NAT to VPN

Hi all, my customer is forced to use an LTE mobile service; however, the mobile service provider does not allow any incoming connection. My plan has been to create a VPN from the LTE router to a Mikrotik acting as a firewall and forward RDP traffic to the customer’s machine on their LAN.

I have been able to configure a simple L2TP VPN and can telnet from inside the Mikrotik to the 172.16.0.0 address at the far end of the VPN. I can also ping from inside the Mikrotik to the very far end device on the customer network. That gives me confidence that the VPN itself is working.

My problem, however, is that I am not able to connect to any address inside the VPN from the WAN interface. The result is that any port forwards are not working even though I am able to see that the port is open.

I have added a standard masquerade rule to the WAN interface; however, clearly that is not correct, or not enough.

I would really appreciate any feedback that might point me in the right direction to get this working.

Thanks
Mal

/interface list
add name=WAN
add name=LAN
/ip pool
add name=vpn ranges=172.16.0.10-172.16.0.20
/ppp profile
add local-address=172.16.0.1 name=l2tp remote-address=vpn
/interface l2tp-server server
set default-profile=l2tp enabled=yes
/interface list member
add interface=ether1 list=WAN
add list=LAN

/ip firewall filter
add action=reject chain=input comment="ALLOW SSH from PN" disabled=yes dst-port=3389 protocol=tcp reject-with=icmp-network-unreachable src-address=103.225.68.0/22
add action=accept chain=forward connection-state=established,related disabled=yes in-interface=ether1
add action=drop chain=input comment="DROP SSH" disabled=yes dst-port=22 protocol=tcp src-address=!103.225.68.0/22
add action=drop chain=input comment=“DROP TELNET” dst-port=23 protocol=tcp src-address=0.0.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address=103.225.69.8 dst-port=5443 protocol=tcp to-addresses=172.16.0.102 to-ports=443

Your LTE router probably will not route all traffic over the VPN. You can fix this on the MT side by masquerading outgoing PPP traffic so all RDP will be coming from 172.16.0.1.


/ip firewall nat
add action=masquerade chain=srcnat out-interface=all-ppp

Please fix your firewall - add allow rules for your trusted interfaces and drop the rest, in both the input and forward chains. You may want to restore the default configuration.
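To make the fix above concrete, here is an added example of a complete RouterOS configuration that combines the port forward, the masquerade on the PPP side, and a minimal allow-then-drop firewall. It is not the poster's configuration or the replier's; it reuses their values (ether1 as WAN, public address 103.225.69.8, tunnel address 172.16.0.1, target host 172.16.0.102, port 5443 to 443) and adds an assumed address list named rdp-clients with a documentation range as the only sources allowed to reach the forwarded port.

```routeros
# Added example, not from the original thread. Assumptions: ether1 is the WAN
# interface holding 103.225.69.8, the L2TP server side is 172.16.0.1, the host to
# publish is 172.16.0.102, and "rdp-clients" is a hypothetical address list of
# client networks permitted to use the forward (203.0.113.0/24 is TEST-NET-3).

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
# The poster's export has an empty LAN list; add the real LAN interface here,
# otherwise every in-interface-list=LAN rule below matches nothing.

/ip firewall address-list
add address=203.0.113.0/24 list=rdp-clients comment="constructed example client range"

/ip firewall nat
# 1. Publish the service: 103.225.69.8:5443 on WAN -> 172.16.0.102:443 in the tunnel,
#    restricted to known clients so the forward is not reachable from the whole internet.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-address=103.225.69.8 dst-port=5443 src-address-list=rdp-clients \
    to-addresses=172.16.0.102 to-ports=443 comment="publish customer host"
# 2. The fix from the reply: rewrite the source of everything sent into the tunnel
#    to 172.16.0.1. Without this, the customer host sees the real WAN client address,
#    and its LTE router sends the reply out its default route instead of back through
#    the tunnel, so the forwarded connection never completes.
add chain=srcnat action=masquerade out-interface=all-ppp comment="hide WAN clients behind tunnel IP"
# 3. Ordinary masquerade for this router's own LAN towards the internet.
add chain=srcnat action=masquerade out-interface-list=WAN

/ip firewall filter
# input chain: traffic addressed to the MikroTik itself
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN comment="management only from LAN"
add chain=input action=accept protocol=udp dst-port=1701 in-interface-list=WAN \
    comment="L2TP control channel; also allow udp 500,4500 and ipsec-esp if use-ipsec=yes"
add chain=input action=drop comment="drop everything else to the router"
# forward chain: traffic passing through the MikroTik
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN
add chain=forward action=accept in-interface=all-ppp comment="flows initiated from the tunnel side"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN \
    comment="from WAN, only flows that matched a dst-nat rule"
add chain=forward action=drop comment="drop everything else"
```

Two caveats for anyone copying this. Masquerading on all-ppp means the customer side only ever logs 172.16.0.1 as the client, so the MikroTik's own connection tracking (or log=yes on the dst-nat rule) becomes the only record of which public address used the forward. And the L2TP server in the poster's export has no IPsec or MPPE settings, so the tunnel carrying the RDP session is unencrypted over the mobile network unless use-ipsec=yes (with the matching UDP 500/4500 and ipsec-esp input rules) or use-encryption=yes in the PPP profile is added.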