Getting around CGNAT with another Mikrotik Router

Hi,

Apologies if this seems quite trivial, I can’t seem to implement this even if I seem to understand the concept behind it.

I have a Mikrotik that is connected to and LTE network but it’s behind CGNAT. I will need to get back access to the Mikrotik for future configuration, etc. I have another Mikrotik that has a public IP so I understand that it’s possible for me to create a site to site VPN and then I can use the publicly accessible Mikrotik to gain access to the CGNAT’d one.

I’ve managed to successfully establish a L2TP/IPSec VPN from the CGNAT’d Mikrotik but then what do I do?

For example, say that I wanted to get back access to winbox to the CGNAT’d router - it’s currently got a bound address of 192.168.89.2 (from L2TP/IPSec VPN connection interface). I tried to create a dst-nat rule to redirect port 1234 (example) to 8291 at address 192.168.89.2 but that doesn’t seem to work. The other thing is, I am not sure that this is the best way to do this - shouldn’t I be able to redirect a certain port to the interface rather than the address of the interface in case the address of the interface changes?

Many thanks in advance

can you ping from the lan ip on the public ip Mikrotik to the CGnat lan ip?
post configs to see better

Hi,

I can ping the lan IP if I select to add a default route to the L2TP client interface (but this seems to break connection to the internet via the LTE interface).

Here’s the relevant config of the router behind CGNAT:

/interface l2tp-client
add add-default-route=yes allow=mschap2 connect-to=remote.address.ip disabled=no name="Bypass CGNAT" profile=L2TP use-ipsec=yes user=SOMEONE

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes protocol=udp
add action=drop chain=input comment="Don't allow these IP addresses to connect" log=yes log-prefix=DENIED src-address-list="Do not allow"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept IGMP" protocol=igmp
add action=accept chain=input comment="allow l2tp" dst-port=1701,4500,500 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="GRE for EoIP" protocol=gre
add action=accept chain=input comment="Allow Winbox" dst-port=8291 log=yes log-prefix=WINBOX protocol=tcp
add action=accept chain=input comment=IPSec2 protocol=ipsec-esp
add action=accept chain=input comment="VPN L2TP AH" protocol=ipsec-ah
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix="DROPPED LAN"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp in" in-interface-list=WAN new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward comment="Clamp out" new-mss=clamp-to-pmtu ut-interface-list=WAN passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.1.0/24 out-interface=bridge1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

For the router with a public IP address:

/ip firewall nat

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" out-interface=src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment="Send to CGNAT Router" dst-address=!192.168.2.0/24 dst-address-type="" dst-port=1234 log=yes log-prefix=CGNAT protocol=tcp to-addresses=192.168.89.2 to-ports=8291

I’m getting somewhere in that now It’s passing through to the CGNAT’d router, it’s reaching the relevant service (Winbox in this case as a test) but I think it doesn’t know how to route out correctly after that as I’m receiving these messages:

WINBOX input: in:Bypass CGNAT out:(unknown 0), proto TCP (SYN), REQUESTING_FROM_IPADDRESS:60192->192.168.89.2:8291, len 52

On your public mikrotik dont add a default route.. add a specific route like:
/ip route
add distance=10 dst-address=(lan network of cgnat network) gateway=(l2tp interface)

Sorry, I meant the other way around, if I set ‘add default route’ to the L2TP client interface connection which is being sent out by the router behind CGNAT (because it can’t be the other way around).

I can ping from the public IP router to the CGNAT router (through the VPN interface) if i add a route to do so. However, it doesn’t seem to make any difference as I’m still getting log error messages where the packets reach the Winbox rule but then stops there.

I’m thinking that maybe it might need a connection mark for any traffic coming in from teh VPN interface to send replies out through src-nat masquerade? Or maybe this doesn’t make sense?

Ok, I am a little confused..
You are trying to open a winbox session from the lan side of your internet MT to your CGNAT lan ip and not able to?

You may need to add
/ip firewall nat
add action=accept chain=srcnat dst-address=(Lan Network Internet MT) src-address=(Lan network CGNAT)
Should be the first entry in your nat list

Hi, thank you for trying to help so far.

I think maybe I can try explain more.

I have 3 sites:

1. This site is a Mikrotik that is behind CGNAT ISP connection

2. This site is a Mikrotik that is behind a ‘normal’ public IP connection that I have full access to and can open ports, full configuration changes, etc.

3. This is another site with an internet connection. I am here.

I would like to gain a Winbox connection (as a test and actually could be any service - SSH, FTP, anything behind the router) to the CGNAT router using the Mikrotik at Site 2. I have established a L2TP/IPSec VPN tunnel from Site 1 to Site 2 (initiated by Site 1).

The part that I am having trouble with is what to do next as so far I have opened a port on Site 2 in order to redirect to Site 1 via the VPN. Then I use my connection at Site 3 to use Winbox to go tos Site 2’s IP address (& port that I have opened) so that it should send me back through the tunnel to Site 1.

Ok I think that i more of what you are trying to do…

You are in vpn using l2tp/ipsec to public MT.
from your pc (connected to public ip MT) you are trying to winbox into lan ip of CGNAT lan ip.
is this correct?

I would like to have the complete exports (without passwords or public ip or any sensitive info) of both public and CGNAT routers to see if there is something else going on

I can VPN into the public Mikrotik and from there use Winbox because of the route made to the CGNAT LAN address. So that part is fine.

I’m just wondering if it’s possible to make a connection to the CGNAT router without specifically making a VPN connection to the public Mikrotik router (providing I open up a specific port on it). I know it’s less secure but this was my original thinking.

The only way to get to the CGNAT router is via the vpn established between the public and CGNAC router

Simple way, on router #2, forward port to router #1 (assuming that 192.168.89.2 is address of router #1 reachable from router #2 via VPN):

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<public address of router #2> dst-port=1234 protocol=tcp to-addresses=192.168.89.2 to-ports=8291

Then make all connections look like they come from router #2 using e.g.:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.89.2 protocol=tcp dst-port=8291

You won’t see original source addresses on router #1, so if you’d want to allow access only from selected adresses, you’d need to do it on router #2.

Other ways are possible too, but it’s more work.

This actually works very well and it was the 2nd rule that I was missing. Thank you!

Can you elaborate on any other methods? You don’t need to write the config but I would like to learn any other methods just in case. Thanks once again!

PTPA

To Whom it may Concern,

Good Day! my ISP is behind CGNAT. I would like to learn about to how to overcome and bypass the CGNAT to my clients connections…
been bugging me for so long now. can someone here could help me with my problem… I will really appreciate it… TIA

Merry Christmas!!

Email: Nikkofernandezzvt@gmail.com
Country: Philippines
Zip Code: 2431