Hi all, I have a VPN connection with an L2TP interface.
I managed to establish a connection from my server computer (web) to my customer computer (local network) via my PUBLIC IP.
I have not managed to establish a connection from my local network.
I have already looked at hairpin NAT, but with no success. I may have made a mistake in my configuration.
CASE 1
I managed to establish a connection with this scheme:
My customer computer (web) <==> (PUBLIC IP) ROUTER (LOCAL IP) <==> My server computer (local)
CASE 2
One method that allows a connection between my customer computer and the server computer is
hairpin NAT, but in that case what is the out-interface — LAN?
My customer computer (Local IP) <==> (LOCAL IP) ROUTER (PUBLIC IP HERE ?) <==> My server computer (local)
CASE 3
But in my case, I have a BGP connection to another network over an L2TP interface.
I suppose I have this scheme:
My customer computer (Local IP) <==> (LOCAL IP) ROUTER (PUBLIC IP HERE ?) <==> VPN via BGP IP <==> (PUBLIC IP) ROUTER (LOCAL IP) <==> My server computer (local)
I have not managed to establish a connection to my local server computer.
Here is my full configuration:
# Loopback0 carries the BGP-announced public IPv4 (see /ip address); bridge1 is the LAN.
/interface bridge
add name=Loopback0
add name=bridge1
# Two access points bridged into the LAN (see /interface bridge port).
# NOTE(review): wlan2 runs with country=no_country_set; confirm the regulatory domain.
/interface wireless
set [ find default-name=wlan1 ] country=france frequency=2427 mode=ap-bridge \
ssid=Home wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set \
disabled=no frequency-mode=manual-txpower mode=ap-bridge ssid=\
home_5Ghz
# Single default security profile (WPA2-PSK) shared by both radios; the PSK is redacted here.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa2-pre-shared-key=XXXXXXXXX
# Hotspot profile is present but no hotspot server is defined in this export.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# LAN DHCP: pool 10.0.29.10-.200 served on bridge1 (network details under /ip dhcp-server network).
