NAT to VPN

What kind of VPN?

PPTP

OK - so each user gets a /32 in the routing table…
If it worked when you copied the /32 route into the DEXTER table, then it should also work to leave the /32 alone and not put packets into DEXTER when the destination is the VPN…

While your VPN endpoint is attached:
/ip firewall export compact
/ip address export compact
/ip route print detail

Post the results here.
If you want to do any “sanitizing” on the information before posting, please don’t remove any rules. Only hide the IP addresses with x.x.x.x (and if different public IP ranges are being hidden, use different letters for each different range)

Thanks.

[admin@FW Dexter] /ip firewall> export compact

apr/22/2015 14:00:30 by RouterOS 5.25

software id = FPZS-PB2N

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
/ip firewall mangle
add action=mark-routing chain=prerouting comment=DEXTER dst-address=!172.10.0.0/28 new-routing-mark=DEXTER passthrough=no src-address=192.168.3.0/24
add action=mark-routing chain=prerouting comment=HOSPEDES new-routing-mark=HOSPEDES passthrough=no src-address=10.0.0.0/20
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment="RDR CAMERAS BRIP" disabled=yes dst-address=177.71.xx.xx dst-port=8080 protocol=tcp to-addresses=192.168.3.15 to-ports=8080
add action=dst-nat chain=dstnat comment="RDR CAMERAS ZAMIX" dst-address=189.84.xx.xx dst-port=8080 protocol=tcp to-addresses=192.168.3.15 to-ports=8080
add action=dst-nat chain=dstnat comment="RDR2 CAMERAS ZAMIX" dst-address=189.84.181.238 dst-port=37777 protocol=tcp to-addresses=192.168.3.15 to-ports=37777
[admin@FW Dexter] /ip firewall>



[admin@FW Dexter] /ip address> export compact

apr/22/2015 14:01:46 by RouterOS 5.25

software id = FPZS-PB2N

/ip address
add address=10.0.0.1/20 comment="DMZ ( REDE PARA HOSPEDES )" interface=2_LAN_DMZ
add address=177.71.xx.xx/24 comment="BRIP INTERNET" interface=1_BRIP
add address=192.168.3.1/24 comment="LAN REDE DEXTER" interface=2_LAN_DMZ
add address=189.84.xx.xx/24 comment="ZAMIX INTERNET" interface=5_ZAMIX
[admin@FW Dexter] /ip address>

[admin@FW Dexter] /ip route> print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp,
B - blackhole, U - unreachable, P - prohibit
0 A S ;;; DEXTER
dst-address=0.0.0.0/0 gateway=189.84.xx.xy gateway-status=189.84.xx.xy reach
target-scope=10 routing-mark=DEXTER

1 A S ;;; HOSPEDES
dst-address=0.0.0.0/0 gateway=177.71.xx.xx gateway-status=177.71.xx.xy reachab
target-scope=10 routing-mark=HOSPEDES

2 A S ;;; ROTA PADRAO FAILOVER
dst-address=0.0.0.0/0 gateway=189.84.xx.xy,177.71.xx.xy
gateway-status=189.84.xx.xy reachable via 5_ZAMIX,177.71.xx.xy reachable via
target-scope=10

3 ADC dst-address=10.0.0.0/20 pref-src=10.0.0.1 gateway=2_LAN_DMZ gateway-status=2_LAN

4 ADC dst-address=172.10.0.6/32 pref-src=172.10.0.1 gateway= gateway-sta

5 ADC dst-address=177.71.76.0/24 pref-src=177.71.xx.xx gateway=1_BRIP gateway-status=

6 ADC dst-address=189.84.181.0/24 pref-src=189.84.xx.xx gateway=5_ZAMIX gateway-stat

7 ADC dst-address=192.168.3.0/24 pref-src=192.168.3.1 gateway=2_LAN_DMZ gateway-status
[admin@FW Dexter] /ip route>

OK - I think I figured it out - the mangle exception (dst-address=!172.10.0.0/28) is being missed because the masquerading rule is too aggressive.

The ping replies (or whatever traffic replies such as remote desktop, etc) are going to be going to destination = 192.168.3.1 and not the VPN address… so the masquerade rule continues to mark the packets with routing marks.

Change your first masquerade rule - and break it into two rules:
chain=srcnat action=masquerade out-interface=1_BRIP
chain=srcnat action=masquerade out-interface=5_ZAMIX

This way, traffic won’t get masqueraded just because it flows through the router - it will only get masqueraded if it is going out one of the WAN interfaces.

That, along with the !172.10.0.0/28 rule should make things work.
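The change suggested above, written out as a RouterOS snippet you can paste into the terminal. This is an added example, not something posted in the thread: it shows the exported masquerade rule (which matches every packet leaving the router on any interface, the PPTP tunnel included, and so rewrites the source of LAN-to-VPN traffic as well) next to the two interface-scoped rules that replace it, with the mangle exception kept as exported. The interface names and addresses are the ones from the exported config; the rule comments "NAT BRIP" and "NAT ZAMIX" are my own choice, and the `remove [find comment=NAT]` line assumes the old rule still carries the comment `NAT` it had in the export.

```routeros
# Before (as exported): no out-interface, so every srcnat packet is masqueraded,
# including traffic from 192.168.3.0/24 towards a connected VPN client in 172.10.0.0/28.
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT to-addresses=0.0.0.0

# After: drop the catch-all rule and masquerade only on the two WAN interfaces.
# Traffic leaving via the PPTP tunnel keeps its real LAN source address.
/ip firewall nat
remove [find comment=NAT]
add action=masquerade chain=srcnat comment="NAT BRIP" out-interface=1_BRIP
add action=masquerade chain=srcnat comment="NAT ZAMIX" out-interface=5_ZAMIX

# Mangle rule unchanged from the export: LAN traffic to the VPN range is never
# given the DEXTER routing mark, so it follows the main table and its /32 routes.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=DEXTER dst-address=!172.10.0.0/28 \
    new-routing-mark=DEXTER passthrough=no src-address=192.168.3.0/24
add action=mark-routing chain=prerouting comment=HOSPEDES new-routing-mark=HOSPEDES \
    passthrough=no src-address=10.0.0.0/20

# Check: with a VPN client connected, ping it from the LAN and confirm that only
# the two WAN rules accumulate packet counters.
/ip firewall nat print stats
/ip firewall mangle print stats
```

Keep the two masquerade rules as the only srcnat entries without a source match; if you later add another WAN link, add a third out-interface rule rather than reintroducing an unscoped one.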

Thanks dude. It's working.

I love you.

Glad to hear it’s working now.

This topic is a great example of learning stuff through troubleshooting steps. Bookmarked! :)