I am pulling my hair out. Here is the situation:
My Public Internet IP (71.89.xx.xxx)-> Cable Modem (192.168.0.10) Mikrotik router (192.168.0.1) -> DVR cam (192.168.0.106)
I have the following Filter rule:
And the following NAT rule:
My DVR requires port 2050. Puttig any value in the Dst. Port (either 2050, or 1-10000 range in this case does not work). No matter what I do, I cannot access the camera feed from outside my network. Can someone please help? I have read every tutorial and every youtube video I can with zero luck.
Solved.
I was able to figure it out....must allow outside traffic to the Mikrotik on port 9000 as well.
Related
I'm working in a building where you rent a room for the office work. We have our server in one of the rooms and other employees in other rooms. The problem is that server needs its own network (don't ask why. Too much to explain) so we set up a VPN on the Mikrotik router (RouterOS 6.48.1). While connecting from home works perfectly, doing that from other rooms does not work. I was searching a lot about firewall and NAT rules but I can't find anything that will help me. In the picture cut-out area is the external address. Let's say it's 2.2.2.2
So I want employees from other rooms to be able to connect to VPN from My room to 192.168.43.2 router so he/she will be able to connect to devices available there.
There are many ways by which you can do this. One of the easiest way is add a rule of allowing incoming and outgoing traffic of your subnet in firewall rules. Here allow 192.168.0.0 , 0.0 will work as wildcard so be careful while using it. Also if you have manually configured routing configuration on router for vpn add both the network address in route table to make them communicate.
After 20 pages of SO results about Mikrotik and some more google results, I'm come here, down on my knees to request some enlightment.
I have a network with static IP and some public IP (248 mask).
So far I've configured the network to use one of those public IP and use it for 2 subnets (192.168.85.X and 192.168.5.X) wich are isolated from each other and both can access internet.
What I'm trying to achieve is to add a second WAN ip to the router, and route traffic to a specific server to use that IP.
What i mean is:
Any PC from 192.168.85.X should use WAN IP1 and use internet with it.
Any PC from 192.168.85.X trying to access www.facebook.com should use WAN IP2 to browse and navigate to that website (while all the rest of the traffic goes through WAN IP1).
The device that gives me the WAN link only has 1 "out" port, so there is no way to put 2 cables from the "modem" to the Mikrotik, right now there is 1 cable going from the modem to the Mikrotik device. I've seen some forum post where the first part can be solved by just connecting 2 cables and then assign different IP for each interface.
As you may notice, I'm really raw in networking and routing, so any GUI/Winbox instruction is appreciated, but CLI commands would be just fine.
This info is for reference for anyone who may want to do this in the future:
1.- If you assing the IP to the WAN interface using the same notation X.X.X.X/29, the router will know that you want to use all the IP but set the default route to use the given IP as the prefered. This can be looked up in IP > Routes.
2.- If you want to use different IP for different traffic, you have to a) Mark that traffic and b) Force that traffic to go out by an specific IP. You do this in IP > Firewall > Mangle to mark the traffic and IP > Routes to add the new route for that traffic. There are contradictory info about if you need or not to add NAT (IP > Firewall > NAT) rules for the traffic and i'm really lost about it (it doesn't work with or without, but sometimes does work).
This is all i can contribute to this, i'll keep trying to find and answer in serverfault as #SergGr suggested.
We are attempting to use a Cisco ASA as a VPN as well as forward traffic to two servers.
Our ISP has given us a range of IP addresses that are sequential.
154.223.252.146-149
default GW of 154.223.252.145, we're using netmask 255.255.255.240
We have the first of these, 154.223.252.146, assigned to the external interface on our ASA and it’s successfully hosting our VPN service. It works great.
The next and final goal is to have 154.223.252.147 forward https traffic to 10.1.90.40 and 154.223.252.148 forward https traffic to 10.1.94.40.
Our current blocker is our inability to get the outside interface of the asa to respond to these ip addresses.
We’ve been able to use 154.223.252.146 to forward https traffic correctly. So we know that works.
I’ve plugged my laptop into the switch from our ISP and have successfully manually assigned 154.223.252.147 and 154.223.252.148 with the default gw of 154.223.252.145 and was happily connected. So we know the IP’s are there and available, we just need to convince the ASA to respond to them and use them to forward https.
