The recommended procedure is to create one secure access-list named “SmartGate” which includes the SmartGate servers IP addresses that will be permitted to communicate with the OLTs.
The following example uses a “dummy” 192.168.200.2 OLT IP address. Replace 192.168.200.2 with your OLT private IP and adapt the script to match your network scenario.
# Create an address-list with SmartGate servers
/ip firewall address-list add address=fra.sudo-gate.com list=SmartGate
If you are not using Mikrotik, please contact support for the complete list of IPs to be allowed.
# Setup port forwarding.
Ex.: For packets received from source-address-list SmartGate the action will be dst-nat to => OLT_Private_IP_Address
To use more OLTs on the same public IP address, increment each external port (Ex. for OLT2 : 2334, 2323, 2162)
/ip firewall nat add action=dst-nat chain=dstnat \ dst-port=2333 protocol=tcp src-address-list=SmartGate \ to-addresses=192.168.200.2 to-ports=23 comment=SmartGate /ip firewall nat add action=dst-nat chain=dstnat \ dst-port=2322 protocol=tcp src-address-list=SmartGate \ to-addresses=192.168.200.2 to-ports=22 comment=SmartGate /ip firewall nat add action=dst-nat chain=dstnat \ dst-port=2161 protocol=udp src-address-list=SmartGate \ to-addresses=192.168.200.2 to-ports=161 comment=SmartGate
Do not forget to replace 192.168.200.2 with your OLT private IP address.
# Allow the OLT to contact SmartGate servers
/ip firewall nat add action=masquerade chain=srcnat \ dst-address-list=SmartGate comment=SmartGate
Packet-flow diagram using out-of-band [10/100 or mng1 or meth] management port:
