As a beginner in mikrotik kung-fu I was very proud of myself when I’ve managed (finally) to setup my two mikrotik routers in a way that I wanted. I have one at my home with public ip on WAN side and second one at the summer home accessing internet through 5G network which is behind NAT at the internet provider. So I’ve configured the l2tp tunnel initiated from the summer home and added IP routing rules directing traffic to each other networks through the tunnel. I can access hosts on both home and summer home private networks (192.168.213.0/24 and 192.168.88.0/24, respectively) from within both those networks.
But now I want to use NAT to access specific hosts from these networks from the internet. NAT works fine if I want to access hosts from the home network (the one handled by the router with a public IP) but if I add NAT rule but with destination at 192.160.88.0/24 network (on the other side of the tunnel) it doesn’t work. I’ve just added a NAT rule in dstnat chain for tcp protocol with dst port of, for example, 12345 to take dst-nat action to 192.168.88.100:80
The web server at that host is shown property when I access 192.168.88.100:80 host from either of my networks, but if I try to access http://my.public.ip.number:12345 from the internet I can see the packet counts increasing for the NAT rule, I see that packets are sent through the tunnel to the destination network but there’s no traffic back from there. What has to be done in addition to that to make this happen? What information I need to provide to help you help me? I’d be grateful for any hints.
[EDIT] - is it because the summer home router is sending response packages directly through the LTE gateway instead of back through the tunnel? If so how to prevent it? I know there’s something called masquerade but as I read the documentation it is meant to do things other way around - to mask the local IP of the sent packages.
So I was correct about the source of the issue. I don’t care about server not knowing the real source address but when I preceded the port forwarding dst-nat rule with the masquerade I notice the traffic going back through the tunnel at the router on the public IP side but apparently the packets are not routed back through the router and its gateway. What I am doing wrong? Here are the NAT rules:
and on the other router I have regular port forwarding rule to a server here from port 12345 to 80.
As for proposed above better solution I’d need some help in pointing me in proper direction because as I somewhat (but not enough apparently) understand what the firewall does I know close to nothing about routing. OK, I managed to add a routing table but I have no idea how I am supposed to mark connections.