Does your wifi ap have a route through the gateway / default route? Also does your wifi ap allow management outside the local subnet?
Unless it has a default gateway it won't know where to send the packets back to in order to reach you.

If it doesn't allow management from remote addresses you may need to allow "remote management" and a remote range to allow to manage.

In this case dst nat changes the packet destination as you saw but the source is still your own IP address so it will be outside the subnet and also "remote".

Try checking those too, and if it's still not working let us know.

Regards
Alexander

Alexander Neilson
Neilson Productions Ltd
[email protected]
021 329 681

> On 23/05/2014, at 4:26 pm, Grand Avenue Broadband <[email protected]> wrote:
>
> I'm buffaloed by port translation, which is supposedly very simple.
>
> I set all my subscribers up with a NATted LAN at 192.168.10.0/24, the router at .1, the DHCP range at .100-.115 or so, and if they have a WiFi router, I hardcode it to .2 and configure it as an access point, no NAT. The CPE (SXT or other) does all the NAT.
>
> I want to be able to access the setup screen on each household WiFi AP so I can handle additional classes of problems without driving out.
>
> I set up NAT as so (10.2.1.251 is the WAN of the CPE I am testing with):
>
> /ip firewall nat
> add action=dst-nat chain=dstnat dst-address=10.2.1.251 dst-port=8080 protocol=tcp to-addresses=192.168.10.2 to-ports=80
> add action=masquerade chain=srcnat out-interface=WLAN to-addresses=0.0.0.0
>
> When I browse to 10.2.1.251:8080 at the NOC, I see the packet come in the WAN, I see it get NATted to 192.168.10.2:80, I see a response come in the ether from the WiFi, and then... nothing. Connection stays at SYN, then dies.
>
> I know it's not a firewall issue, because I temporarily bypassed the firewall with unconditional ACCEPT statements for all chains at the top.
>
> I have no problems setting up a PPTP VPN on the CPE, logging into it, becoming a member of the LAN, and accessing the WiFi that way, but it burns me that I should be able to make it work the simpler way and I just can't do it.
>
> Any ideas? Thanks in advance.
> _______________________________________________
> Mikrotik mailing list
> [email protected]
> http://mail.butchevans.com/mailman/listinfo/mikrotik
>
> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
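
An added illustration, not part of the original thread: a small Python model of the two checks suggested in the reply (a default gateway on the AP, and remote management allowed for the source address), run against the addresses from the post. The NOC address 10.2.1.10, the VPN client address 192.168.10.120, the 10.2.1.0/24 management range and the rule that on-link sources are always allowed to manage are assumptions.

```python
import ipaddress


def ap_reply_problems(ap_if, src_ip, gateway=None, remote_mgmt=()):
    """Return the reasons a bridged AP cannot answer a management request.

    ap_if       -- AP address with prefix, e.g. "192.168.10.2/24"
    src_ip      -- source address the AP sees; dst-nat rewrites only the
                   destination, so this is still the original client
    gateway     -- default gateway configured on the AP, or None
    remote_mgmt -- networks allowed to manage the AP from off-subnet
                   (assumed model of a "remote management" setting)
    An empty list means the reply can get back to the client.
    """
    iface = ipaddress.ip_interface(ap_if)
    src = ipaddress.ip_address(src_ip)
    problems = []

    # On-link source (e.g. a PPTP client handed a LAN address): the AP
    # replies directly, and local management is assumed to be allowed.
    if src in iface.network:
        return problems

    # Check 1: an off-subnet reply needs a usable default gateway.
    if gateway is None:
        problems.append("no default gateway")
    elif ipaddress.ip_address(gateway) not in iface.network:
        problems.append("gateway not on-link")

    # Check 2: the off-subnet source must be in an allowed management range.
    if not any(src in ipaddress.ip_network(n) for n in remote_mgmt):
        problems.append("source not allowed to manage")

    return problems


AP = "192.168.10.2/24"   # from the post
NOC = "10.2.1.10"        # constructed sample address
VPN = "192.168.10.120"   # constructed sample address

if __name__ == "__main__":
    print("port forward, AP as described:", ap_reply_problems(AP, NOC))
    print("gateway set only:", ap_reply_problems(AP, NOC, "192.168.10.1"))
    print("gateway + remote range:",
          ap_reply_problems(AP, NOC, "192.168.10.1", ["10.2.1.0/24"]))
    print("via PPTP VPN:", ap_reply_problems(AP, VPN))
```

The last case returns no problems even with no gateway set, which matches the observation in the post that access over the PPTP VPN works while the port forward does not.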

