Hi,
I have 2 MikroTiks at 2 locations doing NAT for each site's internal network (stock configuration RB750GL, but with the default subnet of 192.168.88.0/24 replaced with 10.1.0.0/24 and 10.2.0.0/24).
Both sites are VPN'ed together and the VPN routing is working fine (tried with both IPsec and SSTP).
Site 1: ether1-wan IP = 1.1.1.1 (example)
ether2-lan = 10.1.0.0/24
Site 2: ether1-wan IP = 2.2.2.2 (example)
ether2-lan = 10.2.0.0/24
I am trying to configure a port forwarding from Site 1 to a web server at Site 2 on 10.2.0.100 port 8080:
/ip firewall nat add chain=dstnat dst-address=1.1.1.1 dst-port=8080 action=dst-nat protocol=tcp to-address=10.2.0.100 to-port=8080
Using Torch on both routers, I see the connection is being successfully forwarded through the VPN to Site 2 and to the web server. However, the src-address remains the public IP address of the remote web browser, so on Site 2 the traffic is trying to go back out directly through the internet connection at Site 2 to the user's browser, instead of going back through the VPN to Site 1 and back onto the internet from there.
I believe I may need to apply routing marks with mangle rules?
Any suggestions?
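The asymmetric return path described in the post comes from the forwarded packets keeping the browser's public source address: the Site 2 router has no reason to send replies to that address through the tunnel. One way to fix it on Site 1 alone, without mangle/routing marks, is to source-NAT the forwarded connection to a Site 1 address that Site 2 already routes over the VPN. The following is an added example, not the poster's configuration; it assumes the WAN interface is named ether1-wan, that the Site 1 router's LAN address is 10.1.0.1 (assumed value), that 10.1.0.0/24 is reachable from Site 2 through the tunnel (as the post states VPN routing works), and that the forward filter chain permits the traffic.

```routeros
# Site 1 router (public 1.1.1.1). The dstnat rule is the one from the post,
# restricted to the WAN interface so LAN traffic is not caught by it.
/ip firewall nat
add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=10.2.0.100 to-ports=8080 \
    comment="forward TCP/8080 to Site 2 web server"

# Added rule: srcnat is evaluated after dstnat, so dst-address already reads
# 10.2.0.100 here. Rewriting the source to 10.1.0.1 (assumed Site 1 LAN address)
# makes the web server reply to a 10.1.0.0/24 address, which Site 2 routes back
# through the VPN; connection tracking on Site 1 then undoes both translations
# before the reply leaves ether1-wan towards the browser.
add chain=srcnat dst-address=10.2.0.100 protocol=tcp dst-port=8080 \
    action=src-nat to-addresses=10.1.0.1 \
    comment="return path via VPN for forwarded TCP/8080"
```

The trade-off to be aware of: with this rule every request reaches the Site 2 web server with source 10.1.0.1, so the server's own access logs no longer record the real client address, which matters when you later need to attribute requests during incident handling. If the original client address must be preserved on the server, the alternative is the policy-routing approach the post mentions (mangle rules on Site 2 that mark replies from 10.2.0.100:8080 and route them into the tunnel), which keeps the browser's source address intact; in either case, check with Torch on both routers that the reply now traverses the VPN rather than Site 2's WAN.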