dst-nat through VPN

Hello,

I need to view remote ip cameras using a mobile phone app.

The NVR is at the remote site and can't be accessed through a public IP.
Remote site 192.168.10.0/24 and local site 192.168.77.0/24 are connected through an SSTP VPN.
I can access remote site with no problem if connected to my local site, so VPN works.

I would like to connect remotely from my smartphone by configuring the app to connect to my server router's public IP and forward the connection through the VPN to the client router.
I configured dst-nat to forward port 6060 to the remote site NVR's local IP.

It looks like the traffic is not coming back correctly; I can't view the cameras when connecting from outside.

Server router:

# jan/16/2018 16:15:10 by RouterOS 6.41
# model = RouterBOARD 962UiGS-5HacT2HnT

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=6060 protocol=tcp to-addresses=192.168.10.102 to-ports=6060

What am I doing wrong?
Please help.

The NVR needs to know where to send the reply packet, so the router on the remote site should have a gateway through the VPN.
If you cannot do this, you can work around it by src-nat'ing the packet with an IP from the local router (e.g. 192.168.77.1) which is reachable from the NVR.
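As an added example (not posted by anyone in this thread), this is what the first option above looks like when done with policy routing on the remote-site router: the NVR's replies leaving port 6060 get a routing mark and are pushed into the tunnel no matter which public address they are going to, so they come back to the router that did the dst-nat. The interface names are taken from the remote-site route print later in the thread (LAN bridge2, tunnel "vpn sopro", WAN ether1); the routing-mark name and the assumption that the remote masquerade is limited to the WAN are mine.

```routeros
# Remote-site router (LAN 192.168.10.1/24, SSTP client address 10.10.10.2).
# Assumed: bridge2 = LAN, "vpn sopro" = SSTP tunnel, ether1 = WAN (from the route print).

# 1. Mark the NVR's replies for forwarded sessions. Only packets that leave the NVR
#    from TCP/6060 and are not for the local LAN get the mark; LAN viewers never
#    cross the router, so they are unaffected.
/ip firewall mangle
add chain=prerouting in-interface=bridge2 protocol=tcp \
    src-address=192.168.10.102 src-port=6060 dst-address=!192.168.10.0/24 \
    action=mark-routing new-routing-mark=to-vpn passthrough=no \
    comment="NVR replies for forwarded sessions go back through the tunnel"

# 2. A default route that only marked packets use, pointing into the tunnel.
/ip route
add dst-address=0.0.0.0/0 gateway="vpn sopro" routing-mark=to-vpn distance=1 \
    comment="policy route for marked NVR traffic"

# 3. Keep the general masquerade off the tunnel. If it also rewrote packets leaving via
#    "vpn sopro", the server router would see the reply arriving from 10.10.10.2 instead
#    of 192.168.10.102:6060 and it would not match the connection it dst-natted.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Checks: the mangle counter must rise while the phone app is connecting, and the
# connection toward the NVR should show the phone's public IP as source (no "s" flag).
/ip firewall mangle print stats
/ip firewall connection print where dst-address~"192.168.10.102:6060"
```

The same effect can be had with a connection mark set on the first packet arriving from the tunnel and turned into a routing mark on the replies; the source-port match above is shorter and is enough when nothing else on the remote side originates traffic from the NVR's port 6060.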

Can you help me with an example of how to do that in Winbox?

You just put another rule under the dst-nat, this time with src-nat.
You then need to match the packets you already dst-natted.
A rule could be something like this:

/ip firewall nat
add action=src-nat chain=srcnat dst-port=6060 protocol=tcp dst-address=192.168.10.102 to-addresses=192.168.77.1

Thanks for your help.

I added that rule but no success.

I read something about marking packets, I’ve tried that too but maybe I am doing something wrong cause still can’t see the cameras.

Does the packet counter for src-nat rule increment?
If you want to mark packets then you can bind to that packet mark for the src-nat to work.

How to match the packets?

Matching criteria inside the NAT rule.
You know: src-address, dst-address, protocol, etc.

Local site:

WAN: something.sn.mynetname.net
LAN: 192.168.77.1/24
VPN: 10.10.10.1

/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="NVR port forward" dst-port=6060 protocol=tcp to-addresses=192.168.10.102 to-ports=6060

[admin@MikroTik] /ppp active> print
Flags: R - radius
 #   NAME         SERVICE CALLER-ID         ADDRESS         UPTIME   ENCODING
 4   laguna       sstp    191.xxx.xxx.xxx   10.10.10.2      1h45m25s AES256-CBC
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          190.xxx.xxx.xxx               1
 3 ADC  10.10.10.2/32      10.10.10.1      <sstp-laguna>             0

11 ADS  192.168.10.0/24                    <sstp-laguna>             1
15 ADC  192.168.77.0/24    192.168.77.1    bridge2                   0

Remote site:
LAN: 192.168.10.1/24
VPN: 10.10.10.2

NVR: 192.168.10.102 listening at port 6060

[admin@MikroTik Laguna] /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.8.1               1
 1 ADC  10.10.10.1/32      10.10.10.2      vpn sopro                 0
 2 A S  172.16.0.0/24                      192.168.10.102            1
 3 ADC  192.168.8.0/24     192.168.8.100   ether1                    0
 4 ADC  192.168.10.0/24    192.168.10.1    bridge2                   0

[admin@MikroTik Laguna] /ip firewall connection> print
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, 
F - fasttrack, s - srcnat, d - dstnat 
 #          PR.. SRC-ADDRESS           DST-ADDRESS           TCP-STATE  
309  SAC  s  tcp  10.10.10.1:35558      192.168.10.102:6060   close      
323  SAC  s  tcp  10.10.10.1:43726      192.168.10.102:6060   close  


[admin@MikroTik Laguna] /ip firewall connection> print detail
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0  SAC     protocol=tcp src-address=192.168.8.100:39045 dst-address=190.45.xxx.xxx:443 reply-src-address=190.45.xxx.xxx:443 reply-dst-address=192.168.8.100:39045 
            tcp-state=established timeout=4m59s orig-packets=4 729 orig-bytes=3 532 945 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=4 165 
            repl-bytes=590 509 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=152.4kbps repl-rate=37.9kbps 

 1  SAC     protocol=tcp src-address=10.10.10.1:51829 dst-address=192.168.10.1:8291 reply-src-address=192.168.10.1:8291 reply-dst-address=10.10.10.1:51829 
            tcp-state=established timeout=4m59s connection-mark="VPN_SoPro" orig-packets=24 171 orig-bytes=1 570 375 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=30 750 repl-bytes=34 311 553 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=13.2kbps repl-rate=141.5kbps 

 6  SAC  s  protocol=tcp src-address=10.10.10.1:27312 dst-address=192.168.10.102:6060 reply-src-address=192.168.10.102:6060 reply-dst-address=192.168.10.1:27312 
            tcp-state=close timeout=4s connection-mark="VPN_SoPro" orig-packets=10 orig-bytes=896 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=6 
            repl-bytes=600 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

 13  S C  s  protocol=udp src-address=192.168.10.102:30008 dst-address=54.165.xx.xxx:3478 reply-src-address=54.165.xx.xxx:3478 reply-dst-address=192.168.8.100:30008 
            timeout=7s orig-packets=1 orig-bytes=56 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=1 repl-bytes=116 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

14  S C  s  protocol=udp src-address=192.168.10.102:30006 dst-address=54.165.xx.xxx:3478 reply-src-address=54.165.xx.xxx:3478 reply-dst-address=192.168.8.100:30006 
            timeout=7s orig-packets=1 orig-bytes=56 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=1 repl-bytes=116 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

21  SAC  s  protocol=tcp src-address=10.10.10.1:19507 dst-address=192.168.10.102:6060 reply-src-address=192.168.10.102:6060 reply-dst-address=192.168.10.1:19507 
            tcp-state=established timeout=23h59m59s connection-mark="VPN_SoPro" orig-packets=4 orig-bytes=340 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=3 repl-bytes=300 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps

That is what it shows when I try to connect with my smartphone from outside.
Don’t know how to redirect the packets.
Is there something wrong?
Shall I change the routes in the remote site in some way?

No, it doesn't increment.

I know this has a solution, I’ve read a lot of them but do not know how to implement them.

Some solutions I’ve tried:

1.- Mangle in the remote site router and redirect through a route: http://forum.mikrotik.com/t/routing-through-vpn/103202/1 or http://forum.mikrotik.com/t/redirect-nat-through-vpn-tunnel-to-http-server/71336/1
2.- srcnat rule in the local site: http://forum.mikrotik.com/t/dst-nat-through-vpn/115651/1
3.- Masquerade: http://forum.mikrotik.com/t/port-forward-to-vpn/104542/1
4.- Netmap: http://forum.mikrotik.com/t/dst-nat-port-forward-accross-vpn-locations/105806/1

None of them have worked.

Maybe there is some error in the implementation.

Which one is better?

Can someone please help me here?
@normis @sob @paolopoz

I can access the router on the remote site, but that router is providing Internet access through a Ubiquiti access point too.
Any ideas?

This:

/ip firewall nat
add action=masquerade chain=srcnat

should be more specific; for example, add the out-interface, otherwise it will NAT everything.
You can also put more specific rules before the masquerade, so you are sure the latter will not interfere.

To better understand these situations I find it helpful to imagine the packet at every step, request and reply, and check what happens to it following the packet flow:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6
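An added example, not from any post in this thread, putting together the src-nat workaround and the "more specific masquerade" advice above for the server router. The one change from the earlier suggestion is the address used for the src-nat: the remote-site route print on this page has a connected route for 10.10.10.1/32 but no route at all for 192.168.77.0/24, so the tunnel address is the one the NVR's replies can be guaranteed to reach through the tunnel. Assumed names: ether1 for the WAN (not shown in the thread) and sstp-laguna for the server-side tunnel interface (from the route print).

```routeros
# Server router (local site, SSTP server, LAN 192.168.77.1, tunnel address 10.10.10.1).
# Assumed: ether1 = WAN interface, sstp-laguna = tunnel interface toward the remote site.
/ip firewall nat

# 1. Forward TCP/6060 arriving on the WAN to the NVR behind the tunnel.
#    in-interface keeps the rule from catching LAN-originated traffic.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=6060 \
    action=dst-nat to-addresses=192.168.10.102 to-ports=6060 \
    comment="NVR port forward"

# 2. Rewrite the source of exactly those forwarded packets to the tunnel address.
#    The NVR then answers 10.10.10.1, which the remote router reaches via its
#    connected route on the tunnel, instead of answering the phone's public IP
#    via the remote site's own WAN. connection-nat-state=dstnat limits the rule
#    to connections rule 1 already translated; the address/port match alone
#    is enough on a RouterOS build that lacks that matcher.
add chain=srcnat out-interface=sstp-laguna connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.10.102 dst-port=6060 \
    action=src-nat to-addresses=10.10.10.1 \
    comment="NVR reply path back through the tunnel"

# 3. Internet masquerade restricted to the WAN. The original rule on this page,
#    "add action=masquerade chain=srcnat", had no out-interface and therefore
#    also rewrote everything entering the tunnel.
add chain=srcnat out-interface=ether1 action=masquerade

# The forward chain must let the translated flow through to the tunnel; place
# this above any drop rules.
/ip firewall filter
add chain=forward in-interface=ether1 out-interface=sstp-laguna \
    connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.10.102 dst-port=6060 action=accept place-before=0

# Checks while the phone app tries to connect:
#  - counters on rules 1 and 2 must both increase on every attempt;
#  - the tracked connection should carry both "d" (dstnat) and "s" (srcnat) flags
#    and show 10.10.10.1 as the source toward 192.168.10.102:6060.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.10.102:6060"
```

Rule order matters here: RouterOS evaluates NAT rules top to bottom, so the specific src-nat has to sit above the masquerade, otherwise the masquerade wins and the NVR sees the tunnel traffic with whatever source the masquerade picked.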

Thanks Paolo, but I can't make it work.
Can somebody help me with configuration instructions in order to view the cameras?

Just connect to your router through a VPN on your phone. I can do this easily on my Android, and then view it that way.

Thanks for your reply.

I've done that using my Android phone, and it works fine.

The thing is, these cameras belong to a customer.

She doesn't know (nor want to learn) how to connect to a VPN, especially when she can watch other cameras without needing to connect to a VPN every time.
Another reason is she has an iPhone and iOS removed PPTP VPN connections, only L2TP; that's another complication when connecting iPhones to MikroTiks.

Plus I know there must be a way to port forward through a VPN, so I would love to learn how for future reference.

It's easy. Here is how I used dst-nat to access Winbox behind a public IP.

/ip firewall nat
add action=dst-nat chain=dstnat comment="DST NAT for \"Tiny Tik\" Moms Wifi Router" port=31 protocol=tcp to-addresses=192.168.1.31 to-ports=8291
add action=dst-nat chain=dstnat comment="To RB2011" port=10 protocol=tcp to-addresses=192.168.1.10 to-ports=8291
add action=dst-nat chain=dstnat comment="To Silo Winbox" port=17 protocol=tcp to-addresses=192.168.1.17 to-ports=8291

To get to other equipment, it all depends on the ports:
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST NAT For Moms Bullet CPE" port=22303 protocol=tcp to-addresses=192.168.1.171 to-ports=443
add action=dst-nat chain=dstnat comment="DST NAT For WT AP" port=22304 protocol=tcp to-addresses=192.168.1.210 to-ports=443
add action=dst-nat chain=dstnat comment="DST NAT For .30 Netonix Switch" port=22305 protocol=tcp to-addresses=192.168.1.30 to-ports=443

In your case, figure out what port the NVR uses, its local IP, and configure as such. Assign any port to it to connect to it from the outside, like I mainly used 223XX, but you can use almost whatever ports you want.

You are forwarding to different devices in the same subnet, not at all the problem I am trying to solve.

I want to access a remote device 192.168.10.102 listening on port 6060 through a router 192.168.77.1 with a public IP.
Routers 192.168.10.1 and 192.168.77.1 are connected via an SSTP VPN tunnel.