It's entirely possible. However I wonder if you do a packet capture on the LAN interface of your Mikrotik look inside the packets.
Also you should then see if any packets are generated in reply. In the case of exposing a web server the web server has a default route and so it knows to send its replies to the default gateway. In the case of your wifi ap I still strongly believe that having no route would mean it couldn't generate the packets. Can you telnet into it on the inside of the network and see if you can try a ping / traceroute. Or even expose the route table. More often than that I usually find a limit on management outside the subnet on by default that you need to turn off or modify. If you are concerned please feel free to share your config to see if more eyes find it.

Regards

Alexander

Alexander Neilson
Neilson Productions Ltd
[email protected]
021 329 681

> On 23/05/2014, at 8:34 pm, Grand Avenue Broadband <[email protected]> wrote:
>
> I've tried, but the NAT rule never even logs a hit.
>
> What I'm attempting to do (with the added detail of port translation instead
> of port forwarding) is precisely equivalent to the wiki examples of exposing
> a LAN web server out to the WAN. According to all the examples, the one
> dst-nat rule is all that is needed. There's never any discussion of
> difficulty for the server on the LAN to "get back" to the WAN invoker.
>
> I'm wondering if some other part of my standard CPE configuration is
> sabotaging this mechanism. I know it's not the firewall, but I can't shake
> the feeling that there's something else simple and stupid that I'm missing.
>
>> On May 23, 2014, at 12:19 AM, Alexander Neilson <[email protected]> wrote:
>>
>> Ok. So it probably can't get back to you. Maybe need to source NAT your
>> packets.
>>
>> Regards
>>
>> Alexander
>>
>> Alexander Neilson
>> Neilson Productions Ltd
>> [email protected]
>> 021 329 681
>>
>>> On 23/05/2014, at 6:53 pm, Grand Avenue Broadband <[email protected]> wrote:
>>>
>>> The WiFi box is configured as an AP, not a router, so it doesn't have any
>>> routes.
>>> It's just a glorified unmanaged switch with a radio in it. Only
>>> the LAN ports are used.
>>>
>>>> On May 22, 2014, at 10:52 PM, Alexander Neilson <[email protected]> wrote:
>>>>
>>>> Does your wifi ap have a route through the gateway / default route?
>>>>
>>>> Also does your wifi ap allow management outside the local subnet?
>>>>
>>>> Unless it has a default gateway it won't know where to send the packets
>>>> back to in order to reach you.
>>>>
>>>> If it doesn't allow management from remote addresses you may need to allow
>>>> "remote management" and a remote range to allow to manage.
>>>>
>>>> In this case dst nat changes the packet destination as you saw but the
>>>> source is still your own IP address so it will be outside the subnet and
>>>> also "remote"
>>>>
>>>> Try check those too and if it's still not working let us know.
>>>>
>>>> Regards
>>>>
>>>> Alexander
>>>>
>>>> Alexander Neilson
>>>> Neilson Productions Ltd
>>>> [email protected]
>>>> 021 329 681
>>>>
>>>>> On 23/05/2014, at 4:26 pm, Grand Avenue Broadband <[email protected]> wrote:
>>>>>
>>>>> I'm buffaloed by port translation, which is supposedly very simple.
>>>>>
>>>>> I set all my subscribers up with a NATted LAN at 192.168.10.0/24, the
>>>>> router at .1, the DHCP range at .100-.115 or so, and if they have a WiFi
>>>>> router, I hardcode it to .2 and configure it as an access point, no NAT.
>>>>> The CPE (SXT or other) does all the NAT.
>>>>>
>>>>> I want to be able to access the setup screen on each household WiFi AP so
>>>>> I can handle additional classes of problems without driving out.
>>>>>
>>>>> I set up NAT as so (10.2.1.251 is the WAN of the CPE I am testing with):
>>>>>
>>>>> /ip firewall nat
>>>>> add action=dst-nat chain=dstnat dst-address=10.2.1.251 dst-port=8080 protocol=tcp to-addresses=192.168.10.2 to-ports=80
>>>>> add action=masquerade chain=srcnat out-interface=WLAN to-addresses=0.0.0.0
>>>>>
>>>>> When I browse to 10.2.1.251:8080 at the NOC, I see the packet come in the
>>>>> WAN, I see it get NATted to 192.168.10.2:80, I see a response come in the
>>>>> ether from the WiFi, and then... nothing. Connection stays at SYN, then
>>>>> dies.
>>>>>
>>>>> I know it's not a firewall issue, because I temporarily bypassed the
>>>>> firewall with unconditional ACCEPT statements for all chains at the top.
>>>>>
>>>>> I have no problems setting up a PPTP VPN on the CPE, logging into it,
>>>>> becoming a member of the LAN, and accessing the WiFi that way, but it
>>>>> burns me that I should be able to make it work the simpler way and I just
>>>>> can't do it.
>>>>>
>>>>> Any ideas? Thanks in advance.
>>>>> _______________________________________________
>>>>> Mikrotik mailing list
>>>>> [email protected]
>>>>> http://mail.butchevans.com/mailman/listinfo/mikrotik
>>>>>
>>>>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
>>>>> RouterOS
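Added example, not part of the thread and not any poster's configuration: the "source NAT your packets" suggestion from the reply above, written as RouterOS NAT rules next to the original port translation. `NOC-ADDRESS` is a placeholder for the management station's address and `ether1` is an assumed name for the CPE's LAN interface; neither appears in the thread.

```routeros
/ip firewall nat
# Port translation from the thread, with two additions (assumptions, not the
# poster's config): src-address limits who may reach the AP's setup page, and
# log=yes shows whether the rule is hit at all.
# NOC-ADDRESS is a placeholder: replace it with the management station's address.
add chain=dstnat action=dst-nat protocol=tcp src-address=NOC-ADDRESS \
    dst-address=10.2.1.251 dst-port=8080 \
    to-addresses=192.168.10.2 to-ports=80 log=yes log-prefix="ap-mgmt-in"

# Source NAT toward the AP: the translated connection leaves the LAN port with
# the CPE's own LAN address (192.168.10.1) as its source, so an AP with no
# default gateway can answer inside its own subnet.
# ether1 is an assumed name for the CPE's LAN interface.
add chain=srcnat action=masquerade protocol=tcp src-address=NOC-ADDRESS \
    dst-address=192.168.10.2 dst-port=80 out-interface=ether1 \
    log=yes log-prefix="ap-mgmt-snat"
```

With the second rule in place the AP sees the management session as coming from 192.168.10.1, which also fits a "local subnet only" management restriction of the kind raised in the replies.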

