
firewall port forwarding help

Posted: Wed Dec 16, 2015 6:31 pm
by khaloudy

MikroTik RouterOS 6.5 (c) 1999-2013 http://www.mikrotik.com/


I have 3 interfaces working on my MikroTik:

1 - WAN >>> modem and ISP as 192.168.1.99/24
2 - LAN >>> clients and access points as 10.0.0.2/24
3 - LAN3 >>> my PC and home use as 6.6.6.1/24
========================================
I want to open the access points from a browser, such as 10.0.0.53 & 10.0.0.54

For now I work by moving the cable from the MikroTik LAN to the PC LAN to reach the access points, and then putting it back again.
A friend told me that you can use port forwarding to do that, but I don't know how.

Please help me to do that.
I work with Hotspot.
Best regards

Re: firewall port forwarding help

Posted: Wed Dec 16, 2015 6:37 pm
by ZeroByte
You probably have a filter rule blocking the connectivity.
Check your ip firewall filter rules, specifically look at the forward chain.

Imagine a packet with the source = 6.6.6.x:TCP/12345 and the dst = 10.0.0.53:TCP/80
Now read your forward chain rules one by one and follow the actions - assume the connection state will be "new" for the first packet from the PC to the AP....

If you reach an "accept" rule (or no rules match, which means 'accept') then the request is reaching the AP.

Then imagine the reply packet from the AP to the PC, which means the src and dst addresses and port numbers will be reversed. Now follow the forward chain again, but this time, the state will be "established"

If all of that seems correct, then make sure the APs have default gateway set to 10.0.0.2
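
The trace described above, written out as RouterOS terminal commands (an added example, not part of the original post): it lists the forward chain in evaluation order, adds a rule for the "new" request and rules for the "established" reply, and uses counters and a log rule to see where the packet stops. Addresses are the ones from the first post; the comments, the log prefix and the idea of a temporary log rule are assumptions.

```routeros
# Added example, not from the thread.
/ip firewall filter

# 1. Show the forward chain in evaluation order. Rules are checked top to
#    bottom and the first match decides; if nothing matches, the packet
#    is accepted.
print where chain=forward

# 2. Request: src 6.6.6.x:12345 -> dst 10.0.0.53:80, connection state "new".
#    "add" appends to the end of the list. If the print output shows a drop
#    rule that would match first, put this rule above it with
#    place-before=<number from print>.
add chain=forward action=accept connection-state=new protocol=tcp \
    src-address=6.6.6.0/24 dst-address=10.0.0.0/24 dst-port=80 \
    comment="LAN3 PC to AP web UI"

# 3. Reply: src 10.0.0.53:80 -> dst 6.6.6.x:12345, state "established".
add chain=forward action=accept connection-state=established \
    comment="replies to accepted connections"
add chain=forward action=accept connection-state=related \
    comment="related traffic, e.g. ICMP errors"

# 4. Temporary log rule: action=log does not end evaluation, the packet
#    continues to the rules after it. Move it to the top while testing and
#    remove it afterwards.
add chain=forward action=log log-prefix="pc-to-ap" protocol=tcp \
    src-address=6.6.6.0/24 dst-address=10.0.0.53 dst-port=80

# 5. Load http://10.0.0.53 from the PC, then read the per-rule counters
#    and the log entries.
print stats where chain=forward
/log print where message~"pc-to-ap"
```

If the request rule counts packets but no reply is seen, the default gateway on the AP (10.0.0.2 in this layout) is the next thing to check.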

Re: firewall port forwarding help

Posted: Wed Jan 13, 2016 9:05 pm
by khaloudy
Sorry sir for the long time; I searched and looked for answers but I didn't find any!

I have now reset my router to factory defaults.

ISP modem is 192.168.1.1


MikroTik is
wan = 192.168.1.99/24
lan = 7.7.7.1/24
route = 192.168.1.1

hotspot (user name and password for clients)
ok?

It works fine now.
[Attached image: network.jpg]
-----------------------------------------------------------------------------------------
What I want:
I uploaded an image of my network.

I can access the AP when I use pc1
I can access the ISP modem when I use pc1
I want to access AP1 and AP2 when I use pc2
Please, can anyone help me with code to add in the Winbox terminal?
I am not good with MikroTik.

Re: firewall port forwarding help

Posted: Wed Jan 13, 2016 10:04 pm
by ZeroByte
You need to use a different IP range for guest PC (pc2) because 192.168.1.xxx is controlled by the ISP router, and not your Mikrotik. If you want to block guest network from reaching LAN network, then a simple pair of firewall rules will prevent this, and you won't need to do anything complicated or strange to accomplish the goal of keeping guest users away from the LAN.

I assume that the APs are Mikrotik devices as well. If not, then you'll have to find out how to do a second SSID + VLAN for that type of equipment.

On the Mikrotik, whatever interface is your LAN interface, add a new vlan interface, set the vlan-id to something, say 10, name it "guest" and connect this interface to the LAN interface. (if the LAN is a bridge, put it on the bridge. If the LAN is ether2-master-local, with ether3-ether5 as slaves, then choose ether2-master-local)

Add a new IP address on "guest" interface - e.g. 192.168.50.1/24

Then after you have the interface and IP address configured, run the hotspot setup wizard and choose "guest" as the hotspot interface. The wizard will choose the correct settings for DHCP, NAT, etc.

Then if the APs are Mikrotik devices, I assume they are configured as simple bridges with a bridge1 interface that uses ether1 and wlan1 as ports. Create a second bridge: bridge2 (or guest-bridge), and a vlan interface on ether1 - name this one "guestvlan" and use the same VLAN-ID that you used on the main Mikrotik (10).

Now in the wireless configuration, add an interface "virtual AP" and configure it with its own security profile and whatever SSID you want your guests to use. Finally, in the bridge configuration, connect the virtual AP and the guestvlan interfaces as ports on the bridge2 bridge.

This should get you going.
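
The steps above as RouterOS terminal commands (an added example, not ZeroByte's own configuration). The names "guest", "guestvlan", "bridge2", VLAN ID 10, 192.168.50.1/24 and ether2-master-local come from the post; the virtual AP name, SSID, security profile, pre-shared key placeholder and the two isolation rules are assumptions.

```routeros
# Added example, not from the thread.

# --- Main MikroTik ---
/interface vlan
add name=guest vlan-id=10 interface=ether2-master-local
/ip address
add address=192.168.50.1/24 interface=guest

# Interactive wizard: choose "guest" as the hotspot interface when asked.
/ip hotspot setup

# One reading of the "simple pair of firewall rules" that keeps guests
# away from the LAN (assumption: the LAN is on ether2-master-local).
/ip firewall filter
add chain=forward in-interface=guest out-interface=ether2-master-local \
    action=drop comment="guest -> LAN"
add chain=forward in-interface=ether2-master-local out-interface=guest \
    action=drop comment="LAN -> guest"

# --- Each MikroTik AP (bridge1 already has ether1 and wlan1 as ports) ---
/interface bridge
add name=bridge2
/interface vlan
add name=guestvlan vlan-id=10 interface=ether1

# Separate security profile and SSID for guests (values are placeholders).
/interface wireless security-profiles
add name=guest-profile mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="REPLACE-WITH-GUEST-KEY"
/interface wireless
add name=guest-ap master-interface=wlan1 ssid="Guest" \
    security-profile=guest-profile disabled=no

# Tie the virtual AP to the tagged VLAN, separate from bridge1.
/interface bridge port
add bridge=bridge2 interface=guestvlan
add bridge=bridge2 interface=guest-ap
```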

Re: firewall port forwarding help

Posted: Wed Jan 13, 2016 10:40 pm
by khaloudy
[Attached image: 3ip.jpg]
But 192.168.1.xxx is not the ISP's IP.
The ISP WAN IP is like 173.133.11.xxx
This is the modem's LAN, range between 192.168.1.2 and 192.168.1.254
There are 2 IPs in the modem.

I work directly from the modem alone, not using the MikroTik.
The PC connected directly to the modem is 192.168.1.222

and the MikroTik behind the modem works on the network too at the same time
I can access the MikroTik via Winbox from pc1 and pc2
I can access the modem via pc1 and pc2
I can access apps from pc1
but
I can't access apps from pc2

Re: firewall port forwarding help

Posted: Thu Jan 14, 2016 12:39 am
by khaloudy
Please help
I can't access apps from pc2
up

Re: firewall port forwarding help

Posted: Mon Jan 18, 2016 10:18 pm
by khaloudy
I tried to do this:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.222 dst-port=0-65535 \
    in-interface=WAN protocol=tcp to-addresses=7.7.7.55 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=192.168.1.222 dst-port=0-65535 \
    in-interface=WAN protocol=tcp to-addresses=7.7.7.66 to-ports=0-65535
But I can't connect from the 192.168.1.222 PC to the 7.7.7.55 Ap or the 7.7.7.66 App

What is the correct code?

Re: firewall port forwarding help

Posted: Tue Jan 19, 2016 10:28 pm
by khaloudy
oooooooooooooooooooooooh
I did it
I can connect now to any app or PC or remote desktop
Everything is right
wooooooooow

First I added this code via terminal
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.222 dst-port=0-65535 \
    in-interface=WAN protocol=tcp to-addresses=7.7.7.55 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=192.168.1.222 dst-port=0-65535 \
    in-interface=WAN protocol=tcp to-addresses=7.7.7.66 to-ports=0-65535

Then I added this code via terminal

/ip hotspot ip-binding
add address=7.7.7.66 type=bypassed
/ip hotspot ip-binding
add address=7.7.7.77 type=bypassed
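
A narrower form of the same port forward, as an added example that is not part of the original posts: NAT rules are first-match, so two rules with identical matchers can only ever reach the first target, and forwarding ports 0-65535 exposes every TCP service on it. This version gives each AP one port on the router's WAN address and matches only the PC at 192.168.1.222. The external ports 8055 and 8066 and the AP web port 80 are assumptions; the addresses are the ones used in the thread.

```routeros
# Added example, not from the thread.
/ip firewall nat

# One rule per AP, each on its own external port of the router's WAN
# address (192.168.1.99). src-address limits the forward to the single PC
# on the modem LAN.
add chain=dstnat action=dst-nat in-interface=WAN protocol=tcp \
    src-address=192.168.1.222 dst-address=192.168.1.99 dst-port=8055 \
    to-addresses=7.7.7.55 to-ports=80 comment="AP1 web UI"
add chain=dstnat action=dst-nat in-interface=WAN protocol=tcp \
    src-address=192.168.1.222 dst-address=192.168.1.99 dst-port=8066 \
    to-addresses=7.7.7.66 to-ports=80 comment="AP2 web UI"

# The APs sit on the hotspot LAN and never log in, so their addresses are
# bypassed in the hotspot.
/ip hotspot ip-binding
add address=7.7.7.55 type=bypassed comment="AP1"
add address=7.7.7.66 type=bypassed comment="AP2"

# Check: browse to http://192.168.1.99:8055 and http://192.168.1.99:8066
# from 192.168.1.222, then confirm that each rule's packet counter moved.
/ip firewall nat print stats where chain=dstnat
```

The APs also need 7.7.7.1 as their default gateway so that replies return through the MikroTik.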