http://www.dslreports.com/forum/r23301575 en Wed, 10 Feb 2010 11:05:59 EDT Wed, 10 Feb 2010 11:05:59 EDT http://www.dslreports.com/forum/remark,23311598 viperm : Hahah I have been trying that as well with one of our hotspots. I cant get the scripting to work correctly with our DNS server.

The mikrtoik Wiki site has a decent script but the password config just wont work with simple DNS or visa versa. Simple DNS spits out a unique password with special chractors that mikrotik doesnt understand and thnks its some kind of command and will nto run it.

Oh well I just get a down notification when it changes and I have a PPTP VPN connection runnign from the hotspto to one of our core routers. So when I get apage its down I look in the core router to see what IP address the PPTP sesion is coming from and then I know what the ip address is of my hot spot etc...

I then go into wireless orbit and chage it manually so radius starts working again
--
ComTrain Certified Tower Climber. American Tower Certified approved contractor. Wireless consultants.]]> http://www.dslreports.com/forum/remark,23311598 Sun, 08 Nov 2009 19:31:16 EDT http://www.dslreports.com/forum/remark,23311572 livewireless : Thanks again Viperm, You nailed it. :)
If you notice in the 2nd pic at top. I've got the outside interface visible. "192.168.1.5", should have been "public IP" address.
Previously I had tried using "80" instead of "0-6535". But I didn't have the public IP inserted.
Bottom line you corrected it.
Now, to figure out how to update rule to update the DHCP.
Wonder if there's a script to do same.
Untill I buy a static!]]> http://www.dslreports.com/forum/remark,23311572 Sun, 08 Nov 2009 19:26:16 EDT http://www.dslreports.com/forum/remark,23308515 viperm : It was a simple fix he had port 8081 forwarding to ALL TCP ports on his Bullet. You have to be specific on what ports you want to forward to what other ports on your internal devices.

All I did was tweak his existing dst firewall rule to tell his public ip port 8081 to forward to port 80 of his bullet and bingo bango he is good!

Took me 30 seconds with a chip and dip in one hand hahaha if he would have posted the pic of the actual rule itself I think we would have seen it right away.
--
ComTrain Certified Tower Climber. American Tower Certified approved contractor. Wireless consultants.]]> http://www.dslreports.com/forum/remark,23308515 Sat, 07 Nov 2009 23:17:03 EDT http://www.dslreports.com/forum/remark,23307772 livewireless : ABBO bloody lutely! Mate!

(absolutely)

You guys are incredible. I've learned more here than one could imagine. I know Viperm will nail it.

Very generous peeps.]]> http://www.dslreports.com/forum/remark,23307772 Sat, 07 Nov 2009 19:52:50 EDT http://www.dslreports.com/forum/remark,23307757 TomS_ : Make sure you post the solution so others know what was wrong and how to fix it! :-)]]> http://www.dslreports.com/forum/remark,23307757 Sat, 07 Nov 2009 19:49:22 EDT http://www.dslreports.com/forum/remark,23307177 livewireless : Wow,
Thanks so very much.
You know it's gonna be something simple. But, yes the AP is directly behind the RouterOS.
Internet------->DSL Modem PPPoE------> RouterOS----->ethernet---->BulletM2HP AP------->Wireless clients.
I'd really appreciate it Viperm.
I was just playing with it. I disabled the "use DNS peer" on the PPoE client now it's down or at least I can't see it from remote. I'll be local to the hotspot shortly. Login and fix that, so I can get to it.
It's 2:30.
Be up and running @ 4:30. I'll get you later.
Tim]]> http://www.dslreports.com/forum/remark,23307177 Sat, 07 Nov 2009 17:09:54 EDT http://www.dslreports.com/forum/remark,23307075 viperm : Is the AP direclty behind the Mikrotik or is there another router etc?

If you want to hit me off list and give me remote access I can take a look to see if I can get it to work for you.

Its probably something simple I wont be able to do it till later this evening I have stuff I need to do..
PS/ Try gettign rid of the "TO" address in the binding rule we do the same type of setup but never had to put in the TO ip address just the address and thats it

Thanks
--
ComTrain Certified Tower Climber. American Tower Certified approved contractor. Wireless consultants.]]> http://www.dslreports.com/forum/remark,23307075 Sat, 07 Nov 2009 16:38:16 EDT http://www.dslreports.com/forum/remark,23306391 livewireless : OK, Tried putting the public ip inplace of the 192.168.1.5 ip. NO luck.
If you notice my pic attached. The ip in the "network" column is the DSL gateway.
Everything works going out with that config, but just can't get in to access AP IP. Sorry but this is getting outa hand, all the pics... hope it makes.
Thanks :uhh:

Public IP and gateway

]]> http://www.dslreports.com/forum/remark,23306391 Sat, 07 Nov 2009 13:17:55 EDT http://www.dslreports.com/forum/remark,23306336 livewireless : Thanks,
I'm trying what you suggested. I think I've been there though.
So, you suggest I use my real WAN IP?
You know it changes daily (don't have static IP).I Im using DSP PPPoE dynamic. I have a Changeip script to update.
But, I'll try using the present "public" WAN IP as dst-address.
Also I've attached pics of the IP binding. I'm not sure if I got this right. I had the 10.10.0.99 bound to the Hotspot server IP 10.10.0.1. Then changed it back. to 10.10.0.99 bound to itself..? Right/Wrong?

