Outgoing VPN and port forwarding combined

I have the following setup:

  • Outgoing traffic over port 9000 gets routed through an external VPN (PPTP client)
  • Inbound traffic on port 9000 should be port forwarded to an internal system with IP 192.168.1.85

I have a mangle rule that sets a routing mark that is used to pass the traffic over the VPN.
I have a dst-NAT rule that sends incoming traffic on port 9000 (for Dst.Address of my external IP) to 192.168.1.85

It seems I have a catch-22 situation now. The VPN works on its own, the dst-NAT works on its own, but when both are on, port 9000 is not reachable. I am guessing because the traffic -back- is going over the VPN.

I cannot wrap my head around how to solve this. Any help is appreciated. I use WinBox for my configuration.

Traffic coming in through the VPN probably doesn’t have dst-address set to your external IP but rather to the VPN’s address.

However, you could construct the DST-NAT rule using in-interface (or in-interface-list) instead of dst-address …
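For reference, here is what the two pieces of configuration discussed in this thread look like in RouterOS CLI form. This is an added example, not configuration posted by anyone in the thread: the interface names (ether1-wan, bridge-lan, pptp-vpn), the routing mark and connection mark names, and the RouterOS v6 syntax are all assumptions. It marks only connections that the LAN initiates toward port 9000, so reply packets of an inbound, port-forwarded connection never receive the routing mark and stay on the same path they arrived on; the dst-nat rule matches on in-interface rather than dst-address, as suggested above.

```routeros
# Assumed PPTP client interface toward the commercial VPN service (credentials are placeholders).
/interface pptp-client add name=pptp-vpn connect-to=VPN_SERVER_PLACEHOLDER \
    user=USER_PLACEHOLDER password=PASSWORD_PLACEHOLDER add-default-route=no disabled=no

# Outbound: mark only NEW connections from the LAN to TCP port 9000, then
# give every packet of those connections the routing mark. Inbound connections
# that were dst-nat'ed from the WAN/VPN side never match the first rule, so
# their replies keep the route they came in on (no asymmetric routing).
/ip firewall mangle add chain=prerouting in-interface=bridge-lan protocol=tcp dst-port=9000 \
    connection-state=new action=mark-connection new-connection-mark=vpn-out passthrough=yes \
    comment="mark LAN-initiated port 9000 connections"
/ip firewall mangle add chain=prerouting connection-mark=vpn-out \
    action=mark-routing new-routing-mark=via-vpn passthrough=no \
    comment="route marked connections through the VPN"

# Route for the marked traffic plus masquerade on the VPN interface.
/ip route add dst-address=0.0.0.0/0 gateway=pptp-vpn routing-mark=via-vpn
/ip firewall nat add chain=srcnat out-interface=pptp-vpn action=masquerade

# Inbound port forward keyed on the arriving interface instead of dst-address.
# Use in-interface=pptp-vpn if the service is published through the VPN's
# address, or ether1-wan if it is published on the ISP-facing address.
/ip firewall nat add chain=dstnat in-interface=pptp-vpn protocol=tcp dst-port=9000 \
    action=dst-nat to-addresses=192.168.1.85 to-ports=9000

# Allow the forwarded traffic if the forward chain drops by default.
/ip firewall filter add chain=forward connection-nat-state=dstnat \
    connection-state=new action=accept place-before=0
```

To check whether the rules are matching, `/ip firewall nat print stats` and `/ip firewall mangle print stats` show per-rule packet counters, and `/ip firewall connection print` lists active connections with their connection mark. On RouterOS v7 the route syntax changes: create the table first with `/routing table add name=via-vpn fib` and use `routing-table=via-vpn` on the route instead of `routing-mark=`.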

I have added a DST-NAT rule that does not look at the dst-address but at the in-interface.
The port however still is not visible from the outside when I check that.

I have also tried with an “Interface list” set to “all”; this also does not make the port visible.

You’re checking port forwarding through the VPN from the VPN peer? If not, then check the config also on the other end … is there any NAT on the remote side involved?

I am not sure what you mean.

My outgoing VPN connection is towards a commercial VPN service (PureVPN).

Does your VPN provider allow connections to all ports without any firewall?

Yes?