Preface
Accessing the MikroTik router GUI web management interface is reserved for advanced users. Be careful when manipulating the router directly. Changing settings directly in the MikroTik router management interface may cause conflicts with Optigo OneView™, and cause instability or incorrect behavior. In particular, changes to settings such as VLAN, WAN, routes and user access are likely to cause problems.
In some cases, you may want to directly access the MikroTik router management interface. To do so, follow the steps below. You must be running OneView version 4.4.0-163 (or newer) and be using a supported router.
Steps
- Log in to OneView™ with an administrator account.
- Navigate to the MikroTik router management GUI by adding the following path to the URL: /#!/customized/routergui
  Example URL: http://10.2.21.31/#!/customized/routergui
  In version 4.5.1-222 or newer, another way to reach this page is via the advanced router menu under System > Config of the sidebar. The Manual Management button navigates to the same page.
- Click "Open GUI". You will be provided with the proxy URL and router credentials.
  (Note: The credentials shown on the page will expire after 10 minutes.)
- Click on the proxy URL hyperlink. For example, http://10.2.21.31:8081.
- Enter the username and password provided to you on OneView. Then click "Login".
- Regarding the expiration of credentials, if you keep the "Terminal" window open and ensure that you don't navigate away from it, you will not be logged out and can continue using the terminal even after the credentials have expired.
- Log out of the MikroTik management GUI by clicking the "door" icon in the top right corner.
Terminal configuration for port forwarding
A commonly used feature that OneView currently does not support (though it is planned to be added in the near future) is port forwarding. The MikroTik documentation for this is here:
Older documentation: Manual:IP/Firewall/NAT - MikroTik Wiki
Newer documentation: NAT - RouterOS - MikroTik Documentation
For the examples, the network information below will be used. These will probably not be the same as on your network. Change the values in the example command as needed.
- The Connect internal network has a subnet 192.168.5.0/24
- The WAN IP address for the MikroTik router is 10.2.0.200/24
- The WAN interface is ether1
If you only need to access one device on the internal network from the WAN side, all you need is one NAT rule. In these examples, the internal device is 192.168.5.10.
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address=10.2.0.200 to-addresses=192.168.5.10
You may want to restrict it to specific ports. In the command below, the port forwarding is restricted to TCP ports 80 and 443 (HTTP and HTTPS).
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address=10.2.0.200 to-addresses=192.168.5.10 protocol=tcp dst-port=80,443
If you need multiple devices, there is more than one way to do it. The examples below will use 192.168.5.11 as a second internal device.
One way is to map different ports on the WAN IP address. The 192.168.5.10 device gets an unmodified mapping for ports 80 and 443, but the 192.168.5.11 device has a mapping of port 8443 on the WAN side to port 443 internally.
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address=10.2.0.200 to-addresses=192.168.5.10 protocol=tcp dst-port=80,443 to-ports=80,443
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address=10.2.0.200 to-addresses=192.168.5.11 protocol=tcp dst-port=8443 to-ports=443
Another way is to use multiple IP addresses on the WAN side. This requires IT to allocate multiple addresses for use by the OT network.
The first device can use the normal WAN IP:
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address=10.2.0.200 to-addresses=192.168.5.10
All other devices require adding another IP address to the MikroTik router and a NAT rule that maps the new address to an internal device. The address 10.2.0.201 is added and mapped to 192.168.5.11 in this example. Two commands are used, one to add the address and another for the port forwarding rule.
/ip address add address=10.2.0.201/32 interface=ether1
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address=10.2.0.201 to-addresses=192.168.5.11
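To review what a set of port forwarding rules exposes on the WAN side, the Python script below parses `add` commands like the ones above and reports which rules forward every port and which remap a port. It is an added example, not part of OneView or MikroTik tooling; the sample rules are copied from this article's examples and the function names are hypothetical.

```python
import shlex

# Constructed sample: this article's example rules, using its example addresses.
SAMPLE_RULES = """
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address=10.2.0.200 to-addresses=192.168.5.10
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address=10.2.0.200 to-addresses=192.168.5.10 protocol=tcp dst-port=80,443
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address=10.2.0.200 to-addresses=192.168.5.11 protocol=tcp dst-port=8443 to-ports=443
"""

def parse_rule(line):
    """Turn one 'add' command into a dict of its key=value properties."""
    tokens = shlex.split(line)  # keeps quoted values such as comment="a b" together
    return dict(tok.split("=", 1) for tok in tokens if "=" in tok)

def audit_dstnat(text):
    """Describe what each dst-nat rule in the text exposes."""
    report = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule.get("action") != "dst-nat":
            continue
        findings = []
        ports = rule.get("dst-port")
        if ports is None:
            # No dst-port: every port (of the protocol, if one is set) is forwarded.
            scope = rule.get("protocol", "all protocols")
            findings.append(f"forwards every port ({scope}) to the internal device")
        elif rule.get("to-ports", ports) != ports:
            findings.append(f"WAN port {ports} is remapped to internal port {rule['to-ports']}")
        if "in-interface" not in rule and "dst-address" not in rule:
            findings.append("no in-interface or dst-address: matches all traffic in the dstnat chain")
        report.append({
            "target": rule.get("to-addresses"),
            "protocol": rule.get("protocol", "any"),
            "wan_ports": ports.split(",") if ports else ["any"],
            "findings": findings,
        })
    return report

if __name__ == "__main__":
    for entry in audit_dstnat(SAMPLE_RULES):
        print(entry["target"], entry["protocol"],
              ",".join(entry["wan_ports"]), entry["findings"] or "ok")
```

Rules reported as forwarding every port are the ones to compare against the restricted form with protocol and dst-port shown earlier.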
If you've made a mistake, you can remove your settings with the steps below. However, take care not to remove settings you didn't create. There is no "undo" functionality, though you should be able to re-create an accidentally removed setting by using printed information.
/<command prefix> print
/<command prefix> remove numbers=<numbers corresponding to settings>
For example:
/ip firewall nat print
/ip firewall nat remove numbers=3,4
/ip address print
/ip address remove numbers=2