
The Mikrotik RouterOS config, tips and tricks thread


Comments

  • Closed Accounts Posts: 552 ✭✭✭smee again


    1. Try editing your 2nd NAT rule so it does not include a to address
    /ip firewall nat
    add action=masquerade chain=srcnat comment=masquerade out-interface=ether1-gateway

    2. Are you sure it's listening on 8080? Can you get to it from the LAN on port 8080? Check in /ip services that the router's web login isn't listening on port 8080.


  • Registered Users Posts: 6 Mattie112


    Hi,

    Thanks for your reply. I totally forgot I changed the web interface of the router to 8080; this works now! However, the hairpin NAT still doesn't work. Do I need to add some firewall rules for it to work?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Mattie112 wrote: »
    Hi,

    Thanks for your reply. I totally forgot I changed the web interface of the router to 8080; this works now! However, the hairpin NAT still doesn't work. Do I need to add some firewall rules for it to work?

    No, it should just work as long as you have the destination nat portforward rules pointing to the same private IP. Try momentarily disabling the first nat rule sfp1-gateway, perhaps you could better explain what this is and why you are natting to it.

    Also, a neat trick with these is to copy the hairpin NAT rule, change the action to log on this copied rule and place it just before the hairpin NAT rule. You will then get detailed logs as it happens, which may provide the info you need to fix it.


  • Registered Users Posts: 6 Mattie112


    The SFP is from the SFP interface (not used), the rule is already disabled (marked by an X). Thanks for the tip about logging, I will try to get some useful information!


  • Registered Users Posts: 6 Mattie112


    Unfortunately I don't get any information in the log. In my previous (consumer model) router I didn't need to do anything to have my external IP work from the inside. Do you have another tip? I now have #1 -> masquerade ether1-gateway, #2 -> hairpin log, #3 -> hairpin masquerade


  • Registered Users Posts: 2,928 ✭✭✭VenomIreland


    Have my router running roughly a week now, added some basic firewall rules (to stop bots trying to use SSH) and some port forwarding rules, I'm wondering now are there any handy things I should do or any quality of life improvements? I was thinking of setting up a RasPi as a syslog server also, as I noticed the built in logs don't go back very far.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    VenomIreland wrote: »
    Have my router running roughly a week now, added some basic firewall rules (to stop bots trying to use SSH) and some port forwarding rules, I'm wondering now are there any handy things I should do or any quality of life improvements? I was thinking of setting up a RasPi as a syslog server also, as I noticed the built in logs don't go back very far.

    Pointless really, it would just fill up with DHCP requests, wireless association and disconnection and other useless info.

    You would be better off putting your time into figuring out bandwidth allocation and queues. You could give all your individual devices priorities and allocate a minimum target bandwidth and max bandwidth attained by each device (bandwidth shaping). You can also use /ip firewall mangle to add connection and packet marks, add these marked packets to certain queues and give these queues priorities higher (or lower) than everything else (QoS).


  • Registered Users Posts: 6 Mattie112


    Anybody any more ideas about my hairpin NAT problem?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Mattie112 wrote: »
    Anybody any more ideas about my hairpin NAT problem?

    This is puzzling, here's a few suggestions

    I have an accept lan filter rule
    /ip firewall filter
    add chain=input comment="acccept lan" in-interface=!ether1-gateway src-address=192.168.80.0/24

    Other than that, try disabling filter rule 5 and removing the to-addresses=0.0.0.0 from your main masq NAT rule.


  • Registered Users Posts: 6 Mattie112


    No, still no luck :(

    However, I CAN ping my own address (don't know if that didn't work before)


  • Registered Users Posts: 500 ✭✭✭jdee99


    Hi folks, just bought a 9516 and am trying to connect it to the UTVinternet broadband service. I can connect to the router wirelessly and wired with no problems; what I can't seem to do is connect via PPPoE to UTV's servers. Can someone cast their eye over the export file and see if there is anything that I am doing wrong? Heck of a steep learning curve, but if I can get it working it will hopefully sort out some of the access problems I have been having.

    MikroTik RouterOS 6.6 (c) 1999-2013 http://www.mikrotik.com/

    [?] Gives the list of available commands
    command [?] Gives help on the command and list of arguments

    [Tab] Completes the command/word. If the input is ambigous,
    a second [Tab] gives possible options

    / Move up to base level
    .. Move up one level
    /command Use command at the base level
    [admin@MikroTik] > export compact
    # jan/02/1970 00:42:42 by RouterOS 6.6
    # software id = XZQD-NEE5
    #
    /interface bridge
    add admin-mac=D4:CA:6D:BB:62:BB auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-gateway
    set [ find default-name=ether2 ] name=ether2-master-local
    set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
    set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
    set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
    /interface pppoe-client
    add add-default-route=yes disabled=no interface=ether1-gateway name=pppoe-out1 password=xxxxxxxxxx use-peer-dns=yes user=cxxxxxxx@adsl.utvinternet.ie
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=XXXXXXXX wpa2-pre-shared-key=XXXXXXX
    add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=ipad supplicant-identity="" unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=XXXXXXXX wpa2-pre-shared-key=XXXXXXX
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=ireland disabled=no distance=indoors frequency=2427 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge \
    security-profile=ipad ssid=Mirotik wireless-protocol=802.11
    /ip neighbor discovery
    set wlan1 discover=no
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
    /ip pool
    add name=dhcp ranges=192.168.2.2-192.168.2.254
    /ip dhcp-server
    add address-pool=dhcp disabled=no interface=bridge-local name=default
    /system logging action
    set 0 memory-lines=100
    set 1 disk-lines-per-file=100
    /interface bridge port
    add bridge=bridge-local interface=ether2-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.2.1/24 comment="default configuration" interface=bridge-local network=192.168.2.0
    /ip dhcp-client
    add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
    /ip dhcp-server network
    add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
    /ip dns
    set allow-remote-requests=yes servers=194.46.192.136,194.46.192.137
    /ip dns static
    add address=192.168.2.1 name=router
    /ip firewall filter
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
    add chain=forward comment="default configuration" connection-state=established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1 to-addresses=0.0.0.0
    add action=dst-nat chain=dstnat comment="For Fixed Camera" dst-port=5300 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.23 to-ports=5300
    add action=dst-nat chain=dstnat comment="For WebServer" dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.20 to-ports=80
    add action=dst-nat chain=dstnat comment="For PlanePlotter" dst-port=9742 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.25 to-ports=9742
    add action=dst-nat chain=dstnat comment="For Calibre" dst-port=8081 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.2 to-ports=8081
    add action=dst-nat chain=dstnat comment="For Flight Radar" dst-port=30003 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.25 to-ports=30003
    add action=dst-nat chain=dstnat comment="For basestation" dst-port=10001 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.17 to-ports=10001
    add action=dst-nat chain=dstnat comment="For Blitzortung Red" dst-port=8880 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.10 to-ports=8880
    /ip route
    add comment="Default route" distance=1 gateway=194.46.193.69
    /ip service
    set api disabled=yes
    /ip upnp
    set allow-disable-external-interface=no enabled=yes
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=pppoe-out1 type=external
    /system clock
    set time-zone-name=Europe/Dublin
    /system leds
    set 0 interface=wlan1
    /system ntp client
    set enabled=yes mode=unicast primary-ntp=194.164.127.6 secondary-ntp=130.88.203.12
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    [admin@MikroTik] >

    The IP firewall NAT rules are for stuff I run for my website.

    Many thanks

    JD


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Is it attempting to dial pppoe in the logs?


  • Registered Users Posts: 500 ✭✭✭jdee99


    Hi - yes, it is initialising, dialling and then terminating - disconnected. The username and password that I have came from UTV.


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    Hi,

    Have been configuring my routerOS on and off over the last week or so. Have come across a LAN issue which seems to be router related.

    If I reset the router back to the default setting is it secure enough while I leave it like that and see if my LAN issue remains?

    Thanks

    W.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    whowantstwoknow wrote: »
    Hi,

    Have been configuring my routerOS on and off over the last week or so. Have come across a LAN issue which seems to be router related.

    If I reset the router back to the default setting is it secure enough while I leave it like that and see if my LAN issue remains?

    Thanks

    W.

    Yes, if you accept the default script, the masquerade NAT rule will protect your LAN, i.e. drop packets from the internet it does not know about.


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    Right,

    After much playing around with RouterOS, went back to my old router setup to check. My problem is around the use of WHS and its clients. In this old setup I changed the WHS IP address to see if that was the cause (as that's the main difference to RouterOS, as its default setup uses a different set of addresses). Turns out this change also had the same behaviour. I can't be bothered (WHS can be high maintenance sometimes) getting to the bottom of it.

    Therefore I will change RouterOS to mimic my old LAN IP setup. So is it just the gateway address and the DHCP Server IP range that need changing? I need to change from 192.168.88.x to 192.168.61.x

    Thanks
    W.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    whowantstwoknow wrote: »
    Right,

    After much playing around with RouterOS, went back to my old router setup to check. My problem is around the use of WHS and its clients. In this old setup I changed the WHS IP address to see if that was the cause (as that's the main difference to RouterOS, as its default setup uses a different set of addresses). Turns out this change also had the same behaviour. I can't be bothered (WHS can be high maintenance sometimes) getting to the bottom of it.

    Therefore I will change RouterOS to mimic my old LAN IP setup. So is it just the gateway address and the DHCP Server IP range that need changing? I need to change from 192.168.88.x to 192.168.61.x

    Thanks
    W.

    Simple, export the config with the export compact command, copy it into notepad++ and do ctrl + f search for 192.168.88. and replace all with 192.168.61. and paste that back into the router and reboot.

    http://notepad-plus-plus.org/


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    Thanks,

    I did it the hard way and spent a good while not knowing why my VOIP wasn't working, eventually found the hidden old reference in ip DNS static!!! I'll be using the above in future.

    I've read this thread and probably put stuff in that is either:

    1) not working
    2) not necessary.

    So will probably post some of the export compact command output for people to review, if they don't mind!!!

    Now I'm at the point of why I'm switching my router to Mikrotik: I need to be able to wake up my WHS server from the WAN. I spent all night trying to configure the ip filter nat rule to allow the likes of http://www.remotewakeup.com/en/ to wake up my WHS. Just couldn't get it to work. The router was able to wake it using the wol tool once I specified the bridge-local interface. Read various threads etc. but whatever way the filter nat rule was configured it never registered any packets.

    Any pointers/ideas?

    Thanks again
    W

    PS: in the ip address section the LAN address reference 192.168.61.x is on the wlan1 interface, is that right?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    whowantstwoknow wrote: »
    Thanks,

    I did it the hard way and spent a good while not knowing why my VOIP wasn't working, eventually found the hidden old reference in ip DNS static!!! I'll be using the above in future.

    I've read this thread and probably put stuff in that is either:

    1) not working
    2) not necessary.

    So will probably post some of the export compact command output for people to review, if they don't mind!!!

    Now I'm at the point of why I'm switching my router to Mikrotik: I need to be able to wake up my WHS server from the WAN. I spent all night trying to configure the ip filter nat rule to allow the likes of http://www.remotewakeup.com/en/ to wake up my WHS. Just couldn't get it to work. The router was able to wake it using the wol tool once I specified the bridge-local interface. Read various threads etc. but whatever way the filter nat rule was configured it never registered any packets.

    Any pointers/ideas?

    Thanks again
    W

    PS: in the ip address section the LAN address reference 192.168.61.x is on the wlan1 interface, is that right?

    The ip address and dhcp server should be on the bridge. Your wireless and your master ethernet interface should be ports in this bridge


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    Thanks for that, have made those necessary changes. Below is my export compact output. Went a bit mad on the firewall filters!!!

    Still no luck with the WOL over the internet. Think I'm using the tool sniffer correctly, but see nothing coming in for udp port 9? I'm sure I've something wrong.

    Also had to disable the hairpin rule, should that be expected?

    Forgive all the queries, but is a bit of a learning curve :o
    # nov/27/2013 00:13:47 by RouterOS 6.6
    # software id = 4X3Q-QATT
    #
    /interface bridge
    add admin-mac=00:0C:42:B7:XX:XX auto-mac=no l2mtu=1598 name=bridge-local \
        protocol-mode=rstp
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
        20/40mhz-ht-above disabled=no distance=indoors frequency=2437 \
        ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=\
        SSID wireless-protocol=802.11
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-gateway
    set [ find default-name=ether2 ] name=ether2-master-local
    set [ find default-name=ether3 ] master-port=ether2-master-local name=\
        ether3-slave-local
    set [ find default-name=ether4 ] master-port=ether2-master-local name=\
        ether4-slave-local
    set [ find default-name=ether5 ] master-port=ether2-master-local name=\
        ether5-slave-local
    /ip neighbor discovery
    set wlan1 discover=no
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
        dynamic-keys wpa-pre-shared-key=XXX wpa2-pre-shared-key=\
        XXX
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
        mac-cookie-timeout=3d
    /ip pool
    add name=dhcp ranges=192.168.61.9-192.168.61.254
    /ip dhcp-server
    add address-pool=dhcp disabled=no interface=bridge-local name=default
    /system logging action
    set 0 memory-lines=100
    set 1 disk-lines-per-file=100
    /interface bridge port
    add bridge=bridge-local interface=ether2-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.61.1/24 comment="default configuration" interface=\
        bridge-local network=192.168.61.0
    /ip dhcp-client
    add comment="default configuration" dhcp-options=hostname,clientid disabled=\
        no interface=ether1-gateway
    /ip dhcp-server lease
    add address=192.168.61.9 client-id=1:0:25:90:c:53:1c mac-address=\
        00:25:90:0C:XX:XX server=default
    add address=192.168.61.10 client-id=1:0:f:b5:db:84:17 mac-address=\
        00:0F:B5:DB:XX:XX server=default
    /ip dhcp-server network
    add address=192.168.61.0/24 comment="default configuration" dns-server=\
        192.168.61.1 gateway=192.168.61.1 netmask=24
    /ip dns
    set allow-remote-requests=yes cache-size=4096KiB max-udp-packet-size=512 \
        servers=89.101.160.5,89.101.160.4
    /ip dns static
    add address=192.168.61.1 name=router
    /ip firewall filter
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" disabled=yes \
        in-interface=ether1-gateway
    add chain=forward comment="default configuration" connection-state=\
        established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" \
        connection-state=invalid
    add chain=input comment="allow ICMP" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add chain=input comment="allow api" dst-port=8728 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login \
        address-list-timeout=1d chain=input comment=\
        "list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
        protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
        address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add chain=input comment="accept vpn" dst-port=1723 in-interface=\
        ether1-gateway protocol=tcp
    add chain=input comment="accept vpn gre" in-interface=ether1-gateway \
        protocol=gre
    add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
    add action=drop chain=forward comment="drop invalid connections" \
        connection-state=invalid
    add chain=forward comment="allow already established connections" \
        connection-state=established
    add chain=forward comment="allow related connections" connection-state=\
        related
    add action=drop chain=input comment="drop Invalid connections" \
        connection-state=invalid
    add chain=input comment="allow established connections" connection-state=\
        established
    add chain=input comment="acccept lan" in-interface=!ether1-gateway \
        src-address=192.168.61.0/24
    add action=drop chain=input comment="drop everything else"
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=ether1-gateway
    add action=dst-nat chain=dstnat comment=\
        "tcp from port 443 to 443 (lan ip 192.168.61.9)" dst-port=443 \
        in-interface=ether1-gateway protocol=tcp to-addresses=192.168.61.9 \
        to-ports=443
    add action=dst-nat chain=dstnat comment="WOL WHS" \
        dst-port=9 port="" protocol=udp to-addresses=\
        192.168.61.255 to-ports=9
    add action=masquerade chain=srcnat comment="hairpin nat rule" disabled=yes \
        dst-address=192.168.61.9 src-address=192.168.61.0/24 to-addresses=0.0.0.0
    /ip service
    set www disabled=yes
    set api disabled=yes
    /ip upnp
    set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=ether1-gateway type=external
    /system leds
    set 0 interface=wlan1
    /system ntp client
    set enabled=yes mode=unicast primary-ntp=140.203.204.77
    /system scheduler
    add interval=4w2d name="backup config" on-event=\
        "/system script run backup\r\
        \n" policy=\
        ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
        start-time=startup
    /system script
    add name=backup policy=\
        ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
        source="/export file=([/system identity get name] . \"-\" . \\\
        \n[:pick [/system clock get date] 7 11] . [:pick [/system clock get date] \
        0 3] . [:pick [/system clock get date] 4 6]); \\\
        \n/tool e-mail send to=\"address@email.com\" subject=([/system identity g\
        et name] . \" Backup \" . \\\
        \n[/system clock get date]) file=([/system identity get name] . \"-\" . [:\
        pick [/system clock get date] 7 11] . \\\
        \n[:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4\
        \_6] . \".rsc\"); :delay 10; \\\
        \n/file rem [/file find name=([/system identity get name] . \"-\" . [:pick\
        \_[/system clock get date] 7 11] . \\\
        \n[:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4\
        \_6] . \".rsc\")]; \\\
        \n:log info (\"System Backup emailed at \" . [/sys cl get time] . \" \" . \
        [/sys cl get date])"
    /tool e-mail
    set address=173.194.66.108 from=<>MikroTik@gmail.com.com password=\
        pwd port=465 start-tls=yes user=address@email.com
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
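
An added example, not part of any post in this thread and not MikroTik tooling: a small Python audit for `/export compact` output that flags four patterns visible in the two exports above (jdee99's PPPoE setup and whowantstwoknow's filter and NAT rules). The sample export is constructed from lines modelled on those posts, and the check names (`wan-mismatch`, `open-mgmt`, `disabled-drop`, `hairpin-unreachable`) are hypothetical labels.

```python
import re
import shlex

MGMT_PORTS = {"22": "ssh", "23": "telnet", "8291": "winbox", "8728": "api"}
SRC_LIMITS = {"src-address", "src-address-list", "in-interface"}
BROAD_OK = {"action", "chain", "comment", "disabled", "in-interface"}

# Constructed sample, modelled on lines from the two exports in this thread.
SAMPLE = r"""
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway name=pppoe-out1
/ip firewall filter
add chain=input comment="default configuration" connection-state=established
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1-gateway
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="accept lan" in-interface=!ether1-gateway \
    src-address=192.168.61.0/24
add action=drop chain=input comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.61.9 to-ports=443
add action=masquerade chain=srcnat comment="hairpin nat rule" \
    dst-address=192.168.61.9 src-address=192.168.61.0/24
"""


def parse_export(text):
    """Parse export text into (section, verb, params) tuples, in file order."""
    text = re.sub(r"\\\n[ \t]*", "", text)  # join backslash-continued lines
    section, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to a plain split
            tokens = line.split()
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        items.append((section, tokens[0], params))
    return items


def enabled(rule):
    return rule.get("disabled") != "yes"


def audit(text):
    """Return a list of (check, detail) findings for one export."""
    items = parse_export(text)
    findings = []
    # Physical port -> name of the PPPoE client that dials over it.
    pppoe = {p["interface"]: p["name"] for s, v, p in items
             if s == "/interface pppoe-client" and "interface" in p and "name" in p}
    filt = [p for s, v, p in items if s == "/ip firewall filter" and v == "add"]
    nat = [p for s, v, p in items if s == "/ip firewall nat" and v == "add"]

    # 1. Routed traffic enters and leaves on the PPPoE interface, so rules
    #    bound to the physical port underneath it do not match WAN traffic.
    for rule in filt + nat:
        for key in ("in-interface", "out-interface"):
            iface = rule.get(key, "").lstrip("!")
            if enabled(rule) and iface in pppoe:
                findings.append(("wan-mismatch",
                                 f"{rule.get('chain')} {key}={rule[key]}, WAN is {pppoe[iface]}"))

    # 2. Management ports accepted on input with no source restriction,
    #    evaluated in rule order until the first broad drop. Exact ports only.
    for rule in filt:
        if rule.get("chain") != "input" or not enabled(rule):
            continue
        action = rule.get("action", "accept")  # accept is the default action
        if action == "drop" and not set(rule) - BROAD_OK:
            break
        if (action == "accept" and rule.get("protocol") == "tcp"
                and rule.get("dst-port") in MGMT_PORTS and not SRC_LIMITS & set(rule)):
            findings.append(("open-mgmt",
                             f"{MGMT_PORTS[rule['dst-port']]} tcp/{rule['dst-port']} accepted from any source"))

    # 3. Drop rules that are present but switched off.
    for rule in filt:
        if rule.get("action") == "drop" and not enabled(rule):
            findings.append(("disabled-drop", f"{rule.get('chain')}: {rule.get('comment', '')}"))

    # 4. Hairpin masquerade whose port forwards only match a fixed in-interface:
    #    LAN clients arrive on another interface, so the dst-nat never fires.
    for hp in nat:
        if enabled(hp) and hp.get("chain") == "srcnat" and "src-address" in hp and "dst-address" in hp:
            fwd = [d for d in nat if enabled(d) and d.get("chain") == "dstnat"
                   and d.get("to-addresses") == hp["dst-address"]]
            bound = [d for d in fwd if d.get("in-interface", "!").startswith("!") is False]
            if fwd and len(bound) == len(fwd):
                findings.append(("hairpin-unreachable",
                                 f"dst-nat to {hp['dst-address']} only matches in-interface={bound[0]['in-interface']}"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check:20} {detail}")
```

Paste a real export into a file and pass its contents to `audit()`; an empty list means none of these four patterns was found, not that the configuration is otherwise sound.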
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    WOL will not just work from the internet this way, it uses raw socket, see this thread. You need some device on your lan or router to send this special packet. It's a feature available in RouterOS http://wiki.mikrotik.com/wiki/Manual:Tools/Wake_on_lan


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    Hi Smee,

    Thanks for that, I'll have a read and digest. I have the VOIP/ATA working behind the Mikrotik, using the SIP service, but can't seem to get the HTTP admin access working. The ATA is connected to the LAN where the UPC modem used to be connected. I've enabled remote management specifying the IP address range of the LAN (i.e. 192.168.61.1->192.168.61.254) so that it can be controlled from any machine, but when I specify the ATA IP 192.168.61.x:38080, the browser doesn't reach the unit, just times out.

    Any idea what I'm doing wrong?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    whowantstwoknow wrote: »
    Hi Smee,

    Thanks for that, I'll have a read and digest. I have the VOIP/ATA working behind the Mikrotik, using the SIP service, but can't seem to get the HTTP admin access working. The ATA is connected to the LAN where the UPC modem used to be connected. I've enabled remote management specifying the IP address range of the LAN (i.e. 192.168.61.1->192.168.61.254) so that it can be controlled from any machine, but when I specify the ATA IP 192.168.61.x:38080, the browser doesn't reach the unit, just times out.

    Any idea what I'm doing wrong?

    You sure it's not port 8080?


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    smee again wrote: »
    You sure it's not port 8080?

    Well as per the image/link, it can be set to any value, the default is 8080, and I've tried that too.

    My logic is the ATA is connected to the LAN ONLY on its WAN port (as the ATA is acting as a client to the routerOS DHCP server). In the ATA remote setup, one has to specify the connecting IP address(es). So I have given the LAN IP range.

    But using the static IP address given to the ATA by the RouterOS DHCP server, I can't ping the unit (must double check but pretty sure I've this enabled on the ATA). I think that's the root of my problem. When the ATA is acting as the router, I have access to the admin screen via the LAN port...

    Thanks for your patience!!

    W.


  • Registered Users Posts: 2,928 ✭✭✭VenomIreland


    Hey lads, my RB951G has been running fine the past while, only recently the port forwarding seems to have stopped working and I cannot access some servers I have running, any idea what's going on?
    [xxxx@yyyy] /ip firewall nat> print
    Flags: X - disabled, I - invalid, D - dynamic 
     0   chain=srcnat action=masquerade out-interface=pppoe-out1 
    
     1   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=9987 protocol=udp
         in-interface=pppoe-out1 dst-port=9987 
    
     2   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=30033 protocol=tc
         in-interface=pppoe-out1 dst-port=30033 
    
     3   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=8080 protocol=tcp
         in-interface=pppoe-out1 dst-port=8080 
    
     4   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=5050 protocol=tcp
         in-interface=pppoe-out1 dst-port=5050 
    
     5   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=8081 protocol=tcp
         in-interface=pppoe-out1 dst-port=8081 
    
     6   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=32400 protocol=tc
         in-interface=pppoe-out1 dst-port=32400 
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    VenomIreland wrote: »
    Hey lads, my RB951G has been running fine the past while, only recently the port forwarding seems to have stopped working and I cannot access some servers I have running, any idea what's going on?

    Which ones? Can you access them locally?


  • Registered Users Posts: 2,928 ✭✭✭VenomIreland


    smee again wrote: »
    Which ones? Can you access them locally?

    Everything but the first two entries couldn't be accessed outside my LAN. Tried this morning though (using my phone's 3G again) and it worked! No idea what was going on.


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    whowantstwoknow wrote: »
    Well as per the image/link, it can be set to any value, the default is 8080, and I've tried that too.

    My logic is the ATA is connected to the LAN ONLY on its WAN port (as the ATA is acting as a client to the routerOS DHCP server). In the ATA remote setup, one has to specify the connecting IP address(es). So I have given the LAN IP range.

    But using the static IP address given to the ATA by the RouterOS DHCP server, I can't ping the unit (must double check but pretty sure I've this enabled on the ATA). I think that's the root of my problem. When the ATA is acting as the router, I have access to the admin screen via the LAN port...

    Thanks for your patience!!

    W.

    Well I've done some more testing, but still stuck...

    1) ATA as Router; Put this back in and configured it for remote management using port 8080. From outside my home I can access the admin screens etc... On the WAN setup I've enabled the respond to Pings...(and this worked from the outside test)

    2) So put the ATA back behind the RouterOS, it's acting as a DHCP client of the RouterOS on its WAN port (nothing connected to its LAN port). I can't ping the dedicated static IP address from anywhere on the LAN, even in the winbox. This is my problem. As I have the RouterOS & ATA to function as a DHCP server using the same address range, switched the ATA as being the router connecting its LAN port and from a desktop did an ipconfig/renew. From here I could access the admin screen and see in the WAN setup that it had recorded the RouterOS's static IP address.

    So basically any idea why the device can't be pinged from the LAN? If I can solve this, I'm sure I'll be able to access the ATA admin screens....

    Thanks

    W.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    whowantstwoknow wrote: »
    Well I've done some more testing, but still stuck...

    1) ATA as Router; Put this back in and configured it for remote management using port 8080. From outside my home I can access the admin screens etc... On the WAN setup I've enabled the respond to Pings...(and this worked from the outside test)

    2) So put the ATA back behind the RouterOS, it's acting as a DHCP client of the RouterOS on its WAN port (nothing connected to its LAN port). I can't ping the dedicated static IP address from anywhere on the LAN, even in the winbox. This is my problem. As I have the RouterOS & ATA to function as a DHCP server using the same address range, switched the ATA as being the router connecting its LAN port and from a desktop did an ipconfig/renew. From here I could access the admin screen and see in the WAN setup that it had recorded the RouterOS's static IP address.

    So basically any idea why the device can't be pinged from the LAN? If I can solve this, I'm sure I'll be able to access the ATA admin screens....

    Thanks

    W.

    Set the WAN port of the ATA to receive its IP through DHCP, then make that IP it gets static in the Mikrotik DHCP server and forward the management port to that IP (or enable UPnP if the ATA supports it)


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    Actually, from all this testing/switching, my ATA would only work intermittently. Could never understand why but now have an explanation (though it's not ideal).

    For me to have a working ATA behind the RouterOS, I must first connect the ATA to the cable modem and have it do its stuff/register etc...

    Then move it behind the RouterOS, only connected via the WAN port, noting that it doesn't reboot. In this setup, the WAN doesn't have a LAN IP address, but I can still make calls. So in this setup if the power goes or I reboot the ATA, the WAN gets the RouterOS IP address, and the ATA/VOIP now doesn't work!!

    Is this expected behaviour for such a setup? As I said I can live with it but if the power ever goes and I'm not around, the other half won't have a phone line!!! :eek:

    I wonder if I should change the ATA DHCP LAN address range and connect the LAN port in the hope to see the ATA admin screens while the RouterOS is the LAN router. Is this possible?

    Thanks
    W.

