DavidGB
newbie
Topic Author
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

PortForward through VPN

Wed Dec 04, 2019 6:09 pm

Hi,

I have a question about Port Forwarding.

I have a Mikrotik with a PPTP VPN Server with local address 10.0.0.1
Mikrotik with PPTP Client with IP address 10.0.1.1 and LAN 10.0.1.0/24

I have routes from Mikrotik server to Mikrotik client and vice versa and I can access from Mikrotik server (in VPN) to Mikrotik client LAN, for example to 10.0.1.150.

I'm trying to open dst-nat in Mikrotik Server with this configuration:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Conectino1" dst-port=\
    45000 in-interface=WAN log=yes log-prefix=test protocol=tcp \
    to-addresses=10.0.1.150 to-ports=80
But I can't access.
Is there something wrong?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: PortForward through VPN

Wed Dec 04, 2019 7:14 pm

A little, yes. Let's say a client with address 1.2.3.4 connects to <your server>:80. Server forwards the packet to 10.0.1.150 and assuming that everything else is configured correctly, it will reach the target device. Device sends response to 1.2.3.4, and what do you think will happen? It sends it directly to 1.2.3.4 using its own default route. So 1.2.3.4 expects response from <your server>, but it will get something unexpected from the address of your client router (or maybe not, firewall can block it, but in any case, it won't work).

The solution is to mark new connections (on client router) coming in via tunnel, add a new default route in a different routing table, and then mark routing for responses belonging to marked connections, to make them use this new routing table, i.e., to send them back to the VPN server.
 
DavidGB
newbie
Topic Author
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

Re: PortForward through VPN

Thu Dec 05, 2019 10:22 am

A little, yes. Let's say a client with address 1.2.3.4 connects to <your server>:80. Server forwards the packet to 10.0.1.150 and assuming that everything else is configured correctly, it will reach the target device. Device sends response to 1.2.3.4, and what do you think will happen? It sends it directly to 1.2.3.4 using its own default route. So 1.2.3.4 expects response from <your server>, but it will get something unexpected from the address of your client router (or maybe not, firewall can block it, but in any case, it won't work).

The solution is to mark new connections (on client router) coming in via tunnel, add a new default route in a different routing table, and then mark routing for responses belonging to marked connections, to make them use this new routing table, i.e., to send them back to the VPN server.
I can't do it... can you help me with my code?
My Server VPN Mikrotik Config is:

/interface bridge
add comment=Red_LAN name=LAN
/interface ethernet
set [ find default-name=ether1 ] comment=Proveedor_ISP name=WAN
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
/ip pool
add name=Red_LAN ranges=192.168.2.20-192.168.2.150
/ip dhcp-server
add address-pool=Red_LAN disabled=no interface=LAN name=DHCP_LAN
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.2.1/24 comment=Red_LAN interface=LAN network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.2.20-192.168.2.255 list=Src_Red_LAN
add address=192.168.2.11-192.168.2.20 list=Src_Administradores
add address=1.0.0.200 list=Src_AdministracionClientes
add address=1.0.0.0/20 list=Dst_Clientes
/ip firewall filter
add action=tarpit chain=input comment="##### Filtra IPs en Lista Negra #####" \
    protocol=tcp src-address-list="BLACKLIST TARPIT"
add action=add-src-to-address-list address-list="BLACKLIST TARPIT" \
    address-list-timeout=1m chain=input src-address-list=BLACKLIST
add action=drop chain=input log=yes log-prefix="DROP BlackList" \
    src-address-list=BLACKLIST
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=tarpit chain=input comment="##### Filtra IPs en Lista Negra #####" \
    protocol=tcp src-address-list="BLACKLIST TARPIT"
add action=add-src-to-address-list address-list="BLACKLIST TARPIT" \
    address-list-timeout=1m chain=input src-address-list=BLACKLIST
add action=drop chain=input src-address-list=BLACKLIST
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward comment=\
    "##### Permite el trafico establecido y relacionado #####" \
    connection-state=established,related
add action=accept chain=output connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward comment="##### Filtra Paquetes Invalidos #####" \
    connection-state=invalid log=yes log-prefix="DROP Invalid Packets"
add action=drop chain=input connection-state=invalid
add action=accept chain=forward comment=\
    "##### Prermite trafico Forward ##### PPTP Rexel" out-interface=LAN \
    src-address-list=Src_Red_Rexel
add action=accept chain=forward comment="##### Prermite trafico Forward #####" \
    src-address-list=Src_Administradores
add action=accept chain=forward src-address-list=Src_Red_LAN
add action=accept chain=forward dst-address-list=Dst_VPN_Usuarios \
    src-address-list=Src_VPN_Usuarios
add action=accept chain=forward dst-address-list=Dst_Clientes src-address-list=\
    Src_AdministracionClientes
add action=accept chain=input comment=\
    "##### Prermite trafico Input ##### - Conexiones PPTP" dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment=\
    "##### Prermite trafico Input ##### - Conexiones L2TP" dst-port=\
    1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="##### Prermite trafico Input ##### " \
    src-address-list=Src_Administradores
add action=drop chain=input comment="##### BLOQUEO POR DEFECTO #####" \
    log-prefix="INPUT DROP"
add action=drop chain=forward connection-nat-state="" log=yes log-prefix=\
    "FORWARD DROP"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat comment="Conexion LM Cliente 1" dst-port=52001 \
    in-interface=WAN log=yes log-prefix=test protocol=tcp to-addresses=\
    1.0.1.200 to-ports=80
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip route
add comment="Ruta Hacia Red de Cliente 1" distance=1 dst-address=1.0.1.0/24 \
    gateway=1.0.1.1
add comment="Ruta Hacia Red de Cliente 2" distance=1 dst-address=1.0.2.0/24 \
    gateway=1.0.2.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ppp secret
add local-address=1.0.0.1 name=Cliente1 remote-address=1.0.1.1 service=pptp
add local-address=1.0.0.1 name=Cliente2 remote-address=1.0.2.1 service=pptp
add local-address=1.0.0.1 name=AdministradorClientes remote-address=1.0.0.200 \
    service=pptp
/system clock
set time-zone-name=Europe/Madrid
And Client1 mikrotik config is:
/interface bridge
add comment="Salida red Interna" name=LAN
/interface ethernet
set [ find default-name=ether1 ] comment="Entrada Proveedor Internet" name=WAN
/ip pool
add name=DHCP_LAN ranges=1.0.1.20-1.0.1.150
/ip dhcp-server
add address-pool=DHCP_LAN disabled=no interface=LAN name=DHCP-LAN
/interface pptp-client
add connect-to=MIKROTIK_SERVER_PUBLIC_IP disabled=no name=Tunnel-PPTP profile=default user=Cliente1
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
/ip address
add address=192.168.10.2/24 interface=WAN network=192.168.10.0
add address=1.0.1.1/24 interface=LAN network=1.0.1.0
/ip dhcp-server network
add address=1.0.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=1.0.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip route
add distance=1 gateway=192.168.10.1
add distance=1 dst-address=1.0.0.0/24 gateway=1.0.0.1
/system clock
set time-zone-name=Europe/Madrid
Thanks so much
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: PortForward through VPN

Thu Dec 05, 2019 5:29 pm

I don't have much time right now, so I just skimmed through your configs, but what I was describing was (for client router):
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=pptp-client new-connection-mark=vpn-conn
add action=mark-routing chain=prerouting connection-mark=vpn-conn in-interface=LAN new-routing-mark=vpn-route
/ip route
add dst-address=0.0.0.0/0 gateway=pptp-client routing-mark=vpn-route
Hopefully that will get you going.

Btw, it's a really bad idea to use public IP ranges (your 1.x.x.x) in LAN if they are not yours.
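Putting Sob's explanation (the reply leaves the client router through its own default route instead of the tunnel) together with his mangle rules and the interface names from DavidGB's exports, here is an added, complete example for both routers; it is not a configuration posted by either participant. Assumed: the PPTP client interface is named Tunnel-PPTP and the bridge LAN (from the client export), the forwarded service is 10.0.1.150:80 behind public port 45000 (from the first post), and the address list Allowed_Remote is hypothetical, defined in the block.

```routeros
# Added example, not a config from this thread. Assumed names: Tunnel-PPTP, LAN,
# 10.0.1.150:80, public port 45000, and the hypothetical list Allowed_Remote.

# ---------- Client router (holds LAN 10.0.1.0/24 and the PPTP client) ----------
/ip firewall mangle
# 1. Tag every new connection that enters from the VPN server through the tunnel.
add chain=prerouting in-interface=Tunnel-PPTP connection-state=new \
    action=mark-connection new-connection-mark=vpn-conn passthrough=yes \
    comment="tag connections that arrived via the tunnel"
# 2. Replies for those connections arrive from the LAN; give them a routing mark
#    so the route lookup uses the vpn-route table instead of the main table.
add chain=prerouting in-interface=LAN connection-mark=vpn-conn \
    action=mark-routing new-routing-mark=vpn-route passthrough=no \
    comment="send replies of tunnel connections back through the tunnel"

/ip route
# 3. Default route used only by packets carrying the vpn-route mark (v6 syntax;
#    on RouterOS v7 create the table with "/routing table add name=vpn-route fib"
#    and write routing-table=vpn-route instead of routing-mark=).
add dst-address=0.0.0.0/0 gateway=Tunnel-PPTP routing-mark=vpn-route \
    comment="policy route back to the VPN server"

# ---------- VPN server router ----------
/ip firewall address-list
# Hypothetical list: only these sources may reach the forwarded port
# (203.0.113.0/24 is a constructed documentation range).
add list=Allowed_Remote address=203.0.113.0/24 comment="constructed example range"

/ip firewall nat
# Same dst-nat as the first post, limited to the allowed sources.
add chain=dstnat in-interface=WAN protocol=tcp dst-port=45000 \
    src-address-list=Allowed_Remote action=dst-nat \
    to-addresses=10.0.1.150 to-ports=80 comment="Conexion Cliente1 web"

/ip firewall filter
# Admit only the dst-natted connection in the forward chain; move this rule
# above the final "FORWARD DROP" rule of the server export.
add chain=forward connection-nat-state=dstnat protocol=tcp \
    dst-address=10.0.1.150 dst-port=80 action=accept \
    comment="allow forwarded web traffic to Cliente1"

# ---------- Checks on the client router after one test connection ----------
# Both mangle rule counters must increase:
/ip firewall mangle print stats
# The tracked connection must carry the mark:
/ip firewall connection print where connection-mark=vpn-conn
# The policy route must be active (flag A) while the tunnel is up:
/ip route print where routing-mark=vpn-route
```

Two caveats worth checking before blaming the rules. The mark-routing rule has to see every reply packet, so a fasttrack-connection rule on the client router would bypass the mangle chain and break the return path (the client export in this thread has none, which is fine). And the policy route only exists while Tunnel-PPTP is up, so if the tunnel drops the forwarded service silently stops working even though the LAN's normal internet access via the main table is untouched.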
 
DavidGB
newbie
Topic Author
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

Re: PortForward through VPN

Mon Dec 09, 2019 5:03 pm

I don't have much time right now, so I just skimmed through your configs, but what I was describing was (for client router):
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=pptp-client new-connection-mark=vpn-conn
add action=mark-routing chain=prerouting connection-mark=vpn-conn in-interface=LAN new-routing-mark=vpn-route
/ip route
add dst-address=0.0.0.0/0 gateway=pptp-client routing-mark=vpn-route
Hopefully that will get you going.

Btw, it's a really bad idea to use public IP ranges (your 1.x.x.x) in LAN if they are not yours.
Thanks! It works perfectly. I've changed the VPN IP to 10.x.x.x

I have a question about VPN connection:

I have VPN L2TP server and 2 users:
VPN_IP_Pool: 10.0.0.2-10.0.0.100
User1 with local address 10.0.0.1 and remote address: VPN_IP_Pool
User2 with local address 10.0.0.1 and remote address: VPN_IP_Pool

When I connect both users from different Public_IPs it works fine, but when I connect from the same LAN (different from the Mikrotik LAN) I can only connect with one of them.
When I connect the second user, Mikrotik disconnects the first.

Thanks so much