200.1 instead of the real client address. With
# use-ip-firewall off this rule only sees routed traffic and is redundant.
add action=masquerade chain=srcnat comment="Camere Dahua internal" dst-address=192.168.200.4 dst-port=5013 out-interface=bridge-lan protocol=tcp \
    src-address=192.168.200.0/24
# NOTE(review): no dst-address match, so ANY tcp/5013 connection from the LAN — even one to
# a remote server — is redirected to the camera. Merge with the WAN rule below: drop
# in-interface and match dst-address-list=WANs (or dst-address-type=local, which also
# catches the router's own LAN address).
add action=dst-nat chain=dstnat comment="Camere Dahua internal" dst-port=5013 in-interface=bridge-lan protocol=tcp to-addresses=192.168.200.4 to-ports=\
    5013
# NOTE(review): publishes the Dahua camera's tcp/5013 directly on the Internet. A WireGuard
# interface already exists (Wireguard_wg0); reaching the camera over the VPN instead of a
# port forward removes that exposure. If the forward must stay, restrict src-address(-list)
# where possible.
add action=dst-nat chain=dstnat comment="Camere Dahua" dst-port=5013 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.4 to-ports=5013
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment="proxy dns" disabled=yes dst-port=53 protocol=tcp to-ports=53
/ip route
add disabled=yes distance=1 gateway=eth1-wan
add comment="Wireguard range" disabled=yes distance=1 dst-address=192.168.201.0/24 gateway=bridge-lan pref-src=192.168.200.1 routing-table=main scope=\
    10 suppress-hw-offload=no target-scope=10
/ip service
set telnet address=192.168.200.0/24 disabled=yes
# NOTE(review): FTP is cleartext; it is restricted to the LAN here, but disable it unless it
# is really used (the ssh service also provides sftp/scp).
set ftp address=192.168.200.0/24
set www address=192.168.200.0/24
set ssh address=192.168.200.0/24 port=4040
set api address=192.168.200.0/24
set api-ssl disabled=yes
/ipv6 address
add address=::2ec8:1bff:feff:d5ea eui-64=yes from-pool=myipv6 interface=bridge-lan
add address=::2ec8:1bff:feff:d5ea eui-64=yes from-pool=myipv6 interface=bridge-guest
/ipv6 dhcp-client
add interface=digi pool-name=myipv6 request=prefix
/ipv6 firewall filter
add action=drop chain=input comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment=openvpn dst-port=443 in-interface=eth1-wan protocol=tcp
# Input chain does end with a default drop (good); the forward chain below does not.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface=!bridge-lan
add action=drop chain=forward disabled=yes in-interface=bridge-lan src-address=2a02:1810:480c:4600:70f4:5102:9fab:c901/128
add action=reject chain=forward comment="reject guest to lan traffic" in-interface=bridge-guest out-interface=bridge-lan reject-with=\
    icmp-address-unreachable
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): no /ipv6 firewall address-list section appears in this export, so the
# bad_ipv6 list referenced by the next two rules may be empty and they may match nothing.
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
# NOTE(review): the IPv6 forward chain ends here with NO default drop (the default
# configuration's "drop everything else not coming from LAN" forward rule is absent).
# Every host on bridge-lan and bridge-guest that takes a global address from the delegated
# prefix is therefore reachable from the Internet on all ports. Append, after removing
# eth1-wan from the LAN list:
#   add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/snmp
# NOTE(review): SNMP is enabled and no /snmp community section appears in this export, so
# the default read-only community (typically "public") presumably applies and, with no
# default input drop, is queryable from the Internet. Set a non-default community with
# addresses= limited to management hosts, or drop udp/161 from in-interface-list=WAN.
set contact=Sami enabled=yes
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=Mikrotik_router
/system logging
add disabled=yes topics=!ssh
add disabled=yes topics=wireless
add disabled=yes topics=dhcp
add disabled=yes topics=debug
add disabled=yes topics=dns
add topics=script
add disabled=yes topics=dhcp
add disabled=yes topics=ovpn
add disabled=yes topics=!snmp
add action=GMAIL topics=critical,!ovpn
add action=GMAIL disabled=yes prefix="<addr 7" topics=pppoe
add action=YAHOO topics=critical,!ovpn
/system ntp client
set enabled=yes
/system ntp client servers
add address=ro.pool.ntp.org
/system routerboard settings
set cpu-frequency=auto
/tool bandwidth-server
# NOTE(review): unauthenticated bandwidth-test server (enabled by default, tcp/udp 2000).
# With no default input drop anyone on the Internet can use it to saturate the link. Set
# authenticate=yes or enabled=no.
set authenticate=no
/tool graphing interface
add
add interface=eth1-wan
/tool sniffer
set file-limit=100000KiB file-name=cameras_local.pcap filter-interface=all filter-ip-address=192.168.200.4/32 memory-limit=10000KiB
 