/ip pool
add name=LAN ranges=10.0.29.10-10.0.29.200
/ip dhcp-server
add address-pool=LAN disabled=no interface=bridge1 name=LAN
# Two L2TP client tunnels to the VPN provider; the BGP sessions below run over them.
# Only MS-CHAPv2 is allowed; passwords are redacted in this paste.
# NOTE(review): "password= XXX" on l2tp0 has a space after "=". If that is not a
# paste artifact, RouterOS would read an empty password and a stray argument.
/interface l2tp-client
add allow=mschap2 allow-fast-path=yes connect-to=80.XXX.XXX.30 disabled=no \
name=l2tp0 password= XXXXXXXXXXXXXXXXXXX profile=default user=\
g_cust
add allow=mschap2 allow-fast-path=yes connect-to=80.XXX.XXX.31 disabled=no \
name=l2tp1 password=XXXXXXXXXXXXXXXXXXX profile=default user=\
g_cust
# Two BGP instances, both local AS 48000 (the instance names say AS60003 -- names only).
# The IPv4 instance installs its routes into routing table "vpn", which is the table
# the /ip firewall mangle rule marks LAN traffic into.
/routing bgp instance
set default disabled=yes
add as=48000 client-to-client-reflection=no name=AS60003_V4 \
redistribute-other-bgp=yes router-id=10.0.29.1 routing-table=vpn
add as=48000 client-to-client-reflection=no name=AS60003_V6 \
redistribute-other-bgp=yes router-id=10.1.0.222
# LAN bridge members: ether2-5 plus both radios. ether1 is kept out of the bridge
# and gets its uplink address via DHCP client (below).
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
# NOTE(review): both of these are enabled here. Honouring ICMP redirects and
# source-routed packets lets a peer on the tunnels influence this router's
# forwarding; they are normally left off unless something needs them.
/ip settings
set accept-redirects=yes accept-source-route=yes
# LAN gateway 10.0.29.1/24 on bridge1; the public IPv4 lives as a host address
# on Loopback0 and is announced to the BGP peers (see /routing bgp network).
/ip address
add address=10.0.29.1/24 interface=bridge1 network=10.0.29.0
add address=MY_PUBLIC_IPV4 interface=Loopback0 network=MY_PUBLIC_IPV4
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
# DHCP options handed to LAN clients; the DNS server is redacted.
/ip dhcp-server network
add address=10.0.29.0/24 dns-server=XX.XX.XX.XX domain=\
g.cust.domain.net gateway=10.0.29.1 netmask=24
# Router's own resolvers (one IPv6, two IPv4).
/ip dns
set servers=2a0b:cbc0:42::42,130.117.11.11,9.9.9.9
# The only filter rule in this export accepts everything in the forward chain.
# There are no input-chain rules, so whatever is not disabled under /ip service
# is reachable from every interface, including l2tp0/l2tp1 and the BGP peers.
/ip firewall filter
add action=accept chain=forward
/ip firewall mangle
# Every packet sourced from the LAN is marked into routing table "vpn" (the table
# the AS60003_V4 BGP instance populates). The mark is applied before the
# destination is looked at, so LAN traffic addressed to MY_PUBLIC_IPV4 on
# Loopback0 is marked as well. NOTE(review): the routes themselves are not in
# this export; confirm that table "vpn" delivers MY_PUBLIC_IPV4 locally rather
# than sending the hairpin attempt out through a tunnel.
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes \
src-address=10.0.29.0/24
# TCP MSS clamping to 1410 in both directions, but only for l2tp1.
# NOTE(review): l2tp0 has a src-nat rule below but no MSS rule -- confirm whether
# that asymmetry is intended.
add action=change-mss chain=forward new-mss=1410 out-interface=l2tp1 \
passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
add action=change-mss chain=forward in-interface=l2tp1 new-mss=1410 \
passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
/ip firewall nat
# LAN traffic leaving either tunnel is source-NATed to the BGP-announced public IPv4.
add action=src-nat chain=srcnat out-interface=l2tp0 src-address=10.0.29.0/24 \
to-addresses=MY_PUBLIC_IPV4
add action=src-nat chain=srcnat out-interface=l2tp1 src-address=10.0.29.0/24 \
to-addresses=MY_PUBLIC_IPV4
# Hairpin NAT, step 1 (currently disabled): MY_PUBLIC_IPV4:3000 -> internal server.
# No in-interface or src-address restriction, so once enabled it also matches LAN
# clients that address the public IP, which is what hairpin needs.
add action=dst-nat chain=dstnat disabled=yes dst-address=MY_PUBLIC_IPV4 \
dst-port=3000 protocol=tcp to-addresses=LOCAL_IP_SERVER
# Disabled, and should stay that way as written: with no dst-address, every TCP
# connection to port 3000 transiting this router -- including LAN clients going to
# arbitrary hosts on port 3000 -- would be redirected to LOCAL_IP_SERVER.
add action=dst-nat chain=dstnat disabled=yes dst-port=3000 protocol=tcp \
to-addresses=LOCAL_IP_SERVER
# Hairpin NAT, step 2 (currently disabled). The srcnat chain sees the destination
# AFTER dst-nat, so for hairpin this rule has to match the translated destination:
# dst-address=LOCAL_IP_SERVER (not LOCAL_IP_CUSTOMER), src-address=10.0.29.0/24,
# typically with out-interface=bridge1. As written it does not match the hairpinned
# flow, the server answers the client's LAN address directly, and the client never
# associates that reply with its connection to MY_PUBLIC_IPV4 -- the usual reason
# hairpin connections fail.
add action=masquerade chain=srcnat disabled=yes dst-address=LOCAL_IP_CUSTOMER \
dst-port=3000 protocol=tcp src-address=10.0.29.0/24
# Management services: telnet/ftp/www/ssh/api/api-ssl are all disabled.
# Only these six are listed; anything else under /ip service is not shown here.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Default SMB share pointing at /pub; whether the SMB server itself is enabled
# is not visible in this export.
/ip smb shares
set [ find default=yes ] directory=/pub
# SSH is disabled above, so these only matter if it is re-enabled:
# allow-none-crypto=yes permits sessions negotiating the "none" cipher (no
# encryption), and forwarding-enabled=remote allows remote port forwarding.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# Global IPv6 on the LAN bridge plus one address per tunnel. No /ipv6 firewall
# section appears in this export, so if the tunnels carry IPv6 the bridge1 hosts
# are directly reachable. NOTE(review): "/ XXX" with a space is probably a paste
# artifact; the prefix length must follow "/" directly.
/ipv6 address
add address=MY_PUBLIC_IPV6 interface=bridge1
add address=XXXX:XXXX:XXX::XXX/ XXX advertise=no interface=l2tp0
add address=XXXX:XXXX:XXX::XXX/ XXX advertise=no interface=l2tp1
# Prefixes originated to the peers: the private LAN /24, the public IPv6 /48 and
# the public IPv4 /32 from Loopback0.
/routing bgp network
add network=10.0.29.0/24 synchronize=no
add network=MY_PUBLIC_IPV6/48 synchronize=no
add network=MY_PUBLIC_IPV4/32 synchronize=no
# Four transit sessions over the tunnels: brs (AS 47006) and vnx (AS 46002),
# IPv4 and IPv6 each. Each session has its own in/out filter chain below.
/routing bgp peer
add in-filter=transit-in-57199-brs-v4 instance=AS60003_V4 name=\
"Transit: Wan brs [IPv4]" out-filter=transit-out-57199-brs-v4 \
remote-address=10.1.0.133 remote-as=47006 ttl=default
add address-families=ipv6 in-filter=transit-in-57199-brs-v6 instance=\
AS60003_V6 name="Transit: Wan BRS [IPv6]" out-filter=\
transit-out-57199-brs-v6 remote-address=2a0b:cbc0:1::111 remote-as=47006 \
ttl=default
add address-families=ipv6 in-filter=transit-in-57199-vnx-v6 instance=\
AS60003_V6 name="Transit: Wan VNX (Backup) [IPv6]" out-filter=\
transit-out-57199-vnx-v6 remote-address=2a0b:cbc0:1::115 remote-as=46002 \
ttl=default
add in-filter=transit-in-57199-vnx-v4 instance=AS60003_V4 name=\
"Transit: Wan vnx [IPv4]" out-filter=transit-out-57199-vnx-v4 \
remote-address=10.1.0.137 remote-as=46002 ttl=default
# Routing filters. Outbound chains accept only the originated prefixes and
# discard everything else (good: nothing learned from one transit leaks to the
# other). The vnx chains add an AS-path prepend of 2, making vnx the backup.
# Rows with chain=--- are not referenced by any peer and act only as separators.
/routing filter
add action=accept chain=transit-in-57199-vnx-v4 set-bgp-prepend=2
add chain=---
add action=accept chain=transit-out-57199-vnx-v4 prefix=10.0.29.0/24 \
set-bgp-prepend=2
add action=accept chain=transit-out-57199-vnx-v4 prefix=MY_PUBLIC_IPV4 \
set-bgp-prepend=2
add action=discard chain=transit-out-57199-vnx-v4
add chain=---
add action=accept chain=transit-in-57199-vnx-v6 set-bgp-prepend=2
add chain=---
add action=accept chain=transit-out-57199-vnx-v6 prefix=MY_PUBLIC_IPV6::/48 \
set-bgp-prepend=2
add action=discard chain=transit-out-57199-vnx-v6
add chain=---
add chain=---
add chain=---
# brs chains: accept inbound unchanged, announce the same prefixes outbound without prepend.
add action=accept chain=transit-in-57199-brs-v4
add chain=---
add action=accept chain=transit-out-57199-brs-v4 prefix=10.0.29.0/24
add action=accept chain=transit-out-57199-brs-v4 prefix=MY_PUBLIC_IPV4
add action=discard chain=transit-out-57199-brs-v4
add chain=---
add action=accept chain=transit-in-57199-brs-v6
add chain=---
add action=accept chain=transit-out-57199-brs-v6 prefix=MY_PUBLIC_IPV6::/48
add action=discard chain=transit-out-57199-brs-v6
/system clock
set time-zone-name=Europe/Paris
# RouterBOARD firmware follows RouterOS upgrades automatically; boot-protocol=dhcp
# is the netboot fallback, silent-boot suppresses beeps/LEDs at boot.
/system routerboard settings
set auto-upgrade=yes boot-protocol=dhcp silent-boot=yes
If you have any idea, thanks a lot.