IP binding

]]> http://www.dslreports.com/forum/remark,23306336 Sat, 07 Nov 2009 13:02:05 EDT http://www.dslreports.com/forum/remark,23306263 Airnode : chain=dstnat action=dst-nat to-addresses=10.10.0.99 to-ports=0-65535
protocol=tcp dst-address=192.168.1.5 dst-port=8081

try this one...should work as long your hotspot binding is right and your
try to reach the device from the 192.168.1.0 network ..
once again if your trying to reach WAN you have to use your real WAN address as dst-address.]]> http://www.dslreports.com/forum/remark,23306263 Sat, 07 Nov 2009 12:41:39 EDT http://www.dslreports.com/forum/remark,23306114 livewireless : I think I understand what your saying.
But this is standard setup with mikrotik. To allow remote access a dst-nat rule is applied as shown.
the Hotspot has an "IP binding" which allows the IP behind the Hotspot to get out without authorizing.
I've done that and Add below to get to proper port
---------------
chain=dstnat action=dst-nat to-addresses=10.10.0.99 to-ports=80
protocol=tcp dst-address=192.168.1.5 dst-port=8081
------------------
And I still can't access AP remotely... ]]> http://www.dslreports.com/forum/remark,23306114 Sat, 07 Nov 2009 11:59:11 EDT http://www.dslreports.com/forum/remark,23306031 Airnode : your public ore wan iface is ether1 right? and its configured as pppoe
client ?

but you still gave the ether1 a privat address.. so something is confusing my by that . Not that you can't do that but then the rule never will work since the ether-address *192.168.1.5 is not your really
reachible address from outside]]> http://www.dslreports.com/forum/remark,23306031 Sat, 07 Nov 2009 11:37:22 EDT http://www.dslreports.com/forum/remark,23305845 livewireless : No luck with just Mac.]]> http://www.dslreports.com/forum/remark,23305845 Sat, 07 Nov 2009 10:53:03 EDT http://www.dslreports.com/forum/remark,23303685 surfergeek : Thanks,

But, The Hotspot IP is: 10.10.0.1

The Wan IP is: 192.168.1.5

The Access Point IP behind the Hotspot is: 10.10.0.99
and is "bound" and bypassing authorization.

So, trying to get that to work...hmmm

OKeee, I'll try just the mac address...]]> http://www.dslreports.com/forum/remark,23303685 Fri, 06 Nov 2009 18:31:04 EDT http://www.dslreports.com/forum/remark,23303051 viperm : Try using the mac address instead of the IP address in the Hotspot Bypass rules I have had that issue before using the IP not sure why.

Also to make sure your firewall rules work shut off hotspot for a few min and try if it still does not work you need to work on your firewall rules then enable hotspot again after you get it working.

I think his rules are correct we just public to private and this is how we have ours.. We just leave this server wide open heheheh

5 ;;; XYZ server
chain=dstnat action=dst-nat to-addresses=10.10.10.2 protocol=tcp
dst-address=208.xxx.xxx.xxx dst-port=0-65535
--
ComTrain Certified Tower Climber. American Tower Certified approved contractor. Wireless consultants.]]> http://www.dslreports.com/forum/remark,23303051 Fri, 06 Nov 2009 16:05:04 EDT http://www.dslreports.com/forum/remark,23302519 Rhaas : 3 chain=dstnat action=dst-nat to-addresses=10.10.0.99 to-ports=80protocol=tcp dst-address=192.168.1.5 dst-port=8081
I *think* you have this backwards, the to-address should be 192.168.1.5 (address of the hotspot) and the dst-address should be 10.10.0.99 (address of the M2)
]]> http://www.dslreports.com/forum/remark,23302519 Fri, 06 Nov 2009 14:23:16 EDT http://www.dslreports.com/forum/remark,23301575 livewireless : I can't get Mikrotik support to get an answer to my problem.
I just purchased a license and supposedly get 30 days support.
Can anyone suggest a solution
I'm simply trying to remotely access an AP (bullet M2HP) behind the hotspot setup on RouterOS4.2.
The AP has static IP and binding to the Hotspot server with "bypass" rule.
I've done a "nat-dst" rule and a "port forward".
I just cannot get it right seemingly. The only thing I see different than the standard Hotspot setup is my PPPoE client.
I'm wondering if the hotspot needs to be made aware of this to get packets out correctly?

Internet------>DSL PPPoE Modem--------->RouterOS4.2----->PPPoE client------->public interface (192.168.1.5)-------->Hotspot server local interface (10.10.0.1)------ethernet----->BulletM2HP Wireless AP (10.10.0.99)---------->Wireless clients.
---------------------------------------------------
Here's the firewall /NAT rules:

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=10.10.0.0/24

2 chain=.... action=accept

3 chain=dstnat action=dst-nat to-addresses=10.10.0.99 to-ports=80
protocol=tcp dst-address=192.168.1.5 dst-port=8081
---------------------------------------------------------
Route
---------------------------------------------------------
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 151.164.184.154 1
1 ADC 10.10.0.0/24 10.10.0.1 ether2 0
2 ADC 151.164.184.154/32 76.244.162.133 pppoe-out1 0
3 ADC 192.168.1.0/24 192.168.1.5 ether1 0
-------------------------------------------------------
Help please, anyone.
Thanks,

Addresses

Firewall

Interfaces

Route list

]]> http://www.dslreports.com/forum/remark,23301575 Fri, 06 Nov 2009 11:47:36 EDT