When he is attempting to view the cameras, is he doing so using their public IPs? Is he having trouble viewing the local camera but can view the remote camera?

If the answer to both is yes, it could be a situation where you need to implement hairpin NAT. I was unable to view a local webserver using the public IP address on MT until I implemented these rules.

My hairpin rule looks like this:
add action=masquerade chain=srcnat comment="" disabled=no dst-address-type="" dst-port=80 protocol=tcp src-address=192.168.1.0/24 \
    src-address-type=""

You'd just need to modify it for your ports.

Rory McCann
Minn-Kota Ag Products
P: 218-643-8464 | E: [email protected]
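
An added example, not part of the original message: a short Python trace of one TCP connection to the public address, showing why the masquerade rule above is needed and that a dst-nat rule restricted to in-interface=ether1-gateway (as in the quoted export below) does not match packets arriving from the LAN. The address 203.0.113.157 stands in for xxx.xxx.199.157, the router LAN address 192.168.1.1 is assumed, and the function name is hypothetical.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC = "203.0.113.157"    # constructed stand-in for xxx.xxx.199.157
ROUTER_LAN = "192.168.1.1"  # assumed LAN address of the router
SERVER = "192.168.1.250"    # camera server in the first router's export


def hairpin(client, dstnat_in_interface, hairpin_masquerade):
    """Trace one TCP connection from `client` to PUBLIC:80."""
    on_lan = ipaddress.ip_address(client) in LAN
    in_if = "lan" if on_lan else "ether1-gateway"
    src = client

    # dstnat: a rule with in-interface set matches only that interface.
    if dstnat_in_interface not in (None, in_if):
        return "no dst-nat match: packet is delivered to the router itself"

    # srcnat: the hairpin rule (src-address=192.168.1.0/24) rewrites
    # LAN sources to the router's own address before forwarding.
    if hairpin_masquerade and on_lan:
        src = ROUTER_LAN

    # The server answers whatever source address it saw.
    if ipaddress.ip_address(src) in LAN and src != ROUTER_LAN:
        # Same subnet: the reply goes straight to the client, bypassing
        # the router, so nothing restores the public source address.
        reply_src = SERVER
    else:
        # The reply passes back through the router, where connection
        # tracking reverses the translations.
        reply_src = PUBLIC

    if reply_src != PUBLIC:
        return f"client drops reply: expected {PUBLIC}, got {reply_src}"
    return "connected"


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "ether1-gateway", False),  # outside viewer
        ("192.168.1.10", "ether1-gateway", True),   # dst-nat bound to WAN
        ("192.168.1.10", None, False),              # no hairpin srcnat
        ("192.168.1.10", None, True),               # full hairpin NAT
    ]
    for case in cases:
        print(case, "->", hairpin(*case))
```
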

On 10/29/2010 3:40 PM, Alan Bryant wrote:
Yes, they are publics; we are not double NATing.

We will try switching one of the LAN subnets on Monday and see if that
makes a difference.

Thanks for the suggestions.

On Fri, Oct 29, 2010 at 12:56 PM, Jeromie Reeves <[email protected]> wrote:
What IP is each LAN trying to access? It looks to be xxx.xxx.199.157
and xxx.xxx.11.2? Are these publics? We have a number of BigDog
security DVRs on the network and they did not like double NAT where
each NAT had the same IP range. I would change the LAN IPs on one
side or the other (something 10.x/24) and set up a PPTP and just route
the single IP needed to each side.


On Fri, Oct 29, 2010 at 10:41 AM, Terri Kelley <[email protected]> wrote:
Subnets the same on both LANs?
They are each behind NAT. Personally do 10./24's everyplace.

Terri Kelley
Network Engineer
254-697-6710 x 1140
Farm to Market Broadband
www.farm-market.net



On Oct 29, 2010, at 12:11 PM, Alan Bryant wrote:

I'm having issues with some port forwarding rules.

I have two locations which both have RB750's. I am forwarding ports so
that the customer can view his cameras at both locations.

The problem is, he is unable to view the cameras from one location at
the other location and vice versa. Basically, he cannot view the
cameras between the two.

Any suggestions or advice would be greatly appreciated.

Here is the /ip firewall filter export of the first one:

/ip firewall filter
add action=accept chain=input comment="Added by webbox" disabled=no \
    protocol=icmp
add action=accept chain=input comment="Winbox from Gtek" disabled=no \
    dst-port=8291 protocol=tcp src-address=xxx.xxx.11.2
add action=accept chain=input comment="SSH from Gtek" disabled=no \
    dst-port=9122 protocol=tcp src-address=xxx.xxx.11.2
add action=accept chain=input comment="Added by webbox" \
    connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="Added by webbox" \
    connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="Added by webbox" disabled=no \
    in-interface=ether1-gateway
add action=jump chain=forward comment="Added by webbox" disabled=no \
    in-interface=ether1-gateway jump-target=customer
add action=accept chain=customer comment="Camera Server" disabled=no \
    dst-address=192.168.1.250 dst-port=80,1111,2222,3333,4444,6666 \
    in-interface=ether1-gateway protocol=tcp
add action=accept chain=customer comment="Added by webbox" \
    connection-state=established disabled=no
add action=accept chain=customer comment="Added by webbox" \
    connection-state=related disabled=no
add action=drop chain=customer comment="Added by webbox" disabled=no

/ip firewall nat for the first one:

/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.199.157 dst-port=80 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.250 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.199.157 dst-port=1111 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.250 to-ports=1111
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.199.157 dst-port=2222 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.250 to-ports=2222
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.199.157 dst-port=3333 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.250 to-ports=3333
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.199.157 dst-port=4444 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.250 to-ports=4444
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.199.157 dst-port=6666 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.250 to-ports=6666
add action=masquerade chain=srcnat comment="Added by webbox" \
    disabled=no out-interface=ether1-gateway

/ip firewall export from the second one:

/ip firewall filter
add action=accept chain=input comment="Added by webbox" disabled=no \
    protocol=icmp
add action=accept chain=input comment="Winbox from Gtek" disabled=no \
    dst-port=8291 protocol=tcp src-address=xxx.xxx.11.2
add action=accept chain=input comment="SSH from Gtek" disabled=no \
    dst-port=9122 protocol=tcp src-address=xxx.xxx.11.2
add action=accept chain=input comment="Added by webbox" \
    connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="Added by webbox" \
    connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="Added by webbox" disabled=no \
    in-interface=ether1-gateway
add action=jump chain=forward comment="Added by webbox" disabled=no \
    in-interface=ether1-gateway jump-target=customer
add action=accept chain=customer comment="Added by webbox" \
    connection-state=established disabled=no
add action=accept chain=customer comment="Added by webbox" \
    connection-state=related disabled=no
add action=accept chain=customer comment="Camera Server" disabled=no \
    dst-address=192.168.1.212 dst-port=80,1111,2222,3333,4444,6666 \
    protocol=tcp
add action=accept chain=customer comment="" disabled=yes \
    dst-address=192.168.1.100 dst-port=5631-5632 protocol=tcp
add action=accept chain=customer comment="" disabled=yes \
    dst-address=192.168.1.200 dst-port=5634-5635 protocol=tcp
add action=accept chain=customer comment="" disabled=yes \
    dst-address=192.168.1.150 dst-port=7000-7001 protocol=tcp
add action=drop chain=customer comment="Added by webbox" disabled=no

/ip firewall nat from the second one:

/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.11.245 dst-port=80 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.212 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=yes \
    dst-address=xxx.xxx.11.245 dst-port=5631-5632 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.100 \
    to-ports=5631-5632
add action=dst-nat chain=dstnat comment="" disabled=yes \
    dst-address=xxx.xxx.11.245 dst-port=5634-5635 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.200 \
    to-ports=5634-5635
add action=dst-nat chain=dstnat comment="" disabled=yes \
    dst-address=xxx.xxx.11.245 dst-port=7000-7001 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.150 \
    to-ports=7000-7001
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.11.245 dst-port=1111 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.212 to-ports=1111
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.11.245 dst-port=2222 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.212 to-ports=2222
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.11.245 dst-port=3333 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.2.212 to-ports=3333
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.11.245 dst-port=4444 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.212 to-ports=4444
add action=dst-nat chain=dstnat comment="" disabled=no \
    dst-address=xxx.xxx.11.245 dst-port=6666 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.2.212 to-ports=6666
add action=masquerade chain=srcnat comment="Added by webbox" \
    disabled=no out-interface=ether1-gateway

--
Alan Bryant
Gtek Computers & Wireless L.L.C.
Office: 361-777-1400 | Fax: 361-777-1405
[email protected] | www.gtek.biz

_______________________________________________
Mikrotik mailing list
[email protected]
http://www.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS