Port forward WAN router A through IPsec to router B

Posted: Tue Jul 13, 2021 12:49 pm
by frot
Hello,

I have two routers and an IPsec tunnel between router A and B; the IPsec tunnel works fine.
I want to port forward port 443 from WAN on Router A over IPsec to a server behind router B. How do I do this in the best way?

Router A (192.168.0.1)
Lan 192.168.0.0/24

Router B (192.168.66.1):
Lan 192.168.66.0/24
Server IP 192.168.66.100

Re: Port forward WAN router A through IPsec to router B

Posted: Tue Jul 13, 2021 2:53 pm
by Husky
Hi,

You need to use both dst-nat and src-nat rule on router A.

If you use /ip firewall raw to bypass connection tracking for that IPsec tunnel, then this will not work as connection tracking is required for NAT to work properly. If you use /ip firewall raw for the IPsec tunnel, you must move to /ip firewall filter instead so that connection tracking works. This will reduce performance very slightly depending on RouterBOARD model, I did not notice much performance loss with my hAP ac^2. Unless someone else knows another way, I had to do this on my setup.

First, create a src-nat rule. The reason you need this src-nat rule is because you need to replace the source address of the packets coming in from WAN side on router A with router A's IP address, otherwise your server will try to send a reply straight back to the client that is connecting and the client will drop that connection because it expects a reply back from router A's WAN address. (packet must come from client to router A, then go through IPsec to server behind router B, then server must respond back through IPsec tunnel to router A, then router A responds to client).
/ip firewall nat add action=src-nat chain=srcnat dst-port=443 protocol=tcp to-addresses=192.168.0.1
Breakdown:
action=src-nat (replace source address with another source address)
dst-port=443 (match port 443, replace if you are forwarding a different port)
protocol=tcp (match tcp protocol, replace if forwarding another protocol)
to-addresses=192.168.0.1 (the packet source address is replaced with 192.168.0.1 so it looks like it is coming from router A)

After that, create a dst-nat rule. The dst-nat rule is configured exactly the same as any other dst-nat port-forwarding rule, except just specify the server internal IP from router B subnet (192.168.66.x) in the rule on router A as if it was just a normal device on the network.
/ip firewall nat add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.66.x
You must create both of these NAT rules (src-nat and dst-nat) for every port that you want to forward.

Hopefully this helps you!

Re: Port forward WAN router A through IPsec to router B

Posted: Tue Jul 13, 2021 3:04 pm
by frot
Thanks for a good description and it worked exactly as I wanted.

Thank you and have a good summer!

Re: Port forward WAN router A through IPsec to router B

Posted: Wed Jul 14, 2021 11:01 am
by frot
Hello again,

The two NAT rules affect the normal surfing traffic; it seems that all internal https traffic is sent to the other router.
How can I filter so that the normal internal https traffic in router A goes out to the internet and not to router B?

Re: Port forward WAN router A through IPsec to router B

Posted: Wed Jul 14, 2021 7:24 pm
by Husky
Hi,

You can specify "In. Interface" for the dst-nat rule to be the WAN of router A, as well as "Out. Interface" to be LAN interface (most likely bridge) for the src-nat rule of router A.

For example, if your WAN interface is ether1, then in-interface=ether1 would work. Otherwise, if using PPPoE internet connection for WAN, then in-interface=pppoe-out1 (or whatever the PPPoE client interface name is) will work.

You may also have to modify the src-nat rule as well, but remember that you cannot match incoming interface in src-nat rule since it is in the outgoing or post-routing phase. You can try matching Out. Interface as bridge or whatever you use for local LAN interface.

To summarize:
src-nat rule: Out. Interface as LAN interface (for example: bridge)
dst-nat rule: In. Interface as WAN interface (for example: ether1, or pppoe-out1, depending on WAN connection)
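A small Python model of the two RouterOS NAT chains as this thread uses them, added here as an illustration and not part of any forum post: it shows why the first pair of rules also catches LAN browsers' HTTPS traffic (the problem reported above) and how the in-interface matcher from the last reply restricts forwarding to packets arriving on the WAN. The interface names (ether1, bridge), the sample client addresses and the dst-address scoping on the src-nat rule are assumptions of the model; the thread itself proposes matching Out. Interface on that rule.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (RouterOS "In. Interface")
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"

def matches(rule, pkt):
    """Every matcher present in the rule must hold; absent matchers match anything."""
    for key in ("in_iface", "dst_port", "proto"):
        if rule.get(key) not in (None, getattr(pkt, key)):
            return False
    net = rule.get("dst_address")
    return not net or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(net)

def run_chain(rules, pkt):
    """First matching rule wins and rewrites one address, as in a RouterOS NAT chain."""
    for rule in rules:
        if matches(rule, pkt):
            field = "dst" if rule["action"] == "dst-nat" else "src"
            return replace(pkt, **{field: rule["to"]})
    return pkt

def nat(pkt, dstnat_rules, srcnat_rules):
    """dstnat runs in prerouting (before the routing decision), srcnat in postrouting."""
    return run_chain(srcnat_rules, run_chain(dstnat_rules, pkt))

ROUTER_A_LAN = "192.168.0.1"
SERVER = "192.168.66.100"      # server behind router B, from the question

# Rules as first posted: every TCP/443 packet entering router A is matched.
ORIGINAL_DSTNAT = [dict(action="dst-nat", dst_port=443, proto="tcp", to=SERVER)]
# Refinement from the last reply: only packets arriving on the WAN (ether1 assumed).
REFINED_DSTNAT = [dict(action="dst-nat", dst_port=443, proto="tcp",
                       in_iface="ether1", to=SERVER)]
# src-nat scoped to router B's LAN (assumption; the thread suggests Out. Interface).
SRCNAT = [dict(action="src-nat", dst_port=443, proto="tcp",
               dst_address="192.168.66.0/24", to=ROUTER_A_LAN)]

# Constructed sample packets, using documentation address ranges.
WAN_CLIENT = Packet("ether1", "203.0.113.7", "198.51.100.20", 443)   # to router A's WAN IP
LAN_BROWSER = Packet("bridge", "192.168.0.50", "198.51.100.99", 443)  # LAN user browsing
```

With ORIGINAL_DSTNAT the LAN browser's connection is rewritten to the server and pulled into the tunnel; with REFINED_DSTNAT it passes untouched while the WAN client is still forwarded with router A's address as source.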