livewireless (join: 2006-11-03, La Jolla, CA) | 4 edits | Remote access
Attached images: Addresses | Firewall | Interfaces | Route list
I can't get Mikrotik support to give me an answer to my problem. I just purchased a license and supposedly get 30 days of support. Can anyone suggest a solution? I'm simply trying to remotely access an AP (Bullet M2HP) behind the hotspot setup on RouterOS 4.2. The AP has a static IP and is bound to the hotspot server with a "bypass" rule. I've done a "nat-dst" rule and a "port forward". I just cannot get it right, seemingly. The only thing I see different from the standard hotspot setup is my PPPoE client. I'm wondering if the hotspot needs to be made aware of this to get packets out correctly?
Internet ------> DSL PPPoE modem ------> RouterOS 4.2 ------> PPPoE client ------> public interface (192.168.1.5) ------> Hotspot server local interface (10.10.0.1) ---ethernet---> Bullet M2HP wireless AP (10.10.0.99) ------> wireless clients

Here are the firewall/NAT rules:
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough
 1   ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=10.10.0.0/24
 2   chain=.... action=accept
 3   chain=dstnat action=dst-nat to-addresses=10.10.0.99 to-ports=80 protocol=tcp dst-address=192.168.1.5 dst-port=8081

Route:

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS         PREF-SRC         GATEWAY           DISTANCE
 0 ADS  0.0.0.0/0                            151.164.184.154   1
 1 ADC  10.10.0.0/24        10.10.0.1        ether2            0
 2 ADC  151.164.184.154/32  76.244.162.133   pppoe-out1        0
 3 ADC  192.168.1.0/24      192.168.1.5      ether1            0

Help please, anyone. Thanks
Rhaas (Premium, join: 2005-12-19, Bernie, MO) | 1 edit | reply to livewireless | Re: Remote access
I *think* you have this backwards: the to-address should be 192.168.1.5 (address of the hotspot) and the dst-address should be 10.10.0.99 (address of the M2).
viperm, Carpe Diem (Premium, join: 2002-07-09, Winchester, CA) | reply to livewireless
Try using the MAC address instead of the IP address in the hotspot bypass rules. I have had that issue before using the IP, not sure why.
Also, to make sure your firewall rules work, shut off the hotspot for a few minutes and try; if it still does not work you need to work on your firewall rules, then enable the hotspot again after you get it working.
I think his rules are correct; we just go public to private and this is how we have ours. We just leave this server wide open heheheh

 5   ;;; XYZ server
     chain=dstnat action=dst-nat to-addresses=10.10.10.2 protocol=tcp dst-address=208.xxx.xxx.xxx dst-port=0-65535

-- ComTrain Certified Tower Climber. American Tower Certified approved contractor. Wireless consultants.
surfergeek (join: 2004-02-28, La Jolla, CA) | 2 edits
Thanks,
But the hotspot IP is: 10.10.0.1
The WAN IP is: 192.168.1.5
The access point IP behind the hotspot is: 10.10.0.99, and it is "bound" and bypassing authorization.
So, trying to get that to work... hmmm
OKeee, I'll try just the MAC address...
livewireless (join: 2006-11-03, La Jolla, CA)
No luck with just MAC.
Airnode (join: 2006-09-01, Germany)
Your public or WAN iface is ether1, right? And it's configured as a PPPoE client?
But you still gave ether1 a private address, so something about that is confusing me. Not that you can't do that, but then the rule will never work, since the ether address 192.168.1.5 is not your really reachable address from outside.
livewireless (join: 2006-11-03, La Jolla, CA) | 1 edit
I think I understand what you're saying. But this is the standard setup with Mikrotik. To allow remote access a dst-nat rule is applied as shown. The hotspot has an "IP binding" which allows the IP behind the hotspot to get out without authorizing. I've done that and added the rule below to get to the proper port:

chain=dstnat action=dst-nat to-addresses=10.10.0.99 to-ports=80 protocol=tcp dst-address=192.168.1.5 dst-port=8081

And I still can't access the AP remotely...
Airnode (join: 2006-09-01, Germany)

chain=dstnat action=dst-nat to-addresses=10.10.0.99 to-ports=0-65535 protocol=tcp dst-address=192.168.1.5 dst-port=8081

Try this one... should work as long as your hotspot binding is right and you're trying to reach the device from the 192.168.1.0 network. Once again, if you're trying to reach it via the WAN you have to use your real WAN address as dst-address.
livewireless (join: 2006-11-03, La Jolla, CA) | 1 edit
Attached image: IP binding
Thanks, I'm trying what you suggested. I think I've been there though. So, you suggest I use my real WAN IP? You know it changes daily (I don't have a static IP). I'm using DSL PPPoE dynamic. I have a ChangeIP script to update it. But I'll try using the present "public" WAN IP as dst-address. Also, I've attached pics of the IP binding. I'm not sure if I got this right. I had 10.10.0.99 bound to the hotspot server IP 10.10.0.1. Then changed it back to 10.10.0.99 bound to itself..? Right/wrong?
livewireless (join: 2006-11-03, La Jolla, CA) | reply to Airnode
Attached image: Public IP and gateway
OK, tried putting the public IP in place of the 192.168.1.5 IP. No luck. If you notice my pic attached, the IP in the "network" column is the DSL gateway. Everything works going out with that config, but I just can't get in to access the AP IP. Sorry, but this is getting out of hand, all the pics... hope it makes sense. Thanks
viperm, Carpe Diem (Premium, join: 2002-07-09, Winchester, CA) | 1 edit | reply to livewireless
Is the AP directly behind the Mikrotik or is there another router etc.?
If you want to hit me off list and give me remote access I can take a look to see if I can get it to work for you.
It's probably something simple. I won't be able to do it till later this evening, I have stuff I need to do.
PS: Try getting rid of the "TO" address in the binding rule. We do the same type of setup but never had to put in the TO IP address, just the address and that's it.
Thanks
livewireless (join: 2006-11-03, La Jolla, CA) | 1 edit
Wow, thanks so very much. You know it's gonna be something simple. But yes, the AP is directly behind the RouterOS.

Internet ------> DSL modem PPPoE ------> RouterOS ---ethernet---> Bullet M2HP AP ------> wireless clients

I'd really appreciate it, Viperm. I was just playing with it. I disabled the "use DNS peer" on the PPPoE client; now it's down, or at least I can't see it from remote. I'll be local to the hotspot shortly, log in and fix that so I can get to it. It's 2:30. Be up and running @ 4:30. I'll get you later. Tim
TomS_, debugger it (Premium, MVM, join: 2002-07-19, Australia) | reply to livewireless
Make sure you post the solution so others know what was wrong and how to fix it!
livewireless (join: 2006-11-03, La Jolla, CA) | 1 edit
ABBO bloody lutely! Mate!
(absolutely)
You guys are incredible. I've learned more here than one could imagine. I know Viperm will nail it.
Very generous peeps.
viperm, Carpe Diem (Premium, join: 2002-07-09, Winchester, CA) | reply to livewireless
It was a simple fix: he had port 8081 forwarding to ALL TCP ports on his Bullet. You have to be specific about what ports you want to forward to what other ports on your internal devices.
All I did was tweak his existing dst firewall rule to tell his public IP port 8081 to forward to port 80 of his Bullet, and bingo bango, he is good!
Took me 30 seconds with a chip and dip in one hand hahaha. If he would have posted the pic of the actual rule itself I think we would have seen it right away.
livewireless (join: 2006-11-03, La Jolla, CA) | 1 edit
Thanks again Viperm, you nailed it. If you notice in the 2nd pic at top, I've got the outside interface visible. "192.168.1.5" should have been the "public IP" address. Previously I had tried using "80" instead of "0-65535", but I didn't have the public IP inserted. Bottom line, you corrected it. Now, to figure out how to update the rule to update the DHCP. Wonder if there's a script to do the same. Until I buy a static!
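Added example (not posted by anyone in this thread, and not Mikrotik's own documentation): the fix viperm describes, written out as RouterOS CLI commands, plus the variant that matches on the incoming interface instead of the WAN address, which is what makes the rule survive the daily PPPoE address change asked about above. Interface names come from the route print in the first post (pppoe-out1 carries the public address, ether2 carries the 10.10.0.0/24 hotspot network); the "mgmt" address list and the 203.0.113.0/24 source range are made-up placeholders.

```routeros
# Added example, not from the thread. Assumed from the route print:
# pppoe-out1 = WAN link, 10.10.0.99 = Bullet M2HP on the hotspot LAN.

# 1. Let the AP's own traffic through the hotspot without a login
#    (the "bypass" binding the original poster already has).
/ip hotspot ip-binding
add address=10.10.0.99 type=bypassed comment="Bullet M2HP management"

# 2. The corrected forward. to-ports is the single port the AP's web UI
#    listens on (80), not a range; matching on in-interface instead of
#    dst-address means the rule keeps working when the PPPoE address changes.
/ip firewall nat
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=8081 \
    action=dst-nat to-addresses=10.10.0.99 to-ports=80 \
    comment="public:8081 -> Bullet web UI"

# 3. Optional: only let listed sources reach the AP's web UI instead of the
#    whole internet. "mgmt" and 203.0.113.0/24 are placeholder values.
/ip firewall address-list
add list=mgmt address=203.0.113.0/24 comment="placeholder admin range"
/ip firewall nat
set [find comment="public:8081 -> Bullet web UI"] src-address-list=mgmt

# 4. Checks. The rule's packet counter should climb after a connection
#    attempt from outside, and the tracked connection should show the
#    translated side (reply-src-address) as 10.10.0.99:80.
/ip firewall nat print stats where chain=dstnat
/ip firewall connection print detail where reply-src-address~"10.10.0.99:80"
```

If the counter in step 4 stays at zero the packet never matched the rule (wrong interface, wrong port, or the hotspot's own rules caught it first); if it climbs but the AP still does not answer, the problem is on the hotspot side (binding) or on the AP itself.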
viperm, Carpe Diem (Premium, join: 2002-07-09, Winchester, CA) | reply to livewireless
Hahah, I have been trying that as well with one of our hotspots. I can't get the scripting to work correctly with our DNS server.
The Mikrotik Wiki site has a decent script but the password config just won't work with Simple DNS, or vice versa. Simple DNS spits out a unique password with special characters that Mikrotik doesn't understand; it thinks it's some kind of command and will not run it.
Oh well, I just get a down notification when it changes, and I have a PPTP VPN connection running from the hotspot to one of our core routers. So when I get a page that it's down I look in the core router to see what IP address the PPTP session is coming from, and then I know what the IP address of my hotspot is etc...
I then go into Wireless Orbit and change it manually so RADIUS starts working again.