Dest. Nat over VPN

Hello,

I have a question about forwarding a port over a VPN.
My config:

Router 3G (192.168.168.1) > Router MikroTik Site A (192.168.168.2) > VPN Tunnel Site B UMTS Uplink (PPTP Client Local Address 172.16.1.2) > Router DSL (192.168.169.1) > Router MikroTik Site B (192.168.169.2) > VPN Server (PPTP Server Local Address 172.16.1.1).

I have forwarded all ports from the DSL router to the MikroTik at Site B.
I have created a NAT rule: dstnat protocol=tcp dst-port=5060 action=dst-nat to-addresses=192.168.168.234 to-ports=5060
I have created a hairpin rule: srcnat dst-address=192.168.168.234 src-address=!192.168.169.0/24 action=src-nat to-addresses=192.168.169.2

Everything works, but Fail2Ban runs on the server, and I always receive the IP 192.168.169.2 when a client is connected over the WAN.
I need a solution to forward the real public IP to the server that runs Fail2Ban.

Can anyone help me?

Thanks

Do I need to masquerade something?
Fail2Ban always blocks me and I need to reset the device.

Please, please, can someone help me?

Thanks

NAT is for “hiding” your IP behind the device. So I think you should not NAT anything. Just make an accept rule in the NAT table. But you need to make sure that all devices know where they find the networks, so it may be necessary to add the routes in the routing table.

Hello,
thanks for your reply.

I have done some tests, and I have probably found the bug in my config.

(1.JPG) On the second router I receive the packet with the real public IP.
My problem (question) is how to tell the router to respond via the router 192.168.169.2 and not to exit over the default gateway…

How can I set this?

No one has a solution for me?

If you forward a port to a completely different remote network with its own internet connection, you need the hairpin srcnat rule, because it makes it work. Without it, replies would be sent using the remote connection and it would not work.

It might be possible even without srcnat, if you find a different way to send replies back via the VPN. For that, you’d need to mark connections coming from the VPN on the remote router, add another routing table with a default route to the VPN, and then mark routing for reply packets to send them to the VPN. Then you’d have to do the same on the server: mark connections from the VPN, add a routing table with the remote router as default gateway, and set routing for reply packets to use it. If you have Fail2ban there, it’s probably some Linux, so it should be possible. You could recognize packets from the VPN by their source MAC address (the one of the remote router’s LAN interface).
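The reply above describes three steps on the remote (Site A) router: mark connections that entered via the VPN, add a routing table whose default route points into the tunnel, and mark routing for the reply packets. As an added example, not code from anyone in this thread, here is what those steps look like in RouterOS v6 CLI syntax on the Site A MikroTik (192.168.168.2). The addresses are the ones from the thread; the interface names (pptp-out1 for the PPTP client, ether1 for the LAN) and the mark names are assumptions. It also assumes the dst-nat rule on Site B stays and the hairpin srcnat rule on Site B is removed, since with that rule in place the server can only ever see 192.168.169.2 as the source.

```routeros
# Added example (RouterOS v6 syntax), applied on the Site A MikroTik (192.168.168.2).
# Assumed names: pptp-out1 = PPTP client interface to Site B (peer 172.16.1.1)
#                ether1    = LAN interface towards 192.168.168.0/24

# 1. Mark connections that arrive through the tunnel (the dst-nat'ed port 5060
#    sessions, now carrying the client's real public IP as source). Connection
#    tracking keeps the mark on every later packet of the session, so the
#    server's replies inherit it without any extra matching.
/ip firewall mangle
add chain=prerouting in-interface=pptp-out1 connection-state=new \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes \
    comment="sessions that entered via the VPN"

# 2. Reply packets come back from 192.168.168.234 on the LAN side. Give them a
#    routing mark so they are looked up in the VPN table instead of following
#    the default route via the 3G router 192.168.168.1.
add chain=prerouting in-interface=ether1 connection-mark=from-vpn \
    action=mark-routing new-routing-mark=via-vpn passthrough=no \
    comment="route VPN-originated replies back through the tunnel"

# 3. A second routing table whose only default route is the far end of the
#    tunnel (the Site B PPTP server address from the thread).
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.1 routing-mark=via-vpn \
    comment="default route for replies to VPN-originated sessions"

# Caveat: if the filter chain contains an action=fasttrack-connection rule,
# fasttracked packets skip the mangle chain and step 2 never fires. Add
# connection-mark=!from-vpn to that fasttrack rule so these sessions stay on
# the slow path.
```

The same three steps on the Linux server (192.168.168.234) are the iptables equivalents: a mangle PREROUTING rule that sets a CONNMARK on new connections whose source MAC is the Site A router's LAN interface (the MAC-based recognition the reply mentions; on the router itself in-interface is enough), a mangle OUTPUT rule that restores that mark onto the reply packets, and an `ip rule` for that fwmark pointing at a table whose default route is `via 192.168.168.2`. With the srcnat hairpin gone, Fail2Ban then logs and bans the client's real public address rather than 192.168.169.2. In RouterOS v7 the route needs `routing-table=via-vpn` and a matching `/routing table add name=via-vpn fib` entry instead of `routing-mark=`.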