Connect through L2TP

I have a Site-to-Site L2TP connection.
Everything works excellently, but how do I connect from the Internet to the address 192.168.88.150:8181?

The option
add action=dst-nat chain=dstnat dst-port=8181 protocol=tcp to-addresses=192.168.88.150 to-ports=8181
on the router with 192.168.1.0/24 doesn't work.

Any solutions?

can 192.116.1.0/24 communicate with 192.168.88.150?

As I wrote, everything works excellently; that means there are no problems in the local network 192.168.X.X.

add action=dst-nat chain=dstnat dst-port=8181 protocol=tcp to-addresses=192.168.88.150 to-ports=8181 dst-address=78.84.162.nnn

Adding dst-address=78.84.162.nnn to the rule doesn't work.
By default masquerade is enabled on the router; all connections first access 78.84.162.nnn.

i trust you’re testing this from the internet, rather than from a device on one of those networks.

are the packet/byte counts at zero for that nat rule? are they increasing as you test?

Of course I test this rule from the Internet and the counters count incoming packets, but there is no connection between host 192.168.88.150 and the Internet host.

Add a rule to the mikrotik at 88.1 to passthrough any traffic that matches any such connection coming in and also watch its counters. Also add the two reply columns in winbox so you can see how it’s natting the connection.

I am sorry to double this question but can you access 192.168.88.150:8181 by telnet command right from 192.168.1.1 (not from LAN behind it)?
Contents of /ip firewall from both routers would be helpful.

^ this. i was supposed to have asked it in my first post :)

you need to test that the device or interface that receives the request from the world can route back to the intended server (and that replies go back as expected)

It is possible that 192.168.88.1 is unable to route packets to 192.168.1.1, but routes all packets through the LMT (3G modem) interface to the Internet. Because the sync request from 192.168.1.1 works OK.
Any ideas?
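
The routing hypothesis in the post above, modelled as an added example (not code from any participant in this thread): a longest-prefix-match lookup on 192.168.88.1 shows why a request sourced from 192.168.1.1 gets its reply through the tunnel, while a dst-nat'ed request that still carries an Internet source address has its reply sent out the 3G default route. The interface names, the client address 203.0.113.10 and the two remedies modelled (src-nat on the first router, policy routing on the second) are assumptions, not something the thread confirms.

```python
import ipaddress

# Constructed routing table for the router at 192.168.88.1; the interface
# names are assumptions, the networks are the ones named in the thread.
ROUTES_88_1 = [
    ("0.0.0.0/0", "lmt-3g"),          # default route via the 3G modem
    ("192.168.1.0/24", "l2tp-site"),  # remote LAN through the L2TP tunnel
    ("192.168.88.0/24", "lan"),       # local LAN holding the server .150
]
TUNNEL = "l2tp-site"


def egress(routes, dst):
    """Longest-prefix match: the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), ifc) for net, ifc in routes
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def reply_egress(peer_seen_by_server, policy_route=False):
    """Interface 192.168.88.1 uses for the server's reply.

    peer_seen_by_server: source address of the forwarded request as it
    arrives at 192.168.88.150 (dst-nat alone leaves it unchanged).
    policy_route: model replies being pinned to the interface the
    connection arrived on (here, the tunnel).
    """
    if policy_route:
        return TUNNEL
    return egress(ROUTES_88_1, peer_seen_by_server)


def diagnose(peer_seen_by_server, policy_route=False):
    """Report whether the reply goes back the way the request came in."""
    out = reply_egress(peer_seen_by_server, policy_route)
    if out == TUNNEL:
        return "symmetric"
    return f"asymmetric: reply leaves via {out}"


if __name__ == "__main__":
    client = "203.0.113.10"  # constructed Internet client (TEST-NET-3)
    print("request from 192.168.1.1:", diagnose("192.168.1.1"))
    print("dst-nat only:", diagnose(client))
    print("dst-nat + src-nat to 192.168.1.1:", diagnose("192.168.1.1"))
    print("dst-nat + policy routing:", diagnose(client, policy_route=True))
```

In the src-nat case the server at 192.168.88.150 logs 192.168.1.1 as the peer rather than the real client address.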

You might be interested in this video at MUM about using L2TP with IPsec to achieve a scalable VPN solution for both site-to-site and dial-up road warrior scenarios.

If I have understood your need properly.

I don’t see a link.

Hi,

Sorry about the missing link. Here it is:

http://mum.mikrotik.com/presentations/HR13/kirnak.pdf

In fact I liked it so much we are now trialling it in my own network as we get familiar with the solution for our clients. Previously we have been making static tunnels and IPSec Policy.