The official Mikrotik router thread

rorz0r

Executive Member
Joined
Feb 10, 2006
Messages
7,782
#21
You need "hairpin NAT". There's a few pages/videos out there but the exact setup comes down to your particular settings.

You basically need a rule to masquerade any packets with a destination of your external IP, but coming from the internal interface. You then need another rule (filtered to the port it would be trying to connect on) to mangle that and set the source as the internal router IP and the destination as the CCTV IP. You need a rule for each port that you forward to mangle it to the right destination.

Note that for dynamic IPs you can add hostnames to address lists. If you do that with the "mynetname" hostname from Mikrotik you have an address list that always resolves to your external IP to be used by that first rule.
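
The hairpin NAT setup described in the post above, written out as RouterOS commands using the NAT table's dst-nat and masquerade actions. This is an added example, not part of the original post; the LAN subnet 192.168.88.0/24, the `bridge` interface, the CCTV address 192.168.88.50, both ports, the `wan-ip` list name and the placeholder Cloud hostname are assumptions to replace with your own values.

```routeros
# Added example. Assumed values (replace with your own):
#   LAN subnet 192.168.88.0/24 on interface "bridge"
#   CCTV device 192.168.88.50 listening on TCP 80
#   external port TCP 8000 forwarded to it

# Enable the IP > Cloud DDNS name and keep an address list that
# always resolves to the router's current external IP.
/ip cloud set ddns-enabled=yes
/ip firewall address-list
add list=wan-ip address=PLACEHOLDER.sn.mynetname.net \
    comment="placeholder: use your own Cloud DNS name"

/ip firewall nat
# Port forward matched on destination address instead of in-interface,
# so it applies to internet clients and to LAN clients that resolve
# the dyndns name to the external IP.
add chain=dstnat dst-address-list=wan-ip protocol=tcp dst-port=8000 \
    action=dst-nat to-addresses=192.168.88.50 to-ports=80 \
    comment="CCTV forward"

# Hairpin rule: a LAN client reaching the CCTV through the forward has
# its source rewritten to the router's LAN IP. Without this, the CCTV
# replies directly to the client, which is expecting a reply from the
# external IP and drops it.
# Side effect: the CCTV sees the router's LAN IP as the source for
# these internal connections, not the real client address.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.50 \
    protocol=tcp dst-port=80 out-interface=bridge action=masquerade \
    comment="CCTV hairpin"
```

The same rules can be entered without the CLI in WebFig or WinBox under IP > Firewall > NAT, and one forward plus one hairpin rule is needed per forwarded port.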
 

mister

Executive Member
Joined
Jul 21, 2008
Messages
6,948
#22
I have a device on the LAN, CCTV. I have a rule that allows incoming traffic to CCTV which works.

I connect to CCTV using dyndns name on my apps. Problem is when I am inside the network, it doesn't work. The IP is being resolved as the external IP of the router ..
I'm lazy so I just set a static DNS entry in the Mikrotik that resolves the dyndns name to the local address
 

rorz0r

Executive Member
Joined
Feb 10, 2006
Messages
7,782
#23
I'm lazy so I just set a static DNS entry in the Mikrotik that resolves the dyndns name to the local address
That can work as long as you use the same ports. I prefer to use the default ports for the devices "internally" then pick a random one from outside to forward.
 
Joined
Feb 23, 2016
Messages
1,107
#24
Would appreciate if someone could provide screenshot of said configuration using web console. I have restricted access to my router which is managed by Vox telecom so I can't use CLI
Edit: most stuff I find on net show CLI commands but I can't use that facility
 

DWPTA

Expert Member
Joined
Jul 28, 2006
Messages
3,767
#25
Would appreciate if someone could provide screenshot of said configuration using web console. I have restricted access to my router which is managed by Vox telecom so I can't use CLI
Edit: most stuff I find on net show CLI commands but I can't use that facility
Which config?
 
Joined
Feb 23, 2016
Messages
1,107
#26
You need "hairpin NAT". There's a few pages/videos out there but the exact setup comes down to your particular settings.

You basically need a rule to masquerade any packets with a destination of your external IP, but coming from the internal interface. You then need another rule (filtered to the port it would be trying to connect on) to mangle that and set the source as the internal router IP and the destination as the CCTV IP. You need a rule for each port that you forward to mangle it to the right destination.

Note that for dynamic IPs you can add hostnames to address lists. If you do that with the "mynetname" hostname from Mikrotik you have an address list that always resolves to your external IP to be used by that first rule.
Would appreciate if someone could provide screenshot of said configuration using web console. I have restricted access to my router which is managed by Vox telecom so I can't use CLI
Edit: most stuff I find on net show CLI commands but I can't use that facility
For this
 

rubber_otter

Expert Member
Joined
May 25, 2009
Messages
1,367
#29
/subbed

Have a question? Is there a basic guide on how to do NAT / PAT .

I have a device on the LAN, CCTV. I have a rule that allows incoming traffic to CCTV which works.

I connect to CCTV using dyndns name on my apps. Problem is when I am inside the network, it doesn't work. The IP is being resolved as the external IP of the router ..

I think it doesn't like seeing the traffic coming from inside to go out and then coming back in.

Don't know how to fix this :(
First: IP > Cloud > Enable. Free DNS service that all mikrotiks have.
Second: /ip firewall nat add action=masquerade chain=srcnat disabled=yes out-interface=all-ethernet

Masquerading your ethernet interfaces will allow connections to exit and enter your network again without a hairpin NAT.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
35,073
#32
I have a mikrotik with custom firmware. (or RouterOS, I think it is a custom routerOS)

How do I remove it?
I tried netinstall, but the device does not pick up, I suspect they blocked it. I also cannot upgrade from within winbox they seem to override it.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
35,073
#34
@Thor,

As far as I am aware, I do not think it is possible to load a custom RouterOS.
RouterOS is developed by MikroTik.

If you cannot upgrade, make sure your router isn't hacked.
Check the user you are logging in with, does it have full access?

Here is a Wiki entry that could help you to upgrade:
https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS
You can, we've done it before.

In this case it's a bunch of Mikrotiks I bought off Alibaba.

When I open the terminal you know where it has the Mikrotik text logo?

It says Shenzhen Electric in Text.
 

AirWolf

Honorary Master
Joined
Aug 18, 2006
Messages
21,920
#35
You can, we've done it before.

In this case it's a bunch of Mikrotiks I bought off Alibaba.

When I open the terminal you know where it has the Mikrotik text logo?

It says Shenzhen Electric in Text.
Not good.
 

McGuywer

Executive Member
Joined
Jun 28, 2006
Messages
6,053
#36
Most probably it's just changing the logo:

You could use this if you want something to be displayed after a user has logged in... eg a company logo or contact info..

/system note edit note

Type anything you want there... You can even use fancy ASCII graphics..
From
https://forum.mikrotik.com/viewtopic.php?t=19993#p95602

So nothing strange.

Do you mind answering my question regarding the user rights?
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
35,073
#37
It is not. This is custom firmware.

system note does not change the name of routerOS to SenzhenOS
Most probably it's just changing the logo:



From
https://forum.mikrotik.com/viewtopic.php?t=19993#p95602

So nothing strange.

Do you mind answering my question regarding the user rights?
Code:
[admin@Shenzhen] > user print
Flags: X - disabled
 #   NAME              GROUP              ADDRESS            LAST-LOGGED-IN     
 0   ;;; system default user
     admin             full                                  jan/02/1970 00:36:42
 

McGuywer

Executive Member
Joined
Jun 28, 2006
Messages
6,053
#38
It is not. This is custom firmware.

system note does not change the name of routerOS to SenzhenOS


Code:
[admin@Shenzhen] > user print
Flags: X - disabled
#   NAME              GROUP              ADDRESS            LAST-LOGGED-IN    
0   ;;; system default user
     admin             full                                  jan/02/1970 00:36:42
Sure, but this will:
/system identity set name=SenzhenOS
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
35,073
#39
Sure, but this will:
/system identity set name=SenzhenOS
No, that won't.

I am not talking about the identity.
I am talking about this:
download.png

I do not have the device with me atm, but that ^ is Senzhen Electric and then it is Senzhen Electric SenzhenOS 6.40 www.alibaba.com

That is custom firmware and not some system edit.
 