Hi there, I wonder if anyone can help me out here. I need to manage a broadband network of about 300 clients. They all use Huawei LTE routers with a MikroTik doing all of the routing right behind it. Because the broadband doesn't supply static public IPs and it's just too much of a headache to load every single one with a DDNS account, I have decided to create a VPN network to every single site. Now I have most of the VPNs connected (normal PPTP). I need to make it easy for my helpdesk to reach all known devices via port forward. But I am struggling to get a port forwarded to my clients' devices, for example:
remote address 172.31.100.117:8081 dst-nat to 192.168.8.1:80
172.31.100.117:8082 dst-nat to 192.168.10.1:80
The thing is, I am seeing the traffic hit the NAT rule but it just doesn't want to open up?
Can anyone please shed some light here? I would appreciate it so much.
I would recommend you set up an account with a "go2mypc" type of service and do helpdesk that way, because as you've noted, it's quite a management headache to build all of the various VPN tunnels and port forwards, etc. - and as your customer base grows, this is only going to get harder to maintain.
That's just my $0.02 worth, but if you want NAT pinholes, then one thing to consider is whether the firewall rules are blocking the pinhole access. A simple rule that allows all pinholes to be accessed from anywhere is this:
chain=forward connection-nat-state=dstnat action=accept
You could modify this with extra criteria if you want to limit it to being accessible from certain sources - e.g. make an address list ManagementNets, add your NOC and other management network IPs to this list, and on the above rule add the criterion src-address-list=ManagementNets.
OK - if it's not being blocked by the firewall, perhaps it's not being properly routed across the VPN, meaning that the client device needs to have routes to your management nets which are routed across the VPN tunnel. Look in a client's routing table and see if your IP address appears in the routing table; if not, then add a route, e.g. dst-address=172.16.0.0/16 gateway=172.31.100.1 (or whatever IP the PPTP server has on the VPN side).
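Putting the reply's pieces together on the client-side MikroTik, as an added RouterOS example that is not from any poster in this thread: the two dst-nat pinholes from the question, the forward accept rule restricted to a ManagementNets list, the route back to the management nets, and the print commands that show whether packets actually hit each rule. It assumes 172.16.0.0/16 is the management network behind the PPTP server at 172.31.100.1 and that the Huawei at 192.168.8.1 is reached via ether1; the final src-nat rule rests on an assumed topology (the Huawei's own default route points at LTE) rather than on anything the thread states.

```routeros
# Added example, not from the thread. Runs on the client-side MikroTik whose
# PPTP tunnel address is 172.31.100.117. Assumed: ether1 faces the Huawei LTE
# router at 192.168.8.1; 172.16.0.0/16 is the NOC/helpdesk network behind the
# PPTP server 172.31.100.1.

# 1. Only the management nets may use the pinholes.
/ip firewall address-list
add list=ManagementNets address=172.16.0.0/16 comment="NOC / helpdesk networks"

# 2. The two pinholes from the question. Matching on the tunnel address keeps
#    the rule from firing for anything that did not arrive over the VPN.
/ip firewall nat
add chain=dstnat dst-address=172.31.100.117 protocol=tcp dst-port=8081 \
    action=dst-nat to-addresses=192.168.8.1 to-ports=80 comment="Huawei web UI"
add chain=dstnat dst-address=172.31.100.117 protocol=tcp dst-port=8082 \
    action=dst-nat to-addresses=192.168.10.1 to-ports=80 comment="second device"

# 3. Accept the dst-nat'ed connections in the forward chain. place-before=0
#    puts it at the top so a later generic drop rule cannot swallow it.
/ip firewall filter
add chain=forward connection-nat-state=dstnat src-address-list=ManagementNets \
    action=accept place-before=0 comment="pinholes from management nets only"

# 4. Return path: replies to 172.16.x.x must go back into the tunnel, not out
#    the LTE default route.
/ip route
add dst-address=172.16.0.0/16 gateway=172.31.100.1 comment="management nets via PPTP"

# 5. Assumption about the topology: the Huawei's default route points at LTE,
#    so a request arriving from a 172.16.x.x source would be answered out the
#    LTE side and never return. Hide that source behind the MikroTik's ether1
#    address so the Huawei replies locally.
/ip firewall nat
add chain=srcnat out-interface=ether1 dst-address=192.168.8.1 \
    connection-nat-state=dstnat action=masquerade comment="hide mgmt source from Huawei"

# 6. Checks while the helpdesk connects: the packet counters on each rule must
#    climb, and the connection table must show the original tunnel destination.
/ip firewall nat print stats
/ip firewall filter print stats where chain=forward
/ip firewall connection print where dst-address~"172.31.100.117:808"
```

If the dst-nat counter climbs but the forward counter stays at zero, the pinhole is being dropped by an earlier filter rule; if both climb but the connection never completes, look at the return path (steps 4 and 5).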
Hey, so I am back. I hope you get this and I really hope you can help me. I have a 951G with three gateways: one for VoIP, one for all outgoing traffic to the internet, and a last one that is used for incoming VPN PPTP connections. But the VPN doesn't want to connect. When I torch the interface I see PPTP connections coming in but not establishing. When I change my default route to route over that gateway, only then do the PPTP connections establish. Please help.