To make the hairpin NAT work, you need to make the cameras think that Mikrotik is the client, so that they would send their responses to Mikrotik rather than directly to the real client.

It cannot help access cameras' port 8086 from LAN via the public IP of the 'Tik because in your configuration, out-interface=ether1 is never true simultaneously with dst-address=128.10.5.50 src-address=128.10.5.0/24. The problem is that I cannot understand why this rule should have any effect at all.

add action=masquerade chain=srcnat dst-address=128.10.5.50 dst-port=8086 out-interface=ether1 protocol=tcp src-address=128.10.5.0/24
set note="The security flaw for Hajime is closed by the firewall.
set supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name="WLAN WORK" supplicant-identity=""
add add-arp=yes disabled=no interface=BridgeOffice name=DHCPServerLAN
add name=PoolGuest ranges=10.10.5.2-10.10.5.30
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.30
add address-pool=dhcp_pool1 disabled=no interface=BridgeVlan5 name=\
add add-arp=yes address-pool=PoolFatima disabled=no interface=Fatima name=\
add local-address=10.5.5.5 name=**** remote-address=10.6.6.6
add max-limit=10M/10M name=queue1 target=10.10.10.16/32
add max-limit=5M/5M name=QueueVLAN5 target=BridgeVlan5
add max-limit=3M/3M name=QueueFatima target=Fatima
set arp=reply-only
add arp=reply-only interface=ether2 name=vlan5 vlan-id=5

Just add a rule in firewall before the first input-drop rule to accept the port where you are using Winbox, don't change anything else.

# may/22/2018 05:12:53 by RouterOS 6.39.2

Under those circumstances it can be understandable and sometimes even needed to allow access to Winbox from WAN. In that case it's not a true WAN because you're still in a controlled environment.

I guess is trying to get MNDP working on WAN interface. Which is IMO very stupid idea, but might have a valid reason for doing it (e.g. in block of flats, every flat has its own MT router managed by landlord via WAN interface).

Actually it's something like this. The WAN interfaces of several routers should be connected to a private LAN to create small, separated networks. So the computers in the separated networks cannot reach each other but the routers can be maintained from the "WAN". Of course I could just use static IPs to connect from the "WAN", but an autodetection can have its benefits.