Need help with Mikrotik router config plus other questions

jimallyn
Level 19
Posts: 9075
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Need help with Mikrotik router config plus other questions

Post by jimallyn »

I live in a canyon a few miles out of town, where dialup has long been the only internet available. Well, now we have a Mikrotik RB750GL router down towards town, connected to the fiber, and we distribute the internet to everybody in the canyon over 2.4 GHz, 5.8 GHz, and 900 MHz radio links (mostly Ubiquiti Bullets). It works well, but I would like to have remote ssh and vnc and possibly other access to my home computers. If I understand the network correctly, there is only one "outside world" IP address for the system, and internally we all have 10.10.xxx.xxx addresses inside the local net. Which brings me to one of the points I don't have a good grasp on. When I connect to a website, I'm guessing that both the router external IP address and my local network IP address are included in all transmissions. So something I send out might be identified as coming from <(localIPaddress).(externalIPaddress)>. Is this basically correct? Next question: I can establish an ftp connection with the router, and I assume if I go into the router and enable ssh, telnet, or other protocols, I would also be able to connect to the router that way? But how do I get to my 10.10.xxx.xxx address on the internal canyon network? I'm guessing I need to configure something in the router to pass through the desired ports? But then would that make all ssh connections go through the router, and the router itself would not respond to them? Anybody able to help me with this? Or maybe someone can recommend a website or book I could read to get informed on this stuff?

I used to be quite familiar with AX.25, an amateur radio version of X.25, but that was a long time ago.
Last edited by LockBot on Wed Dec 07, 2022 4:01 am, edited 1 time in total.
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
xenopeek
Level 25
Posts: 29531
Joined: Wed Jul 06, 2011 3:58 am

Re: Need help with Mikrotik router config plus other questions

Post by xenopeek »

jimallyn wrote:When I connect to a website, I'm guessing that both the router external IP address and my local network IP address are included in all transmissions. So something I send out might be identified as coming from <(localIPaddress).(externalIPaddress)>. Is this basically correct?
That's not correct. Basically how it works is your router uses connection tracking. Your computer opens a port and sends a request for a page from a website. As your router is the default gateway, the request is sent there. The router determines this request needs to go to the Internet, so it sends the request on to the Internet. It opens a port on the Internet side and sends a request using its own Internet IP address. The router keeps a table of connections. Basically saying "I sent a packet to the Internet from port X to IP address Y, on behalf of a computer on the local network that sent this request to me from port A on IP address B". So when the router gets a response back from the website on the port it opened to send the request, it can look up in that table to which IP address and port on the local network it should forward the response.
jimallyn wrote:I can establish an ftp connection with the router, and I assume if I go into the router and enable ssh, telnet, or other protocols, I would also be able to connect to the router that way? But how do I get to my 10.10.xxx.xxx address on the internal canyon network? I'm guessing I need to configure something in the router to pass through the desired ports? But then would that make all ssh connections go through the router, and the router itself would not respond to them?
If everybody has a 10.10.xxx.xxx IP address and that is also the IP address of the router used by everybody (the one you connect to using FTP) then why would you need to pass anything through? You only need to pass through anything if you are on the other side of the router. You may have to configure the router's firewall for the local network side to open the SSH port so, like with FTP, computers on the local network can connect to the router itself on its SSH port. That doesn't affect other SSH connections. Only if you SSH to <local network IP address of your router>:<ssh port of router> do you go to the SSH server on the router.

Or are you saying you have a local network in your home that connects with a router in your home to the canyon network that connects to the Mikrotik router that connects to the Internet?
jimallyn
Level 19
Posts: 9075
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: Need help with Mikrotik router config plus other questions

Post by jimallyn »

xenopeek wrote:You only need to pass through anything if you are on the other side of the router.
Yes, that is when I want to access computers at my house: when I am on the other side of the router. (At my mother's house, or at a friend's house, or possibly with my phone when I'm anywhere.)
xenopeek wrote:Or are you saying you have a local network in your home that connects with a router in your home to the canyon network that connects to the Mikrotik router that connects to the Internet?
Yep. I have a router in my home that provides connections for all the devices I use in my home. My router connects via the wireless network to the Mikrotik router, which is our only connection to the outside world. I know how to open up the needed ports on my home router, but I'm not sure how to make the Mikrotik pass through ssh/vnc/other connections from the outside. The Mikrotik is complex, at least compared to the typical home/small business router. It has a menu of settings you can change, and some of these settings open up another drop-down menu of things you can change. There must be several hundred parameters you can change, some of which I have no idea whatsoever what the heck they are. I've been skimming the manual for the Mikrotik to figure out how I need to set things up to give myself remote access to my home computers. I would like to only pass through connections directed to my home network. At the moment, nobody on the canyon network can access their home computers remotely via ssh or anything, and as far as I know, nobody else has requested that. So, what I want to do is to pass only the stuff destined for my house, and leave those ports closed for everybody else on the network until such time that somebody asks to have those ports opened, which I suspect isn't likely to happen anytime soon. From what I've read so far, I think I have to make a "rule" for that, and I'm going to spend some time reading the manual on creating rules.

Then at some point I need to figure out why we aren't getting 100 Mbps that our fiber connection is supposed to be giving. I sat and watched the traffic going through the Mikrotik for a while, and the highest throughput I saw was 24 Mbps. But even that is wonderful for people who have only had dialup available in the past!

It is helpful to know about the connection table, so thank you for that. I almost certainly knew that once upon a time when I used to design data-over-radio devices, but a lot of stuff has slipped my mind in the intervening years. I worked for a company that made alphanumeric display pagers back in 1983. (I like to tell people we invented "texting.") The pagers used dedicated frequencies in the 150 MHz, 450 MHz, and 900 MHz bands (depending on what country the system was to be installed in and a few other considerations). We also did a computerized dispatch system that was used by San Diego Gas and Electric and a few other utilities. When the service people finished their service call and got back to their truck, their next assignment had been printed out; all they had to do was read it. We did a system for one of the convenience store chains, but I can't remember which one any more. That one transmitted data that the main office wanted to get to the stores, and used a subcarrier on an FM broadcast station. Lots of fun stuff!

It's late, I'm going to bed!
xenopeek
Level 25
Posts: 29531
Joined: Wed Jul 06, 2011 3:58 am

Re: Need help with Mikrotik router config plus other questions

Post by xenopeek »

Right, so the general process of allowing a service running on a computer on the local network to be reached from the Internet can be applied in your case as well. You need to configure port forwarding on both the Mikrotik and your home router. Steps would be something like this:
  • Set up a port on the Internet side of the Mikrotik router that accepts traffic and forwards it to a specific port on your home router. You need to use the IP address of the home router on the Mikrotik network, so not the IP address of your home router as you see it from your home computer. Probably the easiest is to look up the MAC address of your home router and look in the Mikrotik's list of connected devices, find the one with that MAC address and take the IP address from there.
  • Next up, do the same thing on your home router. Open up the port on your home router that you configured the Mikrotik router to forward traffic to. Configure your home router to forward traffic from that port on to a specific port on your computer.
  • Lastly, open that port on your computer and make the SSH server listen on it. I highly recommend you disallow root login on your SSH server and only allow login with key pairs and not with passwords. If you are going to allow either root login or password-based login, set up something like fail2ban to keep out all the attackers.
On your own computer it is fine to use port 22 for the SSH server. You don't want to use that port on either your home router or the Mikrotik router. Use a port higher than 1024 on these. For convenience you can use the same port number on both. You may want to give some thought to keeping a register or using a numbering scheme, so if any of your neighbors want to do something similar you won't get all the wires crossed :)

So now if you connect to that specific port on the Mikrotek router, it forwards the traffic to your home router's specific port which in turn forwards it to the specific port on your computer.
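As an added example (not code from this thread or from Mikrotik), a toy Python model of the connection-tracking table xenopeek describes and of the two-hop port forward in the steps above. All addresses and ports are constructed; the public addresses are from the documentation ranges.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatRouter:
    wan_ip: str                                    # router's address on the upstream side
    forwards: dict = field(default_factory=dict)   # dst-nat rules: WAN port -> (inside ip, inside port)
    conntrack: dict = field(default_factory=dict)  # (WAN port, remote ip, remote port) -> (inside ip, inside port)
    next_port: int = 40000                         # next free WAN-side source port (constructed)

    def outbound(self, pkt):
        """Inside host -> Internet: send from the router's own address and remember who asked."""
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[(wan_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> router: a reply to a tracked connection or a dst-nat rule is forwarded; anything else is dropped."""
        key = (pkt.dport, pkt.src, pkt.sport)
        inside = self.conntrack.get(key) or self.forwards.get(pkt.dport)
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])

def web_round_trip():
    """A canyon host fetches a web page; the reply is mapped back through the conntrack table."""
    mikrotik = NatRouter("203.0.113.7")                # constructed public address of the Mikrotik
    request = Packet("10.10.3.9", 51000, "198.51.100.9", 443)
    on_wire = mikrotik.outbound(request)               # the website only ever sees 203.0.113.7:40000
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
    return on_wire, mikrotik.inbound(reply)            # delivered back to 10.10.3.9:51000

def ssh_from_outside():
    """Two-hop forward: Mikrotik WAN 2222 -> home router's canyon-side 2222 -> PC's sshd on 22."""
    mikrotik = NatRouter("203.0.113.7", forwards={2222: ("10.10.3.4", 2222)})
    home = NatRouter("10.10.3.4", forwards={2222: ("192.168.1.10", 22)})
    hop1 = mikrotik.inbound(Packet("192.0.2.55", 60000, "203.0.113.7", 2222))
    hop2 = home.inbound(hop1)
    stray = mikrotik.inbound(Packet("192.0.2.55", 60001, "203.0.113.7", 22))  # no rule for 22: dropped
    return hop1, hop2, stray
```

The dropped packet at the end is the case jimallyn wants for everybody else on the canyon network: a port with no forwarding rule and no tracked connection goes nowhere.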
jimallyn
Level 19
Posts: 9075
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: Need help with Mikrotik router config plus other questions

Post by jimallyn »

Thanks, xenopeek. I should be able to do this. The procedure to open a port on the Mikrotik is a little more complicated than on my home router, but I'm sure I can figure it out. I have only ever used SSH/VNC/whatever locally and password-based, so I'll have to figure out the key pair stuff. fail2ban sounds like another good suggestion, thanks. I have been thinking I'd start a spreadsheet that lists what hardware is at each node, the node's IP address, what the usernames/passwords are, and so on, so I can just add a column to list any extra ports that are opened for other users of the network. This will take me a little while, but I can do it. Thanks, and if I get stuck anywhere in the process, I'll post back here.