DST-nat to not directly connected network (VPN without NAT)

Hi there!

I’m trying to do a DST-nat to a network that is behind another Mikrotik connected using a VPN (and using a direct route, no NAT, to the Mikrotik from where I’m trying to set up the DST-nat), but I’m getting a strange (or not so strange) behavior where the second Mikrotik is trying to answer the request through the 0.0.0.0/0 route and not through the VPN. It looks like the request is getting there with the original source address (internet) instead of the internal address from the first Mikrotik. Does it make any sense?

Internet → Mikrotik 1 (192.168.0.1, with NAT and trying to set the DST-nat to traverse the VPN) → VPN (PPTP) - Mikrotik 2 (172.31.188.2, being .1 the previous Mikrotik, and the internal network on this side is 172.31.10.0/24 with a route to 192.168.0.0/24 through the VPN)

Thank you,
Carlos Marchi

What’s the practical purpose of this? Security research, or hacking maybe? :slight_smile:

When you need to expose some server to the internet and you don’t have a public address where it’s connected, but you have one somewhere else, you can make a tunnel and then forward ports through it. It’s slightly desperate, but when there’s no other way, it’s possible.

And yes, the behaviour is normal, the router uses its routes. If you want to route responses back to the tunnel, it needs a little help. On the client router, add a new default route in a separate routing table, with the gateway being the address on the server side of the tunnel. Mark incoming connections from the tunnel, and then mark routing for outgoing packets belonging to these connections. Or if you don’t care about original source addresses, you can simply use srcnat on the server side of the tunnel and make all connections look like they come from there.
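Both variants from the reply above written out as RouterOS v6 CLI, as an added example that is not from this thread; the WAN interface name ether1-wan, the PPTP interface name pptp-to-mt1, the internal server 172.31.10.10 and port 443 are assumptions, while the tunnel and LAN addresses are the ones given in the question.

```routeros
# --- Mikrotik 1 (192.168.0.1 / 172.31.188.1, tunnel server side, has the internet uplink) ---
# Forward the published port across the tunnel to the server in the remote LAN.
# ether1-wan, 172.31.10.10 and port 443 are assumed values.
/ip firewall nat add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=172.31.10.10 to-ports=443

# Variant A (simple, loses the original client address): srcnat everything that is
# headed for the remote LAN so that it appears to come from the tunnel endpoint.
# Mikrotik 2 then answers to 172.31.188.1, which it already reaches through the VPN.
/ip firewall nat add chain=srcnat dst-address=172.31.10.0/24 \
    action=src-nat to-addresses=172.31.188.1

# --- Mikrotik 2 (172.31.188.2, tunnel client side) ---
# Variant B (keeps the original client address): policy routing for replies.
# pptp-to-mt1 is an assumed interface name. On RouterOS v6 the routing-mark on the
# route creates the extra table implicitly; v7 needs an explicit /routing table entry.
/ip route add dst-address=0.0.0.0/0 gateway=172.31.188.1 routing-mark=via-vpn \
    comment="default route used only for connections that arrived over the VPN"

# 1. Mark every new connection that enters through the tunnel.
/ip firewall mangle add chain=prerouting in-interface=pptp-to-mt1 connection-state=new \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes

# 2. Reply packets from the LAN that belong to such a connection get the routing mark,
#    so they are looked up in the via-vpn table instead of following the main default route.
/ip firewall mangle add chain=prerouting connection-mark=from-vpn in-interface=!pptp-to-mt1 \
    action=mark-routing new-routing-mark=via-vpn passthrough=no
```

Variant B only works if no fasttrack rule on Mikrotik 2 lets these connections bypass the mangle chain; check with /ip firewall mangle print stats that the counters of both rules increase during a test connection.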

:smiley: It’s a real use case scenario. One of my customers has a few VPNs connecting to his central branch, but for some of them I don’t have access to the remote Mikrotik because it’s managed by a local ISP and they don’t have an Internet connection (the ISP only provides transport). Now we need to route a connection from the Internet to those remote “internal” networks and I was wondering if I could use the Internet on the central branch instead of enabling internet on the remote branches.

I thought about the srcnat on the server side, but I couldn’t come to a conclusion by myself and I didn’t have a testing environment to play around. I don’t care about the original source, and at first sight I thought that the dstnat would also change the source when passing the packet to the second router. I’ll try this way (srcnat), thank you for your suggestion!