Hi everyone. I was wondering if it’s possible to port forward through eoip tunnel over l2tp. In example i would like to access CCTV http via 213.7.231.xx:40080 instead of 62.152.4.xx:40080 and TCP port 40011 for video through the eoip tunnel. TIA
CCTV IP: 192.100.30.4
Client public IP: 62.152.4.xx where the CCTV is (mikrotik uses 192.168.2.10 as wan IP on ISP cpe).
Server public IP: 213.7.231.xx (mikrotik PPPoE connection on bridged ISP cpe)
Mikrotik Client config
# mar/14/2023 23:25:02 by RouterOS 6.49.7
# software id = B8BE-SCNF
#
# model = RB941-2nD
# serial number = D1130FC74BE0
/interface bridge
add name=br-lan-v100
add name=br-wlan-v10
/interface ethernet
set [ find default-name=ether1 ] comment="Uplink to PTCPE" loop-protect=on
set [ find default-name=ether2 ] loop-protect=on
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
/interface l2tp-client
add connect-to=213.7.231.xx disabled=no max-mru=1700 max-mtu=1700 name=\
l2tp-to-bbhq use-ipsec=yes user=adu1n02l2tp
/interface eoip
add local-address=10.2.1.150 mac-address=02:E0:4D:66:DA:11 mtu=1500 name=\
eoip-to-bbhq remote-address=10.2.1.1 tunnel-id=17
/interface vlan
add interface=br-wlan-v10 loop-protect=on name=vlan10 vlan-id=10
add interface=br-lan-v100 loop-protect=on name=vlan100 vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=\
dynamic-keys name=wifi-profile supplicant-identity="" unicast-ciphers=\
tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \
disabled=no frequency=auto mode=ap-bridge security-profile=wifi-profile \
ssid=CHOME-AP wps-mode=disabled
/ip ipsec peer
add address=213.7.231.xx/32 exchange-mode=ike2 name=ipsec-to-hq
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha512
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/ip pool
add name=dhcp_pool_v100 ranges=172.168.88.2-172.168.88.254
add name=L2TP ranges=10.10.1.2-10.10.1.254
add name=dhcp_pool_v10 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool_v100 disabled=no interface=br-lan-v100 name=\
dhcp-lan
add address-pool=dhcp_pool_v10 disabled=no interface=br-wlan-v10 lease-time=\
2h name=dhcp-wlan
/ppp profile
add change-tcp-mss=yes local-address=10.10.1.1 name=L2TP remote-address=L2TP \
use-encryption=yes
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=nnd115ce7nGxkwbQ
/interface bridge port
add bridge=br-lan-v100 interface=ether2
add bridge=br-lan-v100 interface=ether3
add bridge=br-lan-v100 interface=ether4
add bridge=br-wlan-v10 interface=wlan1
add bridge=br-wlan-v10 interface=vlan10
add bridge=br-lan-v100 interface=eoip-to-bbhq
/interface l2tp-server server
set default-profile=L2TP max-mru=1700 max-mtu=1700 use-ipsec=yes
/ip address
add address=192.168.2.10/24 interface=ether1 network=192.168.2.0
add address=192.100.30.3/29 interface=br-lan-v100 network=192.100.30.0
add address=192.168.10.1/24 interface=br-wlan-v10 network=192.168.10.0
add address=172.168.88.1/24 interface=br-lan-v100 network=172.168.88.0
/ip dhcp-server network
add address=172.168.88.0/24 gateway=172.168.88.1
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=forward comment="Allow good forward connections" \
connection-state=established,related,new
add action=accept chain=input comment="Allow good input connections" \
connection-state=established,related,new
add action=drop chain=forward comment="Drop invalid forward connections" \
connection-state=invalid
add action=drop chain=input comment="Drop invalid input connections" \
connection-state=invalid
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=\
established,related,new disabled=yes in-interface=l2tp-to-bbhq \
new-connection-mark=n02tobbhq passthrough=yes
add action=mark-routing chain=prerouting connection-mark=n02tobbhq disabled=\
yes in-interface=br-lan-v100 new-routing-mark=n02tobbhq passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=l2tp-to-bbhq
