Hello,
I am having an issue where I cannot connect to an external OpenVPN server on UDP port 1194 from inside my network. Outside my network I can connect just fine, and can also connect to my own internal OpenVPN server from outside my network. The only explanation I can think of is that my Mikrotik is blocking/dropping my outgoing connection somehow. Any ideas how I can investigate this?
Start with Tools->Torch on WAN interface to see if udp/1194 packets are going out. If not, it’s most likely something in your firewall. If they do and none is coming back, they must get eaten somewhere else. Etc..
Turns out it was due to the NAT rule I had for my own internal OpenVPN server. Apparently you can’t connect to an external VPN if you have an incoming NAT rule for a VPN server using the same port? Using a different port for each resolves the issue.
Offending NAT rule:
chain=dstnat action=dst-nat to-addresses= to-ports=1194 protocol=udp dst-port=1194
Your rule translated to English:
“Take all udp packets to any address and port 1194 and rewrite destination to :1194.”
Do you see the problem? You need to limit destination address. Best by using dst-address= or if WAN address is dynamic, then dst-address-type=local.
I do have an IP address there. I was sanitizing my example out of habit. Probably unnecessary, I know. Or I could have just put a different address there. In any case I never said the rule itself didn’t work. I was just giving details in case someone with the same problem comes across this. My problem is fixed if I didn’t make that clear enough already.
Try reading it again. I was trying to explain that there’s absolutely no problem using same port for outgoing and incoming VPN at the same time, and the only requirement is correct dstnat rule. Which yours - unless you “sanitized out” whole dst-address parameter - wasn’t.
From this older post.. This is one of the bug i have. Like an android phone with a vpn provider work fine everywhere, but when connect in the mikrotik… vpn traffic is blocked.
so is it just adding this ?
add action=dst-nat chain=dstnat comment=“softvpn pass” dst-port=1196 protocol=tcp to-addresses=192.168.0.146 to-ports=1196
Not sure, as it don’t look to work. What can be the correct one ?
Your rule suffers from same problem. If you take it apart:
action=dst-nat chain=dstnat - where it is and what it should do
to-addresses=192.168.0.146 to-ports=1196 - new destination
dst-port=1196 protocol=tcp - what packets it should apply to (original destination)
So in other words, it will take packets to :1196 and redirect them to 192.168.0.146:1196. Incoming, outgoing, it doesn’t matter, as long as destination port is 1196, everything will be sent to your internal server. Putting aside that 1196 is not standard VPN port, so it won’t matter for most services, you do want to specify original destination address. Either using dst-address= or dst-address-type=local could be good enough too.
Please be careful about wording 
I know what you wanted to say (incoming = received on WAN, outgoing = received elsewhere and intended to be transmitted via WAN), but less seasoned gents might misunderstand this as an information that dst-nat works in postrouting/output.
Well, indeed it look to be the case. I wasn’t sure to get it right. But at same time not much port look to work, but it should be quite standard as per all i find. Here’s what i got currently :
/ip firewall filter
add action=accept chain=input comment="Top:" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid comment="c: drop invalid"
add action=accept chain=input protocol=icmp comment="c: accept ICMP" connection-state=new
add action=drop chain=input in-interface-list=WAN comment="c: drop all not coming from LAN"
add action=accept chain=input comment="Allow LAN access to the router itself" connection-state=new in-interface=ether1
add action=accept chain=input comment="S: OpenVPN" protocol=tcp dst-port=1194
add action=accept chain=input comment="ss: softVPN" protocol=tcp dst-port=1197-2100
add action=accept chain=input comment="softVPN ud" protocol=udp dst-port=1197-2100
add action=accept chain=input protocol=tcp dst-port=5060-5061 comment="Voip"
add action=accept chain=input protocol=tcp dst-port=25 comment="ipCam mail"
add action=accept chain=input dst-port=500,4500 in-interface=ether1 protocol=udp comment="allow L2TP VPN /udp"
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp comment="v: L2TP/IPSEC"
add action=accept chain=input dst-port=1701 protocol=udp comment="Keep Off uncrypted: L2TP"
add action=drop chain=input comment="Drop all input"
