
How can I access remotely MT behind a modem?

Posted: Mon Aug 12, 2024 12:15 pm
by ramirez
I am trying to set up port forwarding on a MT to be able to access it remotely and have failed to do so.

I have set up a firewall rule and a dst-nat rule from port 8899 to port 8291 but, as mentioned, the port is not open.

I have also configured the modem to port forward 8899 => 8899 to 192.168.1.152 (MT's local address)

Can someone please offer advice?

P.S. ISP modem is on a dynamic address

/ip firewall filter
add action=accept chain=input dst-port=8899 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 \
    protocol=udp src-address=0.0.0.0/0
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=8899 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.152 to-ports=8291

Re: How can I access remotely MT behind a modem?

Posted: Mon Aug 12, 2024 1:12 pm
by erlinden
I would prefer through VPN over making a service available publicly.
Is your MT behind NAT, or does it have a publicly available IP address?
Who removed all filter rules that are part of the default?

Re: How can I access remotely MT behind a modem?

Posted: Mon Aug 12, 2024 1:14 pm
by rextended
input ≠ forward

Re: How can I access remotely MT behind a modem?

Posted: Mon Aug 12, 2024 1:33 pm
by ramirez
> I would prefer through VPN over making a service available publicly.
> Is your MT behind NAT, or does it have a publicly available IP address?
> Who removed all filter rules that are part of the default?

Indeed a VPN is preferable but for now I am looking to explore this option as well. Yes it is behind NAT and does not have a public IP address. This is an old MT so I wouldn't know... after I try the changes I will restore default rules.

Re: How can I access remotely MT behind a modem?

Posted: Mon Aug 12, 2024 2:23 pm
by ramirez
> input ≠ forward

Changed it to forward but still the port remains closed...

Re: How can I access remotely MT behind a modem?

Posted: Mon Aug 12, 2024 2:33 pm
by erlinden
> Yes it is behind NAT and does not have a public IP address.

Did you do port forwarding on the NAT device as well?

Re: How can I access remotely MT behind a modem?

Posted: Mon Aug 12, 2024 2:46 pm
by ramirez
>> Yes it is behind NAT and does not have a public IP address.
> Did you do port forwarding on the NAT device as well?

Yes!

Re: How can I access remotely MT behind a modem?

Posted: Mon Aug 12, 2024 2:48 pm
by erlinden
Can you change this rule, where the to port is the default Winbox port?

And change this rule in the firewall as well:
/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp

Re: How can I access remotely MT behind a modem?

Posted: Mon Aug 12, 2024 3:00 pm
by ramirez
> Can you change this rule, where the to port is the default Winbox port?
>
> And change this rule in the firewall as well:
> /ip firewall filter
> add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp

Ok I changed both to 8291 and both ports remain closed as before but now I see packets coming on that filter rule.

Re: How can I access remotely MT behind a modem?

Posted: Tue Aug 13, 2024 10:13 am
by ramirez
Ok so I was able to open port 42225 (could have been any other) and redirect it to 8291 and I want your thoughts if this is something I wasn't understanding towards my modem (see attached screenshot).

I was under the impression that I had to specify the source port as well, in this example 42225 and the destination port (also 42225). No matter what combinations 42225 => 42225 / 42225 => 8291 etc. the port remained closed. Then I said what the heck and decided to leave the source port as any and define only the destination port and... voila, port is open now! So what is it I am not understanding about my modem's settings?

Re: How can I access remotely MT behind a modem?

Posted: Tue Aug 13, 2024 12:25 pm
by abbio90

Re: How can I access remotely MT behind a modem?

Posted: Tue Aug 13, 2024 12:45 pm
by tdw
The source port is picked by the remote client initiating the connection, typically anything greater than 1023 but not fixed.
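
The point above, as an added example that is not part of the original post: a loopback listener stands in for the forwarded service, several clients connect to it, and the observed (source port, destination port) pairs are run through a simple model of a port-forward rule. The function names and the rule model are assumptions made for illustration; they are not the modem's or RouterOS's actual logic.

```python
import socket

def observe_connections(n=5):
    """Open n TCP connections to a loopback listener.

    Returns one (source_port, destination_port) pair per connection,
    as seen from the client side.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # OS picks a free port; stands in for the service port
    srv.listen(n)
    dst_port = srv.getsockname()[1]
    clients, seen = [], []
    try:
        for _ in range(n):
            c = socket.create_connection(("127.0.0.1", dst_port), timeout=2)
            clients.append(c)    # keep open so every connection is live at once
            seen.append((c.getsockname()[1], c.getpeername()[1]))
    finally:
        for c in clients:
            c.close()
        srv.close()
    return seen

def port_forward_matches(src_port, dst_port, rule_dst, rule_src=None):
    """Hypothetical port-forward rule: rule_src=None means 'any source port'."""
    return dst_port == rule_dst and (rule_src is None or src_port == rule_src)

def count_forwarded(conns, rule_dst, rule_src=None):
    """Number of observed connections the rule would forward."""
    return sum(port_forward_matches(s, d, rule_dst, rule_src) for s, d in conns)

if __name__ == "__main__":
    conns = observe_connections()
    dst = conns[0][1]
    for s, d in conns:
        print(f"client source port {s} -> destination port {d}")
    # Rule that matches on destination port only ("source: any")
    print("forwarded, source=any:   ", count_forwarded(conns, dst))
    # Rule that also pins the source port, as in the 42225 => 42225 attempt
    print("forwarded, source=42225: ", count_forwarded(conns, dst, rule_src=42225))
```

Every connection shares the destination port, while each gets a different OS-assigned source port, so a rule that pins the source port forwards essentially none of them.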

Re: How can I access remotely MT behind a modem?

Posted: Tue Aug 13, 2024 2:21 pm
by ramirez
Hmmm, didn't know about that! Very interesting! Thank you!

Re: How can I access remotely MT behind a modem?

Posted: Tue Aug 13, 2024 2:26 pm
by ramirez
> The source port is picked by the remote client initiating the connection, typically anything greater than 1023 but not fixed.

Ok thank you! The way I was understanding it was (in the event no MT router is involved) if you have a camera for example and you want to use a known port to access it from WAN, to enter as source port one of your preference and then as destination port the "known" one (something like dst-nat MT does).