add action=masquerade chain=srcnat src-address=172.168.88.0/24
add action=masquerade chain=srcnat disabled=yes src-address=192.100.30.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=1161 protocol=udp \
to-addresses=192.100.30.4 to-ports=1161
add action=dst-nat chain=dstnat disabled=yes dst-port=40011 protocol=tcp \
to-addresses=192.100.30.4 to-ports=40011
add action=dst-nat chain=dstnat disabled=yes dst-port=40080 protocol=tcp \
to-addresses=192.100.30.4 to-ports=40080
/ip ipsec identity
add peer=ipsec-to-hq
/ip route
add disabled=yes distance=1 gateway=l2tp-to-bbhq routing-mark=n02tobbhq
add distance=1 gateway=192.168.2.1
/ip route rule
add action=lookup-only-in-table disabled=yes interface=br-lan-v100 table=\
n02tobbhq
add action=lookup-only-in-table disabled=yes interface=br-wlan-v10 table=\
n02tobbhq
/ip service
set telnet disabled=yes
set ftp address=213.7.231.xx/32,172.168.88.0/24,10.1.1.0/24,10.2.1.0/24 port=\
10021
set www address=213.7.231.xx/32,172.168.88.0/24,10.1.1.0/24,10.2.1.0/24 port=\
10080
set ssh address=213.7.231.xx/32,172.168.88.0/24,10.1.1.0/24,10.2.1.0/24 port=\
10022
set api disabled=yes
set winbox address=213.7.231.xx/32,172.168.88.0/24,10.1.1.0/24,10.2.1.0/24 \
port=10090
set api-ssl disabled=yes
/ppp secret
add disabled=yes name=adu1hqckrcontrolcom profile=L2TP service=l2tp
/snmp
set contact=admin@csolutionscy.com enabled=yes location=n02 trap-community=\
nnd115ce7nGxkwbQ trap-target=213.7.231.xx trap-version=2
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=adu-1-n02.ckrcontrol.com
/system logging
add disabled=yes topics=l2tp
/system ntp client
set enabled=yes primary-ntp=213.7.231.xx secondary-ntp=172.168.188.2
Mikrotik server config
# mar/14/2023 23:24:11 by RouterOS 6.49.7
# software id = QXU3-9BSF
#
# model = RB750Gr3
# serial number = CC210FFC6E46
/interface bridge
add name=br-vlan10
add name=br-vlan20
add name=br-vlan30
add name=br-vlan40
/interface ethernet
set [ find default-name=ether1 ] comment="Uplink from CTCPE" loop-protect=on \
mtu=1596
set [ find default-name=ether2 ] comment="DCOS / R2 / 8P-Swich" loop-protect=\
on loop-protect-disable-time=10m mtu=1596
set [ find default-name=ether3 ] comment=R3 loop-protect=on \
loop-protect-disable-time=10m mtu=1596
set [ find default-name=ether4 ] comment=CCTV loop-protect=on \
loop-protect-disable-time=10m mtu=1596
set [ find default-name=ether5 ] comment="Uplink to adu-1.hq.ckrcontrol.com" \
loop-protect=on loop-protect-disable-time=10m mtu=1596
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-ctfiber user=user
/interface l2tp-server
add name=l2tp-adu1hql2tp user=adu1hql2tp
add name=l2tp-adu1n02l2tp user=adu1n02l2tp
add disabled=yes name=l2tp-ckl2tp user=ckl2tp
add name=l2tp-hb535 user=hb535l2tp
/interface ovpn-server
add name=ovpn-ck user=chrisckr
/interface eoip
add local-address=10.2.1.1 mac-address=02:DF:6F:F5:E4:A6 mtu=1500 name=\
eoip-to-adu1n02 remote-address=10.2.1.150 tunnel-id=17
/interface vlan
add interface=br-vlan10 loop-protect=on loop-protect-disable-time=10m name=\
vlan10 vlan-id=10
add interface=br-vlan20 loop-protect=on loop-protect-disable-time=10m name=\
vlan20 vlan-id=20
add interface=br-vlan30 loop-protect=on loop-protect-disable-time=10m name=\
vlan30 vlan-id=30
add interface=br-vlan40 loop-protect=on loop-protect-disable-time=10m name=\
vlan40 vlan-id=40
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=62.152.4.xx/32 exchange-mode=ike2 name=ipsec-to-adu1.n02
/ip ipsec policy group
set [ find default=yes ] name=L2TP
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=disable-dpd \
enc-algorithm=aes-256 hash-algorithm=sha512
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/ip pool
add name=OVPN-Pool ranges=10.1.1.2-10.1.1.254
add name=L2TP-Pool ranges=10.2.1.2-10.2.1.100
