Configuring DSTNAT (inbound static NAT from a public IP address) to a server located on a network where Hotspot is configured.
By: Don Van Oort - R & D Industries, Inc. http://www.rdi1.com
It seems like an obvious thing to me to want to NAT traffic inbound to a network where Hotspot is bound, to administrate access points, access a web server, or whatever. However, this problem stumped me for quite a while and the solution was not obvious to me. I asked for help and didn't get this answer from anyone, so while I am certain this works, I am not certain whether there is a better way to accomplish this.
In this example we will assume that we have a simple Mikrotik configuration as follows:
Public Interface:
bound to ether1
primary IP 1.1.1.1/24
gateway IP 1.2.3.4/24
Private Interface:
bound to ether2
primary IP 192.168.1.254/24
hotspot enabled on this interface
dhcp enabled on this interface handing out IP addresses from 192.168.1.10 - 192.168.1.100
Wireless Access Point #1:
static IP 192.168.1.250/24
gateway IP 192.168.1.254
attached to hotspot lan on ether2
We will assume that your corporate network is 3.3.3.0/24 and that you want to allow any IP address on your corporate network to manage Wireless Access Point #1. We will assume for the sake of discussion that we want to NAT TCP:80 (HTTP) traffic inbound to Access Point #1, so that we can administrate it from our corporate network.
We will assume that we desire to bind a secondary IP address to the external interface (for simplicity), and that we will attach to that IP address on :80 to administrate the access point.
We will assume that we want our normal hotspot traffic masqueraded outbound as 1.1.1.1. When we bind the secondary IP address to the external interface of the firewall, we need to pay attention to this fact, because we risk having our traffic inadvertently NATed outbound as 1.1.1.2 (the secondary IP address of the external interface).
There are five things that need to happen to allow this.
1. Bind secondary IP address to the external interface of the Mikrotik:
open: IP - Addresses:
Add an IP address of: 1.1.1.2/24 to ether1
(this is the address we will connect to in order to administrate our access point).
2. Create a DSTNAT rule to NAT traffic sent to the public IP on port :80 (1.1.1.2:80) inbound to our wireless access point #1 at 192.168.1.250:80
open: IP - Firewall - NAT
create a new NAT rule:
1 ;;; inbound nat 1.1.1.2:80 >> 192.168.1.250:80 for remote admin of wireless access point #1
chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=80
action=dst-nat to-addresses=192.168.1.250 to-ports=80
Move this rule to the top of your NAT rules. Note that in the text above, the first line beginning with "1 ;;;" is just the comment attached to the NAT rule.
3. Prevent the access point's outbound traffic from being masqueraded behind the wrong address
open: IP - Firewall - NAT
create a new NAT rule:
1 ;;; outbound nat 192.168.1.250 >> 1.1.1.2 for remote admin of wireless access point #1
chain=srcnat src-address=192.168.1.250 action=src-nat to-addresses=1.1.1.2 to-ports=0-65535
Make sure this rule is ABOVE the normal hotspot masquerade rule, which looks like this:
2 ;;; masquarade entire hotspot network
chain=srcnat out-interface=ether1 action=masquerade
4. Create a Firewall rule to allow your corporate network 3.3.3.0/24 traffic inbound:
5 ;;; allow ALL HTTP inbound traffic from our corporate network
chain=forward src-address=3.3.3.0/24 protocol=tcp dst-port=80 action=accept
This rule should be placed just below the standard Mikrotik rule that says "allow related connections".
my rules look like this:
0 D chain=forward hotspot=from-client,!auth action=jump jump-target=hs-unauth
1 D chain=forward hotspot=to-client,!auth action=jump jump-target=hs-unauth-t>
2 ;;; drop invalid connections
chain=forward protocol=tcp connection-state=invalid action=drop
3 ;;; allow already established connections
chain=forward connection-state=established action=accept
4 ;;; allow related connections
chain=forward connection-state=related action=accept
5 ;;; allow ALL HTTP inbound traffic from our corporate network
chain=forward src-address=3.3.3.0/24 protocol=tcp dst-port=80 action=accept
(more rules follow, omitted for clarity)
5. Create an 'IP Binding' in Hotspot, to allow Wireless Access Point #1 traffic to egress the LAN without having to authenticate to the Hotspot service on the Mikrotik.
open: IP - Hotspot - ip-binding
create rule:
0 P ;;; allow Wireless Access Point #1 to bypass hotspot
192.168.1.250
Note: if you do this in Winbox, open IP - Hotspot - ip-bindings, create a new rule, and specify Address: 192.168.1.250, Server: all, Type: bypassed.
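The five steps above collected into one RouterOS CLI script. This is an added example, not part of the original post; it uses the addresses and interface names assumed above (1.1.1.2 on ether1, the access point at 192.168.1.250, the corporate network 3.3.3.0/24). The comment strings, the place-before placement and the dst-address match on the forward rule are my additions: the forward rule here is tighter than the one in the post because it only opens TCP/80 to the access point rather than to every host behind the hotspot.

```routeros
# Added example: the five steps of this post as RouterOS CLI commands.
# Addresses and interface names are the ones assumed in the post.

# Step 1: bind the secondary public address to the external interface
/ip address add address=1.1.1.2/24 interface=ether1 \
    comment="secondary public IP used to reach wireless AP #1"

# Step 2: DSTNAT 1.1.1.2:80 -> 192.168.1.250:80, placed at the top of the NAT table
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.250 to-ports=80 place-before=0 \
    comment="inbound nat 1.1.1.2:80 >> 192.168.1.250:80 for remote admin of wireless AP #1"

# Step 3: SRCNAT for connections the access point itself opens, placed above the
# hotspot masquerade rule so it matches first. to-ports is left out: src-nat keeps
# the original source port unless told otherwise.
/ip firewall nat add chain=srcnat src-address=192.168.1.250 action=src-nat \
    to-addresses=1.1.1.2 \
    place-before=[/ip firewall nat find comment="masquarade entire hotspot network"] \
    comment="outbound nat 192.168.1.250 >> 1.1.1.2 for remote admin of wireless AP #1"

# Step 4: forward filter for HTTP from the corporate network. dst-address limits the
# opening to the access point only (the post's rule has no dst-address match).
/ip firewall filter add chain=forward src-address=3.3.3.0/24 dst-address=192.168.1.250 \
    protocol=tcp dst-port=80 action=accept \
    comment="allow HTTP inbound from our corporate network to wireless AP #1"
# RouterOS has no place-after, so the rule is appended and then moved so that it sits
# just below "allow related connections". With the numbering shown in the post
# (related = 4) the new rule becomes 5; take the real numbers from print output.
/ip firewall filter print
/ip firewall filter move [/ip firewall filter find comment="allow HTTP inbound from our corporate network to wireless AP #1"] 5

# Step 5: let the access point bypass hotspot authentication
/ip hotspot ip-binding add address=192.168.1.250 server=all type=bypassed \
    comment="allow wireless AP #1 to bypass hotspot"

# Check the resulting order: dstnat first, src-nat above masquerade, accept above any drop
/ip firewall nat print
/ip firewall filter print
/ip hotspot ip-binding print
```

Rule order is the whole point of this configuration: NAT and filter chains are first-match, so the src-nat rule only works if it precedes the masquerade rule, and the forward accept only works if it precedes whatever drop rule ends your forward chain. The three print commands at the end are the check worth running after the script, and again after any later rule is added.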
In conclusion, in step #1 we bound a secondary public IP address to the external interface (ether1) of the Mikrotik. Then in step #2 we created a DSTNAT (destination NAT) rule to tell the Mikrotik that we want to forward port 80 traffic sent to that public address inbound to our Wireless Access Point. Then in step #3 we created a SRCNAT (source NAT) rule that NATs the access point's outbound traffic to the secondary IP address we bound to the external interface. Then in step #4 we added a firewall rule to allow our corporate network to send traffic inbound. Then in step #5 we created a rule in Hotspot to allow the Wireless Access Point to bypass the hotspot service.
If anyone has any comment on this or has a better way to do this, please let me know. However, I figured it would be worthwhile to explain how I accomplished this, as I couldn't find any documentation to tell me how to accomplish this when Hotspot is running and I have seen several people with the same question.
Thanks.
-donv