Hello,
i have a question with Forward a Port over VPN.
my Config:
Router 3G (192.168.168.1) > Router Mikrotik Site A (192.168.168.2) > VPN Tunnel Site B UMTS Uplink (PPTP Client Local Adress 172.16.1.2) > Router DSL (192.168.169.1) > Router Mikrotik Site B (192.168.169.2) > VPN Server (PPTP Sever Local Adress 172.16.1.1).
i have Forwarded all Ports from the Router DSL to the Mikrotik Site B.
i have create a Nat rule dstnat protocol=tcp dst-port=5060 action=dst-nat to-addresses=192.168.168.234 to-ports=5060
I have create a hairpin rule srcnat dst-address=192.168.168.234 src-address=!192.168.169.0/24 action=src-nat to-addresses=192.168.169.2
all works, but on the Server runs Fail2Ban, i receive always the IP 192.168.169.2 when a is Client connected over WAN.
i need a solution to forward the Real Public IP to the server with runs Fail2Ban.
can anyone help me?
Thanks
Re: Dest. Nat over VPN
i need to masquerade somethink?
Fail to Ban block my allways and i need to reset de device.
Please, Please can help me someone.
Thanks
Fail to Ban block my allways and i need to reset de device.
Please, Please can help me someone.
Thanks
Re: Dest. Nat over VPN
nat is for "hiding" your ip behind the device. So i think you should not NAT anything. Just make an acceptrule in the nat-table. But you need to make sure that all devices know where they find the networks, so it may be nessesary to add the routes in the routingtable.
Re: Dest. Nat over VPN
Hello,
thanks for your replay.
i have make some test, and probability i have found de my config Bug.
(1.JPG) on the second Router i Recive the Packet with the real Public IP.
My Problem(Question) is , to tell the Router to Respons over the Roter 192.168.169.2 and not to exit over the default gateway...
how i can set this?
thanks for your replay.
i have make some test, and probability i have found de my config Bug.
(1.JPG) on the second Router i Recive the Packet with the real Public IP.
My Problem(Question) is , to tell the Router to Respons over the Roter 192.168.169.2 and not to exit over the default gateway...
how i can set this?
You do not have the required permissions to view the files attached to this post.
Re: Dest. Nat over VPN
If you forward port to completely different remote network with own internet connection, you need hairpin srcnat rule, because it makes it work. Without it, replies would be sent using the remote connection and it would not work.
It might be possible even without srcnat, if you find a different way how to send replies back via VPN. For that, you'd need to mark connections coming from VPN on remote router, add another routing table with default route to VPN and then mark routing for reply packets to send them to VPN. Then you'd have to do the same on server, mark connections from VPN, add routing table with remote router as default gateway and set routing for reply packets to use it. If you have Fail2ban there, it's probably some Linux, so it should be possible. You could recognize packets from VPN by their source MAC address (the one of remote router's LAN interface).
It might be possible even without srcnat, if you find a different way how to send replies back via VPN. For that, you'd need to mark connections coming from VPN on remote router, add another routing table with default route to VPN and then mark routing for reply packets to send them to VPN. Then you'd have to do the same on server, mark connections from VPN, add routing table with remote router as default gateway and set routing for reply packets to use it. If you have Fail2ban there, it's probably some Linux, so it should be possible. You could recognize packets from VPN by their source MAC address (the one of remote router's LAN interface).
Who is online
Users browsing this forum: No registered users and 27 guests