add name=vlan20_pool ranges=192.168.20.2-192.168.20.254
add name=vlan10_pool ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=vlan20_pool disabled=no interface=br-vlan20 lease-time=2h \
name=vlan20_dhcp
add address-pool=vlan10_pool disabled=no interface=br-vlan10 lease-time=2h \
name=vlan10_dhcp
/ppp profile
set *0 change-tcp-mss=default
add local-address=10.1.1.1 name=OVPN remote-address=OVPN-Pool
add local-address=10.2.1.1 name=L2TP remote-address=L2TP-Pool
set *FFFFFFFE change-tcp-mss=default use-encryption=default
/queue simple
add burst-time=1s/1s max-limit=52M/205M name=vlan10_200/50 target=br-vlan10
add burst-time=1s/1s max-limit=52M/205M name=vlan20_200/50 target=br-vlan20
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=dcos_com_only_
/system logging action
add email-start-tls=yes email-to=christos322009@hotmail.com name=email \
target=email
/interface bridge port
add bridge=br-vlan20 interface=ether3
add bridge=br-vlan10 interface=vlan10
add bridge=br-vlan20 interface=vlan20
add bridge=br-vlan10 interface=ether2
add bridge=br-vlan30 interface=vlan30
add bridge=br-vlan30 interface=ether4
add bridge=br-vlan40 interface=ether5
add bridge=br-vlan40 interface=vlan40
add bridge=br-vlan30 interface=eoip-to-adu1n02
/interface l2tp-server server
set default-profile=L2TP enabled=yes max-mru=1700 max-mtu=1700 \
one-session-per-host=yes use-ipsec=required
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=OVPN enabled=\
yes port=61194 require-client-certificate=yes
/ip address
add address=192.168.10.1/24 interface=br-vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=br-vlan20 network=192.168.20.0
add address=172.168.188.1/24 interface=ether2 network=172.168.188.0
add address=192.168.8.250/24 interface=ether2 network=192.168.8.0
add address=192.100.30.1/29 interface=br-vlan30 network=192.100.30.0
add address=192.168.40.1/30 interface=br-vlan40 network=192.168.40.0
/ip arp
add address=192.168.8.1 comment=LTE-Backup interface=br-vlan10 mac-address=\
E0:40:07:7F:1C:EF
add address=172.168.188.2 comment=DCOS interface=br-vlan10 mac-address=\
C4:34:6B:65:92:DA
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=10.0.0.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=10.0.0.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.1,1.1.1.1,1.0.0.1
/ip dns static
add address=172.168.188.2 name=dcos.ckrcontrol.com
add address=213.7.231.xx name=ns1monitoring.ckrcontrol.com
add address=38.242.199.xx name=ns2monitoring.ckrcontrol.com
add address=38.242.199.xx name=mail.ckrcontrol.com
add address=172.168.188.1 name=bbhq.ckrcontrol.com
add address=10.2.1.150 name=adu-1.n02.ckrcontrol.com
add address=10.2.1.151 name=adu-1.hq.ckrcontrol.com
add address=192.100.30.2 name=cctv.ckrcontrol.com
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Allow fasttrack" \
src-address=172.168.188.0/24
add action=drop chain=forward dst-address=192.168.0.0/16 src-address=\
192.168.0.0/16
add action=accept chain=forward comment=\
"Allow forward good connection states" connection-state=\
established,related,new
add action=accept chain=input comment="Allow incoming good connection states" \
connection-state=established,related,new
add action=drop chain=forward comment="Drop forward invalid connection state" \
connection-state=invalid
add action=drop chain=input comment="Drop input invalid connection state" \
connection-state=invalid
add action=accept chain=input comment="Port Scanner Block" disabled=yes \
protocol=tcp src-address=172.168.188.0/24
add action=accept chain=input disabled=yes protocol=tcp src-address=\
10.100.1.0/24
add action=add-src-to-address-list address-list="Ports Scanner Attacks" \
address-list-timeout=1d chain=input disabled=yes dst-port=\
62222,60080,60090 protocol=tcp
add action=drop chain=input disabled=yes dst-port=62222,60080,60090 protocol=\
tcp src-address-list="Ports Scanner Attacks"
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.168.188.0/24
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.20.0/24
add action=masquerade chain=srcnat src-address=192.100.30.0/24
add action=masquerade chain=srcnat src-address=192.168.40.0/30
add action=masquerade chain=srcnat src-address=192.168.8.0/24
add action=masquerade chain=srcnat src-address=10.1.1.0/24
add action=masquerade chain=srcnat src-address=10.2.1.0/24
add action=dst-nat chain=dstnat comment=DCOS dst-address=213.7.231.xx \
dst-port=1-40000 protocol=tcp src-port="" to-addresses=172.168.188.2 \
to-ports=1-40000
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=53 \
protocol=udp to-addresses=172.168.188.2 to-ports=53
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp to-addresses=\
172.168.188.2 to-ports=1194
add action=dst-nat chain=dstnat comment=NTP dst-address=213.7.231.xx \
dst-port=123 protocol=udp to-addresses=172.168.188.2 to-ports=123
add action=dst-nat chain=dstnat comment=CCTV dst-address=213.7.231.xx \
dst-port=65000 protocol=tcp to-addresses=192.100.30.2 to-ports=65000
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=65090 \
protocol=tcp to-addresses=192.100.30.2 to-ports=65090
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=40011 \
protocol=tcp to-addresses=192.100.30.4 to-ports=40011
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=40080 \
protocol=tcp to-addresses=10.2.1.150 to-ports=40080
add action=dst-nat chain=dstnat comment=WoL dst-address=213.7.231.xx \
dst-port=7 protocol=udp to-addresses=172.168.188.0/24 to-ports=7
add action=redirect chain=dstnat comment="DNS Server" dst-port=53 protocol=\
tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip ipsec identity
add peer=ipsec-to-adu1.n02
/ip route
add check-gateway=ping comment=PPPoE distance=1 gateway=pppoe-ctfiber
add check-gateway=ping comment=LTE-Backup disabled=yes distance=2 gateway=\
192.168.8.1
/ip service
set telnet disabled=yes
set ftp address=172.168.188.0/24,10.1.1.0/24,10.2.1.0/24 port=60021
set www address=172.168.188.0/24,10.1.1.0/24,10.2.1.0/24 port=60080
set ssh address=172.168.188.0/24,10.1.1.0/24,10.2.1.0/24 port=62222
set api disabled=yes
set winbox address=172.168.188.0/24,10.1.1.0/24,10.2.1.0/24 port=60090
set api-ssl disabled=yes
/ppp secret
add name=chrisckr profile=OVPN service=ovpn
add name=hb535l2tp profile=L2TP service=l2tp
add disabled=yes name=ckl2tp profile=L2TP service=l2tp
add name=adu1n02l2tp profile=L2TP remote-address=10.2.1.150 service=l2tp
add name=adu1hql2tp profile=L2TP remote-address=10.2.1.151 service=l2tp
/snmp
set contact=christos322009@hotmail.com enabled=yes location=hq.ckrcontrol.com \
trap-community=dcos_com_only_ trap-target=172.168.188.2,38.242.199.xx \
trap-version=2
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=bbhq.ckrcontrol.com
/system logging
add action=email topics=critical
add action=email disabled=yes topics=interface
add action=email topics=firewall
/system ntp client
set enabled=yes primary-ntp=213.7.231.xx secondary-ntp=172.168.188.2
/tool e-mail
set address=mail.ckrcontrol.com from=r1@ckrcontrol.com port=587 start-tls=yes \
user=r1@ckrcontrol.com
/tool graphing interface
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=pppoe-ctfiber
/tool graphing resource
add
/tool netwatch
add disabled=yes down-script="interface set ether5 disable=no" host=\
213.7.231.xx interval=1s up-script="interface set ether5 disable=yes"
add disabled=yes down-script="tool e-mail send to=christos322009@hotmail.com s\
ubject=Uplink_from_CPE_DOWN start-tls=yes body=Uplink_from_CPE_is_DOWN" \
host=213.7.231.xx interval=10s up-script="tool e-mail send to=christos3220\
09@hotmail.com subject=Uplink_from_CPE_UP start-tls=yes body=Uplink_from_C\
PE_is_UP"