ccmks
newbie
Topic Author
Posts: 27
Joined: Sun May 31, 2020 7:51 pm

Mikrotik L2TP VPN IP Public Port Forward

Fri Aug 28, 2020 4:37 pm

Hello,

I am very new to Mikrotik, not much experience here.

Please see the picture first!

https://imgur.com/a/OFTV68D

We live in a very remote place where LTE and satellite internet are the only internet sources available. We need to access a web server from the outside internet, and of course the internet providers mentioned earlier don't have any public IP address. We found a vendor who rents out public IP addresses and delivers them using either L2TP or SSTP.

We configured L2TP on our MikroTik; it is connected and gets a public IP address. However, we have no idea how to port forward to the web server, which is on LAN 192.168.10.10/24.

Ideally, clients accessing from outside will use the public IP and the rest of the default traffic will go out via the LTE internet.

How can I accomplish that? I have very limited experience here, so I need step by step instructions in order to accomplish it.

Thank you
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Sun Aug 30, 2020 12:25 am

It's simple, it's like a regular dual-WAN config. You can forward ports as usual and you just need to make sure that if a request came from the tunnel, the response goes back the same way.

Minimal config for that is a new default route in a separate routing table:
/ip route
add dst-address=0.0.0.0/0 gateway=<IP address on the remote side of VPN tunnel> routing-mark=vpn
Then mark new connections coming from tunnel:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=<L2TP interface> new-connection-mark=from-vpn
And finally mark routing for responses:
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=from-vpn in-interface=<LAN interface> new-routing-mark=vpn
 
ccmks
newbie
Topic Author
Posts: 27
Joined: Sun May 31, 2020 7:51 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Tue Sep 01, 2020 2:58 pm

Tried it and it didn't work. I can't ping the 2nd public IP from the internet.

When you do this
/ip route
add dst-address=0.0.0.0/0 gateway=<IP address on the remote side of VPN tunnel> routing-mark=vpn

Which IP should I put as the gateway? Because when I dial L2TP, I get 1.0.0.1 as the remote address when it is connected.

If this is supposed to work, how can I allow ping to the 2nd IP?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Tue Sep 01, 2020 7:35 pm

I forgot one rule:
/ip firewall mangle
add action=mark-routing chain=output connection-mark=from-vpn new-routing-mark=vpn
And yes, the gateway should be the address on their side. If it's really 1.0.0.1, then on one hand it's completely wrong, because it's a public address that doesn't belong to them, but if it's there, it's what you should use.
 
ccmks
newbie
Topic Author
Posts: 27
Joined: Sun May 31, 2020 7:51 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Wed Sep 02, 2020 3:53 pm

Tried adding this one:
/ip firewall mangle
add action=mark-routing chain=output connection-mark=from-vpn new-routing-mark=vpn

Still doesn't work.

And yes, the gateway should be the address on their side. If it's really 1.0.0.1, then on one hand it's completely wrong, because it's a public address that doesn't belong to them, but if it's there, it's what you should use.

The L2TP works if I use a TP-Link WR840N router to dial out, and I also noticed the default gateway is 1.0.0.1 on the TP-Link router, so I know 1.0.0.1 should be working.

The public IP is a /32, for instance 129.129.129.10/32, and the gateway could be something totally different, like 55.56.57.51.

I don't know why they have that weird public IP, but that's how their network is designed. Even though the IP is a /32 and the gateway is not in the same subnet as the IP, the IP is still routable to the internet.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Wed Sep 02, 2020 5:01 pm

Then try some simple experiments. Make sure that incoming traffic to 129.129.129.10 works correctly. Add a logging rule:
/ip firewall mangle
add action=log chain=prerouting dst-address=129.129.129.10 protocol=icmp
Then ping 129.129.129.10 from outside and you should see it logged. Similarly, you can log responses:
/ip firewall mangle
add action=log chain=postrouting src-address=129.129.129.10 protocol=icmp
You can also test if gateway 1.0.0.1 is really ok; add a simple route without any routing marks to one selected address:
/ip route
add dst-address=8.8.8.8/32 gateway=1.0.0.1
And then, directly on the router, try a traceroute to it and see where it goes:
/tool traceroute address=8.8.8.8
It's also possible that the L2TP interface (instead of the IP address) would work as gateway, but I'm not completely sure right now.
 
ccmks
newbie
Topic Author
Posts: 27
Joined: Sun May 31, 2020 7:51 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Thu Sep 03, 2020 6:47 pm

/ip firewall mangle
add action=log chain=prerouting dst-address=129.129.129.10 protocol=icmp

No log appears in mangle (0 B)

Tried this one too:
/ip route
add dst-address=8.8.8.8/32 gateway=1.0.0.1

And this one:
/tool traceroute address=8.8.8.8

Can't ping, request timed out.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Thu Sep 03, 2020 7:21 pm

Ok, stupid question, how sure are you that your new public address does anything at all? If you use Tools->Torch on the L2TP interface, what do you see there? Any traffic to or from 129.129.129.10?
 
ccmks
newbie
Topic Author
Posts: 27
Joined: Sun May 31, 2020 7:51 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Fri Sep 04, 2020 4:21 am

how sure are you that your new public address does anything at all?

It works when I use my TP-Link WR840N router and dial L2TP from there. It gets the public IP and I can get out to the internet.

If you use Tools->Torch on the L2TP interface, what do you see there? Any traffic to or from 129.129.129.10?
I only see DNS queries for 8.8.8.8
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Fri Sep 04, 2020 7:02 am

You now have L2TP client with add-default-route=no, right? Can you test if it works when you change it to add-default-route=yes? It will route everything through VPN, but you'll see if it works or not. If it does, you can switch it back.

I tried a quick test and the L2TP interface works as gateway, so you don't need to deal with an IP address as gateway and you can use:
/ip route
add dst-address=0.0.0.0/0 gateway=<l2tp interface> routing-mark=vpn
You can then test it with e.g.:
/tool traceroute 8.8.8.8 routing-table=vpn
 
ccmks
newbie
Topic Author
Posts: 27
Joined: Sun May 31, 2020 7:51 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Fri Sep 04, 2020 3:02 pm

/ip route
add dst-address=0.0.0.0/0 gateway=<l2tp interface> routing-mark=vpn
Tried this one too and it doesn't work.

Can you test if it works when you change it to add-default-route=yes? It will route everything through VPN, but you'll see if it works or not. If it does, you can switch it back.
Doesn't work either.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik L2TP VPN IP Public Port Forward

Fri Sep 04, 2020 7:11 pm

Then you can try to export your config:
/export hide-sensitive file=myconfig
and paste the content of the resulting myconfig.rsc here in code tags. Hopefully there will be something wrong that can be fixed.
 
picasso1978
just joined
Posts: 2
Joined: Wed Aug 19, 2020 8:25 am

Re: Mikrotik L2TP VPN IP Public Port Forward

Wed Oct 28, 2020 8:53 am

/ip address
add address=1.1.1.115/24 interface=WAN network=1.1.1.0
/interface l2tp-client
add add-default-route=yes connect-to=xxx.com disabled=no max-mru=1500 max-mtu=1500 name=l2tp-out1 password=x user=x
/ip route
add distance=2 gateway=1.1.1.1
It works very well.
Please let me know if I helped.
 
elico
Member Candidate
Posts: 160
Joined: Mon Nov 07, 2016 3:23 am

Re: Mikrotik L2TP VPN IP Public Port Forward

Thu Oct 29, 2020 4:13 pm

Hey,
What have you tried until now?

There are some missing pieces needed to understand the technical issue.
Who is behind the MikroTik device?
What are the routes on the MikroTik device?
/ip route print
might help to understand.

What you technically need to do is add a dst-nat rule on the L2TP/SSTP interface with the local address, plus the corresponding firewall rules in the filter table.
I cannot assume what the technical setup is regarding what is in the MikroTik device.
If you would share more info, maybe via a supout.rif or other output from the device, I or others might be able to assist you.

And as a side note, an L2TP is a tunnel and should have a /32 address; the gateway for such a device is the device itself.
With the right settings you don't need to add anything else than configuring the tunnel and the DHCP client properly.
(Assuming the TP-Link was good enough for you)

Example firewall rules:
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.10.10
/ip firewall filter
add action=accept chain=forward comment="Accept ESTABLISH,RELATED" connection-state=established,related
add action=drop chain=forward comment="Drop INVALID" connection-state=invalid
add action=accept chain=forward comment="Accept NEW From LAN" connection-state=new in-interface-list=LAN
add action=accept chain=forward comment="ACCEPT DNAT FROM WAN" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="DROP New From WAN" connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow ESTABLISHED Related" connection-state=established,related
add action=accept chain=input comment="ipsec policy matcher" ipsec-policy=in,ipsec
add action=accept chain=input comment="Accept ICMP on WAN" connection-state=new in-interface-list=WAN protocol=icmp
add action=drop chain=input connection-state=new in-interface-list=WAN
Since there was an example of a TP-Link working, it should work the same on the MikroTik device.
It's not a dual-WAN scenario in the TP-Link, since it's converting the current default GW to the L2TP one.
In MikroTik the only main issue with this L2TP connection is that it will not fetch the published DNS servers.

Example L2TP from my setup:
/interface l2tp-client
add add-default-route=yes allow=pap,chap allow-fast-path=yes comment=ISP1 connect-to=isp-host.net.il default-route-distance=5 name=l2tp-out1 password=test user=test1
/ip dhcp-client
add add-default-route=yes default-route-distance=20 dhcp-options=hostname,clientid disabled=yes interface=ether1 use-peer-dns=yes use-peer-ntp=yes
/ip dns
set allow-remote-requests=yes servers=192.168.1.254,8.8.8.8
To verify whether FastPath or the route cache is the issue, you can set these to no:
/ip settings
set allow-fast-path=no route-cache=no
Let me know if some of this helps you.
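Added example, not code from any post in this thread: one complete RouterOS v6 configuration that puts together Sob's policy-routing pieces (the default route in a separate routing table, the connection mark for traffic arriving on the tunnel, and the routing marks for replies from the LAN and from the router itself) with elico's dst-nat and filter rules for the web server. The interface names l2tp-out1, lte1 and bridge are assumptions; the web server 192.168.10.10 and the rented address 129.129.129.10 are taken from the thread's own examples; the vendor host and credentials are placeholders.

```routeros
# Added example (not from the thread). Assumed names: l2tp-out1 = L2TP client,
# lte1 = LTE uplink, bridge = LAN. Web server 192.168.10.10, rented public
# /32 = 129.129.129.10 (values from the thread). Replace <...> placeholders.

/interface l2tp-client
# add-default-route=no: the LTE link stays the default for LAN traffic
add name=l2tp-out1 connect-to=<vendor host> user=<user> password=<password> \
    add-default-route=no disabled=no

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=lte1 list=WAN
add interface=l2tp-out1 list=WAN
add interface=bridge list=LAN

# Separate routing table "vpn" whose only route points into the tunnel.
# The main table keeps the LTE default route for everything else.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=vpn comment="default via VPN"

/ip firewall mangle
# 1) Remember which connections arrived through the tunnel.
add chain=prerouting connection-state=new in-interface=l2tp-out1 \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes
# 2) Replies from the LAN server for those connections use the "vpn" table.
add chain=prerouting in-interface=bridge connection-mark=from-vpn \
    action=mark-routing new-routing-mark=vpn passthrough=no
# 3) Replies generated by the router itself (e.g. ping to 129.129.129.10)
#    must also leave through the tunnel (the rule Sob added later).
add chain=output connection-mark=from-vpn \
    action=mark-routing new-routing-mark=vpn passthrough=no

/ip firewall nat
# Forward TCP/80 arriving on the tunnel to the web server.
add chain=dstnat in-interface=l2tp-out1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.10.10 to-ports=80
# Hide the LAN behind both uplinks for outgoing connections.
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new in-interface-list=LAN action=accept
# Only connections that matched a dst-nat rule are accepted from outside.
add chain=forward connection-state=new in-interface-list=WAN \
    connection-nat-state=dstnat action=accept
add chain=forward connection-state=new in-interface-list=WAN action=drop
```

With this in place, /tool traceroute 8.8.8.8 routing-table=vpn should show the path through the tunnel while a plain /tool traceroute 8.8.8.8 still leaves via LTE, and after a request from outside /ip firewall connection print where connection-mark=from-vpn lists the forwarded connection with its mark. The last filter rule is what keeps the rented public address from exposing anything beyond the explicitly forwarded port.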
