Port forwarding for SONY IPELA with MikroTik

Say we have a SONY IPELA video conference system at 192.168.101.2, directly behind our MikroTik router. We want to set up port forwarding so that people from outside can call us.

Quick and dirty solution:

  • /ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=1720-1720 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.101.2 to-ports=1720-1720 place-before=0
  • /ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=2253-2255 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.101.2 to-ports=2253-2255 place-before=0
  • /ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=49152-49159 in-interface=ether1-gateway protocol=udp to-addresses=192.168.101.2 to-ports=49152-49159 place-before=0

See more on SONY IPELA port numbers here.


Set up MikroTik SNTP client

In the Webfig interface, use the two menus listed below to select the time zone, enable the SNTP (Simple Network Time Protocol) client and enter the addresses of the time servers it should talk to:

  • System:Clock
  • System:SNTP_Client

For some reason the time server address controls may be greyed out. In that case use the terminal:

  • /system ntp client set enabled=yes primary-ntp=###.###.###.### secondary-ntp=###.###.###.###
  • /system ntp client print

You can find the server addresses by running nslookup on the server names found here.


Port forwarding when connecting from LAN to external address

So, you have a web server sitting in your LAN with the IP address 192.168.101.11.

You set up port forwarding on your MikroTik router, and anyone on the Internet can now connect to your web server quite happily.

Except for yourself.

None of the requests to the external address of your web server ever gets a response, as long as your computer has an IP address from the internal address pool of the LAN.

Now fire up the MikroTik console, or log in with SSH, and run these two commands:

  • ip firewall nat add chain=dstnat dst-address-type=local protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.101.11 to-ports=80
  • ip firewall nat add chain=srcnat src-address=192.168.101.0/24 dst-address=192.168.101.11 protocol=tcp dst-port=80 out-interface=bridge-local action=masquerade

Why does this happen? You may want to read about hairpin NAT.

The idea in a nutshell: the client computer sends its request to the router's external address, but the server sends its response straight back to the client from its own LAN address. The client sees a reply from an address it never talked to, has no connection that matches it, and drops it. So we tell the router to pretend to the server that it was the router itself that requested the data (the server learns nothing about the client) and, upon receiving the response, to pass it on to the client. In short, we ask the router to remain the middle-man for the whole length of the conversation, not just for the request leg, which is all that is needed when the request comes from an external network, because a reply to a foreign address has to pass through the router anyway.

A side effect is that all such requests will appear to the server to come from the same IP address, that of the router. So you will not be able to tell, for example, which of your colleagues browsed the pages of the local server, as long as your colleagues connect to the external IP address of the router.
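To see the two cases side by side, here is an added walk-through (example code, not from the original post) that models the page's dstnat and srcnat rules and the client's reply matching; the WAN address 203.0.113.5, the router's LAN address 192.168.101.1 and the client 192.168.101.50 are assumed values:

```python
from dataclasses import dataclass, replace

# Constructed addresses: the router's WAN (203.0.113.5) and LAN (192.168.101.1)
# addresses and the client are assumptions; the server is the page's 192.168.101.11.
WAN_IP, ROUTER_LAN_IP = "203.0.113.5", "192.168.101.1"
LAN_PREFIX, SERVER, CLIENT = "192.168.101.", "192.168.101.11", "192.168.101.50"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def reverse(p):
    """The packet a host sends back in reply to p (4-tuple mirrored)."""
    return Packet(p.dst, p.dport, p.src, p.sport)

def router_forward(pkt, hairpin):
    """dstnat rule: tcp/80 to any address owned by the router goes to the server.
    srcnat rule (only with hairpin=True): LAN traffic now heading to the server
    is masqueraded, so the server sees the router's LAN address as the requester."""
    if pkt.dst not in (WAN_IP, ROUTER_LAN_IP) or pkt.dport != 80:
        return pkt
    out = replace(pkt, dst=SERVER, dport=80)
    if hairpin and pkt.src.startswith(LAN_PREFIX):
        out = replace(out, src=ROUTER_LAN_IP)
    return out

def simulate(hairpin):
    """One request from a LAN client to the router's public address."""
    request = Packet(CLIENT, 51234, WAN_IP, 80)
    to_server = router_forward(request, hairpin)
    reply = reverse(to_server)
    if reply.dst == ROUTER_LAN_IP:
        # The reply comes back to the router, whose connection-tracking entry
        # undoes both translations before the packet is handed to the client.
        reply = reverse(request)
    # Otherwise the server answered the client directly on the LAN segment and
    # the router never saw the reply, so nothing was translated back.
    accepted = reply == reverse(request)   # the client only matches its own 4-tuple
    return {"server_saw_src": to_server.src, "client_accepts": accepted}
```

Running simulate(False) and simulate(True) shows the same request being dropped without the masquerade rule and accepted with it, at the price of the server logging the router's address instead of the client's.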


DMZ with MikroTik router

We have a MikroTik router with WAN IP 192.168.0.9 and a PC with LAN IP 192.168.88.249, connected to the router with a patch cord. We want to set up a DMZ so that all requests to 192.168.0.9 go straight through to 192.168.88.249.

  • ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1-gateway to-addresses=192.168.88.249

In the web interface that would be IP / Firewall / NAT. Note that this rule has no protocol or port match, so every new connection arriving on ether1-gateway is redirected to the PC: the whole PC is exposed, and the router's own services stop answering on the WAN address.


Port forwarding with MikroTik router

Say the router has IP 192.168.0.9 on the WAN side, and on the LAN side there is a PC connected to it with a patch cable as 192.168.88.249, with a web server listening on port 8080. We want to reach the web server on the router's WAN interface as 192.168.0.9:88.

The following first allows the port on the WAN side and then sets up forwarding of the traffic to the PC on the LAN:

  • ip firewall filter add action=accept chain=input disabled=no dst-port=88 protocol=tcp place-before=0
  • ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=88 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.249 to-ports=8080

In the web interface that would be IP / Firewall / Filter Rules and then IP / Firewall / NAT, respectively.

Alternatively, the typical way to grant access from the Internet to your web server on the LAN. Note that this takes over port 80, on which MikroTik's HTTP web interface listens by default, so Webfig will no longer answer on the WAN address:

  • ip firewall filter add action=accept chain=input disabled=no dst-port=80 protocol=tcp place-before=0
  • ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.249 to-ports=80
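As an added aid (not part of the original notes) for the DMZ and port-forwarding rules above, this audit reads rules in the `add key=value ...` form the page uses and flags a full DMZ (no protocol or port restriction) and forwards that are not tied to the WAN interface; the rule list is constructed from the rules on this page plus two illustrative ones:

```python
import shlex

# Rule list constructed from the rules on this page, written the way
# "/ip firewall nat export" prints them; the last two rules are
# illustrative additions (a disabled rule and one with no in-interface).
SAMPLE_RULES = """\
add action=dst-nat chain=dstnat dst-port=1720 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.101.2 to-ports=1720
add action=dst-nat chain=dstnat dst-port=49152-49159 in-interface=ether1-gateway protocol=udp to-addresses=192.168.101.2 to-ports=49152-49159
add action=dst-nat chain=dstnat in-interface=ether1-gateway to-addresses=192.168.88.249
add action=dst-nat chain=dstnat dst-port=88 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.249 to-ports=8080
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="old rule" disabled=yes dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.249
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.88.249 to-ports=80
"""

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in text.splitlines():
        words = shlex.split(line.strip())
        if words and words[0] == "add":
            rules.append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return rules

def audit_dstnat(text):
    """Describe what each enabled dst-nat rule exposes on the target host.
    FULL-DMZ: no protocol and no dst-port, so every port of the target is
    reachable and the router's own services are shadowed on that interface.
    ANY-INTERFACE: nothing ties the rule to the WAN side or to a destination
    address, so LAN clients' own connections to any web site on that port are
    redirected to the target as well."""
    findings = []
    for r in parse_rules(text):
        if r.get("action") != "dst-nat" or r.get("disabled") == "yes":
            continue
        target = r.get("to-addresses", "?")
        if "protocol" not in r and "dst-port" not in r:
            findings.append((target, "FULL-DMZ", "all protocols and ports"))
            continue
        exposed = f"{r.get('protocol', 'any')}/{r.get('dst-port', 'any')}"
        if r.get("to-ports") not in (None, r.get("dst-port")):
            exposed += f" -> {r['to-ports']}"
        scoped = any(k in r for k in ("in-interface", "dst-address", "dst-address-type"))
        findings.append((target, "port-forward" if scoped else "ANY-INTERFACE", exposed))
    return findings
```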



Enable remote access to MikroTik router

To enable access to the MikroTik router's web interface from the Internet side:

  • ip firewall filter add action=accept chain=input disabled=no dst-port=80 protocol=tcp place-before=0

Well, it is not really a good idea to use HTTP, as it can easily be read by a sniffer, so HTTPS would be better, but there is a weird error when trying to use it: ssl_error_no_cypher_overlap.

So better leave HTTP for demonstration purposes only and use SSH instead. Enable access to SSH from the Internet (this rule accepts connections from anywhere; if you always administer from known addresses, restrict it to those):

  • ip firewall filter add action=accept chain=input disabled=no dst-port=22 protocol=tcp place-before=0

P.S.

That would be IP / Firewall / Filter Rules in the web interface.