Port forwarding Public IP over Wireguard VPN not working

I am trying to port forward ports 9500 and 9005 to a Dahua DSS Server which is connected to a MikroTik LTE router, which connects via WireGuard to a MikroTik RB3011UiAS server hosted in a public datacenter with a public IP address.

See diagram below (network diagram screenshot, not reproduced here).

  • HQ has a MikroTik SXT LTE6 router, with a Dahua DSS Server
  • All the sites, Site1, Site2, Site3, etc. use MikroTik SXT LTE6 routers. Attached to each MikroTik SXT LTE6 router, at each site, is a PoE switch, with a Dahua XVR (DVR) and ARC (Dahua Alarm hub). The Alarm Control Panels need
  • The Dahua Alarm hub needs to communicate with the DSS Server via a public IP address, on ports 9500 (Registration) and 9005 (Admin Service)

The VPN router with public IP address can connect to 192.168.0.2 on port 9500 (screenshot, not reproduced here).
But the Site2 router cannot connect to 192.168.0.2 on port 9500 (screenshot, not reproduced here).
Logs from the VPN server (screenshot, not reproduced here).
VPN router with public IP NAT rules:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=9500 in-interface=bridge protocol=tcp to-addresses=192.168.0.2 to-ports=9500
add action=dst-nat chain=dstnat dst-port=9005 in-interface=bridge port="" protocol=tcp to-addresses=192.168.0.2 to-ports=9005

HQ Router firewall mangle rules:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wg0 new-connection-mark=from-wg-conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from-wg-conn new-routing-mark=to-wg passthrough=no src-address=192.168.0.0/24

What am I missing?

What is needed are the configs of the routers, at least the WireGuard server and the HQ LTE router:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)

Conceptually, the first thing I would say is that it's a rather BAD idea to have all the LAN subnets on the different sites given the same subnet (192.168.0.0/24), especially if you are expecting them to talk to each other.


There should be no issue for outside users to hit the RB3011 (its public IP with port XXXXX).
It is simply a matter of, on the RB3011:
a. creating a port forwarding rule with TO address (LAN IP) of the private server on the HQ LTE device
b. letting the router know that destination traffic for the IP address of the private server on the HQ LTE device goes through the WireGuard interface (ip route)
c. masquerading the traffic entering the WireGuard tunnel

In this way an incoming public www user hits the RB3011, it sees the port and sends the traffic through WireGuard to the HQ router with the source address of the RB3011 WireGuard interface.
The traffic will be accepted at the HQ device, hit the server and be returned back through the tunnel etc.
You will need a firewall rule on the HQ device allowing incoming WireGuard traffic to reach the local server.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

What I don't understand is why not simply go directly from the Site1 and Site2 devices, VIA WIREGUARD, to the HQ LTE router and bypass port forwarding altogether??
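The three steps (a)–(c) above plus the HQ-side firewall rule, written out as RouterOS CLI for both ends. This is an added example and is not part of any post in this thread. The interface names and tunnel addresses are assumptions (ether1 as the RB3011's public interface, wg0 as the WireGuard interface on both routers, 172.16.30.1 for the RB3011 and 172.16.30.10 for the HQ peer); 192.168.0.2 and ports 9500/9005 come from the original question.

```routeros
# Added example, not from the thread. Assumed: RB3011 public interface = ether1,
# WireGuard interface = wg0 on both routers, RB3011 wg address = 172.16.30.1/24,
# HQ LTE router wg address = 172.16.30.10. DSS server = 192.168.0.2 (from the post).

# ===================== RB3011 (WireGuard server, public IP) =====================

# WireGuard only forwards traffic whose destination is inside a peer's
# allowed-address list (cryptokey routing). The HQ peer must therefore carry
# 192.168.0.2/32 in addition to its own tunnel address, or the forwarded packets
# are silently dropped before they ever reach the tunnel.
/interface wireguard peers
add interface=wg0 public-key="<HQ-peer-public-key>" \
    allowed-address=172.16.30.10/32,192.168.0.2/32 comment="HQ LTE router"

# (a) Port forward: match on the PUBLIC interface, not on the LAN bridge.
#     With in-interface=bridge the rule never sees internet-sourced packets.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=9500,9005 \
    action=dst-nat to-addresses=192.168.0.2 comment="Dahua ARC -> DSS (reg+admin)"

# (b) Route the DSS server behind the HQ WireGuard peer. A /32 keeps this from
#     colliding with the other sites that also use 192.168.0.0/24.
/ip route
add dst-address=192.168.0.2/32 gateway=172.16.30.10 comment="DSS via HQ wg peer"

# (c) Masquerade what enters the tunnel so the DSS server sees 172.16.30.1 as the
#     source. The HQ router has no route for arbitrary public addresses, but
#     172.16.30.0/24 is directly connected on its wg0, so replies come straight back
#     through the tunnel and the RB3011 un-NATs them for the original client.
/ip firewall nat
add chain=srcnat out-interface=wg0 dst-address=192.168.0.2 \
    action=masquerade comment="hide public src behind RB3011 wg address"

# ========================= HQ LTE router (SXT LTE6) =========================

# The RB3011 peer on this side must likewise list the RB3011's tunnel address.
/interface wireguard peers
add interface=wg0 public-key="<RB3011-public-key>" endpoint-address=<RB3011-public-IP> \
    endpoint-port=13231 allowed-address=172.16.30.1/32 comment="VPN hub"

# Accept forwarded traffic arriving from the tunnel for the DSS server on the two
# ports only; placed at the top of the forward chain so a later drop rule
# (e.g. "drop all not from LAN") does not eat it.
/ip firewall filter
add chain=forward in-interface=wg0 dst-address=192.168.0.2 protocol=tcp \
    dst-port=9500,9005 action=accept place-before=0 comment="DSS from VPN hub"
```

To check the path, trigger a registration from an alarm hub and watch the counters: `/ip firewall nat print stats` on the RB3011 should show the dstnat and srcnat rules incrementing, and `/ip firewall filter print stats` on the HQ router should show the forward accept rule incrementing. If the dstnat counter moves but the srcnat one does not, the route (b) or the peer's allowed-address is missing; if both move on the RB3011 but nothing moves at HQ, the HQ peer's allowed-address does not include the RB3011 tunnel address. Because the masquerade makes every forwarded flow look like it originates from 172.16.30.1, the HQ mangle rules in the question are not needed for this traffic.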

I don't think you need NAT rules here. I think what you need are routes.
Site 1 & 2 both need:
192.168.0.2 via 172.16.30.10
HQ needs:
192.168.0.14/29 via 172.168.30.11
192.168.0.22/29 via 172.168.30.12

I’m fairly sure as long as there are no FW rules stopping it, this should work.

The routes are in place already.