Port forwarding rule on WAN interface doesn't work when VPN client is connected

Hello, everybody.

I am a newbie in Mikrotik configuration.
I need to forward a port from the WAN (ether1 with a public IP) to a host in my local network.
I did this through WinBox: IP → Firewall → NAT → Add Rule:

Chain: dstnat
Protocol: 6 (tcp)
Dst Port: 1000
In Interface: ether1

Action:
Action: netmap
To Addresses: 192.168.46.201
To Ports: 1000

It works when I connect through the public IP X.X.X.X:1000, until I connect to the L2TP/IPsec server Y.Y.Y.Y with the default route enabled.
The device adds a route to 0.0.0.0 through Y.Y.Y.Y, and I think that is why the forwarding is not working.

Could you please help me configure this correctly, so that both the VPN connection and port forwarding (on the WAN IP) work?

I think you need to add a policy rule (action=none) with a lower priority that would exclude TCP 1000 from IPsec. See this topic for some reference.

I tried adding this rule, but it had no effect. I think that when the MikroTik connects to the VPN server it adds a default route through the L2TP interface.
So I see SYN packets received on the router's WAN interface, but the reply packets seem to go through the L2TP interface over the WAN.

I never needed to set up L2TP/IPsec (I'm using IKEv2). Looks like I was wrong regarding policies, as L2TP is route based. Try firewall marks as a means to select a specific route, like discussed in this thread. Search the forum for other examples.
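
A worked version of the firewall-mark approach suggested in the reply above, added here as an editor's example; it is not configuration posted by anyone in this thread. The problem in the first post is asymmetric routing: the SYN arrives on ether1, is dst-natted to 192.168.46.201, and the host's reply is then routed by the main table, whose default route now points into the L2TP tunnel. The fix below tags every connection that enters on ether1 with a connection mark, gives the reply packets of those connections a routing mark, and provides a separate default route for that mark via the WAN gateway. Assumptions: the WAN interface is ether1 and the forwarded host is 192.168.46.201:1000 (both from the first post); the WAN gateway address 203.0.113.1 and the mark names `from-wan` and `reply-via-wan` are placeholders, since the thread does not give them. The syntax is RouterOS v6; the v7 differences are in the comments.

```routeros
# --- Port forward (dst-nat is the usual action for a single host; the netmap
#     rule from the first post is equivalent for this 1:1 mapping) ---
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1000 \
    action=dst-nat to-addresses=192.168.46.201 to-ports=1000 \
    comment="Forward TCP/1000 from the public IP to the LAN host"

# --- Policy routing for the replies ---
# Mangle prerouting runs before dstnat, so the connection is tagged while the
# packet still carries the public destination address. Place these rules above
# any existing mangle rule that has passthrough=no.
/ip firewall mangle
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=from-wan passthrough=yes \
    comment="Tag every connection that enters on the WAN interface"
add chain=prerouting in-interface=!ether1 connection-mark=from-wan \
    action=mark-routing new-routing-mark=reply-via-wan passthrough=no \
    comment="Reply packets from the LAN host for those connections use the WAN table"

# Default route that is consulted only for packets carrying the routing mark.
# 203.0.113.1 is a placeholder: use the real next hop of the WAN default route
# (the same gateway the main table used before the tunnel came up).
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=reply-via-wan \
    comment="Marked replies go out via the WAN gateway, not the L2TP tunnel"

# RouterOS v7 equivalent for the route above: the table must exist first and
# the route references it with routing-table= instead of routing-mark=.
#   /routing table add name=reply-via-wan fib
#   /ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=reply-via-wan

# --- Checks while a client on the Internet connects to X.X.X.X:1000 ---
# The connection should show the mark, and the marked route should be active (A).
/ip firewall connection print where connection-mark=from-wan
/ip route print where routing-mark=reply-via-wan
```

Two caveats a practitioner would want. First, the mark-routing rule deliberately matches `in-interface=!ether1` rather than a named LAN interface, so it keeps working if the host sits behind a bridge; if the router has several LAN-side interfaces and only one should be covered, narrow it. Second, this leaves the tunnel as the default route for everything else, which is what the first post asked for; if the goal were instead to keep the main default route on the WAN and only send specific traffic into the tunnel, the simpler change is `add-default-route=no` on the L2TP client plus explicit routes via the `l2tp-out1` interface, and no marks are needed.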

Thanks. I already found a topic which explains how to use different routing tables.

Hi engel, did you manage to solve your problem? I have a pretty similar one (without IPsec) and I am getting stuck.