L2TP client to SERVER port won't open

Hi MikroTik community, I now have a few days of hard experience with MikroTik and I can say I'm amazed with RouterOS. I have read all the possible tutorials and solutions + this forum and I got stuck.

Anyway, here is my SETUP and current progress (I hope I can get some lead/advice and help since I'm stuck).
What is my problem? I have a high-latency internet connection without a public IP, and thus I need an L2TP VPN to get to my IP cameras remotely.

My PLAN?

Mikrotik (L2TP client) > L2TP SERVER > INTERNET

What I managed so far?

I got a connection to the L2TP Linux server with the MikroTik. Now my whole LAN IP range goes over the VPN and gets the VPN server IP. Great! Also, I can get access to the MikroTik router over the server IP!

SETUP:

VPN SERVER IP: 85.111.222.333

MikroTik WAN: connected to another router which is connected to my ISP, and got IP 192.168.1.123/24. Later I will connect it directly to the high-latency internet connection, but here I am only trying to set it up.

MikroTik VPN IP: 10.1.2.3
MikroTik LAN IP: 192.168.88.1

Let's go on...
I managed to access MT (MikroTik) WebFig remotely with 85.111.222.333:PORT by NAT-ing with firewall rules on the VPN Linux server. This means the VPN works fine and I want it like that!

What I want now is, when I connect a device to my MT (in this example I have an IP camera which got IP 192.168.88.244 from the MikroTik): the camera has a GUI on 192.168.88.244:900 and I want to access that by NAT-ing it on the Linux server! But it won't work like the MikroTik WebFig on port 80. I can access WebFig by going to 10.1.2.3:200 (the VPN IP; I put port 200 on the Linux VPN server side), but I can't get port 900 out. I tried all possible rules and solutions, but I am stuck somewhere!


Here is some of my config so far:

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X chain=dstnat action=dst-nat to-addresses=192.168.88.244 to-ports=0-65535 
     protocol=tcp dst-address=10.1.2.3 

 1 X chain=srcnat action=src-nat to-addresses=10.1.2.3 to-ports=0-65535 
     protocol=tcp src-address=192.168.88.244 

 2 X chain=dstnat action=dst-nat to-addresses=192.168.88.244 to-ports=900 
     protocol=tcp dst-address=10.1.2.3 routing-mark=l2tp 
     in-interface=l2tp-out1 dst-port=900 

 3 X chain=dstnat action=dst-nat to-addresses=192.168.88.244 to-ports=900 
     protocol=tcp in-interface=l2tp-out1 dst-port=900 

 4 X chain=dstnat action=dst-nat to-addresses=192.168.88.244 to-ports=900 
     protocol=tcp dst-port=900 

 5 X chain=srcnat action=src-nat to-addresses=10.1.2.3 
     src-address=192.168.88.244 out-interface=ether1-gateway 

 6 X chain=dstnat action=dst-nat to-addresses=192.168.88.244 
     dst-address=10.1.2.3 in-interface=ether4-slave-local 

 7   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 
     out-interface=ether1-gateway 

 8   chain=srcnat action=masquerade out-interface=l2tp-out1 

 9   chain=srcnat action=accept 

10   chain=dstnat action=accept



[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established 

 2   ;;; default configuration
     chain=input action=accept connection-state=related 

 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway 

 4   ;;; default configuration
     chain=forward action=accept connection-state=established 

 5   ;;; default configuration
     chain=forward action=accept connection-state=related 

 6   ;;; default configuration
     chain=forward action=drop connection-state=invalid

In short:

I want 192.168.88.244:900 = 10.1.2.3:900 (IP camera connected by cable on ether4)
Right now this works: 192.168.88.1:80 = 10.1.2.3:80

The 10.1.2.1 IP range is the L2TP IP range given by the Linux VPN server!

What do I do to get port 900 out over the l2tp-out1 IP 10.1.2.3? Standard ways don't work...

Anyway, I was doing some more stuff today but I am still stuck. Here are some details...

As said, all I want to do is forward any port from any LAN IP (192.168.88.X) to 10.1.2.3, which is the VPN IP I got from the VPN server.
I probably made a huge mistake somewhere...

Ah yes, now I tried with an Apache on my Windows PC. Apache points to port 81, my PC got 192.168.88.254, and when I go to 192.168.88.254:81 Apache opens fine. Now I want that port to go through L2TP, so that when I try 10.1.2.3:81 it opens up...
Here are my tries, and the picture below shows that some packets are coming in when I refresh the IP.

[admin@MikroTik] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="ether1-gateway" default-name="ether1" type="ether" mtu=1500 
       l2mtu=1600 max-l2mtu=4076 mac-address=D4:CA:6D:A5:FF:40 fast-path=yes 

 1  RS name="ether2-master-local" default-name="ether2" type="ether" mtu=1500 
       l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:A5:FF:41 fast-path=yes 

 2   S name="ether3-slave-local" default-name="ether3" type="ether" mtu=1500 
       l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:A5:FF:42 fast-path=yes 

 3  RS name="ether4-slave-local" default-name="ether4" type="ether" mtu=1500 
       l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:A5:FF:43 fast-path=yes 

 4  RS name="ether5-slave-local" default-name="ether5" type="ether" mtu=1500 
       l2mtu=1598 max-l2mtu=2028 mac-address=D4:CA:6D:A5:FF:44 fast-path=yes 

 5  RS name="wlan1" default-name="wlan1" type="wlan" mtu=1500 l2mtu=2290 
       mac-address=D4:CA:6D:A5:FF:45 fast-path=no 

 6  R  name="bridge-local" type="bridge" mtu=1500 l2mtu=1598 
       mac-address=D4:CA:6D:A5:FF:41 fast-path=no 

 7  R  name="l2tp-out1" type="l2tp-out" mtu=1400 fast-path=no



[admin@MikroTik] > /ip route print detail         
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=l2tp-out1 
        gateway-status=l2tp-out1 reachable distance=1 scope=30 target-scope=10 
        routing-mark=l2tp 

 1 ADS  dst-address=0.0.0.0/0 gateway=192.168.1.1 
        gateway-status=192.168.1.1 reachable via  ether1-gateway distance=1 
        scope=30 target-scope=10 vrf-interface=ether1-gateway 

 2  DS  dst-address=0.0.0.0/0 gateway=10.1.2.1 
        gateway-status=10.1.2.1 reachable via  l2tp-out1 distance=1 scope=30 
        target-scope=10 

 3 ADC  dst-address=10.1.2.1/32 pref-src=10.1.2.3 gateway=l2tp-out1 
        gateway-status=l2tp-out1 reachable distance=0 scope=10 

 4 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.123 gateway=ether1-gateway 
        gateway-status=ether1-gateway reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge-local 
        gateway-status=bridge-local reachable distance=0 scope=10 

 6   S  dst-address=192.168.88.0/24 gateway=10.1.2.1 
        gateway-status=10.1.2.1 reachable via  l2tp-out1 distance=1 scope=30 
        target-scope=10 

 7 A S  dst-address=192.168.88.243/32 gateway=10.1.2.1 
        gateway-status=10.1.2.1 reachable via  l2tp-out1 distance=1 scope=30 
        target-scope=10



[admin@MikroTik] > /ip address print detail      
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     address=192.168.88.1/24 network=192.168.88.0 interface=bridge-local 
     actual-interface=bridge-local 

 1 X address=192.168.10.1/24 network=192.168.10.0 interface=ether5-slave-local 
     actual-interface=ether5-slave-local 

 2 D address=192.168.1.123/24 network=192.168.1.0 interface=ether1-gateway 
     actual-interface=ether1-gateway 

 3 D address=10.1.2.3/32 network=10.1.2.1 interface=l2tp-out1 
     actual-interface=l2tp-out1



[admin@MikroTik] > /ip firewall export
# jan/02/1970 04:24:41 by RouterOS 6.9
# software id = EUKR-V1ZD
#
/ip firewall filter
add chain=input disabled=yes dst-port=900 protocol=tcp
add chain=forward dst-address=192.168.88.243 dst-port=900 out-interface=\
    l2tp-out1 protocol=tcp
add chain=forward dst-address=192.168.88.254 dst-port=81 out-interface=\
    l2tp-out1 protocol=tcp routing-mark=l2tp
add chain=forward dst-address=192.168.88.254 dst-port=81 out-interface=\
    l2tp-out1 protocol=udp
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=l2tp src-address=\
    192.168.88.1-192.168.88.254
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=l2tp \
    src-address=192.168.10.1-192.168.10.10
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.1.2.3 dst-port=900 protocol=tcp \
    to-addresses=192.168.88.243 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=10.1.2.3 dst-port=81 protocol=tcp \
    to-addresses=192.168.88.254 to-ports=0-65535
add action=src-nat chain=srcnat dst-address=192.168.88.254 dst-port=81 \
    out-interface=l2tp-out1 protocol=tcp to-addresses=10.1.2.3 to-ports=81
add action=dst-nat chain=dstnat disabled=yes dst-address=10.1.2.3 dst-port=81 \
    protocol=udp to-addresses=192.168.88.254 to-ports=0-65535
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
    192.168.88.254 src-port=81 to-addresses=10.1.2.3 to-ports=81
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
    192.168.88.243 to-addresses=10.1.2.3 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes in-interface=l2tp-out1 protocol=\
    tcp routing-mark=l2tp src-port=900 to-addresses=192.168.88.243 to-ports=\
    900-910
add action=dst-nat chain=dstnat disabled=yes dst-port=900 in-interface=\
    l2tp-out1 protocol=tcp to-addresses=192.168.88.244 to-ports=900
add action=src-nat chain=srcnat disabled=yes out-interface=bridge-local \
    protocol=tcp src-address=192.168.88.243 to-addresses=10.1.2.3 to-ports=900
add action=dst-nat chain=dstnat disabled=yes protocol=tcp src-address=10.1.2.3 \
    src-port=900 to-addresses=192.168.88.243 to-ports=900
add action=dst-nat chain=dstnat disabled=yes in-interface=bridge-local \
    protocol=tcp src-address=10.1.2.3 src-port=900 to-addresses=192.168.88.243 \
    to-ports=900-910
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=l2tp-out1
add chain=srcnat
add chain=dstnat

As you can see in the picture, when I try 10.1.2.3:81 and 10.1.2.3:900 there are some packets coming in, but I don't see any content. I get a time-out, but when I go to 10.1.2.3:80 I open WebFig easily.

Ah, I also opened ports in the filter! But I don't know if that is good...

[admin@MikroTik] /ip firewall filter> export
# jan/02/1970 04:42:30 by RouterOS 6.9
# software id = EUKR-V1ZD
#
/ip firewall filter
add chain=input disabled=yes dst-port=900 protocol=tcp
add chain=forward dst-address=192.168.88.243 dst-port=900 out-interface=\
    l2tp-out1 protocol=tcp
add chain=forward dst-address=192.168.88.254 dst-port=81 out-interface=\
    l2tp-out1 protocol=tcp routing-mark=l2tp
add chain=forward dst-address=192.168.88.254 dst-port=81 out-interface=\
    l2tp-out1 protocol=udp
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid

Okay, I managed to get port 81 working on the L2TP virtual IP.

So basically now the Apache on my PC (192.168.88.254:81) is connected to 10.1.2.3:81 and I can access it remotely from my server.

What bugs me now is the IP camera: it has 3 ports, the standard HTTP GUI port 900, data port 9008 and RTSP port 554.
I gave up on port 900 (it seems it needs port 9008 too to work) and I started doing port 554. I can bind that to 10.1.2.3:554, but it just won't go out!
I see the counter going up in my NAT rule, but when I check Torch it isn't right...

Do you need my "new" rules?

Okay, I have made some "progress", which I can't really call progress, but hey!

I now tried forwarding port 554 from the IP camera to the ether1 WAN and it works, of course! When I connect remotely I see the TX rate go up! See picture here:

BUT when I try the same thing, same NAT rules but via the L2TP VPN tunnel, I can't get the TX rate up! See pic here:

Any idea, PLEASE?!
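The following is an added example, not the poster's configuration and not an official MikroTik recipe. It shows the minimal RouterOS v6 rule set for publishing a LAN host's TCP ports through an L2TP *client* tunnel, which is the setup the thread describes: a dst-nat on the tunnel interface, a return-path fix so replies leave through the tunnel rather than the main default route, and a forward filter that admits only the dst-natted connections. Interface names and addresses (l2tp-out1, 10.1.2.3, bridge-local, camera 192.168.88.244 with ports 900/9008/554, routing table name l2tp) are taken from the post; everything else, including the connection-mark name `from-l2tp`, is an assumption. The post's existing mangle rule that routes all of 192.168.88.0/24 through the tunnel already covers the return path, so the two mangle rules below are the general form for a router whose LAN traffic normally exits via the WAN.

```routeros
# Added example (not from the original post). Assumes RouterOS v6, tunnel
# interface l2tp-out1 with address 10.1.2.3, LAN bridge bridge-local, and a
# camera at 192.168.88.244 listening on TCP 900, 9008 and 554.

/ip firewall mangle
# 1. Remember which connections entered through the tunnel ...
add chain=prerouting in-interface=l2tp-out1 connection-state=new \
    action=mark-connection new-connection-mark=from-l2tp passthrough=yes
# 2. ... and route every reply packet of those connections via table "l2tp",
#    so the camera's answers do not leak out of ether1 by the main default route.
add chain=prerouting connection-mark=from-l2tp in-interface=!l2tp-out1 \
    action=mark-routing new-routing-mark=l2tp passthrough=no

/ip route
# Default route for the marked replies (the post already has this one).
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=l2tp

/ip firewall nat
# One dst-nat rule for all published ports. Match the tunnel interface and the
# tunnel address; leaving out to-ports keeps the original destination port.
add chain=dstnat in-interface=l2tp-out1 dst-address=10.1.2.3 protocol=tcp \
    dst-port=900,9008,554 action=dst-nat to-addresses=192.168.88.244
# Optional: if the camera's own default gateway is not 192.168.88.1, it cannot
# answer an address outside its subnet. Masquerading the inbound leg towards
# the LAN makes it answer the router instead (the camera then logs 192.168.88.1
# as the client, not the real remote address).
add chain=srcnat out-interface=bridge-local dst-address=192.168.88.244 \
    protocol=tcp dst-port=900,9008,554 src-address=!192.168.88.0/24 \
    action=masquerade

/ip firewall filter
# Appended after the default established/related accepts: admit only the
# dst-natted connections from the tunnel, drop anything else the VPN server
# side tries to open towards the LAN.
add chain=forward in-interface=l2tp-out1 connection-state=new \
    connection-nat-state=dstnat action=accept
add chain=forward in-interface=l2tp-out1 connection-state=new action=drop

# Checks: rule counters, the tracked connection, and whether the camera
# actually answers on the LAN side.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.88.244"
/tool torch interface=bridge-local ip-protocol=tcp port=900
```

If the nat counter increases and `connection print` shows the connection but Torch shows no reply bytes from 192.168.88.244, the LAN host itself is not answering (wrong gateway, host firewall, or a service that only binds to a second port such as 9008); if Torch does show replies but they never reach the tunnel, the return route is wrong. Two caveats a practitioner would add: the dst-nat rule above accepts any source address on the VPN, so restrict `src-address` to the addresses that should reach the camera, and whatever the Linux server then exposes with its own DNAT is reachable from the whole internet, so an embedded camera web GUI is better kept VPN-only than published on a public port.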