
Access to printer behind MikroTik router from another network

Posted: Thu Aug 18, 2022 9:42 am
by MTikSeekeroe
Hi,

I have a printer behind a MikroTik router with an IP of 192.168.22.40

I want to be able to print to this printer from various PCs which are behind another (ISP supplied) router, with an IP network of 192.168.85.0/24.

I have tried various port forwarding on MikroTik router but unable to use the printer.

Settings used:
add action=accept chain=forward comment="access to printer from outside" dst-address=192.168.22.40 src-address=192.168.185.0/24

Can someone be so kind as to give me some help, please?

Thanks.

Re: Access to printer behind MikroTik router from another network

Posted: Thu Aug 18, 2022 10:17 am
by erlinden
Port forwarding should work in this scenario (make very sure that the source address is configured, to prevent the rest of the world from using your printer as well).
You might understand that the rule is totally incorrect; the Internet won't route private IP addresses. You would need to change it to something like

add action=accept chain=forward comment="access to printer from outside" dst-address=[Your public IP Address] dst-port=[port] src-address=[IP address of ISP supplied outer] to-address=192.168.22.40 protocol=[TCP or UDP] action=dst-nat

Haven't tested the above line, you can do that... If you turn on logging, you will be able to log connections (and can see if the forward is working).

Re: Access to printer behind MikroTik router from another network

Posted: Thu Aug 18, 2022 12:54 pm
by MTikSeekeroe
Sorry for my ignorance being a newbie.

But is the CLI you suggested to be done in Firewall NAT or in Firewall Filter Rules?

Its syntax seems to be contradictory to me.

Re: Access to printer behind MikroTik router from another network

Posted: Thu Aug 18, 2022 1:06 pm
by erlinden
The dst-nat part of the code should have given you a good hint. No problem, we all started somewhere. Hope you understand the explanation regarding the source address.

Herewith the MikroTik wiki with an example of port 21 (FTP server):
https://wiki.mikrotik.com/wiki/Manual%3 ... FTP_server
https://help.mikrotik.com/docs/display/ ... inationNAT

Re: Access to printer behind MikroTik router from another network

Posted: Thu Aug 18, 2022 1:35 pm
by MTikSeekeroe
Thanks. I'll have a look.

Re: Access to printer behind MikroTik router from another network

Posted: Fri Aug 19, 2022 3:52 am
by MTikSeekeroe
After several hours reading the suggested documents and trying various settings, I am still unable to print to printer behind MikroTik router from another network.

Last settings:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forwarding to Printer" \
dst-address=192.168.145.4 dst-port=9100 protocol=tcp to-addresses=\
192.168.222.40 to-ports=9100

Where:
- 192.168.145.2 is the public IP of MikroTik router (from IP DHCP Client). 192.168.222.1 is its IP on LAN side.
- 192.168.222.40 is IP of printer

Could be something else that prevents printing but my limited knowledge does not extend that far.

Can someone be so kind as to give me some help, please?

Thank you.

Re: Access to printer behind MikroTik router from another network

Posted: Fri Aug 19, 2022 3:57 pm
by anav
Instead of beating around the bush, can you provide a network diagram to show the connected or unconnected devices?
Also the complete config:
/export hide-sensitive file=anynameyouwish { just ensure the actual numbers for the WAN IP, WAN gateway IP etc. are NOT visible. }

Re: Access to printer behind MikroTik router from another network

Posted: Sat Aug 20, 2022 7:07 am
by MTikSeekeroe
Here is the requested info:


1. Network diagram:
[network diagram image not reproduced]

2. Extract of MikroTik settings:
/ip firewall filter
add action=accept chain=input comment=\
    "R10.05---->> Accept established, connected & untracked input traffic" \
    connection-state=established,related,untracked
add action=drop chain=input comment=\
    "R10.10----X---->> Drop invalid connections" connection-state=invalid \
    log=yes log-prefix=Invalid
add action=accept chain=input comment="R10.15---->> Accept ICMP" protocol=icmp
add action=accept chain=input comment="R20.05---->> Allow ovpn via port 1194" \
    dst-port=53229 protocol=tcp
add action=accept chain=input comment="R20.10---->> Allow winbox via p 8291" \
    dst-port=8291 protocol=tcp
add action=drop chain=input comment=\
    "R30.05----x---->>  Drop all traffic not coming from LAN" \
    in-interface-list="!List A"
add action=accept chain=forward comment=\
    "R30.10---->> Accept established, connected & untracked forward traffic" \
    connection-state=established,related,untracked
add action=drop chain=forward comment=\
    "R30.15----x---->> Drop invalid forward traffic" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "R30.20----X---->> Drop all from WAN not DSTNated" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment=\
    "R40.05----X---->> Minimize amplification attack" dst-port=53 \
    protocol=udp
add action=drop chain=input comment=\
    "R40.10----X---->> Minimize amplification attack" dst-port=53 \
    protocol=tcp
add action=drop chain=forward comment="R40.35---------X----> GuestWifi & IoT (\
    Src) isolated fr HomeLANS - I M P O R T A N T" connection-limit=0,27 \
    dst-address-list="Restricted HLANs" src-address-list="Guest Wifi & IoT"
add action=drop chain=forward comment="R40.40---------X----> GuestWifi & IoT (\
    Dst) isolated fr HomeLANS - I M P O R T A N T" connection-limit=0,27 \
    dst-address-list="Guest Wifi & IoT" src-address-list="Restricted HLANs"
add action=drop chain=forward comment=\
    "R50.05----X---->>  banned sites -src" src-address-list=\
    "banned sites"
add action=drop chain=forward comment=\
    "R50.10----X---->>  banned sites -dst" dst-address-list=\
    "banned sites"
add action=accept chain=forward comment=\
    "R60.05--->> Accept traffic initiated fr All LANs" connection-state=new \
    src-address-list=All_LANs
add action=drop chain=input comment=\
    "R60.10----X---->> Drop everything else "
add action=drop chain=forward comment=\
    "R60.15----X---->> Drop everything else"
-------------

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN src-address-list=""
add action=accept chain=dstnat comment=\
    "Keep tcp/1194 for OpenVPN on the router" dst-port=1194 in-interface=\
    eth10-Gateway protocol=tcp
add action=dst-nat chain=dstnat comment="Port Forwarding to Col Printer" \
    dst-address=172.16.185.1 dst-port=9100 in-interface=eth10-Gateway log=\
    yes protocol=tcp to-addresses=172.16.222.40 to-ports=9100

I have these rules set up years ago from my reading of various posts online and adopted with modifications for my situation. To an expert, they are less than perfect. But I am no expert. Appreciate your help.

Regards

Re: Access to printer behind MikroTik router from another network

Posted: Sat Aug 20, 2022 10:15 am
by erlinden
Kudos to anav!
Two options:
  • Explain to the ISP router that all 172.16.222.40 should be routed to the WAN IP of the RB (think this is the desired situation)
  • Configure the RB as switch
What is the purpose of having the RB act as router? Security? Dividing networks?

Re: Access to printer behind MikroTik router from another network

Posted: Sat Aug 20, 2022 10:41 am
by jvanhambelgium
All depends on "what is the WAN between both RB's".
On your picture it could be a point-to-point circuit from a provider. Definitely not "Internet", I would say, looking at the IPs? If so, please adjust your drawing to reflect this correctly.

In addition, the "LAN" on the Router1 has 192.168.145.1 while the "WAN" part on Router2 has 192.168.145.124 ??
Is this subnetted ? What are the subnet-masks used here etc.

From what I see, you don't even NEED "DNAT", as this might even be solved with some correct routing in place (and some rules in the "forward" chains on both RBs).

Re: Access to printer behind MikroTik router from another network

Posted: Sat Aug 20, 2022 11:32 am
by MTikSeekeroe
All depends on "what is the WAN between both RB's".
On your picture it could be a point-to-point circuit from a provider. Definitely not "Internet", I would say, looking at the IPs? If so, please adjust your drawing to reflect this correctly.

While written as 1.2.3.4 for privacy reason, it is a true public IP, i.e. it's not even a CGNAT address. I can ping that IP from anywhere.
---------------------------

In addition, the "LAN" on the Router1 has 192.168.145.1 while the "WAN" part on Router2 has 192.168.145.124 ?? Is this subnetted ? What are the subnet-masks used here etc.

From router 1, I gave router 2 that 'fixed' IP address (WAN port), i.e. tied to its MAC address. Internet traffic flows to/from R2 normally with no issue whatsoever. But I wouldn't think the netmask (/25) is relevant here.
----------------------------

From what I see, you don't even NEED "DNAT", as this might even be solved with some correct routing in place (and some rules in the "forward" chains on both RBs).

That's why I came here for help. BTW, the first router is not a MikroTik.

Re: Access to printer behind MikroTik router from another network

Posted: Sat Aug 20, 2022 12:07 pm
by jvanhambelgium
Ah, OK, soo... R1 you don't manage yourself?
Basically a port of R2 is probably plugged by direct (ethernet) cable into a free port on R1?
Probably R1 has a bunch of ports configured as a little switch and 192.168.145.1 is the "default gateway" for that.

Soooo...did you ever just ADD A ROUTE on the Workstation PC pointing to the 172.16.222.0/24 network with a gateway 192.168.145.124 ??
This will deliver the packets straight to the Mikrotik R2 and only a correct "forward" chain rule is need to allow this traffic to "pass" R2.
To my knowledge, no DNAT/NAT needed in this scenario.

AGAIN, only if my assumption is correct that R2 is plugged in directly with ethernet-cable into a port of R1, but your drawing suggests this.

Re: Access to printer behind MikroTik router from another network

Posted: Sat Aug 20, 2022 3:58 pm
by anav
First comment is that I didn't ask for an extract, so please don't be cute and think you know what's best......... reminder: you are looking for assistance, not the other way around.
Full MT config please.

(1) In general this is a no no.............. but since you're not plugged into the internet directly
add action=accept chain=input comment="R20.10---->> Allow winbox via p 8291" \
dst-port=8291 protocol=tcp { missing in-interface-list=LAN }
add action=drop chain=input comment=\
"R30.05----x---->> Drop all traffic not coming from LAN" \
in-interface-list="!List A"


One should not give external access to winbox normally. It also defeats the purpose of the next rule which I am supposing is to allow access to the router only to LAN devices.

(2) Since you have no control over the first router, then not sure if setting the second MT device as a router is the best choice as the first router is not under your control.
Two options.....

-i- keep as router, PC user types in 192.168.145.124:9100 it should reach the printer you have designated. The dstnat rule looks fine, but need to see full config.

a. Ensure the dest address is correct, NOT 172.16.185.1. As noted, to ensure only the PC user you want can access the printer, you have two choices.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forwarding to Printer" \
dst-address=192.168.145.124 dst-port=9100 protocol=tcp to-addresses=\
172.16.222.40 to-ports=9100
src-address=192.168.145.25 OR src-address-list=printer_authorized

Where you need a number of PCs behind the first router to have access to the printer

b. The rest of your firewall rules are garbage but will clean that up later.

c. Since your WAN IP is fixed in this case, you should probably use the following for the source NAT config.
add action=src-nat chain=srcnat to-addresses=192.168.145.124 out-interface=ether1

--ii-- The other option is to run the MT device as a switch only, with all being on the same subnet, but I will not go down that path until
it's something you express a need for, as I am assuming there is a reason why you have the current device set up as a router.
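As an added example (not code from the thread or from MikroTik), a small Python audit over the rules anav quotes above. It folds the RouterOS export's backslash line continuations, splits each `add` line into key/value pairs, and flags the two exposure problems discussed in this post: input-chain accept rules with no interface or source restriction (the winbox rule on tcp/8291, and also the OpenVPN rule on tcp/53229, which the audit cannot know is meant to be reachable from outside), and a dst-nat forward with no `src-address`. The rule text is copied from the posted config; the audit heuristics and function names are this example's own.

```python
"""Audit RouterOS firewall rules for the two exposure problems anav raises:
an input-chain accept reachable from every interface, and a dst-nat port
forward with no source restriction.  Added example, not from the thread."""

import re
import shlex

# Rules copied from the config posted in this thread (constructed sample;
# only the rules the audit looks at are included).
POSTED_CONFIG = r'''
/ip firewall filter
add action=accept chain=input comment="R20.05---->> Allow ovpn via port 1194" \
    dst-port=53229 protocol=tcp
add action=accept chain=input comment="R20.10---->> Allow winbox via p 8291" \
    dst-port=8291 protocol=tcp
add action=drop chain=input comment=\
    "R30.05----x---->>  Drop all traffic not coming from LAN" \
    in-interface-list="!List A"
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forwarding to Col Printer" \
    dst-address=172.16.185.1 dst-port=9100 in-interface=eth10-Gateway log=\
    yes protocol=tcp to-addresses=172.16.222.40 to-ports=9100
'''

# Any of these keys narrows who can hit the rule.
SOURCE_KEYS = ("in-interface", "in-interface-list", "src-address", "src-address-list")


def parse_rules(text):
    """Turn RouterOS export text into a list of {key: value} dicts.

    Folds the backslash-newline continuations the export format uses and
    records which /ip firewall section (filter, nat) each rule belongs to."""
    joined = re.sub(r"\\\n\s*", "", text)   # fold continuation lines
    rules, section = [], None
    for line in joined.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line.split()[-1]       # '/ip firewall filter' -> 'filter'
            continue
        tokens = shlex.split(line)           # honours "quoted values"
        if tokens[0] != "add":
            continue
        rule = {"section": section}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def audit(text):
    """Return (rule comment, finding) pairs for the two problems above."""
    findings = []
    for rule in parse_rules(text):
        name = rule.get("comment", "<no comment>")
        if (rule["section"] == "filter" and rule.get("chain") == "input"
                and rule.get("action") == "accept"
                and not any(k in rule for k in SOURCE_KEYS)):
            findings.append((name, "input accept with no interface or source "
                                   "restriction: reachable from WAN as well as LAN"))
        if (rule.get("chain") == "dstnat" and rule.get("action") == "dst-nat"
                and not any(k in rule for k in ("src-address", "src-address-list"))):
            findings.append((name, "dst-nat forward with no src-address: any host "
                                   "that reaches the WAN address can use the port"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(POSTED_CONFIG):
        print(f"{name}: {finding}")
```

Running it lists the OpenVPN and winbox input rules and the printer dst-nat rule; R30.05 is a drop and is not reported. A rule that is meant to be public (the VPN listener) still shows up, which is the point: the audit reports exposure and the operator decides which exposures are intended.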

Re: Access to printer behind MikroTik router from another network

Posted: Sun Aug 21, 2022 1:41 am
by MTikSeekeroe
Truth be told, my network is actually more complicated than I wanted shown earlier. I simply wanted to avoid unnecessary details in order to quicken the path to a solution. So sorry about that, anav. BTW, the first router was a Netgear running DD-WRT. It is behind an HFC modem (Arris CM8200).

Luckily, I managed to get my situation resolved. I can now send a print job to the printer (behind MikroTik as Router 2) from a device behind DD-WRT (as Router 1) with the following firewall commands:

add action=accept chain=forward comment=\
"Allow traffic from network x.x.145.0/25 to printer" \
dst-address=172.16.222.40 in-interface=eth10-Gateway src-address=\
192.168.145.0/25

add action=accept chain=forward comment=\
"Allow traffic from printer to network x.x.145.0/25" \
dst-address=192.168.145.0/25 out-interface=eth10-Gateway \
src-address=172.16.222.40

It's what jvanhambelgium said in an earlier post. dstnat was not even needed in my case.

Last thing, you're right, anav, my firewall settings are a bit messy. They have been kinda cobbled together. I have all service ports in the firewall blocked though. I might ask for a good set of eyes like yours over it sometime, but not today. I've got some guests coming for lunch. :-).

I take this opportunity to thank you all. Wishing you all a good day.
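To see what each of the two rules above actually decides, here is an added example (not from the thread) that models the forward chain with RouterOS-style connection tracking and runs a print job through it. The PC's request is accepted by the new "to printer" rule, but the printer's reply is accepted by R30.10 (established,related) before the "printer to network" rule is ever consulted; that second rule only comes into play for connections the printer itself opens towards 192.168.145.0/25. Assumptions not in the thread: the LAN bridge is named `bridge-LAN`; the PC-to-printer rule sits between R30.10 and R30.20 (it must precede R30.20 for a new connection from the WAN side to survive); R60.05 (`All_LANs`) is omitted because its address list is not shown; and since no dst-nat is configured, R30.20 is modelled as "drop new from WAN".

```python
"""Stateful model of the forward chain after the two printer rules were added.
Added example, not from the thread or from MikroTik.  Rule order, the
'bridge-LAN' interface name and the omission of R60.05 are assumptions."""

import ipaddress


def rule(name, action, **match):
    return {"name": name, "action": action, **match}


R30_10 = rule("R30.10 accept established,related", "accept",
              connection_state={"established", "related"})
TO_PRINTER = rule("Allow traffic from 192.168.145.0/25 to printer", "accept",
                  in_interface="eth10-Gateway", src="192.168.145.0/25",
                  dst="172.16.222.40/32")
R30_20 = rule("R30.20 drop new from WAN", "drop",
              connection_state={"new"}, in_interface="eth10-Gateway")
FROM_PRINTER = rule("Allow traffic from printer to 192.168.145.0/25", "accept",
                    out_interface="eth10-Gateway", src="172.16.222.40/32",
                    dst="192.168.145.0/25")
R60_15 = rule("R60.15 drop everything else", "drop")

FORWARD_CHAIN = [R30_10, TO_PRINTER, R30_20, FROM_PRINTER, R60_15]
WITHOUT_RETURN_RULE = [R30_10, TO_PRINTER, R30_20, R60_15]


def pkt(src, sport, dst, dport, in_iface, out_iface):
    return dict(src=src, sport=sport, dst=dst, dport=dport,
                in_iface=in_iface, out_iface=out_iface)


class ConnTracker:
    """Minimal connection tracking: a flow is 'new' until one of its packets
    has been accepted; after that both directions are 'established'."""

    def __init__(self):
        self.flows = set()

    @staticmethod
    def key(p):
        # Direction-independent key, so the reply maps to the same flow.
        return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})

    def state(self, p):
        return "established" if self.key(p) in self.flows else "new"

    def remember(self, p):
        self.flows.add(self.key(p))


def matches(r, p, state):
    if "connection_state" in r and state not in r["connection_state"]:
        return False
    if r.get("in_interface") not in (None, p["in_iface"]):
        return False
    if r.get("out_interface") not in (None, p["out_iface"]):
        return False
    for side in ("src", "dst"):
        if side in r and ipaddress.ip_address(p[side]) not in ipaddress.ip_network(r[side]):
            return False
    return True


def forward(chain, tracker, p):
    """First matching rule wins. Returns (verdict, deciding rule, state seen)."""
    state = tracker.state(p)
    for r in chain:
        if matches(r, p, state):
            if r["action"] == "accept":
                tracker.remember(p)
            return r["action"], r["name"], state
    return "accept", "<no rule matched: RouterOS default accept>", state


def run_print_job(chain):
    """PC 192.168.145.25 opens tcp/9100 to the printer; the printer replies.
    No NAT: the destination address stays 172.16.222.40 end to end."""
    t = ConnTracker()
    request = pkt("192.168.145.25", 51000, "172.16.222.40", 9100, "eth10-Gateway", "bridge-LAN")
    reply = pkt("172.16.222.40", 9100, "192.168.145.25", 51000, "bridge-LAN", "eth10-Gateway")
    return forward(chain, t, request), forward(chain, t, reply)


def printer_initiates(chain):
    """The printer itself opens a connection towards a PC on the other LAN."""
    t = ConnTracker()
    probe = pkt("172.16.222.40", 40000, "192.168.145.25", 445, "bridge-LAN", "eth10-Gateway")
    return forward(chain, t, probe)


if __name__ == "__main__":
    for label, chain in (("both rules", FORWARD_CHAIN), ("without return rule", WITHOUT_RETURN_RULE)):
        req, rep = run_print_job(chain)
        print(f"{label}: request {req}; reply {rep}; printer-initiated {printer_initiates(chain)}")
```

With or without the second rule the print job succeeds, because the reply is decided by R30.10. What the second rule adds is permission for the printer to open new connections into 192.168.145.0/25, so if that is not wanted it can be dropped, and the first rule can be tightened with `protocol=tcp dst-port=9100` so only the print port is reachable.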

Re: Access to printer behind MikroTik router from another network

Posted: Sun Aug 21, 2022 3:31 am
by anav
Yup, I keep forgetting that dstnat is not required, just a port forward rule. Not sure it's needed both ways, but if it works it works!