NAT from VPN working only when packet sniffer is started

Hi,

My router is behind an LTE modem, and my provider puts me behind a router with a private IP, so I cannot have any incoming connection.

However, I have an HTTP server on this site and I have to provide access to it from the Internet.

I’ve configured a VPN connection from the Mikrotik router to a Linux server on another site with a fiber Internet access, and set up some iptables rules (PREROUTING and POSTROUTING) on that Linux server to redirect the required streams through the VPN connection.
On the RouterOS side, I’ve created a NAT rule to forward the packets to the HTTP server (all ports are forwarded: I might add other services in the future).

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ovpn-sw1 protocol=tcp \
   to-addresses=192.168.0.136

I have also configured these rules so the response packets are returned back to the Linux server:

/ip firewall mangle
add action=mark-connection chain=forward connection-state=new in-interface=ovpn-sw1 log-prefix=from_sw1 new-connection-mark=from_sw1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from_sw1 log-prefix=to_SW1 new-routing-mark=go_SW1 passthrough=no src-address=192.168.0.136
/ip route
add distance=1 gateway=ovpn-sw1 routing-mark=go_SW1

  • New connections from the VPN are marked as ‘from_sw1’.
  • Response packets with the ‘from_sw1’ connection mark are marked as ‘go_SW1’.
  • A specific route is added for these packets to go through the VPN.

And this works… but only when the packet sniffer is started!!!
I have spent hours wondering why it was sometimes working and sometimes not before noticing that, and I can reproduce this behavior.

I’m using a browser to make the tests, and as I said I can load a full web page only when the packet sniffer is started. But actually, I can get a response from the http server using telnet when the packet sniffer is not started (i.e. a ‘bad request’ response because I send a wrong http request header).

I must have missed something…

Hi,

I have a similar issue: when I would like to put some traffic through the VPN interface, I mark packets via route connections in mangle, and it works only when the packet sniffer is enabled. The router has the latest firmware, and this really makes me crazy, and I don’t know how to solve the issue.

I have an openvpn connection “ovpn-prostovpn”.
This is mangle part:

add action=mark-routing chain=prerouting comment="all DNS to VPN" dst-port=53 layer7-protocol=!orange.local new-routing-mark=through-free-vpn-route passthrough=no protocol=udp src-address=192.168.101.0/24
add action=mark-routing chain=prerouting comment="mark packages through vpn" dst-address-list=through-free-vpn-lst new-routing-mark=through-free-vpn-route passthrough=yes src-address=192.168.101.0/24
add action=mark-routing chain=output comment="mark packages through vpn" dst-address-list=through-free-vpn-lst new-routing-mark=through-free-vpn-route passthrough=yes src-address=192.168.101.0/24
add action=mark-connection chain=prerouting comment="mark packages through vpn" dst-address-list=through-free-vpn-lst new-connection-mark=through-free-vpn-lst passthrough=yes src-address=192.168.101.0/24

I have a list of resources (IP addresses) in through-free-vpn-lst

and I have a route:
add distance=5 gateway=ovpn-prostovpn routing-mark=through-free-vpn-route

So everything works for ICMP and DNS, but HTTP/HTTPS doesn’t.
But if I enable the packet sniffer, it works!

Also, if I add a direct route to the route table, it works as well, but I would like to use the address list for that.

Is it possibly a bug in MikroTik? Why does it work when the packet sniffer is enabled?

I’ve disabled fasttrack and now it is working for me.

I think I found a little bit better solution than totally disabling fasttrack.
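For readers hitting the same symptom: fasttracked packets skip the mangle table entirely, and RouterOS suspends fasttrack while the packet sniffer (or torch) is running, which is why the marks only "work" with the sniffer on. The configuration below is an added example, not from any poster in this thread; it reuses the interface, address and mark names from the first post and assumes a typical default-config fasttrack rule for the "before" case.

```routeros
# Added example (not from any post in this thread). Interface, address and
# mark names follow the first post; the filter rules are assumptions about a
# typical default-config firewall, not taken from the thread.

# 1. Mark connections arriving over the VPN and policy-route their replies.
/ip firewall mangle
add chain=forward connection-state=new in-interface=ovpn-sw1 \
    action=mark-connection new-connection-mark=from_sw1 passthrough=yes
add chain=prerouting connection-mark=from_sw1 src-address=192.168.0.136 \
    action=mark-routing new-routing-mark=go_SW1 passthrough=no

/ip route
add distance=1 gateway=ovpn-sw1 routing-mark=go_SW1

# 2. Weak setting (assumed default): every established/related connection
#    is handed to the fast path. Fasttracked packets never enter mangle,
#    so reply packets lose the go_SW1 routing mark and leave through the
#    default gateway instead of the VPN. Kept here for comparison only.
# /ip firewall filter
# add chain=forward connection-state=established,related \
#     action=fasttrack-connection

# 3. Corrected setting: keep fasttrack for all other traffic, but exclude
#    connections carrying the connection mark that drives the routing mark.
#    The first (new) packet is never fasttracked, so the mark is always set
#    before this rule is consulted for the rest of the connection.
/ip firewall filter
add chain=forward connection-state=established,related \
    connection-mark=!from_sw1 action=fasttrack-connection \
    comment="fasttrack, except connections that need policy routing"
add chain=forward connection-state=established,related action=accept
```

To confirm the fix, check that `/ip firewall connection print where connection-mark=from_sw1` shows those connections without the fasttrack flag while unrelated LAN connections still have it.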