kallquk
just joined
Topic Author
Posts: 24
Joined: Thu Jan 16, 2014 9:01 pm

port forwarding to dynamic ip is possible ?

Sat Jan 21, 2023 10:22 pm

Hello,

I have two routerboards: the main one with a PPPoE server, and the second one with a PPPoE client.

I need to forward some ports from the public IP on the main RB to the second RB, which has a dynamic IP (different after any restart). I can take the DDNS name from the cloud of the second RB, which is immediately resolved OK from the main routerboard, but how can I use it? The classical dst-nat rule resolves it once only.

There are thousands of threads explaining the same thing, port forwarding where the WAN IP is dynamic and the LAN IP is constant. I did not find any post explaining the case when the LAN IP is dynamic.
I can make the pool in the main RB one IP smaller, and use the secret to make this PPPoE client always take the same IP, and I did it in the past.
Can I do it differently (keeping the client IP dynamic)?

Thanks in advance
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding to dynamic ip is possible ?

Sun Jan 22, 2023 5:18 pm

I am not familiar with PPPoE shenanigans, like how the PPPoE client can get a different public IP behind the first router where one would think is the right public IP.

Nevertheless, if your second RB using IP cloud gets a unique public IP registered, the correct one, and is reachable...
Then nothing is required on the first router, simply set up port forwarding rules on the second one.

Typically need one forward chain rule - viewtopic.php?t=179343
/ip firewall filter
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

And a destination NAT rule...
/ip firewall nat
add chain=dstnat action=dst-nat dst-address-list=updatedCloudIP protocol=tcp dst-port=12566 to-addresses=192.168.88.68

Where:
/ip cloud
set ddns-enabled=yes

/ip firewall address-list
add address=cloud.mikrotik.com list=updatedCloudIP
add address=cloud2.mikrotik.com list=updatedCloudIP
 
kallquk
just joined
Topic Author
Posts: 24
Joined: Thu Jan 16, 2014 9:01 pm

Re: port forwarding to dynamic ip is possible ?

Sun Jan 22, 2023 8:26 pm

Thank you for helping me. I am reading your recommended article, to see if this fits my case.

I am trying to do the opposite. The WAN IP is one constant but the LAN IP is dynamic.
Let me give an example (that I need to do also).
I have the MikroTik with ONE public WAN IP a.b.c.d, and a PPPoE server on it, with approx. 2000 clients.
I need to port forward a.b.c.d:58291 to a specific client, port=8291. The IP of this client is dynamic, varying through 2000 IPs.

How can I do that? Using scripts maybe?
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding to dynamic ip is possible ?

Mon Jan 23, 2023 3:59 am

So what you are saying is that you do not know the TO-ADDRESS, where the traffic will land???

Too confusing for me and outside of my skill range......... :-(
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: port forwarding to dynamic ip is possible ?

Mon Jan 23, 2023 9:00 am

> I need to portforward port a.b.c.d:58291 to a specific client, port=8291, the ip of this client is dynamic,various through 2000 ips.

None of the ISPs I know will port forward to clients with dynamic addresses. And it doesn't matter if client addresses are public or private. If I was in your place, I'd fix the client's address (make a static DHCP lease or something) and then forward the port to that IP address. Many ISPs will charge extra for a static IP address and/or port forwarding (if it's out of the ordinary for that ISP) and if you do the same, you'll have a financial incentive to do things right :wink:
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: port forwarding to dynamic ip is possible ?

Mon Jan 23, 2023 10:04 am

I have no experience with PPPoE, but is there a possibility to forward to the interface (PPPoE username) instead of the IP?
Or make a script that uses the IP that the PPPoE gets and changes the filter rules to use the correct IP.


----------------------------------------------------------------------------------------
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
Last edited by Jotne on Sun Feb 12, 2023 9:58 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: port forwarding to dynamic ip is possible ?

Mon Jan 23, 2023 4:13 pm

My experience is from the client's point of view ... when a PPPoE session successfully starts, ROS creates an L3 interface ... it automatically receives an IPv4 address and point-to-point routing. The default route then uses the interface name as gateway. When it comes to NAT, it's generic (to-address and to-ports) and doesn't care about interfaces.

I somehow expect things to be similar on the PPPoE server side (large number of PPPoE interfaces ... possibly without dedicated addresses attached, because for routing one needs destination and gateway, which can be a PtP interface name).

I don't know if it's possible to configure ROS to run a script on a PPPoE interface up event ... and if it actually receives the needed data (e.g. user name). If it's not possible, then a scheduled script might do the trick, but since it would be scheduled, the NAT update would be delayed.

I still think @OP should go for static IP addresses for clients which need port forwarding ...
 
kallquk
just joined
Topic Author
Posts: 24
Joined: Thu Jan 16, 2014 9:01 pm

Re: port forwarding to dynamic ip is possible ?

Mon Jan 23, 2023 5:06 pm

Yes, it is a fix that I am trying to do.

My routerboard, besides the secret username of the PPPoE client, also knows the DDNS name of the client (xxx.sn.mynetname.net).
The routerboard resolves it OK, I can put it in an address-list etc., and the command:
add chain=dstnat action=dst-nat dst-address=a.b.c.d protocol=tcp dst-port=58291 to-ports=8291 to-addresses=xxx.sn.mynetname.net
is accepted, but it resolves the DNS name immediately, and once only.

As I tried, TO-ADDRESSES accepts ranges, where I can put for example the pool of the PPPoE server, and then with a second rule drop all except toward this address-list. If this method is possible, it may be CPU expensive (which I must care about too).
Or, if there are PPPoE events, a script identifies the old NAT rule, deletes it, and creates a new one.
I don't know; I'd much appreciate any help.

PS

Until now I did as you suggested, restricting the pool of the PPPoE server, and forcing the client to always take the same address out of the pool.
I am asking if something else is possible.

Thanks again for the help
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: port forwarding to dynamic ip is possible ?

Mon Jan 23, 2023 11:22 pm

Here is how to do it.

1. Make the NAT rule you like, with the comment the same as the user name.
192.168.1.8 = your public IP. (NAT rules may be adapted to your situation)
1.1.1.1 = dummy IP that will be changed
hanson = PPPoE user name that you like to give NAT for
/ip firewall nat
add action=dst-nat chain=dstnat comment=hanson dst-address=192.168.1.8 dst-port=80 protocol=tcp to-addresses=1.1.1.1
2. Then add this code to the ppp->profiles->profile you use for your PPPoE clients->scripts->on up
# point the NAT rule tagged with this user's name at the address the session received
:if ($user = "hanson") do={
/ip firewall nat set [find where comment="hanson"] to-addresses=$"remote-address"
:log info message="NAT IP for user=\"$user\" changed"
}
This will then set the IP for the PPPoE client to the remote IP he did get when connected.
I only did a simple test, so some adjustment may be required.

If more than one needs this type of dynamic NAT, just repeat the script like this:
:if ($user = "hanson") do={
/ip firewall nat set [find where comment="hanson"] to-addresses=$"remote-address"
:log info message="NAT IP for user=\"$user\" changed"
}
:if ($user = "elvis") do={
/ip firewall nat set [find where comment="elvis"] to-addresses=$"remote-address"
:log info message="NAT IP for user=\"$user\" changed"
}
PS. They must have different ports, so a port can only be forwarded to one user.

Note. What gave me some headache was the variable remote-address. I could not get it to work, but after lots of googling found out that you need to quote it like this $"remote-address". A better approach would be to not use - in variables, or to support bash format like this ${remote-address}. Old documentation found here: https://wiki.mikrotik.com/wiki/Manual:PPP_AAA



Last edited by Jotne on Sun Feb 12, 2023 9:58 pm, edited 1 time in total.
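
The approach in the post above, generalized as an added example (not part of the original post): one on-up script that serves every user by looking up the NAT rule whose comment equals $user, plus an on-down script that disables the rule when the session ends, so a stale forward never points at an address the pool has since handed to a different client. It assumes each such dst-nat rule has a comment that is exactly the PPPoE user name and that no other NAT rule uses that comment; the two parts go into the profile's on-up and on-down fields separately.

```routeros
# Added example. Assumption: every dynamic dst-nat rule carries a comment that
# is exactly the PPPoE user name (as in step 1 above) and no other NAT rule does.

# --- PPP profile, "on-up" script ---
# $user and $"remote-address" are supplied by RouterOS when the session starts.
:local addr $"remote-address"
:local rules [/ip firewall nat find where comment=$user]
:if ([:len $rules] > 0) do={
    # Point the forward at the address this session received and re-enable it.
    /ip firewall nat set $rules to-addresses=$addr disabled=no
    :log info message="dst-nat for PPPoE user \"$user\" enabled, to-addresses=$addr"
}

# --- PPP profile, "on-down" script ---
# The address returns to the pool on disconnect; disable the rule so the
# forward cannot reach whichever client is handed that address next.
:local rules [/ip firewall nat find where comment=$user]
:if ([:len $rules] > 0) do={
    /ip firewall nat set $rules disabled=yes
    :log info message="dst-nat for PPPoE user \"$user\" disabled (session down)"
}
```

Users without a matching NAT rule are skipped silently, so the same profile can be shared by all PPPoE clients.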
 
kallquk
just joined
Topic Author
Posts: 24
Joined: Thu Jan 16, 2014 9:01 pm

Re: port forwarding to dynamic ip is possible ?

Tue Jan 24, 2023 9:12 pm

thank you very much Jotne, it is a complete success
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: port forwarding to dynamic ip is possible ?

Tue Jan 24, 2023 9:54 pm

You are welcome :)

Learn RouterOS scripting and a big world will open up.
With log messages, you can use external tools (like Splunk) and monitor when a PPPoE user logs in and out.