We’ve tried plugging cables from the switch into other interfaces on the firewall. This failed because the netmask overlaps with our first outside interface 154.223.252.146 255.255.255.240, Cisco hates this and doesn’t allow it.
We’ve read documentation and have heard that it’s possible to assign a range of IPs to the ouside interface by defining a vlan. We do not know how to successfully make this work and out attempts have failed.
What's the best way to accomplish this configuration with a Cisco ASA?
You don't need to assign multiple IPs from the same range to more than one interface. That doesn't work with Cisco. Instead try a static one to one NAT for your Web server and terminate your VPN traffic on the IP address assigned to the interface.
Watch this video for one to one NAT:
https://www.youtube.com/watch?v=cNaEsZSsxcg
Cisco has an active scanning technology that was enabled on this ASA. We were able to diagnose it by intermittent bad behavior. After troubleshooting long enough we realized that some of the behavior couldn't be consistent with the changes we were making. So we started looking for things that the firewall would be trying to do by itself. That ended up helping us narrow it down. Disabling active scanning allowed our external vlan configurations to work. Now moving on to tightening up the configs.
My friend wanted to connect to my computer using Remote Desktop Connection. But the problem is I am confused what my Ip address is.
My computer is connected to the internet via router via broadband internet network. My ip address is dynamic.
Here, my main purpose is not only the remote connection but also learning how dynamic ip connect to another pc.
I searched for ip address on Google. They show me an ip address. But I think it is not mine, it's related with the router or broadband network. I also find a WAN ip (it is different from that i found on google) on router settings. It did't work.
I used Team Viewer. It worked perfectly. But I want to do that manually because I am going to make a multiplayer game on GM8.
It will helpful if someone explain about ip and port forwarding.
Teamviewer is a great tool, but uses different techniques than what you plan to do. Teamviewer always uses an outgoing connection and use a mediator on the Internet to connect you and the other PC.
You should ask your Internet provider if he technically enables you to be reachable from the outside Internet. Often this is not possible at all, even if you configure your router the correct way.
When you ask this you can ask him if you have a static IP.
It seems you are not aware of basics of IP networking, so I'd strongly advise against trying this on your router as wrong settings would render it useless. But here's for your information how port forwarding and IP Address and dynamic DNS can be used to solve your problem.
Basically your ISP is likely to give you a router having an IP address. If this IP address is a global IP address, it is possible to connect to this IP from outside. How do you find out whether your IP address is global? Look for your WAN IP address setting. If it is in 10.x.x.x or 192.168.x.x range, it's unlikely to be global and in that case it might not be possible to connect to your computer from outside - without help of a third server (some kind of a registration server, where you connect and register your application). The Registration server would determine your globally visible IP address and then convey it to another Application who is interested in connecting to it. This is somewhat complicated to make it work (but if you intend to make a game - this is something you'd have to do regardless). This is mostly how software like TeamViewer would work.
If you have a global IP address - it means it can technically be reached from anywhere in the world. In that case you could use port forwarding to make things work for you. Port forwarding works basically as follows - You expose a certain port (on TCP) to external world - say 8000 and then you make a setting like following on your router.
<TCP>-<RouterIP>-8000 --> <TCP>-<Your LAN IP><Your application Port>
(You can find you lan ip using ipconfig on windows or ifconfig on Linux).
Now all connections coming to port 8000 would be directed to your application. You might want to do it on UDP as well and the protocol above would change. That is how you 'open' a few ports to be accessible from outside, configure them on your router and then run corresponding applications on your network.
There's another thing called dynamic DNS, where the IP address you use if it is dynamic (and global) can be registered with a Dynamic DNS server so that you don't have to know and remember the current WAN IP Address. But that can be for later.
Hope that helps.
I installed Veency Server on my old Iphone 3GS. I can connect to it from my other devices in local network, using its 192.168.2.xxx adress, but i cant connect from another network. I know that my router uses NAT so i tried port forwarding for ports 5500,5900 and 5800, then i tried to forward all ports in range 0:7000 but none of them seemed to work. What can i do ?
Thanks a million in advance.
Shouldn't be too complicated.
Set a DHCP reservation in your router for the device.
Forward the VNC port (Usually 5900) to the IP you set.
If you don't have a static external IP, get something like No-IP or DynDNS so you can have an unchanging URL to connect to.
That's about it, it's no different than making any other service external.
You should know that this will not be secure, and very easy for a man in the middle attack to happen.