DST-Nat to a destination connected through VPN/PPTP

Hi everyone!

I'm trying to do a dst-nat whose destination is a network that is not directly attached to the router that is exposed to the internet, but there is no NAT between them (it's a PPTP connection with routes set, and they are directly accessible). Tracking the connection, it seems that the second router is trying to return the packet straight to the original source (which is on the internet), instead of returning it to the router that is exposed to the internet (as if the reverse NAT is not really happening on the first router).
(attachment: dst-nat-vpn.png)
Routes on Mikrotik 1 (local network 192.168.0.0/24):
ADS 0.0.0.0/0 wan1
ADC 172.31.200.2/32 172.31.200.1 0
ADS 172.31.90.0/24 172.31.200.2 1

chain=dstnat action=dst-nat to-addresses=172.31.90.2 to-ports=80 protocol=tcp dst-address-type=local in-interface=wan1 dst-port=51080 log=no log-prefix=""


Route on Mikrotik 2: (local network 172.31.90.0/24)
ADC 172.31.200.1/32 pptp-out1
AS 192.168.0.0/24 pptp-out1


Both networks can ping each other without problems.

Thank you,
Carlos Marchi

You can choose:

a) Use srcnat on the router from which you're forwarding the port to the other one. It will make responses go back there, but you won't be able to see original source addresses.
b) On the other router, add a new default route in a separate routing table, with the gateway being the first router. Mark new incoming connections from the tunnel. Mark routing for responses to marked connections so they use the other routing table. They will go back via the tunnel and you'll still be able to see original source addresses.
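The two options above, written out as RouterOS commands using the addresses and interface names from the original post. This is an added example, not configuration posted by either participant; it assumes RouterOS v6 syntax (the v7 differences are noted in comments), that Mikrotik 1's tunnel address 172.31.200.1 is reachable from Mikrotik 2 over pptp-out1, and the mark names from-mt1 and via-mt1 are hypothetical names chosen here.

```routeros
# ---- Option a: on Mikrotik 1 (the internet-facing router) ----
# After the existing dst-nat rule has rewritten the destination to 172.31.90.2:80,
# also rewrite the source to Mikrotik 1's own tunnel address so Mikrotik 2 replies
# back through the tunnel. Cost: the web server only ever sees 172.31.200.1.
/ip firewall nat add chain=srcnat dst-address=172.31.90.2 protocol=tcp dst-port=80 \
    action=src-nat to-addresses=172.31.200.1 \
    comment="force replies for forwarded port back via the tunnel"

# ---- Option b: on Mikrotik 2 (the 172.31.90.0/24 router) ----
# Original source addresses are preserved; only the return path is changed.

# 1. Separate routing table whose default route points back at Mikrotik 1.
#    (RouterOS v7: first '/routing table add name=via-mt1 fib', then use
#    'routing-table=via-mt1' instead of 'routing-mark=via-mt1' on the route.)
/ip route add dst-address=0.0.0.0/0 gateway=172.31.200.1 routing-mark=via-mt1 \
    comment="return path for connections forwarded by Mikrotik 1"

# 2. Mark NEW connections that arrive through the tunnel for the forwarded service.
#    Restricting to the tunnel interface and the forwarded port keeps ordinary
#    LAN-to-LAN traffic between 172.31.90.0/24 and 192.168.0.0/24 unaffected.
/ip firewall mangle add chain=prerouting in-interface=pptp-out1 connection-state=new \
    dst-address=172.31.90.2 protocol=tcp dst-port=80 \
    action=mark-connection new-connection-mark=from-mt1 passthrough=yes

# 3. Reply packets from the server that belong to a marked connection get the
#    routing mark, so they are looked up in the via-mt1 table and leave via the
#    tunnel instead of Mikrotik 2's own default route.
/ip firewall mangle add chain=prerouting src-address=172.31.90.2 \
    connection-mark=from-mt1 action=mark-routing new-routing-mark=via-mt1 passthrough=no

# ---- Checks ----
# The marked route must be present and active:
/ip route print where routing-mark=via-mt1
# While a client on the internet is connected to Mikrotik 1 port 51080, the tracked
# connection on Mikrotik 2 should carry the connection mark and the client's real IP:
/ip firewall connection print detail where dst-address~"172.31.90.2"
```

Only one of the two options is needed. Option b has to be applied on Mikrotik 2 because that is where the reply packets are routed; if the mangle rules are put on Mikrotik 1 they never see the server's replies and the routing mark has no effect.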