RalfRademacher
just joined
Topic Author
Posts: 13
Joined: Thu May 17, 2018 10:33 pm

Forward Ports from WAN to PPTP Client

Thu May 17, 2018 10:51 pm

Hi, my name is Ralf.

I'm new here and have tried to find a solution to the problem named in the subject.

My configuration is the following:

Static WAN IP address (109.73.X.X, which I get via PPPoE-Out1 on an RB2011UiAS).
The router itself has 192.168.178.0/24 as its internal IP range.
Then I set up a PPTP server on it with the range 192.168.110.0/24.
The RB2011UiAS has 192.168.110.1 (beginning of the VPN).

On the client side
there is a Huawei B528s-23a to establish the connection to the Internet via LTE;
it has the range 192.168.188.0/24.

Behind this there is a hAP ac lite which I use to connect to the PPTP server.
The router itself has 192.168.111.0/24 as its internal IP range.
I have set up a PPTP client on it.
The hAP ac lite has 192.168.110.250 (end of the VPN).

I can ping in both directions.
When I call the IP of the VPN client in a browser, I end up in the web interface of the hAP ac lite. So far so good.

Now I want to forward some ports from the RB2011UiAS via the VPN to the hAP ac lite.

Is this possible?
If yes, what do I have to do to make it work?

Example:

109.73.X.X:443 -> RB2011UiAS -> VPN connection -> 192.168.110.250:443 and from there to 192.168.111.254:443 (the PC which is connected to the other end of the hAP ac lite's VPN client)

I hope you can help me.

Regards,
Ralf
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Forward Ports from WAN to PPTP Client

Mon May 21, 2018 2:22 am

It's relatively simple. You can forward the port as usual; you just need to make sure that you have proper routes both ways and correctly configured firewalls. The tricky part is when the target network with the server has a different default gateway, but it might not be a problem in your case, if the PC 192.168.111.254 has hapAClite as its default gateway.

So basically you need to tell the RB2011UiAS that 192.168.111.0/24 is reachable behind 192.168.110.250, which can be done in "/ppp secret", parameter "routes". Then forward the port using dstnat to 192.168.111.254:443. Or you can skip that and only use dstnat on both the RB2011UiAS (to 192.168.110.250:443) and then also on hapAClite (to 192.168.111.254:443).

The return path should just work if hapAClite is the PC's default gateway and if you make the VPN the default gateway for hapAClite. If either of these is not true, you can either add srcnats, so that the connection would look as if coming from 192.168.110.1 and 192.168.111.1(?) respectively, which would make replies take the correct way back. You'd lose the original source addresses. Or you'd need to mark forwarded connections and then use route marking to send them back the right way.

You can find some inspiration in this thread (it's about forwarding a whole IP address through a tunnel; you don't need that, but routing the replies back is the same).
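The setup Sob describes, written out as RouterOS v6 configuration for both routers. This is an added example, not configuration posted in this thread. It assumes the interface names pppoe-out1 (RB2011UiAS WAN), pptp-out1 (hAP ac lite tunnel) and bridge (hAP ac lite LAN), the PPP secret name hapaclite with a placeholder password, and keeps the thread's elided public address 109.73.X.X as written. One caveat a practitioner should keep in mind: PPTP's MS-CHAPv2 authentication and MPPE encryption have been practically broken for years, so the tunnel gives no real confidentiality against an on-path attacker; the routing and NAT logic below is the same for any RouterOS tunnel type that hands the client a tunnel address.

```routeros
# --- RB2011UiAS: PPTP server, public address on pppoe-out1 ---
# The "routes" parameter installs 192.168.111.0/24 via the client's tunnel
# address (192.168.110.250) for as long as this secret is connected.
# Format of each entry: "dst-address gateway metric".
/ppp secret
add name=hapaclite password=CHANGE-ME service=pptp \
    local-address=192.168.110.1 remote-address=192.168.110.250 \
    routes="192.168.111.0/24 192.168.110.250 1"

# Forward TCP/443 arriving from the Internet to the PC behind the hAP ac lite.
# in-interface keeps the rule from matching LAN traffic aimed at the public IP.
/ip firewall nat
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.111.254 to-ports=443 \
    comment="WAN:443 -> PC behind hAP ac lite (through PPTP)"

# Allow exactly that forwarded flow and nothing else from the WAN.
# Put this above any "drop from WAN" rule in the forward chain; the default
# "drop all from WAN not DSTNATed" rule already passes dst-nat'ed traffic.
/ip firewall filter
add chain=forward in-interface=pppoe-out1 connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.111.254 dst-port=443 action=accept \
    comment="allow forwarded 443 to PC"

# (Sob's alternative to "routes": dst-nat here to 192.168.110.250:443 and a
#  second dst-nat on the hAP ac lite from 192.168.110.250:443 to
#  192.168.111.254:443. Then the RB2011 never needs a route for 192.168.111.0/24.)

# --- hAP ac lite: PPTP client ---
# add-default-route=yes makes the tunnel the default gateway, so the PC's
# replies (PC -> hAP ac lite -> tunnel) retrace the path the request took.
# The PC 192.168.111.254 must use the hAP ac lite (192.168.111.1) as gateway.
/interface pptp-client
add name=pptp-out1 connect-to=109.73.X.X user=hapaclite password=CHANGE-ME \
    add-default-route=yes disabled=no

# Alternative when the LTE uplink must stay the default gateway: remember
# which connections came in through the tunnel and route only their replies
# back into it. Replace add-default-route=yes with =no above if you use this.
/ip firewall mangle
add chain=prerouting in-interface=pptp-out1 connection-state=new \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes \
    comment="tag connections that entered via the tunnel"
add chain=prerouting in-interface=bridge connection-mark=from-vpn \
    action=mark-routing new-routing-mark=via-vpn passthrough=no \
    comment="PC replies of tagged connections use the via-vpn table"
/ip route
add dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=via-vpn \
    comment="default route for via-vpn marked packets"
```

Check the result from the Internet side with a connection to 109.73.X.X:443 while watching `/ip firewall connection print where dst-address~"192.168.111.254"` on both routers: the RB2011 should show the connection dst-nat'ed to 192.168.111.254, and the hAP ac lite should show it arriving on pptp-out1 and leaving on the bridge. If the request reaches the PC but the browser hangs, the reply is leaving via the LTE path instead of the tunnel, which is the routing-mark case above.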
 
RalfRademacher
just joined
Topic Author
Posts: 13
Joined: Thu May 17, 2018 10:33 pm

Re: Forward Ports from WAN to PPTP Client

Mon May 21, 2018 6:31 pm

Thank you very much.
 
RalfRademacher
just joined
Topic Author
Posts: 13
Joined: Thu May 17, 2018 10:33 pm

Re: Forward Ports from WAN to PPTP Client

Wed May 23, 2018 9:37 am

Hi Sob,
one more question on this topic.
Now, behind the hAP ac lite, there is another small business server called Intranator.
Behind it there are all the clients.
Now if a client tries to call the webmail site, the connection times out.

The webmail site is an iframe out on the WWW which tries to connect to my external IP:443.

When I call it from outside it works; from behind the RB2011 it works too, because I found a working NAT rule.
But from behind the hAP ac lite it doesn't work.

If I run tracert [webmailsite] from a client behind it, it is routed via the VPN tunnel.
If I run it from the hAP ac lite's built-in traceroute, it is routed via the access point's connection.

Because only clients call the webmail site, I think the route via the VPN tunnel is normally used.
But on which of the two MikroTiks do I have to do what, to redirect calls to external IP:443 so they go back to 192.168.110.250?

Regards,
Ralf
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Forward Ports from WAN to PPTP Client  [SOLVED]

Fri May 25, 2018 4:25 am

I don't know what exact config you used, and it makes a lot of difference. Probably the most efficient way would be to use hairpin NAT on hapAClite, to save the packets an unnecessary trip to the public address and back. The basic principle is described here. In your case you'd need a dstnat rule with dst-address=109.73.X.X, to intercept outgoing packets right on hapAClite before they go out and redirect them back to the internal server. And then a srcnat rule as explained in the linked article.

Edit: Actually, an even more efficient way would be to use a static DNS record on hapAClite, and send requests directly to the right internal address. But it would only work if all clients behind hapAClite use it as their DNS resolver. Also, if you only forward some ports to this server, it might not be possible to use this way, if some other ports on the same address would go elsewhere.
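The hairpin NAT Sob describes, written out for the hAP ac lite (RouterOS v6). This is an added example, not configuration from the thread. It assumes the clients, or the Intranator that NATs them, are in 192.168.111.0/24, that the forwarded server is still 192.168.111.254:443 from Ralf's original example, and it keeps the elided public address 109.73.X.X as written. The static DNS alternative from Sob's edit uses the placeholder name vpn-server.example.com, standing in for whatever hostname the iframe uses for the public address.

```routeros
# hAP ac lite: hairpin NAT for LAN clients that connect to the public
# address 109.73.X.X:443, which really lives at 192.168.111.254 on this LAN.
/ip firewall nat
# 1) Catch LAN-originated connections to the public address before they leave
#    (via the tunnel or via LTE) and point them at the internal server.
#    src-address keeps this rule from touching anything arriving via the tunnel.
add chain=dstnat src-address=192.168.111.0/24 dst-address=109.73.X.X \
    protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.111.254 \
    to-ports=443 comment="hairpin: LAN -> public:443 -> internal server"
# 2) Client and server share a subnet, so without this the server would answer
#    the client directly; the client would see a reply from 192.168.111.254 to a
#    connection it opened to 109.73.X.X and drop it. Masquerading makes the
#    server reply to the router, which un-NATs both directions.
#    The dst-address already holds the translated value, because dst-nat runs
#    in prerouting before src-nat is evaluated in postrouting.
add chain=srcnat src-address=192.168.111.0/24 dst-address=192.168.111.254 \
    protocol=tcp dst-port=443 action=masquerade \
    comment="hairpin: force replies back through this router"

# Alternative from Sob's edit: resolve the name straight to the internal host.
# Works only for clients that use the hAP ac lite as resolver, only if the
# iframe references a hostname rather than the literal IP, and only if every
# forwarded port of that name lives on the same internal host.
/ip dns static
add name=vpn-server.example.com address=192.168.111.254
# allow-remote-requests lets LAN clients query this router. The default
# firewall drops input from the WAN, so port 53 is not exposed to the
# Internet; verify that if you have replaced the default input chain.
/ip dns set allow-remote-requests=yes
```

Verify from a LAN client with `curl -vk https://109.73.X.X/` (or a browser) and on the hAP ac lite with `/ip firewall connection print where dst-address~"192.168.111.254:443"`: a hairpinned connection shows the client's address as src-address, 109.73.X.X:443 as dst-address and 192.168.111.254:443 as reply-src-address, and it must not appear on the RB2011 at all.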
 
RalfRademacher
just joined
Topic Author
Posts: 13
Joined: Thu May 17, 2018 10:33 pm

Re: Forward Ports from WAN to PPTP Client

Fri May 25, 2018 10:09 am

Thank you very much. It solved the final problem now.
 
jeremiedigre
just joined
Posts: 4
Joined: Thu Feb 21, 2019 9:33 am

Re: Forward Ports from WAN to PPTP Client

Tue Feb 26, 2019 1:10 pm

Hello everyone. Please, I have a concern, the same as Ralf's. I have set up a PPTP VPN between two sites, A (192.168.2.0) and B (192.168.1.0), which works very well, but I want to go through the Internet to reach a machine on my local site, i.e. network B, as public IP:port -> VPN -> local network machine. For example 156.202.X.X:8963 -> VPN -> 192.168.1.32:80.
I tried the previous indications without success. Thanks for the help.
My routers are RB2011UiAS-2HnD.