Not a problem. Anytime. Always good to get a second set of eyes on a problem when it frustrates.

Regards
Alexander

Alexander Neilson
Neilson Productions Ltd
[email protected]
021 329 681

> On 24/05/2014, at 4:46 am, Grand Avenue Broadband <[email protected]> wrote:
>
> You're right, of course.
>
> When I switched the dst-nat to the address of a computer that had a web server available, it came up no hitch. I should have tried that much sooner.
>
> Turns out that the problem is not that the WiFi doesn't know how to route to the WAN, it's that it intentionally refuses to respond to an address outside the WAN. It has a remote administration feature you can turn on when it is a NAT router, but when it isn't, the option goes away and so does the permission.
>
> Thanks for your help.
>
>> On May 23, 2014, at 1:42 AM, Alexander Neilson <[email protected]> wrote:
>>
>> It's entirely possible. However, I wonder if you do a packet capture on the LAN interface of your Mikrotik and look inside the packets.
>>
>> Also, you should then see if any packets are generated in reply.
>>
>> In the case of exposing a web server, the web server has a default route and so it knows to send its replies to the default gateway.
>>
>> In the case of your wifi AP I still strongly believe that having no route would mean it couldn't generate the packets. Can you telnet into it on the inside of the network and see if you can try a ping / traceroute? Or even expose the route table.
>>
>> More often than that I usually find a limit on management outside the subnet on by default that you need to turn off or modify.
>>
>> If you are concerned, please feel free to share your config to see if more eyes find it.
>>
>> Regards
>>
>> Alexander
>>
>> Alexander Neilson
>> Neilson Productions Ltd
>> [email protected]
>> 021 329 681
>>
>>> On 23/05/2014, at 8:34 pm, Grand Avenue Broadband <[email protected]> wrote:
>>>
>>> I've tried, but the NAT rule never even logs a hit.
>>>
>>> What I'm attempting to do (with the added detail of port translation instead of port forwarding) is precisely equivalent to the wiki examples of exposing a LAN web server out to the WAN. According to all the examples, the one dst-nat rule is all that is needed. There's never any discussion of difficulty for the server on the LAN to "get back" to the WAN invoker.
>>>
>>> I'm wondering if some other part of my standard CPE configuration is sabotaging this mechanism. I know it's not the firewall, but I can't shake the feeling that there's something else simple and stupid that I'm missing.
>>>
>>>> On May 23, 2014, at 12:19 AM, Alexander Neilson <[email protected]> wrote:
>>>>
>>>> Ok. So it probably can't get back to you. Maybe need to source NAT your packets.
>>>>
>>>> Regards
>>>>
>>>> Alexander
>>>>
>>>> Alexander Neilson
>>>> Neilson Productions Ltd
>>>> [email protected]
>>>> 021 329 681
>>>>
>>>>> On 23/05/2014, at 6:53 pm, Grand Avenue Broadband <[email protected]> wrote:
>>>>>
>>>>> The WiFi box is configured as an AP, not a router, so it doesn't have any routes. It's just a glorified unmanaged switch with a radio in it. Only the LAN ports are used.
>>>>>
>>>>>> On May 22, 2014, at 10:52 PM, Alexander Neilson <[email protected]> wrote:
>>>>>>
>>>>>> Does your wifi AP have a route through the gateway / default route?
>>>>>>
>>>>>> Also, does your wifi AP allow management outside the local subnet?
>>>>>>
>>>>>> Unless it has a default gateway it won't know where to send the packets back to in order to reach you.
>>>>>>
>>>>>> If it doesn't allow management from remote addresses you may need to allow "remote management" and a remote range to allow to manage.
>>>>>>
>>>>>> In this case dst-nat changes the packet destination, as you saw, but the source is still your own IP address, so it will be outside the subnet and also "remote".
>>>>>>
>>>>>> Try checking those too, and if it's still not working let us know.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Alexander
>>>>>>
>>>>>> Alexander Neilson
>>>>>> Neilson Productions Ltd
>>>>>> [email protected]
>>>>>> 021 329 681
>>>>>>
>>>>>>> On 23/05/2014, at 4:26 pm, Grand Avenue Broadband <[email protected]> wrote:
>>>>>>>
>>>>>>> I'm buffaloed by port translation, which is supposedly very simple.
>>>>>>>
>>>>>>> I set all my subscribers up with a NATted LAN at 192.168.10.0/24, the router at .1, the DHCP range at .100-.115 or so, and if they have a WiFi router, I hardcode it to .2 and configure it as an access point, no NAT. The CPE (SXT or other) does all the NAT.
>>>>>>>
>>>>>>> I want to be able to access the setup screen on each household WiFi AP so I can handle additional classes of problems without driving out.
>>>>>>>
>>>>>>> I set up NAT as so (10.2.1.251 is the WAN of the CPE I am testing with):
>>>>>>>
>>>>>>> /ip firewall nat
>>>>>>> add action=dst-nat chain=dstnat dst-address=10.2.1.251 dst-port=8080 protocol=tcp to-addresses=192.168.10.2 to-ports=80
>>>>>>> add action=masquerade chain=srcnat out-interface=WLAN to-addresses=0.0.0.0
>>>>>>>
>>>>>>> When I browse to 10.2.1.251:8080 at the NOC, I see the packet come in the WAN, I see it get NATted to 192.168.10.2:80, I see a response come in the ether from the WiFi, and then... nothing. Connection stays at SYN, then dies.
>>>>>>>
>>>>>>> I know it's not a firewall issue, because I temporarily bypassed the firewall with unconditional ACCEPT statements for all chains at the top.
>>>>>>>
>>>>>>> I have no problems setting up a PPTP VPN on the CPE, logging into it, becoming a member of the LAN, and accessing the WiFi that way, but it burns me that I should be able to make it work the simpler way and I just can't do it.
>>>>>>>
>>>>>>> Any ideas? Thanks in advance.

_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
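The thread ends with the diagnosis (the AP drops replies to a non-local source) and Alexander's earlier hint to source NAT the management packets, but nobody posts the resulting rules. Below is an added RouterOS example, not from the thread, that puts the two together on the CPE: the poster's dst-nat port translation, plus a src-nat rule so the AP sees the CPE's own LAN address as the peer. It reuses the thread's addressing (CPE WAN 10.2.1.251, LAN 192.168.10.0/24, router .1, AP .2) and assumes a single NOC management host at 10.2.1.10, a placeholder; the `src-address` match is the important hardening, since without it the AP's admin page is reachable from anything that can reach the CPE's WAN port 8080.

```routeros
# Added example (not from the mailing-list thread). Assumed addressing:
#   CPE WAN   10.2.1.251       NOC management host  10.2.1.10  (placeholder)
#   CPE LAN   192.168.10.1     household WiFi AP    192.168.10.2, web UI on tcp/80
/ip firewall nat

# 1. Port translation on the WAN side: 10.2.1.251:8080 -> 192.168.10.2:80.
#    src-address limits who can reach the AP's admin UI; log=yes answers
#    "the NAT rule never even logs a hit" without bypassing the filter chains.
add chain=dstnat action=dst-nat protocol=tcp \
    src-address=10.2.1.10 dst-address=10.2.1.251 dst-port=8080 \
    to-addresses=192.168.10.2 to-ports=80 \
    log=yes log-prefix="ap-mgmt" comment="NOC -> household AP web UI"

# 2. Source NAT the same flow to the CPE's LAN address. The AP now answers a
#    peer on its own subnet, so neither its missing default route nor its
#    "no management from outside the subnet" rule stops the reply; the CPE
#    un-NATs both translations from its connection-tracking entry.
#    This must sit above the general masquerade rule in the srcnat chain.
add chain=srcnat action=src-nat protocol=tcp \
    src-address=10.2.1.10 dst-address=192.168.10.2 dst-port=80 \
    to-addresses=192.168.10.1 comment="make NOC management look local to the AP"

# 3. The subscriber masquerade exactly as posted in the thread (unchanged).
add chain=srcnat action=masquerade out-interface=WLAN to-addresses=0.0.0.0

# Checks after browsing to http://10.2.1.251:8080 from the NOC host:
#   /ip firewall nat print stats            (packet counters on rules 1 and 2 rise)
#   /ip firewall connection print where dst-address~"192.168.10.2:80"
#   /log print where message~"ap-mgmt"     (one line per new connection)
```

Because the AP then sees every session as coming from 192.168.10.1, its own logs no longer show which remote host managed it; the `ap-mgmt` log lines on the CPE are the audit trail for that.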

