port forward to VPN

Hi all,
I am new to this forum.
I have a MikroTik Cloud Router Switch CRS125-24G-1S-RM.
I have connected it in a datacenter and assigned an IP, so I connect to it easily.
I have devices with dynamic IPs at another location.
I need to connect these devices by VPN in PPTP (only) to the MikroTik. I manage to do this step, but I need to connect through the IP of the MikroTik to the HTTP interfaces of my different devices.
I can access my devices by HTTP, for example, or telnet.
What I need is to use the static IP of my MikroTik and connect with port forwarding to all my devices.
For example, device_01 is connected by VPN to the MikroTik and I need to have this:
http://ipmikrotik:8001 connects to the VPN of my device_01 on port 80, and http://ipmikrotik:2301 connects to the VPN of my device_01 on port 23.
So I need to do port forwarding to my VPN client.
I can connect my VPN to the MikroTik but I can't access the device.
If someone can help me.
Thank you
Regards
Philippe

On CRS:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=<vpn-client-interface>

It will make all forwarded connections look like they come from the address at the server's end of the tunnel, and it will allow replies to be routed the correct way (back into the tunnel). If you keep the original source address, the devices you connect to will try to reply via their default gateway and it can't work.

Hi
Thank you for your answer.
I have tested that, but now I don't see how to connect to my device with the port forwarding.
I mean, for example, connect with http://ip:8001 to connect on port 80 of my device connected on
thank you
Regards
Philippe

For connecting to http://<public-ip>:8001 you need a port forwarding rule like this:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<public-ip> dst-port=8001 protocol=tcp to-addresses=<internal-ip> to-ports=80

Where <internal-ip> is the address of the device behind the tunnel.

Hi
Thank you again for the answer.
Does the router have to be in bridge mode or router mode?
I have followed all the instructions for the firewall but I can't reach the device.
Maybe something is wrong in my configuration.
Thank you again for your help.
Regards
Philippe

Erm, bridge or router? I know what that is, but I don’t know how it relates to this. You should probably post your current config, because I’m starting to have a little suspicion that I may not understand your description correctly.

Hi
See below zipped screenshots of my configuration. I use the web interface to configure.
Thank you
config.zip (809 KB)

There's a much simpler way to export the configuration, using New Terminal from the menu. There you can run the command "/export hide-sensitive" and you get the whole config in text form.

From what you posted, you definitely don't want that red "no interface" error. Create a static interface for the client like this:

/interface pptp-server
add name=pptp-DEVICE_01 user=DEVICE_01

And then use it in the srcnat rule.

You can also do some tests. With the client connected, you should be able to ping its address 192.168.101.101 from the router. You should also be able to connect to the client's web server; select New Terminal from the menu and run:

/system telnet address=192.168.101.101 port=80

It should connect, and after pressing Enter a few times it will probably return "HTTP/1.0 400 Bad Request" or something similar. If this works, connecting to the public address from outside should work too. Unless you block connections in the firewall, but I guess you probably didn't change anything there.

Hi
The whole problem:
see my configuration below
and thank you for the help:

# dec/22/2016 22:01:30 by RouterOS 6.37.3
# software id = ANJR-PKV6

/interface bridge
add name=Local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local
set [ find default-name=ether3 ] master-port=ether1-master-local
set [ find default-name=ether4 ] master-port=ether1-master-local
set [ find default-name=ether5 ] master-port=ether1-master-local
set [ find default-name=ether6 ] master-port=ether1-master-local
set [ find default-name=ether7 ] master-port=ether1-master-local
set [ find default-name=ether8 ] master-port=ether1-master-local
set [ find default-name=ether9 ] master-port=ether1-master-local
set [ find default-name=ether10 ] master-port=ether1-master-local
set [ find default-name=ether11 ] master-port=ether1-master-local
set [ find default-name=ether12 ] master-port=ether1-master-local
set [ find default-name=ether13 ] master-port=ether1-master-local
set [ find default-name=ether14 ] master-port=ether1-master-local
set [ find default-name=ether15 ] master-port=ether1-master-local
set [ find default-name=ether16 ] master-port=ether1-master-local
set [ find default-name=ether17 ] master-port=ether1-master-local
set [ find default-name=ether18 ] master-port=ether1-master-local
set [ find default-name=ether19 ] master-port=ether1-master-local
set [ find default-name=ether20 ] master-port=ether1-master-local
set [ find default-name=ether21 ] master-port=ether1-master-local
set [ find default-name=ether22 ] master-port=ether1-master-local
set [ find default-name=ether23 ] master-port=ether1-master-local
set [ find default-name=ether24 ] arp=proxy-arp name=ether24-Public
set [ find default-name=sfp1 ] master-port=ether1-master-local
/interface pptp-server
add name=pptp-DEVICE_01 user=DEVICE_01
/ppp profile
set *FFFFFFFE use-compression=no
/interface bridge port
add bridge=Local interface=ether1-master-local
add bridge=Local interface=ether24-Public
/interface pptp-server server
set authentication=chap default-profile=default enabled=yes
/ip address
add address=185.61.XXX.XXX/28 comment=Public interface=ether24-Public network=185.61.XXX.XXY
add address=192.168.101.1/24 comment=Local disabled=yes interface=Local network=192.168.101.0
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=185.61.XXX.XXX dst-port=8001 protocol=tcp to-addresses=192.168.101.101 to-ports=80
# pptp-DEVICE_01 not ready
add action=masquerade chain=srcnat out-interface=pptp-DEVICE_01
/ip route
add distance=1 gateway=185.61.XXX.YYY
/ip service
set telnet port=2223
set ftp port=2221
set ssh port=2222
/ppp secret
add local-address=192.168.101.100 name=DEVICE_01 remote-address=192.168.101.101
/system clock
set time-zone-name=Europe/Paris

What about those tests? You need to go step by step to see what works and what does not:

  • client must be able to connect to VPN server
  • client must get address (192.168.101.101) from VPN server
  • client must be able to ping server (192.168.101.100)
  • server should be able to ping client (192.168.101.101), although it depends on client’s firewall, so it might not work
  • server must be able to connect to client’s port 80 (see my previous post)
  • when connecting to 185.61.XXX.XXX:8001 from outside, packet counters for both rules must increase
  • when you use Tools->Torch on VPN interface, you must see packets from 192.168.101.100 to 192.168.101.101

If you get this far, then it works. So, try it and report back where exactly it fails.
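As an added example (my own code, not from the thread, MikroTik or Sob), the following Python parses an export in the shape posted above and checks that its pieces agree with what the checklist relies on: each dst-nat target is an address some PPP secret actually hands out, the srcnat masquerade leaves via a static pptp-server interface rather than the red "no interface" entry, and that static interface binds a user that has a secret. The embedded export is a constructed sample modelled on the posted one, with the public address replaced by a placeholder.

```python
from typing import Dict, List

# Constructed sample modelled on the export in the thread; the public IP is a documentation-range placeholder.
SAMPLE_EXPORT = """\
/interface pptp-server
add name=pptp-DEVICE_01 user=DEVICE_01
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.0.2.10 dst-port=8001 \\
    protocol=tcp to-addresses=192.168.101.101 to-ports=80
# pptp-DEVICE_01 not ready
add action=masquerade chain=srcnat out-interface=pptp-DEVICE_01
/ppp secret
add local-address=192.168.101.100 name=DEVICE_01 remote-address=192.168.101.101
"""


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group 'add key=value ...' lines under their '/menu' header; joins '\\' continuations, skips '#' lines."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None and line.startswith("add "):
            sections[current].append(dict(t.split("=", 1) for t in line[4:].split() if "=" in t))
    return sections


def check_forwarding(sections: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Findings for the port-forward-over-PPTP setup; an empty list means the pieces agree."""
    static_ifaces = {e.get("name") for e in sections.get("/interface pptp-server", [])}
    secrets = {e.get("name"): e for e in sections.get("/ppp secret", [])}
    client_addrs = {e.get("remote-address") for e in secrets.values()}
    nat = sections.get("/ip firewall nat", [])
    findings: List[str] = []
    for r in nat:
        if r.get("chain") == "dstnat" and r.get("to-addresses") not in client_addrs:
            # forward target must be an address some PPTP client is actually given
            findings.append(f"dst-nat to {r.get('to-addresses')} matches no ppp secret remote-address")
        if r.get("action") == "masquerade" and r.get("out-interface") not in static_ifaces:
            # srcnat must leave via a static pptp-server interface (the "no interface" error)
            findings.append(f"srcnat out-interface {r.get('out-interface')} is not a static pptp-server interface")
    for e in sections.get("/interface pptp-server", []):
        if e.get("user") not in secrets:  # a static interface binds a user that needs a secret
            findings.append(f"interface {e.get('name')} binds user {e.get('user')} which has no ppp secret")
    return findings
```

Run `check_forwarding(parse_export(SAMPLE_EXPORT))` on the real export text (after `/export hide-sensitive`) and any non-empty result names the mismatched piece.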

Hi
Thank you again.
I will test step by step tonight.
Regards
Philippe

Hi

  • client must be able to connect to VPN server: the client connects, but after some minutes it disconnects and reconnects
  • client must get address (192.168.101.101) from VPN server: the client gets address (192.168.101.101)
  • client must be able to ping server (192.168.101.100): my client has no possibility to ping (it is a telecom gateway but I have only access to the web interface), so I can't know if it pings or not
  • server should be able to ping client (192.168.101.101), although it depends on client's firewall, so it might not work: it doesn't ping, but for information I use my internet box at home and I have VPN on it and it works, so there is no firewall on my client
  • server must be able to connect to client's port 80 (see my previous post): no connection
  • when connecting to 185.61.XXX.XXX:8001 from outside, packet counters for both rules must increase: no increase for both rules
  • when you use Tools->Torch on VPN interface, you must see packets from 192.168.101.100 to 192.168.101.101: no packet.

Thank you for help
Regards
Philippe

You mean you connect the same client to a different VPN server and from there you can ping the client through the tunnel? It should work here too then. PPTP uses one main TCP connection and then GRE for data. But I'm not sure how exactly it would behave if only the first part succeeded, if there would be some specific error message, or if it could pretend that it works, but in reality it would not.

You may try Torch again: connect the client, then run ping from the server and look for GRE packets on the public interface. Another thing you can try is to connect from the same location, but using another client (e.g. Windows on a notebook), which could show more info, you could ping from there, etc.

Another strange thing is no hits on the NAT rules. Even without a connected VPN client, you should get hits on the dstnat rule. It doesn't require anything special, just an incoming TCP connection to the given address and port. Simply open http://185.61.XXX.XXX:8001/ in any browser and the connection must come.

Thank you for the help.
I will try and keep you informed.
Regards

Hi Sob, Can you help me with this?