Hey guys,
I'm new to MikroTik and now trying to configure my RB951Ui-2HnD properly.
All ports from outside are blocked by my provider, so I have to use port forwarding via my server. I set up the VPN with OpenVPN and it's working without problems up to here. I do a dst-nat on my server, which sends the packets to a local VPN IP address that the MikroTik has statically (10.10.0.10). This is working fine. I am doing a dst-nat again on the MikroTik to forward these packets to the Raspberry (192.168.101.254).
The MikroTik device is only a WLAN pseudobridge and not the gateway to the internet. The problem now is that answers from the Raspberry (which is connected via LAN to the MikroTik) are sent over the wifi interface to the internet gateway and not routed back to the VPN.
I tried to set up a mangle rule to add a routing mark to the packets and added a new route to the VPN with the routing mark I used in the mangle rule. I thought this would work, but it doesn't. Do I have a problem in my configuration or am I just stupid?
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=192.168.101.254 to-ports=22000 protocol=tcp dst-address=10.10.0.10 dst-port=22000 log=yes log-prefix=""
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=route-vpn passthrough=yes protocol=tcp src-address=192.168.101.254 src-port=22000 log=yes log-prefix=""
[admin@MikroTik] /ip route> print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=ovpn-out1 gateway-status=ovpn-out1 reachable via ovpn-out1 distance=1 scope=30 target-scope=10 routing-mark=route-vpn
1 A S dst-address=0.0.0.0/0 gateway=192.168.101.2 gateway-status=192.168.101.2 reachable via bridge-local distance=1 scope=30 target-scope=10
2 ADC dst-address=10.10.0.1/32 pref-src=10.10.0.10 gateway=ovpn-out1 gateway-status=ovpn-out1 reachable distance=0 scope=10
3 ADC dst-address=192.168.101.0/24 pref-src=192.168.101.3 gateway=bridge-local gateway-status=bridge-local reachable distance=0 scope=10
As you can see I enabled logging, and I see the entries for the destination NAT and for the mangle rule, but it seems like the routing mark does not apply?
23:46:09 firewall,info dstnat: in:ovpn-out1 out:(none), proto TCP (SYN), 134.xxx.xxx.xxx:51701->10.10.0.10:22000, len 60
23:46:09 firewall,info prerouting: in:bridge-local(ether1-master-local) out:(none), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 192.168.101.254:22000->134.xxx.xxx.xxx:51701, NAT (192.168.101.254:22000->10.10.0.10:22000)->134.xxx.xxx.xxx:51701, len 60
In the sniffer I can see the packet is sent to the gateway via wlan:
[admin@MikroTik] /tool sniffer> pack pr
# TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE
0 3.739 ovpn-out1 134.xxx.xxx.xxx:56938 10.10.0.10:22000 tcp 64
1 3.739 bridge... 134.xxx.178.112:56938 192.168.101.254:22000 tcp 64
2 3.739 ether1... 134.xxx.xxx.xxx:56938 192.168.101.254:22000 tcp 64
3 3.739 ether1... 192.168.101.254:22000 134.xxx.xxx.xxx:56938 tcp 60
4 3.739 wlan1 10.10.0.10:22000 134.xxx.xxx.xxx:56938 tcp 60
Thanks for your help :>
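A connection-mark based variant of the mangle/route setup, added here as an example and not taken from the post above; the connection mark name vpn-conn is an assumption, while the interface names, addresses and the route-vpn mark are the ones from the post. Tagging a connection when it enters through ovpn-out1 and then routing-marking the replies by that connection mark avoids matching on src-address/src-port, and it only affects connections that were opened from the tunnel side, so LAN-originated traffic keeps using the normal gateway.

```routeros
# Added example, not the original poster's configuration.
# Assumed name: connection mark "vpn-conn". Interfaces (ovpn-out1,
# bridge-local), addresses (10.10.0.10, 192.168.101.254) and the routing
# mark route-vpn are the ones shown in the post.

/ip firewall nat
# Same dst-nat as in the post, restricted to packets arriving via the tunnel.
add chain=dstnat in-interface=ovpn-out1 protocol=tcp dst-address=10.10.0.10 \
    dst-port=22000 action=dst-nat to-addresses=192.168.101.254 to-ports=22000

/ip firewall mangle
# 1. Tag every new connection that comes in through the tunnel.
add chain=prerouting in-interface=ovpn-out1 connection-state=new \
    action=mark-connection new-connection-mark=vpn-conn passthrough=yes
# 2. Reply packets from the LAN side that belong to such a connection get
#    the routing mark. Matching by connection mark means no src-port rule
#    per forwarded service, and LAN-originated connections are untouched.
add chain=prerouting in-interface=bridge-local connection-mark=vpn-conn \
    action=mark-routing new-routing-mark=route-vpn passthrough=no

/ip route
# Policy route for marked packets only; the unmarked default route
# via 192.168.101.2 stays as it is.
add dst-address=0.0.0.0/0 gateway=ovpn-out1 routing-mark=route-vpn

# Checks while a connection from the tunnel side is open:
# - the tracked connection should carry the mark,
# - the counters of both mangle rules should increase.
/ip firewall connection print where connection-mark=vpn-conn
/ip firewall mangle print stats
```

If the connection shows the mark but the mark-routing counter stays at zero, the reply packets are not entering through bridge-local as expected and the in-interface match is the place to look.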