Port forward through IPSEC tunnel

Hi!

We need to port forward a few services through an IPSEC tunnel to a server on another site. How do we set this up? We already have a configured IPSEC tunnel up and running.

Site A
WAN IP: 1.1.1.1
INT IP: 172.16.0.0/16
want to port forward port 80 to 172.17.10.10 in site B

Site B
WAN IP: 2.2.2.2
INT IP: 172.17.0.0/16
want to receive packets on port 80 through site A on 1.1.1.1

[Internet] → 1.1.1.1:80 (WAN Site A) → [IPSEC tunnel] → 172.17.10.10:80 (LAN Site B)

How do we configure this?

It should probably work using two NAT rules. One standard port forward, dstnat 1.1.1.1:80 to 172.17.10.10:80. And then masquerading the source of forwarded packets to match IPSec policy, srcnat everything for 172.17.10.10:80 to 172.16.?.? (whatever address router has).

Thanks a lot! It works!

Hi, I have the same problem. Please can you explain step by step how to create the second NAT rule?

It’s very simple. Using addresses from the original post, the client connects from x.x.x.x (its own address) to 1.1.1.1:80. The dstnat rule changes the destination to 172.17.10.10:80. But the source address remains x.x.x.x, and because the tunnel is configured to only forward stuff between 172.16.0.0/16 and 172.17.0.0/16, it won’t take a packet from x.x.x.x. So in addition to changing the destination, you also need to change the source:

/ip firewall nat add chain=srcnat dst-address=172.17.10.10 protocol=tcp dst-port=80 action=src-nat to-addresses=172.16.1.1

You’ll end up with a packet from 172.16.1.1 to 172.17.10.10:80 and that can go through the tunnel just fine. The reply will come back through the tunnel and thanks to conntrack it will be correctly rewritten back to a packet from 1.1.1.1:80 to x.x.x.x and everything will work.

Even though it works, this solution is not completely correct, because it will catch and change source of all packets going to 172.17.10.10:80. So if for example you’d like to access 172.17.10.10:80 directly from 172.16.0.0/16 and want server to see individual addresses, instead of just 172.16.1.1, you’d have to exclude this traffic from that srcnat rule.
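The two-rule pipeline described in the answer above (dstnat, then srcnat, then conntrack undoing both on the reply) together with the caveat about LAN clients losing their own source address, as an added Python model; it is not code from any post in this thread. It assumes 172.16.1.1 is the site A router's LAN address (as in the answer), uses a constructed Internet client 203.0.113.7 and a constructed LAN host 172.16.5.5, and models only the address/port rewrites and the IPsec policy selector check, not real RouterOS internals.

```python
import ipaddress
from dataclasses import dataclass, replace

# Topology from the thread; 172.16.1.1 as the site A router's LAN address is an assumption
ROUTER_A_WAN = "1.1.1.1"
ROUTER_A_LAN = "172.16.1.1"
SITE_A_NET = ipaddress.ip_network("172.16.0.0/16")
SITE_B_NET = ipaddress.ip_network("172.17.0.0/16")
SERVER_B = "172.17.10.10"
SERVICE_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def ipsec_policy_matches(pkt: Packet) -> bool:
    """The tunnel's policy selector: only 172.16.0.0/16 -> 172.17.0.0/16 is carried."""
    return (ipaddress.ip_address(pkt.src) in SITE_A_NET
            and ipaddress.ip_address(pkt.dst) in SITE_B_NET)


class SiteARouter:
    """Models the two NAT rules plus a minimal conntrack table on the site A router.

    exclude_lan=True models an srcnat rule that skips sources inside 172.16.0.0/16,
    so LAN clients keep their own address and the server sees who they are.
    (Real conntrack also rewrites the source port on collisions; omitted here.)
    """

    def __init__(self, exclude_lan: bool = False):
        self.exclude_lan = exclude_lan
        # reply-direction 4-tuple after translation -> the original packet
        self.conntrack: dict = {}

    def dstnat(self, pkt: Packet) -> Packet:
        # chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=172.17.10.10
        if pkt.proto == "tcp" and pkt.dst == ROUTER_A_WAN and pkt.dport == SERVICE_PORT:
            return replace(pkt, dst=SERVER_B, dport=SERVICE_PORT)
        return pkt

    def srcnat(self, pkt: Packet) -> Packet:
        # chain=srcnat dst-address=172.17.10.10 protocol=tcp dst-port=80 action=src-nat to-addresses=172.16.1.1
        if pkt.proto == "tcp" and pkt.dst == SERVER_B and pkt.dport == SERVICE_PORT:
            if self.exclude_lan and ipaddress.ip_address(pkt.src) in SITE_A_NET:
                return pkt  # LAN client keeps its own source address
            return replace(pkt, src=ROUTER_A_LAN)
        return pkt

    def forward(self, original: Packet) -> Packet:
        """Outbound path: dstnat first, then srcnat, then remember the flow."""
        translated = self.srcnat(self.dstnat(original))
        reply_key = (translated.dst, translated.dport, translated.src, translated.sport)
        self.conntrack[reply_key] = original
        return translated

    def reply(self, pkt: Packet) -> Packet:
        """Return path: conntrack undoes both translations so the client sees 1.1.1.1:80."""
        original = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is None:
            return pkt  # not a tracked flow, nothing to undo
        return Packet(src=original.dst, sport=original.dport,
                      dst=original.src, dport=original.sport, proto=original.proto)


def walk_through() -> dict:
    """Runs the cases discussed in the thread and returns what the tunnel and server would see."""
    router = SiteARouter()
    internet_client = Packet("203.0.113.7", 54321, ROUTER_A_WAN, 80)  # constructed client
    only_dstnat = router.dstnat(internet_client)
    both_rules = router.forward(internet_client)
    server_reply = Packet(SERVER_B, 80, both_rules.src, both_rules.sport)
    lan_client = Packet("172.16.5.5", 40000, SERVER_B, 80)  # constructed LAN host
    return {
        "dstnat_only_enters_tunnel": ipsec_policy_matches(only_dstnat),
        "both_rules_enter_tunnel": ipsec_policy_matches(both_rules),
        "client_sees_reply_from": router.reply(server_reply),
        "lan_src_without_exclusion": SiteARouter().forward(lan_client).src,
        "lan_src_with_exclusion": SiteARouter(exclude_lan=True).forward(lan_client).src,
    }


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name}: {value}")
```

With dstnat alone the packet still carries the Internet client's source address and fails the policy selector, so it never enters the tunnel; after srcnat it matches, and the server's reply is rewritten back to 1.1.1.1:80 → client by the tracked flow. The exclude_lan case corresponds to restricting the srcnat rule to non-LAN sources in RouterOS (for example with src-address=!172.16.0.0/16 on that rule), which is the fix the answer above suggests for keeping individual LAN addresses visible to the server.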

Thank you…I have been racking my brain for days to setup special mangle rules to route certain traffic back through the tunnel.

Hello,
I have a similar situation; it works, but the speed is slow when using the ext IP from local site A to access port 80 on one server from site B.

The speed is max 5-6 Mbps but if i do speed test directly from site A to site B speed is about 40 Mbps.
Also speed from site A/B to Internet is 100 Mbps download / 50 Mbps upload.
What can be the issue ?

Which RBs are you using? Maybe they cannot cope with the encryption.

RB450G with 6.29.1 OS Version

Nobody? I read everything I could find…
I can’t imagine why the speed is so slow when accessing the site B www server through the site A ext IP.

Have you checked if CPU goes to 100% when doing such transfer? do you have Queues?

Hmm,
I had one unlimited queue; once I disabled it, traffic got to 18 Mbps instead of 5, but it is not stable… oscillating a lot.
Processor is about 50%.
Much better anyway.

Ok, I’m trying to follow this guide but I’m struggling.
The attached file has the network diagram.

Currently I can access devices on the remote LAN no worries. Trying to get a port from the internet, however, is much tougher.

Here are the relevant parts of the firewall from the hAP ac:
add action=dst-nat chain=dstnat comment="Port Translation for Work Cisco SSH" dst-port=50003 in-interface=ether1 protocol=tcp to-addresses=192.168.6.1 to-ports=22
add action=src-nat chain=srcnat dst-address=192.168.6.1 dst-port=23 protocol=tcp to-addresses=192.168.1.200 to-ports=22

The first line is getting hits when I try to use it, so I suspect that is working.
The second line is getting no hits, so I suspect it’s munted somehow. The source address change address (underlined) I don’t really know what to use here; do I use the bridge IP or what?

From the mAP lite, the relevant firewall rules:
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.6.0/24
add action=masquerade chain=srcnat out-interface=wlan1

Any help would be greatly appreciated.
Personal intranet.pdf (42.7 KB)

As always, I recommend to use IPIP or GRE tunnel over IPsec (enter IPsec key in the interface definition)
instead of IPsec tunnel. It will all work just like a normal ethernet link and standard recipes can be used
for port forwarding.

When you say work like Ethernet link you genuinely mean layer 2?
I think example config or a picture would help if you have one handy

Most of my remote connections have dynamic WAN IPs; can IPIP handle that?
I’ll give it a crack at work today see what I can achieve

Well, I got it working; simple error, the dst-nat was receiving from the wrong destination port.

Here is the config, well, the relevant sections. (section) in brackets is a change for obvious reasons.
Remote site with dynamic IP.

/ip pool
add name=Cisco_Lab_DHCP_Pool ranges=192.168.6.100-192.168.6.200
/ip dhcp-server
add address-pool=Cisco_Lab_DHCP_Pool disabled=no interface=bridge-vlan60 name=Cisco_Lab_DHCP
/interface bridge port
add bridge=bridge-vlan60 interface=ether1
/ip address
add address=192.168.6.254/24 interface=bridge-vlan60 network=192.168.6.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=wlan1
/ip dhcp-server network
add address=192.168.6.0/24 gateway=192.168.6.254
/ip firewall filter
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=192.168.6.0/24
add action=accept chain=forward dst-address=192.168.6.0/24 src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.6.254 src-address=192.168.6.1
add action=accept chain=forward disabled=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.6.0/24
add action=masquerade chain=srcnat out-interface=wlan1
/ip ipsec peer
add address=(static IP target at home)/32 enc-algorithm=aes-256 hash-algorithm=sha512 nat-traversal=no secret="(password)"
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=(static IP target at home) sa-src-address=0.0.0.0 src-address=192.168.6.0/24 tunnel=yes
/system identity
set name=Cisco_Lab
/system scheduler
add interval=1m name="1min Ping" on-event=(name) policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/31/2016 start-time=07:58:13
/system script
add name=(name) owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":put [ping 192.168.1.254 src-address=192.168.6.254 count=2]"

Home address with static IP

/ip address
add address=192.168.1.254/24 interface=bridge2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.254 netmask=24
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.6.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.4.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Port Translation for Work Cisco SSH" dst-port=(an external port) in-interface=ether1 protocol=tcp to-addresses=192.168.6.1 to-ports=22
add action=src-nat chain=srcnat dst-address=192.168.6.1 dst-port=22 protocol=tcp to-addresses=192.168.1.254 to-ports=22
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha512 local-address=(my local WAN IP static) nat-traversal=no secret="(password)"

No, it is not L2; that would be an EoIP tunnel. But it can be configured with IP like you would configure a normal
Ethernet link, i.e. with IP addresses and firewall rules.
A dynamic address would be no problem I think; I have no experience with that.