tiego
just joined
Topic Author
Posts: 11
Joined: Sun Jan 02, 2011 7:25 pm

Dest. Nat over VPN

Mon Aug 22, 2016 10:07 am

Hello,

I have a question about forwarding a port over VPN.
My config:

Router 3G (192.168.168.1) > Router Mikrotik Site A (192.168.168.2) > VPN Tunnel Site B UMTS Uplink (PPTP Client Local Address 172.16.1.2) > Router DSL (192.168.169.1) > Router Mikrotik Site B (192.168.169.2) > VPN Server (PPTP Server Local Address 172.16.1.1).

I have forwarded all ports from the Router DSL to the Mikrotik Site B.
I have created a NAT rule: dstnat protocol=tcp dst-port=5060 action=dst-nat to-addresses=192.168.168.234 to-ports=5060
I have created a hairpin rule: srcnat dst-address=192.168.168.234 src-address=!192.168.169.0/24 action=src-nat to-addresses=192.168.169.2

All works, but Fail2Ban runs on the server, and I always receive the IP 192.168.169.2 when a client is connected over WAN.
I need a solution to forward the real public IP to the server which runs Fail2Ban.

Can anyone help me?

Thanks
 
tiego
just joined
Topic Author
Posts: 11
Joined: Sun Jan 02, 2011 7:25 pm

Re: Dest. Nat over VPN

Mon Aug 22, 2016 9:06 pm

Do I need to masquerade something?
Fail2Ban always blocks me and I need to reset the device.

Please, please can someone help me.

Thanks
 
Unic
newbie
Posts: 48
Joined: Thu Jun 11, 2015 3:51 pm

Re: Dest. Nat over VPN

Tue Aug 23, 2016 12:47 am

NAT is for "hiding" your IP behind the device. So I think you should not NAT anything. Just make an accept rule in the NAT table. But you need to make sure that all devices know where they find the networks, so it may be necessary to add the routes in the routing table.
 
tiego
just joined
Topic Author
Posts: 11
Joined: Sun Jan 02, 2011 7:25 pm

Re: Dest. Nat over VPN

Wed Aug 24, 2016 12:11 pm

Hello,
Thanks for your reply.

I have made some tests, and probably I have found the bug in my config.

(1.JPG) On the second router I receive the packet with the real public IP.
My problem (question) is how to tell the router to respond over the router 192.168.169.2 and not to exit over the default gateway...

How can I set this?
 
tiego
just joined
Topic Author
Posts: 11
Joined: Sun Jan 02, 2011 7:25 pm

Re: Dest. Nat over VPN

Sat Aug 27, 2016 7:53 pm

No one has a solution for me?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dest. Nat over VPN

Mon Aug 29, 2016 5:22 pm

If you forward port to completely different remote network with own internet connection, you need hairpin srcnat rule, because it makes it work. Without it, replies would be sent using the remote connection and it would not work.

It might be possible even without srcnat, if you find a different way how to send replies back via VPN. For that, you'd need to mark connections coming from VPN on remote router, add another routing table with default route to VPN and then mark routing for reply packets to send them to VPN. Then you'd have to do the same on server, mark connections from VPN, add routing table with remote router as default gateway and set routing for reply packets to use it. If you have Fail2ban there, it's probably some Linux, so it should be possible. You could recognize packets from VPN by their source MAC address (the one of remote router's LAN interface).
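
The server-side half of the approach described in the post above, as an added example that is not part of the original thread: replies to connections that arrived from the VPN-side router's MAC are routed back through that router. It assumes a Linux server with iptables and iproute2; the mark value, table number, interface name and MAC address are assumptions, and commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread. MARK and TABLE are assumed free values.
MARK=0x1
TABLE=100

# Print each command (dry run) unless APPLY=1 is set, then execute it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# vpn_reply_routing ROUTER_LAN_MAC ROUTER_LAN_IP SERVER_IFACE
vpn_reply_routing() {
    valid_mac "$1"  || { echo "bad MAC: $1" >&2; return 1; }
    valid_ipv4 "$2" || { echo "bad gateway: $2" >&2; return 1; }
    [ -n "$3" ]     || { echo "missing interface" >&2; return 1; }
    # 1. New connections whose frames come from the router's LAN MAC
    #    get a connection mark.
    run iptables -t mangle -A PREROUTING -i "$3" -m mac --mac-source "$1" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # 2. Locally generated replies on those connections copy the
    #    connection mark to the packet mark before routing is re-evaluated.
    run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
    # 3. Marked packets use a separate table whose default route is the
    #    router instead of the server's normal default gateway.
    run ip route add default via "$2" dev "$3" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
}

# Dry run with a constructed MAC and the Site A router address from the thread:
#   vpn_reply_routing 00:11:22:33:44:55 192.168.168.2 eth0
```

Matching on source MAC works here only because the server and the router sit on the same LAN segment (192.168.168.0/24). The router still needs its own connection marking and routing table for the VPN, and the srcnat rule removed, before the server sees the real client address.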
