Hi,
My computer and my server are on the same local network.
I'm trying to establish a connection to my server as follows:
My computer (local IP) => (my public IP).
I have RouterOS 6.46.4.
My network configuration:
local network = 5.0.20.0
local server = 5.0.20.182
local customer = 5.0.20.185
Public IP = 36.10.206.471
Router configuration:
/ip firewall filter
add action=accept chain=forward
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes \
src-address=5.0.20.0/24
add action=change-mss chain=forward new-mss=1410 out-interface=l2tp1 \
passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
add action=change-mss chain=forward in-interface=l2tp1 new-mss=1410 \
passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
/ip firewall nat
add action=masquerade chain=srcnat comment=HAIRPIN-NAT dst-address=\
5.0.20.182 protocol=tcp src-address=5.0.20.0/24
add action=src-nat chain=srcnat comment="L2TP 0" out-interface=l2tp0 \
src-address=5.0.20.0/24 to-addresses=36.10.206.471
add action=src-nat chain=srcnat comment="L2TP 1" out-interface=l2tp1 \
src-address=5.0.20.0/24 to-addresses=36.10.206.471
add action=dst-nat chain=dstnat comment="WEB ACCESS to local server" \
dst-address=36.10.206.471 dst-port=5111 protocol=tcp to-addresses=\
5.0.20.182
Thanks a lot
anav
March 30, 2020, 6:48pm
2
/ip firewall nat
Missing the standard source NAT rule that is always required.
Format looks like
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
But since you have a fixed WAN IP this is better
add action=src-nat chain=srcnat to-addresses=36.10.206.471 out-interface-list=WAN
Now you need to add another source rule for hairpin..
add action=masquerade chain=srcnat comment=HAIRPIN-NAT src-address=5.0.20.0/24 dst-address=5.0.20.0/24
Now for the destination NAT rule… it is fine!!
add action=dst-nat chain=dstnat comment="WEB ACCESS to local server" dst-address=36.10.206.471 dst-port=5111 protocol=tcp to-addresses=5.0.20.182
WAN interface list = l2tp0 & l2tp1 & loopback with my public IP attached?
When I run this command on my customer computer:
ssh user@ -p 5111
I have this connection in WinBox:
syn sent (TCP) → source 5.0.20.185:40010 destination 36.10.206.471:5111
close → source 10.2.0.124:30090 destination 5.0.20.147:5111
IP 10.2.0.124 is the address of my l2tp0 interface, while the network is 10.2.0.123.
Must I include the loopback interface with my public IP 36.10.206.471 associated with my domain name?
I have seen the fast forwarding option too.
Moreover, I have a router of the big provider network in front of the web! What can I do?
IP (cloud): I have the public IP of the big provider.
anav
March 30, 2020, 9:17pm
4
If you have some funky non standard wan connection then I am not able to assist, you will need a higher tier of support LOL
Sob
March 31, 2020, 1:20am
5
About this:
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes \
src-address=5.0.20.0/24
What do you have in routing table "vpn"? Because if it doesn't have a route to 5.0.20.182, then even though dstnat changes the destination for connections from the client to the public address to 5.0.20.182, it won't really go there.
Simplest fix for that is @anav's favourite:
/ip route rule
add action=lookup-only-in-table dst-address=5.0.20.0/24 table=main
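As an added illustration (a constructed Python model written for this thread, not RouterOS code and not anything the participants posted), the following walks a LAN client's SYN to the public IP through the steps discussed in the two replies above: the mark-routing rule, the dst-nat rule, the routing decision with and without the lookup-only-in-table route rule from Sob's post, and the hairpin src-nat rule from anav's post. The contents of the "vpn" routing table (default route only, no LAN route) and the 10.2.0.124 tunnel address are assumptions taken from the symptoms described in the thread; the OP's own hairpin rule (dst-address=server, protocol=tcp) and anav's broader LAN-to-LAN rule behave the same way in this model.

```python
"""
Toy model of the RouterOS packet path for the hairpin-NAT case in this thread.
Constructed illustration, not RouterOS code: it models prerouting mangle
(routing mark), dst-nat, the routing decision (route rules first, then the
marked table), src-nat on the way out, and the server's reply, so you can see
which rule changes what.
"""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

LAN = ipaddress.ip_network("10.0.20.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROUTER_LAN_IP = "10.0.20.1"        # /ip address on bridge1
PUBLIC_IP = "80.10.50.185"         # /ip address on Loopback0
SERVER = "10.0.20.182"
CLIENT = "10.0.20.185"

# Routing tables: prefix -> out interface. Assumption (Sob's hypothesis): the
# "vpn" table only has a default route over the tunnel and no LAN route,
# while "main" has the connected LAN route.
TABLES = {
    "main": {LAN: "bridge1", DEFAULT: "l2tp0"},
    "vpn": {DEFAULT: "l2tp0"},
}
# Address a masquerade rule picks on each interface (tunnel address assumed).
IFACE_ADDR = {"bridge1": ROUTER_LAN_IP, "l2tp0": "10.2.0.124"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    mark: Optional[str] = None
    out_iface: Optional[str] = None


def lookup(table: dict, dst: str) -> str:
    """Longest-prefix match in one routing table."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in table if addr in n), key=lambda n: n.prefixlen)
    return table[best]


def route(pkt: Packet, route_rules: list) -> Packet:
    """/ip route rule (lookup-only-in-table) wins over the routing mark."""
    table = "main"
    for prefix, tbl in route_rules:
        if ipaddress.ip_address(pkt.dst) in prefix:
            table = tbl
            break
    else:
        if pkt.mark in TABLES:
            table = pkt.mark
    return replace(pkt, out_iface=lookup(TABLES[table], pkt.dst))


def forward(pkt: Packet, cfg: dict) -> Packet:
    """Client -> router: mangle, dst-nat, routing decision, src-nat."""
    src_in_lan = ipaddress.ip_address(pkt.src) in LAN
    # /ip firewall mangle: mark-routing=vpn for everything from the LAN
    if cfg["mark_lan"] and src_in_lan:
        pkt = replace(pkt, mark="vpn")
    # /ip firewall nat chain=dstnat: public IP:5111 -> server
    if pkt.dst == PUBLIC_IP and pkt.dport == 5111:
        pkt = replace(pkt, dst=SERVER)
    pkt = route(pkt, cfg["route_rules"])
    # /ip firewall nat chain=srcnat: hairpin masquerade (LAN -> LAN after dst-nat)
    if cfg["hairpin"] and src_in_lan and ipaddress.ip_address(pkt.dst) in LAN:
        pkt = replace(pkt, src=IFACE_ADDR[pkt.out_iface])
    return pkt


def attempt(cfg: dict) -> str:
    """Outcome of the client's TCP SYN to PUBLIC_IP:5111 under a config."""
    fwd = forward(Packet(src=CLIENT, dst=PUBLIC_IP, dport=5111), cfg)
    if fwd.out_iface != "bridge1":
        return f"lost: sent out {fwd.out_iface} as {fwd.src}->{fwd.dst}"
    # The server answers whoever it saw. A same-subnet reply goes straight to
    # that host, bypassing the router, so nothing reverses the dst-nat.
    if fwd.src == CLIENT:
        return f"reset: reply comes from {SERVER}, client expected {PUBLIC_IP}"
    # Reply is addressed to the router, which reverses both translations.
    return f"ok: router un-NATs the reply, client sees {PUBLIC_IP}"


# OP's first post: routing mark on, no route rule, hairpin rule present
ORIGINAL = {"mark_lan": True, "route_rules": [], "hairpin": True}
# Route rule from Sob's post, but no hairpin src-nat
NO_HAIRPIN = {"mark_lan": True, "route_rules": [(LAN, "main")], "hairpin": False}
# Both fixes applied
FIXED = {"mark_lan": True, "route_rules": [(LAN, "main")], "hairpin": True}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("no hairpin", NO_HAIRPIN), ("fixed", FIXED)):
        print(f"{name:>11}: {attempt(cfg)}")
```

Running it reproduces the WinBox symptom from the thread for the original configuration (the dst-natted connection leaves on l2tp0 with the 10.2.0.124 tunnel address as source), shows that the route rule alone is not enough because the server would then reply to the client directly on the LAN, and shows the connection only works with both the route rule and a hairpin src-nat rule in place.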
I'm sorry for the exotic IPs.
##################################
FIRST MESSAGE RE-WRITE
##################################
local network = 10.0.20.0
server IP = 10.0.20.182
customer IP = 10.0.20.185
public IP = 80.10.50.185 for example
Router configuration:
/ip firewall filter
add action=accept chain=forward
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes \
src-address=10.0.20.0/24
add action=change-mss chain=forward new-mss=1410 out-interface=l2tp1 \
passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
add action=change-mss chain=forward in-interface=l2tp1 new-mss=1410 \
passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1411-65535
/ip firewall nat
add action=masquerade chain=srcnat comment=HAIRPIN-NAT dst-address=\
10.0.20.182 protocol=tcp src-address=10.0.20.0/24
add action=src-nat chain=srcnat comment="L2TP 0" out-interface=l2tp0 \
src-address=10.0.20.0/24 to-addresses=80.10.50.185
add action=src-nat chain=srcnat comment="L2TP 1" out-interface=l2tp1 \
src-address=10.0.20.0/24 to-addresses=80.10.50.185
add action=dst-nat chain=dstnat comment="WEB ACCESS to local server" \
dst-address=80.10.50.185 dst-port=5111 protocol=tcp to-addresses=\
10.0.20.182
##################################
YOUR ADDITION
##################################
/interface list WAN = l2tp0 & l2tp1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=src-nat chain=srcnat to-addresses=80.10.50.185 out-interface-list=WAN
add action=masquerade chain=srcnat comment=HAIRPIN-NAT src-address=10.0.20.0/24 dst-address=10.0.20.0/24
add action=dst-nat chain=dstnat comment="WEB ACCESS to local server" dst-address=80.10.50.185 dst-port=5111 protocol=tcp to-addresses=10.0.20.182
##################################
SUMMARY OF MY ROUTER CONFIGURATION : VPN, ...
##################################
local network = 10.0.20.0
server IP = 10.0.20.182
customer IP = 10.0.20.185
public IP = 80.10.50.185 for example
About the vpn routing table, I have this configuration:
/routing bgp instance
add as=65131 client-to-client-reflection=no name=AS65131_V4 \
redistribute-other-bgp=yes router-id=10.0.20.1 routing-table=vpn
/ip address
add address=10.0.20.1/24 interface=bridge1 network=10.0.20.0
add address=80.10.50.185 interface=Loopback0 network=80.10.50.185
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=130.117.11.11 domain=\
jo.cust.net gateway=10.0.20.1 netmask=24
/ip dns
set servers=2a0b:cbc0:42::42,130.117.11.11,9.9.9.9
/routing bgp network
add network=10.0.20.0/24 synchronize=no
add network=2a0b:cbc0:6111::/48 synchronize=no
add network=80.10.50.185/32 synchronize=no
/routing bgp peer
add in-filter=transit-in-57199-brs-v4 instance=AS65131_V4 name=\
"Transit: Milka brs [IPv4]" out-filter=transit-out-57199-brs-v4 \
remote-address=10.0.1.133 remote-as=65061 ttl=default
add address-families=ipv6 in-filter=transit-in-57199-brs-v6 instance=\
AS65113_V6 name="Transit: Milka BRS [IPv6]" out-filter=\
transit-out-57199-brs-v6 remote-address=2a0b:cbc0:1::111 remote-as=65061 \
ttl=default
add address-families=ipv6 in-filter=transit-in-57199-vnx-v6 instance=\
AS65113_V6 name="Transit: Milka VNX (Backup) [IPv6]" out-filter=\
transit-out-57199-vnx-v6 remote-address=2a0b:cbc0:1::115 remote-as=65021 \
ttl=default
add in-filter=transit-in-57199-vnx-v4 instance=AS65131_V4 name=\
"Transit: Milka vnx [IPv4]" out-filter=transit-out-57199-vnx-v4 \
remote-address=10.0.1.137 remote-as=65021 ttl=default
/routing filter
add action=accept chain=transit-in-57199-vnx-v4 set-bgp-prepend=2
add chain=---
add action=accept chain=transit-out-57199-vnx-v4 prefix=10.0.20.0/24 \
set-bgp-prepend=2
add action=accept chain=transit-out-57199-vnx-v4 prefix=80.10.50.185 \
set-bgp-prepend=2
add action=discard chain=transit-out-57199-vnx-v4
add chain=---
add action=accept chain=transit-in-57199-vnx-v6 set-bgp-prepend=2
add chain=---
add action=accept chain=transit-out-57199-vnx-v6 prefix=2a0b:cbc0:6111::/48 \
set-bgp-prepend=2
add action=discard chain=transit-out-57199-vnx-v6
add chain=---
add chain=---
add chain=---
add action=accept chain=transit-in-57199-brs-v4
add chain=---
add action=accept chain=transit-out-57199-brs-v4 prefix=10.0.20.0/24
add action=accept chain=transit-out-57199-brs-v4 prefix=80.10.50.185
add action=discard chain=transit-out-57199-brs-v4
add chain=---
add action=accept chain=transit-in-57199-brs-v6
add chain=---
add action=accept chain=transit-out-57199-brs-v6 prefix=2a0b:cbc0:6111::/48
add action=discard chain=transit-out-57199-brs-v6
Okay,
with your last line, I have access to my server from my local network.
/ip route rule
add action=lookup-only-in-table dst-address=5.0.20.0/24 table=main