Hi all,
I want to configure my RB750G to pass through incoming OpenVPN TCP connections from the internet-facing ethernet1 interface (using unique ports) to virtual machines with trunked VLANs I have on ethernet2. The virtual machines will be my OpenVPN servers.
Each OpenVPN server (VM) has two interfaces.
- 1x management untagged /24 (has default gateway - ethernet2 network with no VLAN)
- 1x tagged VPN /24 (no gateway - ethernet2 bridged with other VLANs)
The RB750G has IPs on each VLAN /24. It also has an IP on the management untagged network and acts as the gateway.
I was thinking a simple dst-nat with a dst-address, dst-port, to-address, and to-ports would do this. The problem is then the traffic is returned (or attempted) via the default gateway and inherently the untagged management network.
Is there a way I can do this with a src-nat, such that OpenVPN traffic is returned back to the router via the VLAN interface? I have tried this way without fruition so far; open to any ideas.
Thanks in advance!
Cheers,
Derek
You could SRC NAT or Masquerade the traffic leaving the VLAN interface on the routerboard but then it would all appear to come from the routerboard’s IP on the VLAN subnet which sounds undesirable for a VPN termination application.
It sounds as if the better solution is to address the config on the VMs.
Thanks for the reply,
I have decided to go with keeping the VPN servers on their VLAN only, simplifying the routing.
I guess, while still on topic, can I ask if there is any trickery to make the NAT → VLAN work?
Here is my testing setup.
MikroTik:
Pretend public IP: 10.199.199.1/24
VLAN101 Interface IP: 10.101.201.1/24
VPN Server (Ubuntu):
eth0 (VLAN101): 10.101.201.2/24
No gateway
I have a NAT set up in the MikroTik like so:
/ip firewall nat
2 ;;; NAT for Customer VLAN101
chain=dstnat action=netmap to-addresses=10.101.201.2 to-ports=22 protocol=tcp dst-address=10.199.199.1
in-interface=ether1-outside dst-port=10193
With action=dst-nat there is no difference; I also tried without specifying the in-interface (left blank).
The VLANing has been tested and working, the firewall has accept on all chains. Am I missing something obvious?
OK, so I fixed that up. I think it was all down to the no gateway on the Server.
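For the original two-interface design (management NIC with the default gateway, VPN VLAN NIC without), the usual way to get replies back out through the VLAN toward the RB750G is a policy route on the VM rather than src-nat on the router. The script below is an added example, not from the thread; it uses the thread's test addresses (10.101.201.2 on the VM, 10.101.201.1 on the router's VLAN101 interface) and assumes the interface name eth0 and routing table number 100.

```shell
#!/bin/sh
# Added example: policy-based routing on the Ubuntu OpenVPN VM.
# The VM keeps its normal default route on the untagged management NIC, but
# any packet sourced from its VLAN101 address (i.e. replies to dst-nat'd
# OpenVPN traffic) is routed to the RB750G's VLAN101 IP, so the reply takes
# the same path as the inbound connection.
# Addresses are the thread's test values; interface name and table number
# are assumptions (override via environment variables).
VLAN_IF="${VLAN_IF:-eth0}"          # tagged VLAN101 interface on the VM
VLAN_IP="${VLAN_IP:-10.101.201.2}"  # VM address on VLAN101
VLAN_GW="${VLAN_GW:-10.101.201.1}"  # RB750G address on VLAN101
TABLE="${TABLE:-100}"               # dedicated routing table for VPN replies

# Emit the ip(8) commands that install the policy route. Printed by default
# so they can be reviewed; executed only when APPLY=1 (requires root).
pbr_commands() {
  printf 'ip route replace default via %s dev %s table %s\n' \
    "$VLAN_GW" "$VLAN_IF" "$TABLE"
  printf 'ip rule add from %s/32 lookup %s priority 1000\n' \
    "$VLAN_IP" "$TABLE"
}

# Which routing table a locally generated packet with the given source
# address will consult once the rule above is in place: the VPN table for
# the VLAN address, the main table (management default gateway) otherwise.
table_for_source() {
  if [ "$1" = "$VLAN_IP" ]; then
    echo "$TABLE"
  else
    echo main
  fi
}

if [ "${APPLY:-0}" = "1" ]; then
  pbr_commands | sh -e
else
  pbr_commands
fi
```

Make the route and rule persistent (netplan routing-policy or an interface post-up hook) or they vanish at reboot, and check the result with `ip rule show` and `ip route show table 100`.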