MTikSeekeroe
newbie
Topic Author
Posts: 43
Joined: Fri Nov 06, 2009 5:12 am

Access to printer behind MikroTik router from another network

Thu Aug 18, 2022 9:42 am

Hi,

I have a printer behind a MikroTik router with an IP of 192.168.22.40

I want to be able to print to this printer from various PCs which are behind another (ISP supplied) router with an IP address network of 192.168.85.0/24.

I have tried various port forwarding on the MikroTik router but am unable to use the printer.

Settings used:
add action=accept chain=forward comment="access to printer from outside" dst-address=192.168.22.40 src-address=192.168.185.0/24

Can someone be so kind giving me some help, pls.

Thks.
 
erlinden
Forum Guru
Posts: 2630
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Access to printer behind MikroTik router from another network

Thu Aug 18, 2022 10:17 am

Port forwarding should work in this scenario (make very sure that source address is configured to prevent that the rest of the world is using your printer as well).
You might understand that the rule is totally incorrect, Internet won't route private IP addresses. You would need to change it to something like

add action=accept chain=forward comment="access to printer from outside" dst-address=[Your public IP Address] dst-port=[port] src-address=[IP address of ISP supplied router] to-address=192.168.22.40 protocol=[TCP or UDP] action=dst-nat

Haven't tested the above line, you can do that... If you turn on logging, you will be able to log connections (and can see if the forward is working).
 
MTikSeekeroe
newbie
Topic Author
Posts: 43
Joined: Fri Nov 06, 2009 5:12 am

Re: Access to printer behind MikroTik router from another network

Thu Aug 18, 2022 12:54 pm

Sorry for my ignorance being a newbie.

But is the CLI you suggested to be done in Firewall NAT or in Firewall Filter Rules?

Its syntax seems to be contradictory to me.
 
erlinden
Forum Guru
Posts: 2630
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Access to printer behind MikroTik router from another network

Thu Aug 18, 2022 1:06 pm

The dst-nat part of the code should have given you a good hint. No problem, we all started somewhere. Hope you understand the explanation regarding the source address.

Herewith the MikroTik wiki with an example of port 21 (FTP server):
https://wiki.mikrotik.com/wiki/Manual%3 ... FTP_server
https://help.mikrotik.com/docs/display/ ... inationNAT
 
MTikSeekeroe
newbie
Topic Author
Posts: 43
Joined: Fri Nov 06, 2009 5:12 am

Re: Access to printer behind MikroTik router from another network

Thu Aug 18, 2022 1:35 pm

Thanks. I'll have a look.
 
MTikSeekeroe
newbie
Topic Author
Posts: 43
Joined: Fri Nov 06, 2009 5:12 am

Re: Access to printer behind MikroTik router from another network

Fri Aug 19, 2022 3:52 am

After several hours reading the suggested documents and trying various settings, I am still unable to print to printer behind MikroTik router from another network.

Last settings:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forwarding to Printer" \
dst-address=192.168.145.4 dst-port=9100 protocol=tcp to-addresses=\
192.168.222.40 to-ports=9100

Where:
- 192.168.145.2 is the public IP of MikroTik router (from IP DHCP Client). 192.168.222.1 is its IP on LAN side.
- 192.168.222.40 is IP of printer

Could be something else that prevents printing but my limited knowledge does not extend that far.

Can someone be so kind giving me some help, pls.

Thank you.
 
anav
Forum Guru
Posts: 21930
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access to printer behind MikroTik router from another network

Fri Aug 19, 2022 3:57 pm

Instead of beating around the bush, can you provide a network diagram to show the connected or unconnected devices?
Also complete config:
/export hide-sensitive file=anynameyouwish { just ensure that actual numbers for WAN IP or WAN gateway IP etc. are NOT visible. }
 
MTikSeekeroe
newbie
Topic Author
Posts: 43
Joined: Fri Nov 06, 2009 5:12 am

Re: Access to printer behind MikroTik router from another network

Sat Aug 20, 2022 7:07 am

Here is the requested info:

1. Network diagram:
[Image: network diagram]

2. Extract of MikroTik settings:
/ip firewall filter
add action=accept chain=input comment=\
    "R10.05---->> Accept established, connected & untracked input traffic" \
    connection-state=established,related,untracked
add action=drop chain=input comment=\
    "R10.10----X---->> Drop invalid connections" connection-state=invalid \
    log=yes log-prefix=Invalid
add action=accept chain=input comment="R10.15---->> Accept ICMP" protocol=icmp
add action=accept chain=input comment="R20.05---->> Allow ovpn via port 1194" \
    dst-port=53229 protocol=tcp
add action=accept chain=input comment="R20.10---->> Allow winbox via p 8291" \
    dst-port=8291 protocol=tcp
add action=drop chain=input comment=\
    "R30.05----x---->>  Drop all traffic not coming from LAN" \
    in-interface-list="!List A"
add action=accept chain=forward comment=\
    "R30.10---->> Accept established, connected & untracked forward traffic" \
    connection-state=established,related,untracked
add action=drop chain=forward comment=\
    "R30.15----x---->> Drop invalid forward traffic" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "R30.20----X---->> Drop all from WAN not DSTNated" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment=\
    "R40.05----X---->> Minimize amplification attack" dst-port=53 \
    protocol=udp
add action=drop chain=input comment=\
    "R40.10----X---->> Minimize amplification attack" dst-port=53 \
    protocol=tcp
add action=drop chain=forward comment="R40.35---------X----> GuestWifi & IoT (\
    Src) isolated fr HomeLANS - I M P O R T A N T" connection-limit=0,27 \
    dst-address-list="Restricted HLANs" src-address-list="Guest Wifi & IoT"
add action=drop chain=forward comment="R40.40---------X----> GuestWifi & IoT (\
    Dst) isolated fr HomeLANS - I M P O R T A N T" connection-limit=0,27 \
    dst-address-list="Guest Wifi & IoT" src-address-list="Restricted HLANs"
add action=drop chain=forward comment=\
    "R50.05----X---->>  banned sites -src" src-address-list=\
    "banned sites"
add action=drop chain=forward comment=\
    "R50.10----X---->>  banned sites -dst" dst-address-list=\
    "banned sites"
add action=accept chain=forward comment=\
    "R60.05--->> Accept traffic initiated fr All LANs" connection-state=new \
    src-address-list=All_LANs
add action=drop chain=input comment=\
    "R60.10----X---->> Drop everything else "
add action=drop chain=forward comment=\
    "R60.15----X---->> Drop everything else"
-------------

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN src-address-list=""
add action=accept chain=dstnat comment=\
    "Keep tcp/1194 for OpenVPN on the router" dst-port=1194 in-interface=\
    eth10-Gateway protocol=tcp
add action=dst-nat chain=dstnat comment="Port Forwarding to Col Printer" \
    dst-address=172.16.185.1 dst-port=9100 in-interface=eth10-Gateway log=\
    yes protocol=tcp to-addresses=172.16.222.40 to-ports=9100

I had these rules set up years ago from my reading of various posts online and adopted with modifications for my situation. To an expert, they are less than perfect. But I am no expert. Appreciate your help.

Regards
 
erlinden
Forum Guru
Posts: 2630
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Access to printer behind MikroTik router from another network

Sat Aug 20, 2022 10:15 am

Kudos to anav!
Two options:
  • Explain to the ISP router that all 172.16.222.40 should be routed to the WAN IP of the RB (think this is the desired situation)
  • Configure the RB as switch
What is the purpose of having the RB act as router? Security? Dividing networks?
 
jvanhambelgium
Forum Guru
Posts: 1117
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access to printer behind MikroTik router from another network

Sat Aug 20, 2022 10:41 am

All depends on "what is the WAN between both RB's".
On your picture it could be a point-to-point circuit from a provider. Definitely not "Internet" I would say looking at the IPs? If so, please adjust your drawing to reflect this correctly.

In addition, the "LAN" on Router1 has 192.168.145.1 while the "WAN" part on Router2 has 192.168.145.124??
Is this subnetted? What are the subnet masks used here etc.?

From what I see, you don't even NEED "DNAT" as this might even be solved with some correct routing in place (and some rules in the "forward" chains on both RBs).
 
MTikSeekeroe
newbie
Topic Author
Posts: 43
Joined: Fri Nov 06, 2009 5:12 am

Re: Access to printer behind MikroTik router from another network

Sat Aug 20, 2022 11:32 am

All depends on "what is the WAN between both RB's".
On your picture it could be a point-to-point circuit from a provider. Definitely not "Internet" I would say looking at the IPs? If so, please adjust your drawing to reflect this correctly.

While written as 1.2.3.4 for privacy reasons, it is a true public IP, i.e. it's not even a CGNAT address. I can ping that IP from anywhere.
---------------------------

In addition, the "LAN" on Router1 has 192.168.145.1 while the "WAN" part on Router2 has 192.168.145.124?? Is this subnetted? What are the subnet masks used here etc.?

From router 1, I gave router 2 that 'fixed' IP address (WAN port), i.e. tied to its MAC address. Internet traffic flows to/from R2 normally with no issue whatsoever. But I wouldn't think the netmask (/25) is relevant here.
----------------------------

From what I see, you don't even NEED "DNAT" as this might even be solved with some correct routing in place (and some rules in the "forward" chains on both RBs).

That's why I came here for help. BTW, the first router is not a MikroTik.
 
jvanhambelgium
Forum Guru
Posts: 1117
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access to printer behind MikroTik router from another network

Sat Aug 20, 2022 12:07 pm

Ah, OK, so... R1 you don't manage yourself?
Basically a port of R2 is probably plugged by direct (ethernet) cable into a free port on R1?
Probably R1 has a bunch of ports configured as a little switch and 192.168.145.1 is the "default gateway" for that.

So... did you ever just ADD A ROUTE on the workstation PC pointing to the 172.16.222.0/24 network with a gateway of 192.168.145.124??
This will deliver the packets straight to the MikroTik R2 and only a correct "forward" chain rule is needed to allow this traffic to "pass" R2.
To my knowledge, no DNAT/NAT is needed in this scenario.

AGAIN, only if my assumption is correct that R2 is plugged in directly with ethernet-cable into a port of R1, but your drawing suggests this.
 
anav
Forum Guru
Posts: 21930
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access to printer behind MikroTik router from another network

Sat Aug 20, 2022 3:58 pm

First comment is that I didn't ask for an extract, so please don't be cute and think you know what's best......... reminder, you are looking for assistance, not the other way around.
Full MT config please.

(1) In general this is a no-no.............. but since you're not plugged into the internet directly
add action=accept chain=input comment="R20.10---->> Allow winbox via p 8291" \
dst-port=8291 protocol=tcp { missing in-interface-list=LAN }
add action=drop chain=input comment=\
"R30.05----x---->> Drop all traffic not coming from LAN" \
in-interface-list="!List A"

One should not give external access to winbox normally. It also defeats the purpose of the next rule, which I am supposing is to allow access to the router only to LAN devices.

(2) Since you have no control over the first router, I'm not sure that setting the second MT device as a router is the best choice, as the first router is not under your control.
Two options.....

-i- Keep as router; the PC user types in 192.168.145.124:9100 and it should reach the printer you have designated. The dstnat rule looks fine, but I need to see the full config.

a. Ensure the dest address is correct, NOT 172.16.185.1. As noted, to ensure only the PC user you want can access the printer, you have two choices.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forwarding to Printer" \
dst-address=192.168.145.124 dst-port=9100 protocol=tcp to-addresses=\
172.16.222.40 to-ports=9100
src-address=192.168.145.25 OR src-address-list=printer_authorized

Where you need a number of PCs behind the first router to have access to the printer

b. The rest of your firewall rules are garbage but will clean that up later.

c. Since your WANIP is fixed in this case you should probably use for the source nat config.
add action=src-nat chain=srcnat to-addresses=192.168.145.124 out-interface=ether1

--ii-- The other option is to run the MT device as a switch only with all being on the same subnet, but I will not go down that path until
it's something you express a need for, as I'm assuming there is a reason why you have the current device set up as a router.
Last edited by anav on Sun Aug 21, 2022 3:29 am, edited 1 time in total.
 
MTikSeekeroe
newbie
Topic Author
Posts: 43
Joined: Fri Nov 06, 2009 5:12 am

Re: Access to printer behind MikroTik router from another network

Sun Aug 21, 2022 1:41 am

Truth be told, my network is actually more complicated than I wanted shown earlier. I simply wanted to avoid unnecessary details in order to quicken the path to a solution. So sorry about that, anav. BTW, the first router was a Netgear running DDWRT. It is behind an HFC modem (Harris CM8200).

Luckily, I managed to get my situation resolved. I can now send a print job to the printer (behind MikroTik as Router 2) from a device behind DDWRT (as Router 1) with the following firewall commands:

add action=accept chain=forward comment=\
"Allow traffic from network x.x.145.0/25 to printer" \
dst-address=172.16.222.40 in-interface=eth10-Gateway src-address=\
192.168.145.0/25

add action=accept chain=forward comment=\
"Allow traffic from printer to network x.x.145.0/25" \
dst-address=192.168.145.0/25 out-interface=eth10-Gateway \
src-address=172.16.222.40

It's what jvanhambelgium said in an earlier post. dstnat was not even needed in my case.

Last thing, you're right, anav, my firewall settings are a bit messy. They have been kinda cobbled together. I have all service ports in firewall blocked though. I might ask for a good set of eyes like yours over it sometime, but not today. I got some guests coming for lunch. :-).

I take this opportunity to thank you all. Wishing you all a good day.
 
anav
Forum Guru
Posts: 21930
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access to printer behind MikroTik router from another network

Sun Aug 21, 2022 3:31 am

Yup, I keep forgetting that dstnat is not required, just a port forward rule. Not sure it's needed both ways, but if it works it works!
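
A narrower form of the forward rules that resolved this thread, as an added example that no participant posted: it admits only new TCP connections to port 9100 on the printer from an address list, instead of all traffic from the /25 in both directions. It assumes eth10-Gateway is a member of the WAN interface list and reuses the list name printer_authorized from anav's post; the log prefix is a made-up label.

```routeros
# Added example, not from the thread.
# Assumptions: eth10-Gateway belongs to the WAN interface list; the address-list
# name printer_authorized is taken from anav's suggestion; PrinterFwd is a
# made-up log prefix.

/ip firewall address-list
add list=printer_authorized address=192.168.145.0/25 \
    comment="Clients behind Router 1 allowed to print"

/ip firewall filter
# Accept only NEW connections to the raw-print port on the printer.
# place-before puts the rule ahead of R30.20, which drops new connections
# arriving on a WAN interface that were not dst-natted; a rule added at the
# end of the chain would never be reached.
add action=accept chain=forward \
    comment="Allow printer_authorized to printer tcp/9100" \
    connection-state=new dst-address=172.16.222.40 dst-port=9100 \
    in-interface=eth10-Gateway protocol=tcp \
    src-address-list=printer_authorized \
    log=yes log-prefix=PrinterFwd \
    place-before=[find where comment~"R30.20"]

# No separate printer -> client rule is required: replies belong to an
# established connection and are accepted by R30.10
# (connection-state=established,related,untracked).

# Check that the rule sits above R30.20 and that its counters increase
# when a test page is sent.
/ip firewall filter print stats where chain=forward
```

Clients still need a route to 172.16.222.0/24 via 192.168.145.124, as jvanhambelgium describes, either on each workstation or on Router 1.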
