I have users who need to access RDP at the external address server.domain.com:3333 (NAT to LAN port 3389). From the internal network I have done a hairpin configuration, and it works.
From the external network I have done dstnat with an address list filter; this works for the fixed IPs I want to allow to RDP.
For VPN users, it’s actually not so much a Mikrotik question as a Windows question (as you mention RDP, I assume the clients are Windows machines). In other words, there is no way to resolve that on Mikrotik alone, as you must first make the clients send the traffic for server.domain.com through the VPN tunnel.
The possibilities to do so are the following:
- put a translation of server.domain.com to the private IP address of the server into the c:\Windows\System32\Drivers\etc\hosts file and let the dst-nat rules on the Mikrotik only change the port
- configure Windows to send all the traffic via the tunnel (which can be done using just the mouse, but I suppose it is not what you want, as you don’t want to waste the bandwidth of your company uplink) and let the dst-nat rule act also on traffic coming in via VPN interfaces or coming from the subnet from which the VPN clients get their addresses
- add a selective route to the public IP of the server via the tunnel, which requires PowerShell on Windows if you want the route to be added only when the tunnel is up, or a plain command line if you are OK with adding a “persistent” route. But I assume this way is only possible if the public IP of server.domain.com differs from the public address to which the VPN clients connect - I have never tried this, though. The dst-nat rules on Mikrotik would then be the same as in the previous case.
If so, it is just a matter of modifying the dst-nat rules to trigger also on the VPN traffic. You can use a ppp profile to add the dynamically created interface names to an interface list (you have to create the list itself manually), or match on the src-address if the subnet used for the VPN clients is not used for anything else… can’t give better advice without seeing the current configuration.
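
The RouterOS side of the reply above, as an added example that is not part of the original posts or of the poster's configuration. The list name `vpn-clients`, the profile name `vpn-profile` and all addresses (203.0.113.10 as the public IP, 192.168.88.10 as the RDP server, 10.10.10.0/24 as the VPN client pool) are constructed placeholders.

```routeros
# 1. Create the interface list by hand; RouterOS does not create it for you.
/interface list
add name=vpn-clients comment="dynamic PPP interfaces of VPN users"

# 2. Have the PPP profile used by the VPN server put each dynamically
#    created client interface into that list while the session is up.
#    "vpn-profile" is an assumed profile name.
/ppp profile
set [find name="vpn-profile"] interface-list=vpn-clients

# 3a. Full-tunnel or selective-route clients: they still address the
#     public IP, so match it, but only when the packet arrives from a
#     VPN interface. The existing address-list rule for fixed external
#     IPs stays untouched, and the port is not opened to the whole WAN.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=3333 \
    dst-address=203.0.113.10 in-interface-list=vpn-clients \
    to-addresses=192.168.88.10 to-ports=3389 \
    comment="RDP for VPN users (public address)"

# 3b. Hosts-file clients: server.domain.com resolves to the private IP,
#     so the rule only has to translate port 3333 to 3389.
add chain=dstnat action=dst-nat protocol=tcp dst-port=3333 \
    dst-address=192.168.88.10 in-interface-list=vpn-clients \
    to-ports=3389 comment="RDP for VPN users (hosts file)"

# Alternative to the interface list: match the VPN pool by source
# address. Use this only if that subnet is used for nothing else.
# add chain=dstnat action=dst-nat protocol=tcp dst-port=3333 \
#     dst-address=203.0.113.10 src-address=10.10.10.0/24 \
#     to-addresses=192.168.88.10 to-ports=3389

# The filter rules in chain=forward still apply to the translated
# traffic, so VPN -> 192.168.88.10:3389 has to be accepted there too.
```

Only one of 3a or 3b is needed, depending on which of the client-side options listed in the reply is in use.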