sindy

Re: Access device from local network through WAN

Mon Jun 20, 2022 3:21 pm

Do you remember why you have set these?

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes


I can see no reason for that, and it is known to break NAT processing of normal traffic: with those settings, frames that are merely bridged between LAN ports are pushed through the IP firewall, mangle and NAT tables as if they were routed.
 
Sob

Re: Access device from local network through WAN

Mon Jun 20, 2022 3:26 pm

It's called hairpin NAT and it works the same way in v7 as it did in v6, nothing changed there.

Your "Camere Dahua internal" rule is slightly wrong, because it doesn't specify a destination, so it intercepts all traffic to port 5013, even traffic meant for some remote server. But that is not what breaks access to yours. You don't need separate dstnat rules for internal and external traffic; one common rule will do: remove the in-interface option and add dst-address-type=local instead (note that this matches any address the router itself holds, including 192.168.200.1; dst-address-list=WANs would be the narrower match).

Your firewall doesn't block it either, so it should work.
 
slaz

Re: Access device from local network through WAN

Mon Jun 20, 2022 9:56 pm

Like this?
[sami@Mikrotik_router] > ip firewall/nat/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; Hairpin NAT
      chain=srcnat action=masquerade connection-mark=Hairpin NAT log=no log-prefix="" 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 2 X  ;;; Wireguard hairpin nat
      chain=dstnat action=dst-nat to-addresses=192.168.200.1 to-ports=51820 protocol=udp dst-address-list=WANs dst-port=51820 log=no log-prefix="" 

 4    ;;; Camere Dahua internal
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.200.0/24 dst-address=192.168.200.4 out-interface=bridge-lan dst-port=5013 log=no 
      log-prefix="" 

 5    ;;; Camere Dahua internal
      chain=dstnat action=dst-nat to-addresses=192.168.200.4 to-ports=5013 protocol=tcp dst-address-type=local dst-port=5013 log=no log-prefix="" 

22 X  chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 

23 X  ;;; proxy dns
      chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 

With this it doesn't work either
 
sindy

Re: Access device from local network through WAN

Mon Jun 20, 2022 11:09 pm

With this it doesn't work either
So maybe it's time to try the advice from my previous post?
 
slaz

Re: Access device from local network through WAN

Mon Jun 20, 2022 11:35 pm

With this it doesn't work either
So maybe it's time to try the advice from my previous post?
This is nice — now it works like a charm. But what did I just disable? I'm happy that it works, but I also want to understand why.
Many many thanks. Much appreciated
 
sindy

Re: Access device from local network through WAN

Tue Jun 21, 2022 12:08 am

But now, what did I just disable?
These settings force packets through the IP firewall (filter, mangle and NAT) even while they are merely being bridged between ports of the same bridge. That is only required if you need those tables to act on bridged-only (i.e. not routed) traffic, e.g. for QoS marking, and it is known to break NAT handling of ordinary routed traffic. The names of the configuration parameters are a bit misleading.

So since you did not know why it was enabled, you did not actually need it.
