Port forwarding with NAT through VPN

Hello

Recently, I decided to set up an SSH connection to my machine in a private network. I have a machine with a public IP and OPNsense installed on it. I have installed WireGuard there. This WireGuard is also connected to my MikroTik router. Right now, the idea is:

I try to connect to [public_ip]:2000, then it is forwarded to 10.10.0.6:2000, which is the private IP of the MikroTik in my VPN network, and lastly it is forwarded to 192.168.40.252:22, which is SSH on my private server, which is connected by Ethernet to my MikroTik. Of course, it does not work. On the MikroTik, I have created a NAT rule.

```
chain=dstnat action=dst-nat to-addresses=192.168.40.252 to-ports=22 protocol=tcp dst-address=10.10.0.6 in-interface=wireguard1 dst-port=2000 log=yes log-prefix=""
```

And I also created a rule in my firewall:

```
chain=forward action=accept protocol=tcp dst-address=192.168.40.252 in-interface=wireguard1 dst-port=22
```

When I start connecting with SSH on port 2000, I can see these rules are working in the MikroTik panel. Also, I can see a connection coming in with tcpdump on the server I am trying to connect to. I believe it is going in, meaning forwarding in OPNsense and MikroTik works correctly, but it is not going out. In tcpdump, I can see the source address is my home PC address (my ISP's, to be exact), so I believe that the server does not know where to send packets back. I tried messing with srcnat so the source IP would be my router.

```
chain=srcnat action=masquerade protocol=tcp connection-mark=from_wg out-interface=bridge dst-port=22 log=no log-prefix=""
```

But this was not successful. I believe I am on the right track, but I just can't set up `srcnat` on my own.

I have been trying to set this up for hours and just do not have any idea what to do at this point.

I will also send my whole firewall configuration.

```
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
 0   ;;; defconf: masquerade
     chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
 1   ;;; aang forward
     chain=dstnat action=dst-nat to-addresses=192.168.40.252 to-ports=22 protocol=tcp dst-address=10.10.0.6 in-interface=wireguard1 dst-port=2000 log=yes log-prefix=""
 2   ;;; sokka forward
     chain=dstnat action=dst-nat to-addresses=192.168.40.253 to-ports=22 protocol=tcp dst-address=10.10.0.6 in-interface=wireguard1 dst-port=2001
 3   ;;; katara forward
     chain=dstnat action=dst-nat to-addresses=192.168.40.254 to-ports=22 protocol=tcp dst-address=10.10.0.6 in-interface=wireguard1 dst-port=2002
 4   chain=srcnat action=masquerade protocol=tcp connection-mark=from_wg out-interface=bridge dst-port=22 log=no log-prefix=""
```

```
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1   ;;; defconf: accept established,related,untracked
     chain=input action=accept connection-state=established,related,untracked
 2   ;;; defconf: drop invalid
     chain=input action=drop connection-state=invalid
 3   ;;; defconf: accept ICMP
     chain=input action=accept protocol=icmp
 4   ;;; defconf: accept to local loopback (for CAPsMAN)
     chain=input action=accept dst-address=127.0.0.1
 5   chain=input action=accept in-interface=wireguard1 log=no log-prefix=""
 6 X ;;; sokka forward
     chain=forward action=accept protocol=tcp dst-address=192.168.40.253 in-interface=wireguard1 dst-port=22
 7   ;;; aang forward
     chain=forward action=accept protocol=tcp dst-address=192.168.40.252 in-interface=wireguard1 dst-port=22
 8 X ;;; katara forward
     chain=forward action=accept protocol=tcp dst-address=192.168.40.254 in-interface=wireguard1 dst-port=22
 9   ;;; defconf: drop all not coming from LAN
     chain=input action=drop in-interface-list=!LAN
10   ;;; defconf: accept in ipsec policy
     chain=forward action=accept ipsec-policy=in,ipsec
11   ;;; defconf: accept out ipsec policy
     chain=forward action=accept ipsec-policy=out,ipsec
12   ;;; defconf: fasttrack
     chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
13   ;;; defconf: accept established,related,untracked
     chain=forward action=accept connection-state=established,related,untracked
14   ;;; defconf: drop invalid
     chain=forward action=drop connection-state=invalid
15   ;;; defconf: drop all from WAN not DSTNATed
     chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
```

I would appreciate any help and ideas, and I would be happy to send more information about my setup if needed.
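As an added illustration (not from the thread or either poster), here is a small Python model of the return path: it applies the dst-nat rule from the post, lets the server answer whatever source address it saw, reverses the NAT the way connection tracking does, and then does a longest-prefix route lookup to see which MikroTik interface the reply leaves on. The addresses 203.0.113.10 (home PC), 10.10.0.1 (OPNsense tunnel address), 192.168.40.1 (MikroTik bridge) and the default route via ether1 are constructed assumptions.

```python
import ipaddress

# Assumed MikroTik routing table (constructed): default route out the WAN port,
# the WireGuard transfer network via wireguard1, the LAN via the bridge.
MT_ROUTES = [("0.0.0.0/0", "ether1"), ("10.10.0.0/24", "wireguard1"), ("192.168.40.0/24", "bridge")]

def route_lookup(dst, routes=MT_ROUTES):
    """Longest-prefix match: return the outgoing interface for destination dst."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def reply_interface(src_nat_on_tunnel=False, masquerade_on_bridge=False):
    """Trace one SSH SYN from the home PC to the server and the server's SYN-ACK back.
    Returns the MikroTik interface the reply is routed out of.
    src_nat_on_tunnel:   OPNsense rewrites the source to its own tunnel address (10.10.0.1)
    masquerade_on_bridge: the srcnat attempt from the post (masquerade out-interface=bridge)"""
    home_pc = "203.0.113.10"                      # constructed: PC's public (ISP) address
    # Packet as it arrives on wireguard1 after OPNsense forwarded public_ip:2000 -> 10.10.0.6:2000
    src = "10.10.0.1" if src_nat_on_tunnel else home_pc
    original = (src, 40000, "10.10.0.6", 2000)    # (src, sport, dst, dport)
    # MikroTik dst-nat rule from the post: 10.10.0.6:2000 -> 192.168.40.252:22
    nat_src = "192.168.40.1" if masquerade_on_bridge else src
    translated = (nat_src, 40000, "192.168.40.252", 22)
    conntrack = {translated: original}            # server-side tuple -> pre-NAT tuple
    # The server replies to the source it saw; MikroTik matches the conntrack entry,
    # restores the pre-NAT client address and only then does the route lookup.
    seen_by_server = (translated[0], translated[1], "192.168.40.252", 22)
    client_ip = conntrack[seen_by_server][0]
    return route_lookup(client_ip)
```

Without source NAT on the tunnel the reply is addressed to the PC's public IP and follows the default route instead of going back into wireguard1; masquerading on the bridge changes what the server sees but not that lookup.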

Didn't understand anything in the first paragraph, please add a network diagram.

Thanks for the reply. I want to connect to the SSH server which is behind my MikroTik. The MikroTik itself does not have a public IP, so I forward the connection with WireGuard.

On my PC I want to connect to SSH on port 2000 on my OPNsense. Then it should be forwarded to the MikroTik and then to the SSH server. As I said before, I can see the connection on the SSH server, but it probably does not go back to my PC.

I hope this is more clear.

Okay, not clear enough, but I can make some guesses. The situation, it appears, is that you have two routers connected to the internet at two different locations, which have a WireGuard connection with the OPNsense (with public IP) acting as host for the handshake.

You would like the PC, which is not clear yet but
a. either behind the OPNsense on its LAN subnets
OR
b. somewhere in a third location, and its internet connection is not relevant,

In any case you want the PC to reach the SSH server on the Mikrotik.

To me the obvious reply is, for the two cases:
a. simply, via WireGuard allow the user to access the SSH server directly over the VPN tunnel.
b. simply, WireGuard from the PC to the OPNsense and then reach the SSH server via the associated VPN tunnel to the MT and its server.

**** No port forward through NAT is required at all. ****

If for some reason you want port forwarding (less secure), then it would be up to you to do all the work on the OPNsense, as the MT has very little to do with that approach.

So let me know which approach is preferred and your latest MT config:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists)