Agratitudesign Impression | Graphic Web Design, Computer Network, Balinese Culture


Learning networking with Mikrotik RouterOS is a lot of fun. In this note I describe how to remotely access a DVR, the camera/CCTV server on our Mikrotik network, by creating port forwarding rules in the firewall NAT of Mikrotik RouterOS. Maybe, like me, you want to be able to watch a place you consider important to keep safe, wherever you are. It is not such a big deal: the view is in your hands, on your mobile.

Obviously, for security reasons you need a surveillance system at the office or even at home. Installing CCTV (Closed Circuit Television) cameras is not difficult. Maybe you are about to buy cameras, hoping to watch the places that matter to you. Perhaps you already have CCTV installed but don't quite know how the CCTV network works. I hope that after this you can manage your CCTV network by yourself. Let's take a look at the schematic picture below!


Based on the schematic picture above, we have an internet connection with a static public IP connected to port 1, the WAN interface of the Mikrotik, named internet. The internet goes into the router and out to the network through port 4, the local network interface named localnet-3. The internet connection, already masqueraded by the router, is then shared to the local area network through a switch/hub. The DVR CCTV server, as a client device of the local network, must be given a static IP; set it on the DVR itself, just as you would configure a PC client that uses a static IP. A DVR CCTV server usually has ports that you can set manually, or you can leave the port numbers at the manufacturer defaults; you just need to know which ports are used to access the DVR as the CCTV server.

As you probably know, there are two kinds of cameras/CCTV: analog cameras, which connect to the DVR with coaxial cable much like a common television antenna cable, and IP cameras, which use LAN cable. When you buy the cameras you must know which kind of DVR will serve them, that is, whether it takes coaxial cable or LAN cable. In this implementation I used analog cameras and a DVR. The DVR acts as the camera server, showing and recording what the cameras capture.

In this case I am not showing how to set up the DVR as the server; I did not record that part. But trust me, it is easy, and it depends on the brand of your DVR. To set up the DVR, connect a screen such as a PC monitor, plug in a PC mouse and keyboard if needed, then start the DVR. The DVR will ask for the login password to access its menu. You may find the default login on the casing of the DVR itself. After logging in, you can set up the DVR configuration, which truly depends on your own environment. Just for reference:

IP address (static) : 192.168.3.5
Subnet Mask: 255.255.255.0
Default Gateway (real) : 192.168.3.1
Preferred dns server : 8.8.8.8
Alternate dns server : 8.8.4.4


Media Port : 34567
Mobile Port: 5000


So that is the point of the DVR configuration; once again, it depends on your network environment. Some DVRs may not provide a media port. In that case you have to access the camera server only through the mobile port, from your mobile phone over the internet from outside your network.

As the schematic picture, let's assume:

Mikrotik Router Configuration:

Wan/public Interface : Internet
Public Network : 114.6.112.92/30
Gateway IP : 114.6.112.93
Public IP: 114.6.112.94

Lan/Local Interface : localnet-3
Local Network : 192.168.3.0/24
Gateway IP : 192.168.3.1


PC Security Monitor:

IP address (dynamic) : 192.168.3.13
Subnet Mask: 255.255.255.0
Default Gateway (real) : 192.168.3.1
Preferred dns server : 8.8.8.8
Alternate dns server : 8.8.4.4


According to this condition, what would you like to do?

1. Access DVR CCTV Server Displaying the Cameras View from Local Network

To access the DVR CCTV server through the local network, on the same local interface of the Mikrotik router, we don't need to add any new rules to the running Mikrotik configuration. If your DVR comes with camera client view software, you can install it on a PC client, in this case the PC Security Monitor. If your DVR doesn't provide any software, you may need third-party software like CMS2000. I believe you like free software!



Then configure access to the DVR CCTV server from the local network, on the same interface or DHCP server of the router. Create a name for the configuration, enter the DVR login password that you set up earlier, and insert the DVR IP address and the media port used to access the DVR server. People commonly use 34567 | 7000 | 8000 | 9000 as the DVR media port. In my opinion, leave the port configuration at the manufacturer default so as not to invite trouble during the setup.

If you have a problem accessing the DVR CCTV server from the local network, it is most probably because the PC client is on a different interface or network/subnet. With a different interface like this, you may need to set up a bridge on the router, or you can just access it through the router's public IP. So, to avoid problems during configuration, simply put the monitoring PC client on the same interface or network of the router. Another possible cause is a firewall filter rule on the router blocking the connection. A hung DVR server can cause the problem too; try resetting the DVR. The last possibility is that the DVR is broken; buy a new one, lol!

2. Access DVR CCTV Server Displaying the Cameras View from Internet 

This is the main thing I want to explain: how to access the DVR CCTV cameras from anywhere, as long as we have an internet connection. We access the cameras through the public IP of the Mikrotik, the router of the network where the DVR CCTV is located. Let's assume we have a public IP that does not change, that is, a static one: 114.6.112.94. So find out from your ISP whether your internet connection has its own static public IP or not.

We create new port forwarding rules for the DVR media and mobile ports in the Mikrotik firewall NAT, the same kind of thing I did in the article Building Web Hosting Server. We have to create two port forwarding rules, one for each DVR port, like below!

/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV Media Port Forwarding" dst-address=114.6.112.94 dst-port=34567 protocol=tcp to-addresses=192.168.3.5 to-ports=34567
add action=dst-nat chain=dstnat comment="CCTV Mobile Port Forwarding" dst-address=114.6.112.94 dst-port=5000 protocol=tcp to-addresses=192.168.3.5 to-ports=5000



Put simply, the CCTV media port rule forwards the media port on the public IP to the media port on the DVR IP, using only the TCP protocol. This lets you access the DVR CCTV server through the public IP from a PC or laptop with camera client view software like CMS2000.

We also add a rule for CCTV mobile port forwarding, which lets you access the DVR CCTV server from a mobile device with a mobile application like HDIVS. HDIVS is available for Android and iOS.

Having added the port forwarding rules to the Mikrotik firewall NAT, we are ready to install the camera client view software on the PC/laptop (CMS2000) and the camera client view app on the mobile device (HDIVS). It is just like the setup in Access DVR CCTV Server Displaying the Cameras View from Local Network, but now we use the public IP in the configuration, as shown in the picture below!



The picture above shows how to configure the camera client view software, in this case CMS2000, on the laptop to access the cameras through the public IP of the DVR server. It assumes you have your own static public IP from your ISP on the DVR CCTV server side.

In most cases you will want to access the cameras from wherever you are. For that you set up the camera client app on a mobile device with an internet connection. The picture below shows how to configure the HDIVS app on your mobile device!



If you have a problem accessing the DVR CCTV server remotely through the internet or public IP, cross-check that you created the media and mobile port forwarding rules correctly in the Mikrotik firewall NAT for the public IP on the DVR server side. Make sure the media and mobile ports are open: go to yougetsignal.com and type in your public IP with the media and mobile ports that should be open, like the picture below!



It's impossible to access the cameras remotely through the internet while the port is still closed. Check the firewall rules and make sure no rule is blocking access to the port. In most cases, try rebooting the DVR CCTV camera server.

So that's the concept of accessing the DVR CCTV camera server from the local network and remotely through the public IP. Perhaps some of you wonder what to do if the camera server side only has a dynamic public IP. That can be solved by accessing it through a DDNS domain name.

Please read how to set up No-IP in the article Build Web Hosting Server by self Using Dynamic IP. After you have a domain name on noip.com associated with your dynamic public IP, you must keep it up to date by putting the Script Automatic Update Dynamic IP on the router, like the script below!

/system script
add name=no-ip_ddns_update policy=read,write,test source={
 :local noipuser "your_user_login_noIP"
 :local noippass "your_password_login_noIP"
 :local noiphost "yourdomain.ddns.net"
 :local inetinterface "your_wan_interface_router"
 :global previousIP
 :if ([/interface get $inetinterface value-name=running]) do={
  :log info "Fetching current IP"
  /tool fetch url="https://www.trackip.net/ip" mode=http dst-path=mypublicip.txt
  :local currentIP [/file get mypublicip.txt contents]
  :log info "Fetched current IP as $currentIP"
  :for i from=( [:len $currentIP] - 1) to=0 do={
   :if ( [:pick $currentIP $i] = "/") do={
    :set currentIP [:pick $currentIP 0 $i]
   }
  }
  :if ($currentIP != $previousIP) do={
   :log info "No-IP: Current IP $currentIP is not equal to previous IP, update needed"
   :set previousIP $currentIP
   :local url "http://dynupdate.no-ip.com/nic/update\3Fmyip=$currentIP"
   :local noiphostarray
   :set noiphostarray [:toarray $noiphost]
   :foreach host in=$noiphostarray do={
    :log info "No-IP: Sending update for $host"
    /tool fetch url=($url . "&hostname=$host") user=$noipuser password=$noippass mode=http dst-path=("no-ip_ddns_update-" . $host . ".txt")
    :log info "No-IP: Host $host updated on No-IP with IP $currentIP"
   }
  }  else={
   :log info "No-IP: Previous IP $previousIP is equal to current IP, no update needed"
  }
 } else={
  :log info "No-IP: $inetinterface is not currently running, so therefore will not update."
 }
}

/system scheduler
add interval=2m name=no-ip_ddns_update on-event=no-ip_ddns_update policy=read,write,test comment="Update No-IP DDNS" disabled=no

With the Script Automatic Update Dynamic IP, the router keeps your dynamic IP associated with the noip DDNS domain so you can access the cameras. In this situation we change the DVR CCTV camera server port forwarding rules slightly: they no longer match the public IP but instead refer to the router's WAN interface, like the rules below!

/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV Media Port Forwarding" in-interface=your_wan_interface_router dst-port=34567 protocol=tcp to-addresses=192.168.3.5 to-ports=34567
add action=dst-nat chain=dstnat comment="CCTV Mobile Port Forwarding" in-interface=your_wan_interface_router dst-port=5000 protocol=tcp to-addresses=192.168.3.5 to-ports=5000


That's all about accessing the DVR CCTV camera server on our Mikrotik network. For more clarity you may want to watch the video. Have a good day!



Netcut is software that can control the internet connection of devices on the same network interface of the router. It works by scanning the IP addresses of all devices connected to the same network. Netcut can be used to take over the network client devices and do anything with the internet connection of all devices that are network clients. Netcut is used by someone inside the local network, one of our own network clients, most probably on a wifi connection after the client has logged in.

There are several kinds of netcut software out there. The most powerful one I have found so far, with a very complete feature set, is P2pover. I first learned of P2pover when one of my clients used it to cut other network clients off from the internet, hoping to get a faster connection than the other clients. I was very surprised by this kind of netcut because it really works: the software can manage the bandwidth of our clients like a network admin. P2pover can cut or drop, limit, filter and more inside our network. For an admin it might be an alternative way to manage the clients' internet usage. But in a client's hands it can be a big problem. A client who uses this kind of netcut software will tend to do bad things to other clients for personal reasons.


As in the picture above, a client running P2pover, without any login to the software, is able to scan the IPs of all clients on the same network. They can then create or define rules to limit internet speed, just as we do as admin on the Mikrotik. They can even kill or cut other clients' internet connections until those clients drop off the network. If more than one client does this, you can imagine what happens to our network services. We as the admin or IT network staff just receive many complaints from people angry at the chaos, and most probably some of them will leave. This is a terrible threat, is it not? If you are in the same boat, we must deal with this kind of netcut software so that there is no more netcut between our network clients and the Mikrotik.

There are a few methods to prevent netcut attacks on a Mikrotik network. Some tutorials advise creating rules to block netcut in the Mikrotik firewall filter, or preventing clients from setting static IPs themselves so that every client IP address comes only from the DHCP server on the Mikrotik, like the picture below!



For netcut software like P2pover, none of the methods mentioned above worked perfectly in my experiments to block P2pover. It needs another, stricter and more powerful way to block P2pover on our Mikrotik network. Especially if you use the wireless interface of the Mikrotik, you must isolate communication between the clients by disabling default forward so the clients cannot communicate with each other. Likewise, if you use a wireless router like TP-Link, try enabling AP isolation.

This is one of the most powerful ways to stop netcut entirely and protect the clients on our Mikrotik network. The trick is to hide the real gateway IP from netcut, so that netcut never learns the access gateway of the interfaces we use on the Mikrotik router. OK, I assume you use 4 local network interfaces and 1 public interface, as reflected by the rules below!

Configuration Before Block Netcut is Implemented on Mikrotik

/ip address
add address=192.168.1.2/24 interface=internet network=192.168.1.0
add address=192.168.2.1/24 interface=localnet-1 network=192.168.2.0
add address=192.168.3.1/24 interface=localnet-2 network=192.168.3.0
add address=192.168.4.1/24 interface=localnet-3 network=192.168.4.0
add address=192.168.5.1/24 interface=localnet-4 network=192.168.5.0


And the DHCP server network would look like these rules:

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1



We are going to hide the real gateway IP used by each local network of the router interfaces. Someone found this method after many, many experiments. It looks a little funny, using fake gateway IPs on the DHCP server network such as:

dhcp gateway IP for localnet-1 : 1.1.1.1
dhcp gateway IP for localnet-2 : 2.2.2.2
dhcp gateway IP for localnet-3 : 3.3.3.3
dhcp gateway IP for localnet-4 : 4.4.4.4

Change the gateway IP of the DHCP server network for each interface whose clients you want to protect against netcut, or remove the DHCP server network rules and insert new ones like this:

Configuration After Block Netcut is Implemented on Mikrotik

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=1.1.1.1
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=2.2.2.2
add address=192.168.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=3.3.3.3
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=4.4.4.4

So the resulting DHCP server network after the change would look like this!


To make these gateway IPs work, we need to add new IP address rules for each interface. The rules we need to add look like this!

/ip address
add address=1.1.1.1/24 interface=localnet-1 network=1.1.1.0
add address=2.2.2.2/24 interface=localnet-2 network=2.2.2.0
add address=3.3.3.3/24 interface=localnet-3 network=3.3.3.0
add address=4.4.4.4/24 interface=localnet-4 network=4.4.4.0


It looks a little funny or non-theoretical, but it really, really works, and it will not affect the internet connection of any network client. It just hides the real gateway IP, leaving the netcut software stuck, never knowing the right gateway IP for each router network interface. Finally, no more netcut between the Mikrotik and the network clients.
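As an added check (not part of the original post), this Python script reads /ip address and /ip dhcp-server network lines and reports, per DHCP network, whether the advertised gateway is outside the client subnet, whether the router actually holds that address, and whether it sits in publicly routable space. The last case matters because an address such as 1.1.1.1/24 on a LAN interface creates a connected route that takes precedence on this router over the real internet route for 1.1.1.0/24. The export text is a constructed sample, and the 10.255.x.x gateways are hypothetical values, not from the page.

```python
import ipaddress
import re

# Constructed sample in the shape of this page's configuration. The 10.255.x.x
# gateways are hypothetical values added to show the other outcomes.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.2.1/24 interface=localnet-1 network=192.168.2.0
add address=192.168.3.1/24 interface=localnet-2 network=192.168.3.0
add address=192.168.4.1/24 interface=localnet-3 network=192.168.4.0
add address=192.168.5.1/24 interface=localnet-4 network=192.168.5.0
add address=1.1.1.1/24 interface=localnet-1 network=1.1.1.0
add address=10.255.5.1/24 interface=localnet-4 network=10.255.5.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=1.1.1.1
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.4.1
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.5.1
"""

# Assumes the key order shown on the page: address first, then the other keys.
# Only /ip address lines carry interface=, only DHCP network lines carry gateway=.
ADDRESS_RE = re.compile(r"^add address=(\S+) .*?interface=(\S+)", re.M)
DHCP_RE = re.compile(r"^add address=(\S+) .*?gateway=(\S+)", re.M)


def audit_dhcp_gateways(text):
    """Map each DHCP network to the flags raised by its advertised gateway."""
    router = [ipaddress.ip_interface(a) for a, _ in ADDRESS_RE.findall(text)]
    report = {}
    for net, gw in DHCP_RE.findall(text):
        network = ipaddress.ip_network(net)
        gateway = ipaddress.ip_address(gw)
        flags = []
        # The hiding trick: clients are told a gateway outside their own subnet.
        if gateway not in network:
            flags.append("off-link-gateway")
        # The router still needs an address inside the client subnet so that
        # it has a route back to the clients.
        if not any(i.ip in network for i in router):
            flags.append("no-router-address-in-client-subnet")
        # The advertised gateway must exist on the router or clients lose access.
        owner = next((i for i in router if i.ip == gateway), None)
        if owner is None:
            flags.append("gateway-not-on-router")
        elif gateway.is_global:
            # A public prefix on a LAN interface hides the real network.
            flags.append("shadows-public:{}".format(owner.network))
        report[net] = flags
    return report


if __name__ == "__main__":
    for net, flags in audit_dhcp_gateways(SAMPLE_EXPORT).items():
        print(net, ", ".join(flags) or "ok")
```

In the sample, the 192.168.5.0/24 entry shows the same off-link arrangement built on a private address, which raises no shadowing flag.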

One note: if you ever want to attach an external wifi router to an interface that has been set up as anti-netcut, do not use automatic configuration on the external wifi router. Instead, manually set its WAN interface gateway to the real gateway IP of the Mikrotik router interface. That's all about the smart and powerful way to stop netcut on Mikrotik. Give it a try! For more clarity, watch the video. See you!


On this occasion I'd like to explain how to build our own web hosting server, at home, on our PC. This is Part II of Building Web Hosting Server, but now we use a double or multiple router port forwarding technique with Mikrotik as the router of the local network, plus a script that automatically updates our dynamic public IP to the No-IP sub domain. The script is run automatically by the system scheduler and checks our current public IP; every time the IP changes, the script sends the current IP to the noip.com server, so noip.com knows the sub domain should be updated to the current IP, and your sub domain keeps pointing to your current public IP. So we don't need the noip.com “Dynamic Update Client” app, because this job is handled by the script running on the Mikrotik, without burdening the web hosting server with the application.

Perhaps some of you will ask why we need double or multiple routers. The reason depends on your needs. For me personally, as you can see in the picture above, the ZTE Optical Router from the ISP gives me limited ability to manage my network clients, since I am just a user of the ISP router. Mikrotik is a programmable router, so I can manage the bandwidth of my web hosting server among the other network clients as I see fit. I don't want my web hosting server to lack bandwidth because of the internet use of other PC clients on my local network.


1. The First Router Port Forwarding for TCP and UDP Protocol

In this case I am using the ZTE Optical Router from the ISP, and I still have access to the router with a user login. I can set up port forwarding from port 80 on the public IP of the ISP router to the same port 80 on the WAN interface IP of my Mikrotik router. As you can see in the schematic picture above, the dynamic public IP 36.85.254.229:80 is forwarded to the Mikrotik WAN interface IP 192.168.1.2:80 using the TCP and UDP protocols.



If your ISP does not use a ZTE optical router, look for the port forwarding feature; most kinds of router have one. If you have a Mikrotik as the first router, you can add rules to the firewall NAT like this! Please change the public interface name and the public/WAN IP of the second router to match yours!

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=internet dst-port=80 protocol=tcp to-addresses=192.168.1.2 to-ports=80 comment="TCP port forwarding"
add action=dst-nat chain=dstnat in-interface=internet dst-port=80 protocol=udp to-addresses=192.168.1.2 to-ports=80 comment="UDP port forwarding"

This means an incoming connection to port 80 on the public IP is forwarded to the IP of the public/WAN interface of the second router.

2. The Second Router Port Forwarding for TCP and UDP Protocol

Next, we plan to put our web hosting server on the local network of the Mikrotik, the second router, as a PC client. We need to set up port forwarding on the second router that forwards connections arriving at port 80 on the public/WAN IP of the second router Mikrotik to port 8080 on the IP of the web hosting server, a client of the second router's local network. So we need to add 2 rules to the firewall NAT of the second router Mikrotik, like this!

/ip firewall nat
add chain=dstnat dst-address=192.168.1.2 dst-port=80 action=dst-nat protocol=tcp to-addresses=192.168.2.254 to-ports=8080 comment="port forwarding router IP to the client"
add chain=dstnat dst-address=192.168.1.2 dst-port=80 action=dst-nat protocol=udp to-addresses=192.168.2.254 to-ports=8080


We have now set up double router port forwarding on the two routers. Any incoming connection to port 80 on the public IP of the first router is forwarded to the IP of the web hosting server through the double router port forwarding.
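An added example, not code from the original posts: a small Python audit for dst-nat rules like the DVR forwards and the second-router forward described on this page. It flags rules with no dst-port (every port of that protocol is forwarded), no ingress match, and no source restriction; the export text is a constructed sample, and the address-list name cctv-viewers is hypothetical.

```python
import shlex

# Constructed sample modelled on this page's rules; not a real router export.
# "cctv-viewers" is a hypothetical address-list name.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV Media Port Forwarding" dst-address=114.6.112.94 dst-port=34567 protocol=tcp to-addresses=192.168.3.5 to-ports=34567
add action=dst-nat chain=dstnat comment="CCTV Mobile, known viewers only" in-interface=internet src-address-list=cctv-viewers dst-port=5000 protocol=tcp to-addresses=192.168.3.5 to-ports=5000
add chain=dstnat dst-address=192.168.1.2 action=dst-nat protocol=tcp to-addresses=192.168.2.254 to-ports=8080
add action=masquerade chain=srcnat out-interface=internet
"""

# Matchers that tie a rule to the WAN side, and matchers that limit who may connect.
INGRESS_KEYS = ("dst-address", "in-interface", "in-interface-list")
SOURCE_KEYS = ("src-address", "src-address-list")


def parse_export(text):
    """Yield (section, params) for each `add` line of a RouterOS export."""
    section = None
    # Real exports wrap long lines with a trailing backslash; join them first.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # keeps quoted comment="..." values together
        if tokens[0] == "add":
            yield section, dict(t.split("=", 1) for t in tokens[1:] if "=" in t)


def audit_dstnat(text):
    """Return [(target, [issue, ...])] for every dst-nat rule in the export."""
    results = []
    for section, p in parse_export(text):
        if section != "/ip firewall nat" or p.get("action") != "dst-nat":
            continue
        issues = []
        # Without dst-port, all traffic of that protocol is redirected,
        # including connections meant for the router's own services.
        if "dst-port" not in p:
            issues.append("no-dst-port")
        # Without a WAN-side match, the rule also rewrites LAN clients'
        # outbound traffic to that port.
        if not any(k in p for k in INGRESS_KEYS):
            issues.append("no-ingress-match")
        # Without a source match, the forwarded service answers any host.
        if not any(k in p for k in SOURCE_KEYS):
            issues.append("open-to-any-source")
        target = "{}:{}".format(p.get("to-addresses", "?"), p.get("to-ports", "*"))
        results.append((target, issues))
    return results


if __name__ == "__main__":
    for target, issues in audit_dstnat(SAMPLE_EXPORT):
        print(target, ", ".join(issues) or "ok")
```

For a public web server, open-to-any-source is the intended state; for a DVR login port it is the finding to act on.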

3. Adjustment Server Configuration on Local Network As Web Hosting Server

If you followed the previous article, this is no different from what we did to Build Web Hosting Server with a Single Router. Just make sure the IP address of the web hosting server is set to 192.168.2.254 as a static IP in the LAN ethernet adapter configuration, matching the second port forwarding. The Windows firewall must not block Wamp Server, the web server application, and you need rules that allow TCP and UDP port 8080. In the Apache httpd.conf of Wamp Server:

httpd.conf  : C:\wamp64\bin\apache\apache2.4.23\conf

Find the text with “Listen” and change

Listen 0.0.0.0:80 -> Listen 0.0.0.0:8080
Listen [::0]:80 -> Listen [::0]:8080

Find the text with “ServerName” and change

ServerName localhost:80 -> ServerName 192.168.2.254:80

Find the text with “onlineoffline” and change

Require local -> Require all granted

Optional:

DocumentRoot "${INSTALL_DIR}/www/agratitudesign"
<Directory "${INSTALL_DIR}/www/agratitudesign/">

phpmyadmin.conf  : “C:\wamp64\alias”

Require local -> Require all granted

4. Script for Automatic Update Dynamic Public IP to No-IP Domain on Mikrotik.

The second router, the Mikrotik, is a programmable router that lets us do the job of the Dynamic Update Client: keeping your noip.com sub domain updated with the ISP's dynamic public IP, which can change at any time. The system script for Automatic Update Dynamic Public IP to No-IP works together with the system scheduler.

/system script
add name=no-ip_ddns_update policy=read,write,test source={
 :local noipuser "agratitudesign"
 :local noippass "Password"
 :local noiphost "agratitudesign.sytes.net,agratitudesign.ddns.net"
 :local inetinterface "internet"
 :global previousIP
 :if ([/interface get $inetinterface value-name=running]) do={
  :log info "Fetching current IP"
  /tool fetch url="https://www.trackip.net/ip" mode=http dst-path=mypublicip.txt
  :local currentIP [/file get mypublicip.txt contents]
  :log info "Fetched current IP as $currentIP"
  :for i from=( [:len $currentIP] - 1) to=0 do={
   :if ( [:pick $currentIP $i] = "/") do={
    :set currentIP [:pick $currentIP 0 $i]
   }
  }
  :if ($currentIP != $previousIP) do={
   :log info "No-IP: Current IP $currentIP is not equal to previous IP, update needed"
   :set previousIP $currentIP
   :local url "http://dynupdate.no-ip.com/nic/update\3Fmyip=$currentIP"
   :local noiphostarray
   :set noiphostarray [:toarray $noiphost]
   :foreach host in=$noiphostarray do={
    :log info "No-IP: Sending update for $host"
    /tool fetch url=($url . "&hostname=$host") user=$noipuser password=$noippass mode=http dst-path=("no-ip_ddns_update-" . $host . ".txt")
    :log info "No-IP: Host $host updated on No-IP with IP $currentIP"
   }
  } else={
   :log info "No-IP: Previous IP $previousIP is equal to current IP, no update needed"
  }
 } else={
  :log info "No-IP: $inetinterface is not currently running, so therefore will not update."
 }
}


/system scheduler
add interval=5m name=no-ip_ddns_update on-event=no-ip_ddns_update policy=read,write,test comment="Update No-IP DDNS" disabled=no



Paste the script above into a new terminal in Winbox! The system script and scheduler should be set with policy=read,write,test. Change the parts of the script that I marked in red to match your noip.com account and the public interface name on your Mikrotik router, the second router. The system scheduler runs every 5 minutes, the interval we set, to execute the system script. The system script then checks your current public IP; if it has changed from the previous public IP, the script sends a request to your noip.com account to update the IP for the sub domain we set up. If the current public IP has not changed, nothing is sent to the noip.com server.

Actually, building a web hosting server is not such a big deal. It doesn't matter if you need triple or multiple router port forwarding. We only need to understand the principle of port forwarding and how to keep the firewall from blocking the port forwarding process on the server. That's it… watch the video for more clarity. Good job!



This time I continue my experiment to build my own Web Hosting Server on my personal computer (PC). The Web Hosting Server runs on a PC server that is one of the PC clients on my network, using just one router port forwarding this time. Here is the equipment environment I used:

a. Wamp Server: a Windows web development environment with 3 packages in one: Apache, MySQL and PHP. Wamp Server requires a dependency, the Visual C++ Redistributable Packages, which must be installed before you install Wamp Server so that it runs on Windows.

b. Network Router: this depends on the network environment of the internet connection from your ISP (Internet Service Provider). In this case the ISP provides the internet connection through their own router, a ZTE optical router. It doesn't matter if you use a Mikrotik directly connected to the public IP of the internet.

c. No-IP Account: this is for those who have no fixed IP from the ISP. No-IP means you have no private or static public IP. Of course you have a public IP, but it can change at any time. Using noip.com makes it possible to create a domain that stays associated with your dynamic public IP.

d. Website Project Files: the files of the website you have built and need to launch so that it can be accessed from outside over the internet. In this case I use WordPress as a complete example of a website using PHP and a MySQL database to test the Web Hosting Server we are going to make.

Before we begin, let's look at the schema image above! I am using the ISP router connected directly to the switch/hub, which connects to the local network PC clients. The Web Hosting Server, as a PC client, can be connected directly to the router, or through a switch/hub if you have more than one PC client. The Web Hosting Server gets its IP from the DHCP server inside the ISP's ZTE Optical Router. After that we need to set the IP of the Web Hosting Server to be static. We can define the static IP through the Windows ethernet adapter.

As you can see, the Web Hosting Server, as a client of the local network, is already set to the static IP 192.168.1.9 and uses the gateway IP 192.168.1.1 of the router's local network, in this case the ZTE Optical router. After that we need to set up port forwarding on the router in order to access the Web Hosting Server through the public IP of our internet connection.

OK, let's go step by step in detail through how to build a Web Hosting Server for a dynamic public IP using a single router. If your ISP gave you a different kind of router, look for the feature that lets you set up port forwarding!


1. Get Free Sub Domain noip.com as the Domain Name your Public IP

If you have no account yet, register first on noip.com, then define a sub domain to use as the domain name of the website project you want to launch as a live web server.

Noip.com has nice domain names that are easy to remember. As free users we are limited in the sub domains we can create, and they have an expiration date, but we can renew the sub domain we created every month. If you have more funds you can upgrade your noip.com account to premium.

As you can see, the sub domain is associated with the target IP, which is our current public IP right now. But what happens when the public IP changes? Noip.com provides an app that you must install on one of the PC clients on the local network that shares the same public IP.


You can download the Dynamic Update Client app from the site and install it on a PC client on the local network. This app keeps the sub domain we just created associated with our dynamic public IP. Every time our public IP changes, the app gets our current IP and sends a request to noip.com to update the sub domain from the previous IP to the current public IP. Please keep this app running in the background.

2.  Setup Router Port Forwarding Public IP to the Web Hosting Server


Don't worry if you have another kind of router; look for its port forwarding feature. The principle is to forward the TCP and UDP protocols on port 80 of the router's public interface to port 8080 on the IP of the local network client that is the web hosting server. We cannot use port 80 on the web hosting server, because most probably port 80 on it is busy.

The ZTE router is an instant, simple kind of router. As you can see, it is easy to set up port forwarding on it. But you Mikrotik lovers may ask me, why not use Mikrotik? OK, assume you use a Mikrotik as your router, connected directly to the external/public IP, or maybe your ISP uses a Mikrotik router to provide your internet connection. These are the single Mikrotik router port forwarding rules you must add to the NAT firewall:

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=internet dst-port=80 protocol=tcp to-addresses=192.168.1.9 to-ports=8080 comment="TCP port forwarding"
add action=dst-nat chain=dstnat in-interface=internet dst-port=80 protocol=udp to-addresses=192.168.1.9 to-ports=8080 comment="UDP port forwarding"

We require two rules on the firewall NAT, so that we create port forwarding for both the TCP and UDP protocols. Change the in-interface name to match the public interface name in your Mikrotik configuration.

3. Installing Wamp Server According to Public IP and Port Forwarding

Installing Wamp Server on Windows is not such a big deal that I should explain it in detail. Just go to http://www.wampserver.com/en/ and download the latest version of Wamp Server, which now includes PHP 7.0.10. Don’t forget that before installing Wamp Server you must install its dependency, Visual Studio 2012 : VC 11 vcredist_x64/86.exe


After this you can install Wamp Server itself. Before finishing the installation, I suggest you allow the Apache HTTP server of Wamp Server to run on private and public networks in the Windows Firewall allowed apps list. Remember, we plan to access Wamp Server as the web hosting server through the public or external IP, so we don’t want Windows Firewall to block Wamp Server.


4. Adjust Wamp Server Configuration and Windows Firewall Rules

We have created the port forwarding rules on the router, but our job is not finished yet. We still need to add rules for the TCP and UDP port in Windows Firewall with Advanced Security and adjust the Wamp Server configuration.

Adjustment Windows Firewall:

This is a very common step, but it is required. Most probably this is where we fail when building a web hosting server, so we need to add 2 rules for port 8080, one each for the TCP and UDP protocols, in Windows Firewall with Advanced Security, like the picture below!


And don't forget to make sure that Wamp Server is allowed to communicate through Windows Firewall on private and public networks in the allowed apps list, like the picture below!


Adjustment Wamp Server Configuration:

Before we adjust the Wamp Server configuration, check that everything is working properly. Run the Wamp Server app and make sure the Wamp Server system tray icon is green.



Type localhost, 127.0.0.1, and the IP address 192.168.1.9 that you set as the static IP for the server; all of them should open Wamp Server in your browser.

After that, find httpd.conf, the Apache configuration file, in the Wamp Server installation directory. Its location depends on where you put the Wamp Server installation files on your PC, for example “C:\wamp64\bin\apache\apache2.4.23\conf”. Open httpd.conf with your favorite editor, then:

Find the text with “Listen” and change

Listen 0.0.0.0:80 -> Listen 0.0.0.0:8080
Listen [::0]:80 -> Listen [::0]:8080

Find the text with “ServerName” and change

ServerName localhost:80 -> ServerName 192.168.1.9:80

Find the text with “onlineoffline” and change

Require local -> Require all granted

To access phpmyadmin on the web server through the public IP, find phpmyadmin.conf in the Wamp Server installation directory “C:\wamp64\alias”. Open phpmyadmin.conf and change

Require local -> Require all granted

This step is optional: it lets visitors reach the web project directly, rather than the www root directory, just by typing the public IP or domain name. We need to set DocumentRoot and Directory, still in httpd.conf, like this:

DocumentRoot "${INSTALL_DIR}/www/agratitudesign"
<Directory "${INSTALL_DIR}/www/agratitudesign/">

"agratitudesign" is the directory name of the web project files.

You have now adjusted the Wamp Server configuration to match the router port forwarding. Next, restart all the Wamp Server services, which you can do from the Wamp Server system tray icon. Everything should be working properly. At this point you can access Wamp Server through the public IP or the sub domain that you created on noip.com.

5. Adjust WordPress Sites from Localhost to Live Web Hosting Server

In this case I am using the WordPress CMS as the example of a website project that works with a database. There are so many tutorials about how to install WordPress; here I just explain how to adjust a WordPress website from the local configuration to the live web hosting server configuration. Our aim is to test the web hosting server that we have just created.

OK, assume that you have built the WordPress website project in the directory “www”, the default document root of Wamp Server. In this example it is the agratitudesign directory, and I have moved the document root to this directory itself, so that we can access the agratitudesign web project just by typing the noip.com subdomain, that is agratitudesign.sytes.net or agratitudesign.ddns.net. If you don’t know how to install WordPress, please watch the video of this tutorial for more details.

The most important thing that I have to tell you: consider that our Wamp Server is no longer a localhost that can only be accessed from the PC server itself, but a live server that can be accessed from anywhere as long as there is an internet connection. Usually we leave “localhost/phpmyadmin” with the user root and no password. Imagine that someone types “yoursubdomain/phpmyadmin”: they can access the website database with this common login. So we are going to create a new login for phpmyadmin on Wamp Server.


Create a new user login for phpmyadmin, and don’t forget to activate all global privileges for this user login. After that you can remove the root login, because almost everyone already knows it as the default user login for phpmyadmin on Windows.
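
With Require all granted on phpmyadmin, the new login is the only thing standing between the internet and the database. The check below is an added example, not part of the original post: it reads Apache configuration text and reports admin directories that any address can open. The two sample configs, the phpmyadmin path and the ADMIN_HINTS list are constructed for illustration.

```python
import re

# Assumption: path fragments that identify admin tools which should stay LAN-only.
ADMIN_HINTS = ("phpmyadmin", "adminer", "phpsysinfo")

BLOCK_RE = re.compile(
    r'<(Directory|Location)\s+"?([^">]+)"?\s*>(.*?)</\1\s*>',
    re.IGNORECASE | re.DOTALL,
)
REQUIRE_RE = re.compile(r"^[ \t]*Require[ \t]+(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE)


def access_blocks(conf_text):
    """Return [(path, [normalized Require arguments])] per <Directory>/<Location> block."""
    # Drop comment lines first so a commented-out directive is never counted.
    live = "\n".join(
        line for line in conf_text.splitlines() if not line.lstrip().startswith("#")
    )
    blocks = []
    for match in BLOCK_RE.finditer(live):
        requires = [" ".join(arg.lower().split()) for arg in REQUIRE_RE.findall(match.group(3))]
        blocks.append((match.group(2), requires))
    return blocks


def audit(conf_text):
    """Return the admin-tool directories that any internet address may open."""
    findings = []
    for path, requires in access_blocks(conf_text):
        is_admin = any(hint in path.lower() for hint in ADMIN_HINTS)
        if is_admin and "all granted" in requires:
            findings.append(path)
    return findings


# Constructed sample: the site is public and phpmyadmin was opened as well.
OPEN_CONF = '''
<Directory "${INSTALL_DIR}/www/agratitudesign/">
    Require all granted
</Directory>
Alias /phpmyadmin "${INSTALL_DIR}/apps/phpmyadmin/"
<Directory "${INSTALL_DIR}/apps/phpmyadmin/">
    AllowOverride all
    #Require local
    Require all granted
</Directory>
'''

# Constructed sample: site still public, phpmyadmin limited to the server and the LAN.
LAN_ONLY_CONF = OPEN_CONF.replace(
    "    #Require local\n    Require all granted",
    "    Require local\n    Require ip 192.168.1.0/24",
)

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("lan-only", LAN_ONLY_CONF)):
        print(name, "->", audit(conf) or "no exposed admin directory")
```

The public document root is not reported, because serving the site to everyone is the goal; only the admin alias is. In LAN_ONLY_CONF the WordPress site stays reachable from the internet while phpmyadmin answers only on the server itself and on 192.168.1.0/24.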

When we build a WordPress website project, we have the database name of the site, the user login for the database, and the user login for the admin backend of that WordPress site. As we usually do when we move a WordPress project from local to the live web hosting server, we need to adjust the wp-config file of the WordPress site.



After that we log in to the database of this WordPress site by typing “subdomain/phpmyadmin” and using the new login that we have just created. Open the database of the WordPress site, find the “wp_options” table, and change siteurl and home from localhost to the subdomain that we have. Let's see the picture below!


Most probably the WordPress website uses hyperlinks that refer to localhost, but now we must change them to the subdomain. It would be very painful to check the database tables manually one by one. Go to the related database and, on the SQL tab, run the following SQL query

UPDATE wp_posts SET post_content = REPLACE(post_content, 'localhost/agratitudesign', 'agratitudesign.sytes.net');

The last step is to go to wp-admin, the backend of the WordPress website, then select Settings > Permalinks and update the permalinks.



Well done, we have successfully built a web hosting server by ourselves on our local network using a dynamic public IP and a single router. I have already tested the subdomain access, the admin backend of the WordPress site, and the database. Everything is working well, and finally the web hosting server is in our own hands. For more clarity, let's watch the video. See you!



As one of the IT staff in a company, I get requests like this: how can we manage several local networks using just 1 network address but different subnets? In other words, we use the same network address, divided into sub networks. Until now, when I wanted to manage several networks on different local port interfaces of the router, I just divided them with a different network mask for each local network. But actually we can manage our networks as a single network with multiple subnets. So this implementation is about understanding subnetting of the network IP address. If you already know it, just skip it! I will just continue my notes.

An example of subnetting a Class C IP address:

Network Address = 192.168.1.0/26
Subnet Mask /26 = 11111111.11111111.11111111.11000000 = 255.255.255.192
Number of Subnets = 2^x = 2^2 = 4 segments
Number of Hosts per Subnet = 2^y - 2 = 2^6 - 2 = 62 hosts
Subnet block = 256 - 192 = 64, so the subnets start at 0, 64, 128, 192 (0 + 64 = 64, 64 + 64 = 128, 128 + 64 = 192)

x : number of binary 1s in the last octet of the subnet mask
y : number of binary 0s in the last octet of the subnet mask

For more clarity about subnetting IP addresses you can go to boossit.wordpress.com, and if you want automatic calculation, you can go to http://jodies.de/ipcalc

OK, let's go further and see how we implement it on our Mikrotik router.

Let's say we have an internet connection with a modem that has

IP gateway = 192.168.1.1

We plan to share the internet connection to our local networks

Number of Localnet = 4

The four local networks will be 4 subnets of the same network address

Network Address = 192.168.2.0/24, so our subnets will be
Subnet Localnet1 : 192.168.2.0/26
Subnet Localnet2 : 192.168.2.64/26 
Subnet Localnet3 : 192.168.2.128/26
Subnet Localnet4 : 192.168.2.192/26

Reset your router with no default configuration; then we can start configuring our Mikrotik to use 1 network address divided into 4 subnets for our local network.

1. Setup identity, DNS server, and NTP client of the Mikrotik router

We begin by setting the identity of the router. If you have several Mikrotik routers, it is better to give each router a name, to prevent mistakes about which Mikrotik router you are setting up or changing right now. Then we choose the DNS server reference and the NTP client first.

/system identity
set name=Agratitudesign
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/system ntp client
set enabled=yes primary-ntp=203.89.31.13 secondary-ntp=82.200.209.236

2. Setup Interface Port Names for all the Ports that will used

It is just a name; you can give the interface ports any names you like. In this case I used internet for the WAN or gateway, and localnet-1, localnet-2, localnet-3, localnet-4 for the local network interface names.

/interface ethernet
set [ find default-name=ether1 ] name=internet
set [ find default-name=ether2 ] name=localnet-1
set [ find default-name=ether3 ] name=localnet-2
set [ find default-name=ether4 ] name=localnet-3
set [ find default-name=ether5 ] name=localnet-4


As in the picture above, we use just 1 WAN or internet port, whatever you call it, and 2 local port interfaces. It does not matter that we use just 2 local ports; the rest are spare ports that are ready to use.

3. Setup Network IP address for the Interface Ports and the Route Gateway

For the WAN or internet interface we use 192.168.1.2/24. We start from 192.168.1.2 because the IP gateway of the ISP router is 192.168.1.1. So don’t use 192.168.1.1/24, otherwise the router will not find the internet gateway.

/ip address
add address=192.168.1.2/24 interface=internet network=192.168.1.0
add address=192.168.2.1/26 interface=localnet-1 network=192.168.2.0
add address=192.168.2.65/26 interface=localnet-2 network=192.168.2.64
add address=192.168.2.129/26 interface=localnet-3 network=192.168.2.128
add address=192.168.2.193/26 interface=localnet-4 network=192.168.2.192
/ip route
add distance=1 gateway=192.168.1.1


As you can see, we use 192.168.2.1/26, 192.168.2.65/26, 192.168.2.129/26 and 192.168.2.193/26 as the IP addresses for the local port interfaces. A /26 mask splits the total host range of the network address into 4 subnets or segments.

4. Setup DHCP Server and IP Pools for Our Local Subnet Interfaces

Each local subnet interface gets 1 DHCP server and 1 IP pool. Because we have 4 local port subnet interfaces, we must create 4 DHCP servers with IP pools.

/ip pool
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.62
add name=dhcp_pool2 ranges=192.168.2.66-192.168.2.126
add name=dhcp_pool3 ranges=192.168.2.130-192.168.2.190
add name=dhcp_pool4 ranges=192.168.2.194-192.168.2.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=localnet-1 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=localnet-2 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=localnet-3 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=localnet-4 name=dhcp4

/ip dhcp-server network
add address=192.168.2.0/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.2.64/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.65
add address=192.168.2.128/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.129
add address=192.168.2.192/26 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.193
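
The subnet arithmetic above and the addresses, pools and gateways typed in steps 3 and 4 can be checked mechanically. This is an added example, not part of the original post: it derives the router address and DHCP pool of each /26 and lints "/ip address" lines for a network= value that does not match the prefix and for overlapping ranges. The sample lines, including the wrong network= value, are constructed.

```python
import ipaddress
import shlex


def parse_kv(line):
    """Turn a RouterOS 'add key=value ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def plan_subnets(network, new_prefix):
    """Split `network` and give each subnet a router address and a DHCP pool."""
    plan = []
    for sub in ipaddress.ip_network(network).subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())  # excludes the network and broadcast addresses
        if len(hosts) < 2:
            raise ValueError(f"{sub} is too small for a router plus clients")
        plan.append({
            "subnet": str(sub),
            "router": f"{hosts[0]}/{sub.prefixlen}",  # first host, as in the post
            "pool": f"{hosts[1]}-{hosts[-1]}",        # everything after the router
            "usable_hosts": len(hosts),
        })
    return plan


def check_address_lines(lines):
    """Return the problems found in '/ip address' add lines."""
    problems, seen = [], []
    for line in lines:
        kv = parse_kv(line)
        iface = ipaddress.ip_interface(kv["address"])
        net = iface.network
        if "network" in kv and ipaddress.ip_address(kv["network"]) != net.network_address:
            problems.append(
                f"{kv['interface']}: network={kv['network']} but {kv['address']} belongs to {net}"
            )
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{kv['interface']}: {iface.ip} is not a usable host address")
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{kv['interface']}: {net} overlaps {other_net} on {other_name}")
        seen.append((kv["interface"], net))
    return problems


# Constructed sample: one wrong network= value and one /24 laid over the /26 subnets.
SAMPLE_LINES = [
    "add address=192.168.2.1/26 interface=localnet-1 network=192.168.2.0",
    "add address=192.168.2.65/26 interface=localnet-2 network=192.168.2.0",
    "add address=192.168.2.129/26 interface=localnet-3 network=192.168.2.128",
    "add address=192.168.2.1/24 interface=bridge_localnet",
]

if __name__ == "__main__":
    for row in plan_subnets("192.168.2.0/24", 26):
        print(row)
    for problem in check_address_lines(SAMPLE_LINES):
        print("PROBLEM:", problem)
```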



5. Create Localnets Masquerade Nat rules on Firewall Nat 

We have 4 masquerade NAT rules on the firewall NAT. If you want to turn off the internet connection for one of those local port subnet interfaces, you can do it by disabling the corresponding rule.

/ip firewall nat 
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.0/26 disabled=no comment="localnet-1"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.64/26 disabled=no comment="localnet-2"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.128/26 disabled=no comment="localnet-3"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.192/26 disabled=no comment="localnet-4" 



After any new Mikrotik router configuration, we should reboot the router, so that all the rules on it work stably and exactly as we set them up. After this, you should be able to use the internet connection from each local port subnet interface. Then, on the client side, you can see which IP address and IP gateway each client gets.


6. Setup Bridge for Local Network Port Subnet Interfaces

Obviously, clients on different networks or sub networks that use different interfaces cannot exchange data with one another through the local network. This is why we have to set up a bridge for those clients that use different port interfaces on the router.


In the picture above, a client on subnet 1 is remotely controlling a client on subnet 2 using Chrome Remote Desktop through the internet connection. Client 1 and client 2 are using different interfaces of the router. Even if we share a file folder on the clients, we still cannot see the shared file folder through the local network.

So what we do now is set up the bridge for each local subnet interface on the Mikrotik router. Open your Winbox and insert these rules.

/interface bridge
add name=bridge_localnet
/interface bridge port
add bridge=bridge_localnet interface=localnet-1
add bridge=bridge_localnet interface=localnet-2
add bridge=bridge_localnet interface=localnet-3
add bridge=bridge_localnet interface=localnet-4

Setting up the bridge on each interface is like merging the interfaces, and they then follow the DHCP server of the bridge interface, which you have to set up. If you stop at this step, of course it will break the whole local network, because the clients are using the DHCP server of each interface, and those interfaces are now merged.


What we have to do is change one of the localnet DHCP servers to the bridge interface name, in this case bridge_localnet, like the picture below. Or you can create new rules for the bridge DHCP server like this

/ip address
add interface=bridge_localnet address=192.168.2.1/24
/ip pool
add name=dhcp_pool_bridge ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool_bridge disabled=no interface=bridge_localnet
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1


The local subnet network will work again; it no longer uses each subnet's own DHCP server, but instead uses the single bridge DHCP server. Let's check that the clients get an IP, and now you can share the file folders that you want. The picture below shows the network sharing for each client across the router interfaces.


That’s all that I can tell you, based on my experiment, about implementing subnets on local port interfaces and setting up the bridge interface with a DHCP server on the Mikrotik router. For more clarity, let's watch the video!



Related to this topic, here are the complete rules if we don’t need subnetting for the local port interfaces of the Mikrotik router!

/system identity
set name=Agratitudesign

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/system ntp client
set enabled=yes primary-ntp=203.89.31.13 secondary-ntp=82.200.209.236

/interface ethernet
set [ find default-name=ether1 ] name=internet
set [ find default-name=ether2 ] name=localnet-1
set [ find default-name=ether3 ] name=localnet-2
set [ find default-name=ether4 ] name=localnet-3
set [ find default-name=ether5 ] name=localnet-4

/ip address
add address=192.168.1.2/24 interface=internet network=192.168.1.0
add address=192.168.2.1/24 interface=localnet-1 network=192.168.2.0
add address=192.168.3.1/24 interface=localnet-2 network=192.168.3.0
add address=192.168.4.1/24 interface=localnet-3 network=192.168.4.0
add address=192.168.5.1/24 interface=localnet-4 network=192.168.5.0

/ip route
add distance=1 gateway=192.168.1.1

/ip pool
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool3 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool4 ranges=192.168.5.2-192.168.5.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=localnet-1 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=localnet-2 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=localnet-3 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=localnet-4 name=dhcp4

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1

/ip firewall nat 
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.2.0/24 disabled=no comment="localnet-1"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.3.0/24 disabled=no comment="localnet-2"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.4.0/24 disabled=no comment="localnet-3"
add action=masquerade chain=srcnat out-interface=internet src-address=192.168.5.0/24 disabled=no comment="localnet-4"

/interface bridge
add name=bridge_localnet

/interface bridge port
add bridge=bridge_localnet interface=localnet-1
add bridge=bridge_localnet interface=localnet-2
add bridge=bridge_localnet interface=localnet-3
add bridge=bridge_localnet interface=localnet-4

/ip address
add interface=bridge_localnet address=192.168.2.1/24

/ip pool
add name=dhcp_pool5 ranges=192.168.2.2-192.168.2.254

/ip dhcp-server
add address-pool=dhcp_pool5 disabled=no interface=bridge_localnet

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1

For everyone who has an internet connection from an ISP that uses a PPPoE connection (Point to Point Protocol over Ethernet), setting it up on a Mikrotik router for your local network may be slightly different. Here we do not need to set up an IP address rule for the internet gateway as WAN. Instead we will use the PPPoE client as a virtual interface for the gateway or WAN. If you want to learn more about the PPPoE connection, please read wiki.mikrotik.com.

Well, let's not waste time and go on to how to set up a PPPoE connection on Mikrotik. Here I am using Biznet ISP as the example of an ISP that uses a PPPoE connection for its internet. It is mostly the same as how we usually set up the internet connection on Mikrotik. OK, reset your Mikrotik with no default configuration first, before we start.

1.  Set the name for the interface Ethernet

We put the gateway/WAN cable on port 1 and the local network cable on port 2 of the router. So ether1 will be named biznet-internet and ether2 will be named lan-localnet; leave the rest of the ethernet ports as they are. Again, as usual, we need just two rules here.

/interface ethernet
set [ find default-name=ether1 ] name=biznet-internet
set [ find default-name=ether2 ] name=lan-localnet


2. Setup ip address just for local networks

This differs from the usual setup for an ISP that uses an IP gateway, such as Indosat. We don’t need to set up an IP address and network mask for the WAN; instead we are going to define the route to the internet gateway with the PPPoE client later. In this case we have just 1 local network, so there is just one rule.

/ip address
add address=192.168.1.1/24 interface=lan-localnet network=192.168.1.0


3. Setup PPPoE client for the ISP Connection on the Router

This is the core of the PPPoE setup on the Mikrotik router. In this case we set MikroTik RouterOS to be a PPPoE client, and we define the interface name here. Obviously we must know the login or authentication details of the ISP's PPPoE connection.

/interface pppoe-client
add add-default-route=yes disabled=no interface=biznet-internet name=BIZNET password=xxxxxxxx user=yyyyyyyyyy


4. Dns server on the routerOS for PPPoE Connection

Sometimes we don’t need to set up a DNS server on RouterOS: it is created automatically while we set up the PPPoE client configuration. But in other cases we still need to set the DNS server on RouterOS. The only thing we can do is make sure that RouterOS has already received a DNS server from the PPPoE ISP itself. Optionally we can add a static DNS server manually.

/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 servers=203.142.82.222,203.142.84.222


If we have already inserted rules for the DNS server, try removing all the static DNS servers until RouterOS has a dynamic DNS server. This can be the reason the PPPoE internet connection setup on the Mikrotik router fails.

5. Masquerade Public Traffic for Lan and Setup DHCP server

This configuration rule is like the one we usually use, but let me give you a note. The masquerade NAT rule for public traffic uses out-interface BIZNET, not biznet-internet. It must take the interface name from the PPPoE client that we have just set up.

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Public Traffic" out-interface=BIZNET src-address=192.168.1.0/24

The rest is creating the DHCP server to provide IP addresses for our local network clients

/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=lan-localnet name=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1


I think that is enough already. If it is not so clear for you, let's see the video below!


Related to this Topic

Somebody asked me about how to set up CCTV on a Mikrotik that uses a PPPoE network configuration with a fixed public IP.

OK, assume what we have is

DVR IP : 192.168.1.5 on the local network 1 : 192.168.1.0/24
TCP port : 7774
Mobile Port: 8888
Fixed Public IP: 103.12.160.202

The notes that I can suggest to avoid problems during the CCTV setup:

1. Make sure that no rules on the firewall filter will block the CCTV connection from the public IP. So you must know all the rules that you have defined, especially the firewall filter rules.
2. Make sure that the local network is already masqueraded on the interface port of the network that the DVR CCTV is connected to.
3. Forward the device ports, the DVR ports on our local network, with NAT rules

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=103.12.160.202 dst-port=7774 protocol=tcp to-addresses=192.168.1.5 to-ports=7774 comment="CCTV Local Inbound"
add action=dst-nat chain=dstnat dst-address=103.12.160.202 dst-port=8888 protocol=tcp to-addresses=192.168.1.5 to-ports=8888 comment="CCTV Mobile Inbound"

4. Make sure that the DVR port is already open. You may use yougetsignal.com to check it from the public IP.
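
Every dst-nat rule, both the DVR forwards here and the port 80 forward for the web server earlier on this page, publishes a LAN device to the internet, so it helps to list them and see who may connect. This is an added example, not part of the original post: it reads exported RouterOS rules and reports each forward with the issues found on it. The sample export uses the documentation address 203.0.113.10 and a hypothetical address list named cctv-viewers, and it assumes a single to-addresses value per rule.

```python
import ipaddress
import shlex


def parse_kv(line):
    """Turn a RouterOS 'add key=value ...' line into a dict (quoted values kept whole)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def audit_dstnat(export_text, lan_networks):
    """List every enabled dst-nat rule in the export with the issues found on it."""
    lans = [ipaddress.ip_network(n) for n in lan_networks]
    section, report = "", []
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line  # remember which menu the following 'add' lines belong to
            continue
        if section != "/ip firewall nat" or not line.startswith("add "):
            continue
        kv = parse_kv(line)
        if kv.get("action") != "dst-nat" or kv.get("disabled") == "yes":
            continue
        issues = []
        if "src-address" not in kv and "src-address-list" not in kv:
            issues.append("any source address may connect")
        if "in-interface" not in kv and "dst-address" not in kv:
            issues.append("not tied to the public interface or address")
        target = ipaddress.ip_address(kv["to-addresses"])
        if not any(target in lan for lan in lans):
            issues.append(f"target {target} is outside the known LAN subnets")
        report.append({
            "public": f"{kv.get('protocol', 'any')}/{kv.get('dst-port', 'any')}",
            "target": f"{target}:{kv.get('to-ports', kv.get('dst-port', 'any'))}",
            "comment": kv.get("comment", ""),
            "issues": issues,
        })
    return report


# Constructed sample export, modelled on the rule shapes used in the post.
SAMPLE_EXPORT = '''
/ip firewall nat
add action=masquerade chain=srcnat out-interface=BIZNET src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=7774 protocol=tcp to-addresses=192.168.1.5 to-ports=7774 comment="CCTV Local Inbound"
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=8888 protocol=tcp src-address-list=cctv-viewers to-addresses=192.168.1.5 to-ports=8888 comment="CCTV Mobile Inbound"
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.3.5 to-ports=8080 comment="stale rule"
'''

if __name__ == "__main__":
    for rule in audit_dstnat(SAMPLE_EXPORT, ["192.168.1.0/24"]):
        status = "; ".join(rule["issues"]) or "ok"
        print(f'{rule["public"]} -> {rule["target"]} ({rule["comment"]}): {status}')
```

A rule that matches on src-address or src-address-list limits the DVR to known viewers, and a target outside the LAN subnets usually means the rule was copied from another setup.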