Changing Mikrotik settings to provide access to internal devices
Our main Golden Hill network uses a gateway box running MikroTik software. If we want to monitor boxes via snmp or access the admin interfaces of a device within the network, we configure MikroTik to forward traffic appropriately.
The general approach is to pick a port number and then have MikroTik forward all traffic that comes into that port on the main IP to the specific device, remapping the port in the process.
Typically we need either http, https or ssh access and also snmp. As the former are tcp protocols and the latter is udp, we use the same port number for both to simplify things a little.
Here are the basic steps for adding a new device to the forwarded list using the MikroTik winbox interface.
For the following example, we assume port 1234 and an internal destination IP of 10.0.0.250.
- Go to IP -> Firewall -> Destination NAT
- Click on the '+' symbol and fill in the following on the resulting dialog:
  - 'In Interface': choose Wan
  - 'Dst Address': enter the outside IP, 188.8.131.52 / 32
  - 'Protocol': select tcp
  - 'Dst Port': select the right hand side checkbox and enter 1234
- Click on the 'Action' tab (previously on General) and:
  - Action is set to nat
  - The 'To Dst Addresses' field is set to 10.0.0.250
  - 'To Dst Ports' is set to 80 for http (or 22 for ssh, or 443 for https)
- Click on OK to save the rule
- Scroll to the bottom of the list where the new rule will appear
- Select the rule by clicking on it, then click on the yellow 'comment' button on the toolbar and name the rule (e.g. HTTP to SH ap2)
- Drag the rule up to sit alongside the other similar rules.
Note that the winbox UI sometimes gets confused when dragging rules. If you suspect this, log out of winbox and log back in again; it's possible to cause major damage to rulesets by dragging them when the UI is messed up, so check the rule order after any drag.
Now the outside world can get into the AP, but the AP's replies can't get out because of the captive portal. The following steps allow it to bypass the portal:
- On the IP -> Firewall window, click on the Filter Rules tab
- In the dropdown on the right hand side, choose "Hotspot temp"
- Click on the red '+' and in the resulting box:
  - Under the 'Action' tab, change Action to 'return'
  - Under the 'General' tab, set Src Address to 10.0.0.250 / 32
- Click on OK
- In the resulting rule list, drag the rule above the last rule and add a comment using the yellow comment button
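The same two procedures (the tcp and udp forwards, then the captive-portal bypass) expressed as RouterOS terminal commands, as an added example that is not part of the original page. It assumes the WAN interface is named WAN, that SNMP on the device listens on udp/161, and that the chain winbox shows as "Hotspot temp" is reachable under the placeholder name hotspot-temp; in the CLI the NAT action is spelled dst-nat, which is what the "nat" action in the winbox dialog corresponds to.

```routeros
# Added example, not the page's own configuration. Assumptions: WAN interface
# is called "WAN", external address 188.8.131.52 (from the page), device at
# 10.0.0.250 (from the page), SNMP on udp/161, and the captive-portal chain is
# the placeholder name hotspot-temp (winbox label "Hotspot temp").

# tcp: outside port 1234 -> device web interface (use to-ports=22 for ssh, 443 for https)
/ip firewall nat add chain=dstnat in-interface=WAN dst-address=188.8.131.52 protocol=tcp dst-port=1234 action=dst-nat to-addresses=10.0.0.250 to-ports=80 comment="HTTP to SH ap2"

# udp: the same outside port 1234 -> SNMP on the device
/ip firewall nat add chain=dstnat in-interface=WAN dst-address=188.8.131.52 protocol=udp dst-port=1234 action=dst-nat to-addresses=10.0.0.250 to-ports=161 comment="SNMP to SH ap2"

# captive-portal bypass: let traffic from the device leave the hotspot chain early
/ip firewall filter add chain=hotspot-temp src-address=10.0.0.250/32 action=return comment="Portal bypass for SH ap2"

# verify the rules and their position without dragging anything in the UI
/ip firewall nat print where comment~"ap2"
/ip firewall filter print where chain=hotspot-temp
```

Rules added this way land at the bottom of their chain; use place-before= on the add command (or /ip firewall nat move) to position them, which avoids the winbox drag problem noted above. If only a known monitoring host needs to reach the device, adding src-address= with that host's IP to the two dstnat rules keeps the admin interface from being exposed to the whole internet.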
That's it. You should now be able to access the box from the outside using a URL like https://184.108.40.206:1234.