
ubnt aircontrol v2 & mikrotik ccr1016

Posted: Tue Mar 24, 2020 5:40 pm
by digitalinee
Dear all,
This is my setup:
/interface bridge
add fast-forward=no name=bridge-control
/interface ethernet
set [ find default-name=ether4 ] comment=trunk-vlans-in name=ether04
set [ find default-name=ether12 ] comment="server 10.20.30.151"
/interface vlan
add interface=ether04 name=vlan-hr101 vlan-id=101
add interface=ether04 name=vlan-hr102 vlan-id=102
add interface=ether04 name=vlan-hr103 vlan-id=103
add interface=ether04 name=vlan-hr104 vlan-id=104
add interface=ether04 name=vlan-hr105 vlan-id=105
/ip pool
add name=dhcp_pool1 ranges=10.20.30.100-10.20.30.140
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-control name=dhcp1
/interface bridge port
add bridge=bridge-control horizon=1 interface=ether05
add bridge=bridge-control horizon=1 interface=ether06
add bridge=bridge-control interface=ether07
add bridge=bridge-control interface=ether08
add bridge=bridge-control interface=ether09
add bridge=bridge-control interface=ether10
add bridge=bridge-control interface=ether11
add bridge=bridge-control interface=ether12
/ip address
add address=10.102.100.2/24 comment=hahx interface=ether04 network=10.102.100.0
add address=10.46.233.254/24 comment=hr101 interface=vlan-hr101 network=10.46.233.0
add address=10.101.253.254/24 comment=hr102 interface=vlan-hr102 network=10.101.253.0
add address=10.96.129.254/24 comment=hr103 interface=vlan-hr103 network=10.96.129.0
add address=10.207.91.254/24 comment=hr104 interface=vlan-hr104 network=10.207.91.0
add address=10.214.77.254/24 comment=hr105 interface=vlan-hr105 network=10.214.77.0
add address=10.20.30.254/24 comment=lan-control interface=bridge-control network=10.20.30.0
/ip dhcp-server lease
add address=10.20.30.151 client-id=*************** comment=server mac-address=10.20.30.151 server=dhcp1
/ip dhcp-server network
add address=10.20.30.0/24 dns-server=10.20.30.254 gateway=10.20.30.254
/ip dns
set allow-remote-requests=yes servers=109.224.14.2,109.224.14.3
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.20.30.0/24
/ip route
add distance=1 gateway=10.102.100.1
Each of these VLANs belongs to a remote tower; the local tower is on ether4 (default VLAN), and the air-control server is bridged on ether12. It can discover all devices on these VLANs (local tower as well), and it can resolve the network topology and update device software as well, but it cannot monitor them, and this is my issue.
We have disabled the server firewall in order to focus on the router side only, so when we want to monitor a device the response from the server says "device cannot reach server via http://10.20.30.151:9081/AC2/report please check your firewall setting".
As in this photo:
https://drive.google.com/open?id=1EarZK ... T7OS-KVsXp

As I understand from some online searching, the following ports should be allowed:
1- Port 22 TCP, for ssh access.
2- Port 10001 UDP, for discovery. (I think this one is working okay since I can discover all devices across all VLANs)
3- The radio also needs to reach the AC2 server on port 9081 TCP for sending heartbeats.

So I have tried some port forwarding and came up with this firewall NAT setting, testing it on the vlan101 network only for now (10.46.233.0/24):
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.20.30.0/24
add action=dst-nat chain=dstnat dst-address=10.46.233.0/24 dst-port=22 protocol=tcp to-addresses=10.20.30.0/24 to-ports=22
add action=dst-nat chain=dstnat dst-address=10.46.233.0/24 dst-port=10001 protocol=udp to-addresses=10.20.30.0/24 to-ports=10001
add action=dst-nat chain=dstnat dst-address=10.46.233.0/24 dst-port=9081 protocol=tcp to-addresses=10.20.30.0/24 to-ports=9081
And this is the result:
https://drive.google.com/open?id=1gj4nM ... wKvmrLtW_q

Can you guys help me solve this please?

Thanks in advance...
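
Added example, not part of the original post: a small Python evaluator that runs the NAT rules quoted above against the two traffic directions the post describes, to show which rule (if any) each one hits. The radio address 10.46.233.10 and the sample flows are constructed for illustration, and the matcher is a simplification that only looks at address, protocol and port.

```python
import ipaddress
import shlex

# NAT rules copied from the post (the attempted vlan101 configuration).
NAT_RULES = """\
add action=masquerade chain=srcnat src-address=10.20.30.0/24
add action=dst-nat chain=dstnat dst-address=10.46.233.0/24 dst-port=22 protocol=tcp to-addresses=10.20.30.0/24 to-ports=22
add action=dst-nat chain=dstnat dst-address=10.46.233.0/24 dst-port=10001 protocol=udp to-addresses=10.20.30.0/24 to-ports=10001
add action=dst-nat chain=dstnat dst-address=10.46.233.0/24 dst-port=9081 protocol=tcp to-addresses=10.20.30.0/24 to-ports=9081
"""

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict of its properties."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def matches(rule, flow):
    """True if every matcher on the rule accepts the flow (address, protocol, port only)."""
    for key, field in (("src-address", "src"), ("dst-address", "dst")):
        if key in rule and ipaddress.ip_address(flow[field]) not in ipaddress.ip_network(rule[key]):
            return False
    if "protocol" in rule and rule["protocol"] != flow["proto"]:
        return False
    if "dst-port" in rule and int(rule["dst-port"]) != flow["dport"]:
        return False
    return True

def first_match(rules, chain, flow):
    """Return the first rule in the chain that matches; NAT rules are checked in order."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, flow):
            return rule
    return None

# Constructed sample flows; 10.46.233.10 is a hypothetical radio on vlan101.
HEARTBEAT = {"src": "10.46.233.10", "dst": "10.20.30.151", "proto": "tcp", "dport": 9081}
SSH_TO_RADIO = {"src": "10.20.30.151", "dst": "10.46.233.10", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    rules = parse_rules(NAT_RULES)
    for name, flow in (("heartbeat", HEARTBEAT), ("ssh to radio", SSH_TO_RADIO)):
        for chain in ("dstnat", "srcnat"):
            hit = first_match(rules, chain, flow)
            print(f"{name:13} {chain:7} -> {hit['action'] if hit else 'no match'}")
```

The radio-to-server heartbeat on TCP 9081 matches none of the quoted NAT rules, so it is plainly routed and depends on the radio having a route back to 10.20.30.0/24, while the server's own SSH session toward a radio is caught by the new dst-nat rule.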

Re: ubnt aircontrol v2 & mikrotik ccr1016

Posted: Tue Mar 24, 2020 9:01 pm
by digitalinee
Any insight please?

Re: ubnt aircontrol v2 & mikrotik ccr1016

Posted: Wed Mar 25, 2020 12:51 pm
by digitalinee
:?: