topbanana
just joined
Topic Author
Posts: 17
Joined: Wed Sep 19, 2018 2:52 pm

dstnat through site-to-site VPN

Fri Jun 05, 2020 12:57 pm

I can only get wireless Internet where I live, and that means CGNAT. I need to run some public services, so I'm running Mikrotik CHR inside a cheap Azure VM. Site-to-site VPN is working great, and all hosts can see each other at home and in the Azure subnet.

I've set up the public IP in Azure to forward to the Mikrotik. I've then set up a dstnat rule on the public ports, to my on-prem servers. However, it's not working. I can see the SYN packet leave the Mikrotik inside Azure, but I can't see anything on-prem. I'd have thought it should be under the firewall forwarding rules, but I'm not seeing it in my packet counts. Any idea what I'm missing?

Thanks
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: dstnat through site-to-site VPN

Fri Jun 05, 2020 8:17 pm

What kind of VPN is there? Can it transfer packets with any source address (any random address used by a client connecting to the service)? For example, if it were policy-based IPsec just between the local and remote subnets, it couldn't. The fix would be srcnat, changing the source address.
 
topbanana
just joined
Topic Author
Posts: 17
Joined: Wed Sep 19, 2018 2:52 pm

Re: dstnat through site-to-site VPN

Sun Jun 07, 2020 10:49 am

Hi, thanks for taking the time to reply.

It's an SSTP VPN, and hosts on either side can talk to each other via static routes.

I've discovered that I can't ping to addresses in my house from the Azure Mikrotik router itself, but on either side it routes fine.
 
topbanana
just joined
Topic Author
Posts: 17
Joined: Wed Sep 19, 2018 2:52 pm

Re: dstnat through site-to-site VPN

Sun Jun 07, 2020 1:17 pm

I've run a packet trace, which shows the SYN packets arriving at my home router over the VPN interface. The source address in the packets is the public external IP hitting Azure, not the Azure Mikrotik router itself as I was expecting.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: dstnat through site-to-site VPN

Tue Jun 09, 2020 3:18 am

Then you have two choices:

a) Use srcnat on the Azure Mikrotik router to change the real source address to the router's address. It's a simple way to make responses go back via the tunnel.

b) If you care about seeing real source addresses, then on the home router you need to mark new incoming connections from the tunnel, create a new routing table with a default gateway pointing to the tunnel, and mark routing for the responses to use this other routing table, which will send them to the tunnel.
 
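The dstnat rule from the opening post and Sob's two return-path options, written out as RouterOS v6 configuration. This is an added worked example, not configuration posted by anyone in the thread. Everything named here is an assumption: Azure translates the public IP to the CHR's private NIC address 10.0.0.4 on ether1; the SSTP tunnel is sstp-home on the CHR (10.255.0.1) and sstp-out1 on the home router (10.255.0.2); the published service is TCP/443 on a home server at 192.168.88.10.

```routeros
# ---- Azure CHR -----------------------------------------------------------
# Azure DNATs the public IP to the VM's private address (assumed 10.0.0.4 on
# ether1), so the dstnat rule matches that private address, not the public one.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=10.0.0.4 protocol=tcp \
    dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="public :443 -> home server over the tunnel"

# If the CHR has a forward-chain firewall, the translated flow must be allowed
# through; a rule like this is where the missing hit count would show up.
/ip firewall filter
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 out-interface=sstp-home action=accept \
    comment="allow dstnat'ed flows into the tunnel"

# Option (a): rewrite the source to the CHR's tunnel address. The home server
# then replies to 10.255.0.1, so the reply necessarily comes back over the
# tunnel. Cost: the server logs 10.255.0.1 instead of the real client.
/ip firewall nat
add chain=srcnat out-interface=sstp-home dst-address=192.168.88.10 \
    protocol=tcp dst-port=443 action=src-nat to-addresses=10.255.0.1 \
    comment="option (a): hide real client source behind tunnel address"

# ---- Home router: option (b), used INSTEAD of the srcnat rule above -------
# The real client source is preserved, so the server's reply would normally
# follow the main table's default route out the CGNAT WAN and never reach
# the client. Mark the connection on its first packet from the tunnel, then
# mark routing on the server's replies so they use a table whose only
# default gateway is the tunnel.
/ip firewall mangle
add chain=prerouting in-interface=sstp-out1 connection-state=new \
    protocol=tcp dst-address=192.168.88.10 dst-port=443 \
    action=mark-connection new-connection-mark=from-azure passthrough=yes \
    comment="tag connections that arrived via the Azure tunnel"
add chain=prerouting src-address=192.168.88.10 connection-mark=from-azure \
    action=mark-routing new-routing-mark=via-azure passthrough=no \
    comment="server replies: route via the tunnel table"

# Separate routing table containing only a default route through the tunnel
# (in v6 the table is created implicitly by the routing-mark on the route).
/ip route
add dst-address=0.0.0.0/0 gateway=sstp-out1 routing-mark=via-azure \
    comment="option (b): return path for tunnel-originated connections"

# The home router's own forward chain must also accept the new flow from the
# tunnel, since the client's source is an arbitrary Internet address.
/ip firewall filter
add chain=forward in-interface=sstp-out1 connection-state=new protocol=tcp \
    dst-address=192.168.88.10 dst-port=443 action=accept \
    comment="allow published service from the Azure tunnel"
```

On RouterOS v7 the table has to exist before the route references it (`/routing table add name=via-azure fib`) and the route uses `routing-table=via-azure` instead of `routing-mark=`. To confirm option (b) is working, `/ip firewall connection print` on the home router should show the TCP/443 entries carrying the from-azure connection mark, and a sniff on sstp-out1 should show the SYN-ACK leaving through the tunnel with the real client address as destination.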
topbanana
just joined
Topic Author
Posts: 17
Joined: Wed Sep 19, 2018 2:52 pm

Re: dstnat through site-to-site VPN

Wed Jun 10, 2020 10:41 am

Aha yes that makes a lot of sense. I forgot you could mark connections like that. I'll give them a try, thanks!