I've tried, but the NAT rule never even logs a hit. What I'm attempting to do (with the added detail of port translation instead of port forwarding) is precisely equivalent to the wiki examples of exposing a LAN web server out to the WAN. According to all the examples, the one dst-nat rule is all that is needed. There's never any discussion of difficulty for the server on the LAN to "get back" to the WAN invoker.
I'm wondering if some other part of my standard CPE configuration is sabotaging this mechanism. I know it's not the firewall, but I can't shake the feeling that there's something else simple and stupid that I'm missing.

On May 23, 2014, at 12:19 AM, Alexander Neilson <[email protected]> wrote:

> Ok. So it probably can't get back to you. Maybe need to source NAT your
> packets.
>
> Regards
>
> Alexander
>
> Alexander Neilson
> Neilson Productions Ltd
> [email protected]
> 021 329 681
>
>> On 23/05/2014, at 6:53 pm, Grand Avenue Broadband
>> <[email protected]> wrote:
>>
>> The WiFi box is configured as an AP, not a router, so it doesn't have any
>> routes. It's just a glorified unmanaged switch with a radio in it. Only
>> the LAN ports are used.
>>
>>> On May 22, 2014, at 10:52 PM, Alexander Neilson <[email protected]>
>>> wrote:
>>>
>>> Does your wifi ap have a route through the gateway / default route?
>>>
>>> Also does your wifi ap allow management outside the local subnet?
>>>
>>> Unless it has a default gateway it won't know where to send the packets
>>> back to in order to reach you.
>>>
>>> If it doesn't allow management from remote addresses you may need to allow
>>> "remote management" and a remote range to allow to manage.
>>>
>>> In this case dst nat changes the packet destination as you saw but the
>>> source is still your own IP address so it will be outside the subnet and
>>> also "remote".
>>>
>>> Try checking those too, and if it's still not working let us know.
>>>
>>> Regards
>>>
>>> Alexander
>>>
>>> Alexander Neilson
>>> Neilson Productions Ltd
>>> [email protected]
>>> 021 329 681
>>>
>>>> On 23/05/2014, at 4:26 pm, Grand Avenue Broadband
>>>> <[email protected]> wrote:
>>>>
>>>> I'm buffaloed by port translation, which is supposedly very simple.
>>>>
>>>> I set all my subscribers up with a NATted LAN at 192.168.10.0/24, the
>>>> router at .1, the DHCP range at .100-.115 or so, and if they have a WiFi
>>>> router, I hardcode it to .2 and configure it as an access point, no NAT.
>>>> The CPE (SXT or other) does all the NAT.
>>>>
>>>> I want to be able to access the setup screen on each household WiFi AP so
>>>> I can handle additional classes of problems without driving out.
>>>>
>>>> I set up NAT as so (10.2.1.251 is the WAN of the CPE I am testing with):
>>>>
>>>> /ip firewall nat
>>>> add action=dst-nat chain=dstnat dst-address=10.2.1.251 dst-port=8080
>>>> protocol=tcp to-addresses=192.168.10.2 to-ports=80
>>>> add action=masquerade chain=srcnat out-interface=WLAN to-addresses=0.0.0.0
>>>>
>>>> When I browse to 10.2.1.251:8080 at the NOC, I see the packet come in the
>>>> WAN, I see it get NATted to 192.168.10.2:80, I see a response come in the
>>>> ether from the WiFi, and then... nothing. Connection stays at SYN, then
>>>> dies.
>>>>
>>>> I know it's not a firewall issue, because I temporarily bypassed the
>>>> firewall with unconditional ACCEPT statements for all chains at the top.
>>>>
>>>> I have no problems setting up a PPTP VPN on the CPE, logging into it,
>>>> becoming a member of the LAN, and accessing the WiFi that way, but it
>>>> burns me that I should be able to make it work the simpler way and I just
>>>> can't do it.
>>>>
>>>> Any ideas? Thanks in advance.
>>>> _______________________________________________
>>>> Mikrotik mailing list
>>>> [email protected]
>>>> http://mail.butchevans.com/mailman/listinfo/mikrotik
>>>>
>>>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
>>>> RouterOS
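The source-NAT fix Alexander suggests, written out as an added example (not configuration from the thread): it assumes the CPE's LAN address is 192.168.10.1 as described in the thread, and uses 192.0.2.0/24 as a placeholder for the NOC's source range so that only the NOC can reach the AP's web UI through the CPE.

```routeros
/ip firewall nat
# 1. Translate 10.2.1.251:8080 on the WAN side to the AP's web UI,
#    but only for connections from the NOC (192.0.2.0/24 is a placeholder;
#    replace it with the NOC's real source range).
add action=dst-nat chain=dstnat protocol=tcp \
    src-address=192.0.2.0/24 dst-address=10.2.1.251 dst-port=8080 \
    to-addresses=192.168.10.2 to-ports=80 \
    comment="AP web UI, NOC only"

# 2. The AP has no default gateway, so a reply to a WAN source address is
#    dropped. Rewrite the source of the already-translated packets to the
#    CPE's own LAN address (192.168.10.1, assumed) so the AP answers a host
#    on its own subnet; the CPE's connection tracking then reverses both
#    translations on the way back. srcnat runs after dstnat, so matching on
#    the translated destination 192.168.10.2:80 is correct here.
add action=src-nat chain=srcnat protocol=tcp \
    src-address=!192.168.10.0/24 dst-address=192.168.10.2 dst-port=80 \
    to-addresses=192.168.10.1 \
    comment="hairpin source for AP web UI"

# 3. The existing masquerade for normal subscriber traffic stays as it was.
add action=masquerade chain=srcnat out-interface=WLAN
```

With the src-nat rule in place, `/ip firewall connection print` on the CPE should show the NOC connection with a reply-src of 192.168.10.2:80 and a reply-dst of 192.168.10.1, rather than sitting in SYN.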

