cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

VPN and NAT

Thu Dec 28, 2006 2:48 am

I need to know this: does MikroTik's NAT handle passing a VPN tunnel through it? I have several clients that are dependent on this working and I have had little success with it. I've been using a 1-to-1 NAT to try and get it to work. I had it working with a software VPN, but when I tried again with another client it didn't work. Another client has a hardware router-to-router VPN and this also doesn't work. I have a hotspot controller enabled on this box as well and am using IP bindings to bypass the hotspot for these clients.

Here are the rules I'm using in the NAT for the 1-to-1 mapping (output of /ip firewall nat print):
 0   ;;; CWL Airport VPN
     chain=dstnat dst-address=204.244.66.xxx action=dst-nat 
     to-addresses=10.10.0.xxx to-ports=0-65535 

 1   chain=srcnat src-address=10.10.0.xxx action=src-nat 
     to-addresses=204.244.66.xxx to-ports=0-65535 

 2   ;;; CMA Airport VPN
     chain=dstnat dst-address=204.244.66.xxx action=dst-nat 
     to-addresses=10.10.0.xxx to-ports=0-65535 

 3   chain=srcnat src-address=10.10.0.xxx action=src-nat 
     to-addresses=204.244.66.xxx to-ports=0-65535
The 204.244.66.xxx addresses are the public IPs we've been assigned by our upstream provider. I have one public address assigned to the public interface per client so that the 1-to-1 NAT works for each of them.

If you need to see any other rules I'm using or have any further questions, please post what it is you need and I'll supply the information.

I'm using MikroTik RouterOS 2.9.28.
 
mneumark
Member
Posts: 370
Joined: Thu Jun 08, 2006 7:20 am
Location: Escalon, CA

Thu Dec 28, 2006 8:43 am

Your NAT rules look OK. Do you have any firewall rules?
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Thu Dec 28, 2006 7:10 pm

Yes, I have several firewall rules, but nothing stands out as the likely culprit for blocking this traffic. Would you like me to post them?
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Thu Dec 28, 2006 8:02 pm

What type of VPN? PPTP, L2TP or other? Are you using the NAT helpers in MT? You should be able to get these to work, but we need more info to know.

Sam
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Thu Dec 28, 2006 8:09 pm

I'm not sure what type of VPN they are, be it PPTP or L2TP. I'm unfamiliar with what the NAT helpers are in MT; could you clarify this for me?

All I do know about these VPNs is that one client has a software VPN client to Johnson & Johnson and it worked. Another client is using a different software VPN to Air Canada. The last VPN is a hardware router-to-router VPN using a Linksys router. The last two didn't work.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Thu Dec 28, 2006 8:22 pm

/ ip firewall service-port
set gre disabled=no
set pptp disabled=no

This will help GRE get through, as well as PPTP tunnels. You should make sure you are allowing protocol 47 (not port 47) through as well.

It should work. If not, it's probably time to start packet sniffing / logging and seeing where things are stopping.

Sam
 
cpelect
Frequent Visitor
Topic Author
Posts: 50
Joined: Wed Aug 30, 2006 12:17 am

Fri Dec 29, 2006 1:09 am

changeip wrote:
    / ip firewall service-port
    set gre disabled=no
    set pptp disabled=no

Thanks for that. I'll log into my router and verify that I don't have these set to disabled.

Edit: I checked those settings and I did have them disabled. For the other item you mention, protocol 47 (GRE), what would be a good way to structure the rule to allow it through the firewall?
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Fri Dec 29, 2006 2:46 am

I believe you allow that GRE with connection-state=related, just like with established. Since the helper would mark it in the connection-tracking table, the 'related' rule should allow it through on the forward chain.

Sam
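
Editor's note: the following is an added, worked RouterOS configuration that ties together the three pieces discussed in this thread (the 1-to-1 NAT rules from the first post, the service-port helpers, and the forward-chain filter rules from the last reply). It is not any poster's actual configuration. The addresses 203.0.113.10 (public 1:1 address), 10.10.0.10 (the client's private address) and the interface name ether1 are placeholders; only PPTP (TCP/1723 plus GRE, IP protocol 47) is covered, since that is the VPN type the helpers in the thread apply to.

```routeros
# Added example, not from any post in this thread. Placeholders:
#   203.0.113.10  public address used for the 1:1 mapping
#   10.10.0.10    the client's private address behind the router
#   ether1        the public-facing interface

# 1. Connection-tracking helpers. With pptp enabled, the router follows the
#    TCP/1723 control connection and marks the GRE tunnel it sets up as
#    "related" to it in the connection table.
/ip firewall service-port
set pptp disabled=no
set gre disabled=no

# 2. 1:1 NAT for the client. No protocol and no to-ports on purpose:
#    to-ports only has meaning for TCP/UDP, and GRE has no ports, so the
#    rules must match every IP protocol or the tunnel itself is not translated.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 \
    action=dst-nat to-addresses=10.10.0.10 comment="client VPN 1:1 inbound"
add chain=srcnat out-interface=ether1 src-address=10.10.0.10 \
    action=src-nat to-addresses=203.0.113.10 comment="client VPN 1:1 outbound"

# 3. Forward-chain filter. dst-nat happens in prerouting, before the forward
#    chain, so these rules see the private address 10.10.0.10, not 203.0.113.10.
#    Rules are evaluated top-down: any drop rule placed above these wins.
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept \
    comment="GRE marked related by the pptp helper is accepted here"
add chain=forward protocol=tcp dst-address=10.10.0.10 dst-port=1723 \
    action=accept comment="PPTP control channel"
add chain=forward protocol=gre dst-address=10.10.0.10 action=accept \
    comment="IP protocol 47 (not TCP/UDP port 47); explicit in case the helper does not mark it"
add chain=forward connection-state=invalid action=drop

# 4. Diagnostics, as suggested in the thread: log GRE that reaches the
#    forward chain so you can see whether packets arrive and where they stop.
add chain=forward protocol=gre action=log log-prefix="gre-fwd"
```

Two caveats a practitioner would want here. First, the inbound dst-nat rule above exposes every port of 10.10.0.10 to the Internet; if a client only needs PPTP, narrow it to two rules (protocol=tcp dst-port=1723 and protocol=gre) instead of a protocol-less mapping, and keep the forward chain as the place where unwanted inbound traffic is dropped. Second, the thread never establishes what the Air Canada client and the Linksys router-to-router VPN actually use; if they turn out to be IPsec rather than PPTP, the same pattern applies with different matches: UDP/500 (IKE), UDP/4500 (NAT-T) and IP protocol 50 (ESP), again a protocol, not a port. Verify what is in the connection table with /ip firewall connection print while the client attempts to connect.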