Hi

We recently replaced our L2 switches on each location with the MikroTik CRS125-24G-15-RM (switch) to enable extra configuration capabilities. They are connected to a RB2011UiAS-2HnD-IN (router) via SFP which is bridged with 2 VDSL modems. The router is responsible for the PPPoE connection via 2 eth ports. A network schema is included below.

I want to be able to manage the switch externally so I added a NAT rule as I did in the past.
When I surf to <PPPOE2IP>:81 I would expect that the webfig login screen of the CRS is shown but it won't connect. When I open the detail page for the NAT rule on the router, I see data coming in but not going out... So It seems that I'm overlooking something... On the router's side the SFP port is in the LAN bridge together with the other eth ports.

Any idea what I could have forgot? If you would need more information, just ask . Thank you for your time !

Have a look at http://mum.mikrotik.com/presentations/US12/tomas.pdf

Most probably you aren't making sure traffic entering one WAN is leaving by the same one?

No need for dst-nat, enable RoMON on both routers, and you'll be able to connect directly to any of them from Winbox.

Hi, yes that actually is set. Btw, the problem also exists when only 1 PPPoE is active.

I managed to get in the switch by using the tools > telnet function on the router and then giving in the IP address of the switch. So I figured, if I can telnet from the router to the switch, this should also work via NAT... I changed the NAT rule to forward a certain port to the switch's telnet but this also doesn't work.

I think I'm missing something here...

The SFP port of the CRS is configured as the master for the rest of the ports in the LAN bridge and the ip address of the switch is assigned to the SFP port. No idea what else I could be forgetting here.

Thanks for the RoMON tip, I'll try that now. If there are any other tips, please give them! Your help is appreciated.

Anyone ?

Dear All

I am also facing the same issue, i have DVR connected to RB2011UIAS-2hnd-In. i am trying to connect it externally by using NO-IP.com DDNS service, i am reaching the Routerboard Webfig page but not able to reach DVR which is on port 8000. I have checked that port 8000 is open but i am missing something in NAT Firewall setup.

I tried dnstat from PPOE to Dnstat IP address of the DVR but nothing is happening, please help

Pity that no one seems to care...

I can't be the only one facing this issue?

I've made a test setup at home, connecting a CRS via SFP to an rb2011.

When connecting via the WAN of the RB2011 it's not possible to go to the CRS webfig...

If added a NAT rule in the RB2011 to forward incomfing traffic on port 8080 to port 80 on the CRS. I see traffic coming in when surfing to the address, but it doesn't get further then that ...

btw, WinBox never works for some reason. It always gives an error.

Without an export of the configs, specially IP > Firewall Filter / NAT all we can do is just speculating.

Which firewall ruleset are you using?

However, if you are able to remotely connect to the RB2011 from the outside using Winbox, you should be able to use it to connect to any Romon enabled device inside the network.

Did you enable RoMON on both devices?

What do you see on each (rb2011 and CRS) on Tools > Romon [Discovery]?

If the CRS is visible there, and you are able to connect remotely using winbox to the rb2011, instead of connecting directly,

1.- Add the RB2011 connection on winbox, so that you see it on your "Managed" tab.
2.- Select (highlight) the 2011 entry on the managed tab
3.- Click on "Connect to Romon" button on winbox

If the connection succeeds, Winbox will switch to a "Romon Neighbors" tab, where all Romon enabled neighbors the RB2011 can "see" will be displayed.

Highlight the CRS on that list, fill in the proper credentials, then click on Connect; a Winbox should open connected directly to the CRS.

OK! Thanks for your response, I'll follow up on this later this week and I'll also post the configs then.