How to get traffic to hosts with VPN but not NAT?

Hello

Simple question here, I think.
[Attachment: Screen Shot 2015-11-03 at 1.14.43 pm.png]
What rule is required on the bottom router to allow ‘User 1’ to get traffic (single TCP port) to Device 1 and 2? Will dst-nat work when there is no NAT masquerading on the VPN-client router?

For example, will:

/ip firewall nat add chain=dstnat dst-address=10.0.1.10 protocol=tcp dst-port=8080 action=dst-nat to-addresses=172.16.100.6 to-ports=80

let the remote user see a web server on Device 2 if he browses to http://10.0.1.10:8080 whilst also being connected to the VPN server?

Thanks!

Without NAT on the SSTP router it is possible in three ways:

  • (preferred) Add a route to the customer router: 10.0.1.0/24 via 172.16.100.4. Otherwise the response packet from 172.16.100.6 will not find its way to the SSTP client, since it will be forwarded to the customer router.
  • Add the 10.0.1.0/24 via 172.16.100.4 route to the Device1 and Device2 routing tables.
  • Configure Device1 and Device2 to use 172.16.100.4 as their default gateway.

But I think that adding NAT on the SSTP router is the easiest solution.
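As an added illustration (not the replier's own commands), here are RouterOS lines for the preferred option and for the NAT alternative, using the addresses from this thread; it assumes 172.16.100.0/24 is the customer LAN and that the customer router is also RouterOS. Apply one option or the other, not both.

```routeros
# Option A (preferred in the reply): give the customer router a return route for the
# VPN client subnet, so replies from 172.16.100.6 are sent back to the SSTP router
# instead of being dropped or sent out the customer router's default route.
/ip route add dst-address=10.0.1.0/24 gateway=172.16.100.4 comment="VPN clients via SSTP router"

# Option B: keep everything on the SSTP router. The dst-nat rule from the question
# steers User 1's connection to the web server on Device 2 ...
/ip firewall nat add chain=dstnat dst-address=10.0.1.10 protocol=tcp dst-port=8080 action=dst-nat to-addresses=172.16.100.6 to-ports=80 comment="User 1 -> Device 2 web"
# ... and a src-nat rule hides the 10.0.1.0/24 clients behind the router's LAN address,
# so Device 2 replies to 172.16.100.4 (a host on its own subnet) and no route is needed.
# 172.16.100.0/24 as the LAN subnet is an assumption; adjust to the real prefix.
/ip firewall nat add chain=srcnat src-address=10.0.1.0/24 dst-address=172.16.100.0/24 action=src-nat to-addresses=172.16.100.4 comment="hide VPN clients behind LAN address"

# Check: after User 1 opens http://10.0.1.10:8080, the tracked connection should show
# the translated reply address (Option A) or the translated source (Option B).
/ip firewall connection print where dst-address~"172.16.100.6"
```

With Option B the web server's logs will show 172.16.100.4 rather than the individual VPN client, which is the usual trade-off of source NAT.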