add action=accept chain=forward comment="c3: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=WAN connection-nat-state=dstnat connection-
state=established,related comment="packet fowarded accept from nat rule"
add action=accept chain=forward ipsec-policy=in,ipsec comment="FuturVp in ipsec policy"
add action=accept chain=forward ipsec-policy=out,ipsec comment="FuturVp out ipsec policy"
add action=fasttrack-connection chain=forward comment="df: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="Plex- TCP or32400" disabled=yes dst-port=3005,8324,32469 protocol=tcp
add action=accept chain=forward comment="Plex Ports - udP" disabled=yes dst-port=1900,5353,32412-32414 protocol=udp
add action=drop chain=forward comment="c3: drop invalid" connection-state=invalid
add action=drop chain=forward comment="c3: drop all from inet WAN if not in DSTNATed list"
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Main1: masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. rbMaison vpn traffic" src-address=192.168.89.0/24
add chain=dstnat dst-port=5060-5061 action=dst-nat protocol=tcp to-addresses=192.168.0.30 to-port=5060-5061
add action=dst-nat chain=dstnat dst-port=12700-65500 in-interface=ether1 protocol=udp to-addresses=192.168.0.30 to-ports=5060-5061 comment="voip box"
add chain=dstnat in-interface-list=WAN dst-port=25 action=dst-nat protocol=tcp to-addresses=192.168.0.128 to-ports=25 comment="ipcam email"
add action=dst-nat chain=dstnat comment="Create an incoming port map rule-syntaxok wiki" dst-port=25 protocol=tcp to-addresses=192.168.0.128 to-ports=25 disabled=yes
add chain=dstnat dst-address-type=!local protocol=tcp dst-port=1197-1200 action=dst-nat to-addresses=192.168.0.146 to-ports=1197-1200 comment="softVpn"
ether1 is on bridge one 192.168.0.0/24
Thanks in advance
You have one ! too much in the following rule:
chain=dstnat dst-address-type=**!**local protocol=tcp dst-port=1197-1200 action=dst-nat to-addresses=192.168.0.146 to-ports=1197-1200 comment=“softVpn”
So it now says “redirect to 192.168.0.146 any TCP packet with dst port between 1197 and 1200 which goes to any other address than one of the Mikrotik’s own ones”.
So remove the exclamation mark to make the rule work only for packets meeting the other criteria but originally coming to one of Mikrotik’s own addresses, and you may be good.
The above is a solution if your problem is that you have one VPN server at home, for access to which this rule is intended, and another VPN server somewhere else and your VPN client at home cannot connect to that external server. If your actual problem is that the VPN client can connect to the VPN server at home from any other network than the one at home, the solution is different.
BTW, you don’t need the second rule in chain=forward of /ip firewall filter - it is shadowed by the first one which matches the same packets as the second one (plus some other ones too).
So i’ve spend the day on this again and so far i see it work for about 2 min, then drop… Like i remove all nat Same for the ipphone.. if plug on an old router it work, unplug old router and put on the rb4011, now ipphone do work and after like 10-20min it stop. And the vpn don’t work. For the vpn : purchase a vpn key 5$/month from nordvpn, somethingvpn.com… go to Starbuck cofee and lunch the softvpn : All work fine. Connect to the mikrotik and it cannot connect. Basically can i just open a port on the ipfilter and do nothing in the nat ? As currently having this :
add action=accept chain=input comment="softVPN ud" protocol=udp dst-port=1197-2100
add action=accept chain=input protocol=tcp dst-port=5060-5061 comment="Voip"
should it be put in foward ? I have hard time to understand properly and not sure the rb4011 unit is working properly either. Or to better specify the wan as interface as the only foward .. or all in foward.. :
/ip firewall filter
add action=accept chain=forward comment="allow dst-nat connections from WAN" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
For the nat, with the in-interface=ether1, it look to be better. I can confirm this commande is ok at least:
add action=dst-nat chain=dstnat comment="open port inet9130 to port 80internal lan-ok" dst-address=192.168.1.120 dst-port=9130 in-interface=ether1 protocol=tcp to-addresses=\
192.168.0.128 to-ports=80
Thank to help me, the code post previously are quite all research , wiki and forum info, but still can’t get it.
Good Day,
A certain Citrix gateway is blocked through my Mikrotik router, but it can connect when using cellular data.
Do you have any thoughts on this?
Thank you.