Port forwarding and VPN problem

Hello everyone,
I use a LGH5 to connect to my ISP. The LAN cable then goes to a set of Netgear Orbis in AP mode to provide wifi and ethernet access in home.
The connection to the ISP is PPPoE and then a static IP is assigned. I have also set up a VPN connection on my router according to this guide. This connection assigns a dynamic IP. I have a list of IPs that should be accessed with my PPPoE connection and the rest of the traffic goes through the VPN. I also run some services that require port forwarding. My firewall rules and routes are listed here:

/ip firewall filter
add action=accept chain=input src-address-list=admin-access
add action=drop chain=input dst-port=21,22,23,80,443,8291 protocol=tcp

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!ppoeIPs \
    new-routing-mark=PureVPN-PPTP passthrough=yes src-address=192.168.12.0/24
add action=mark-routing chain=prerouting dst-address-list=ppoeIPs \
    new-routing-mark=ppoeIPs passthrough=yes src-address=192.168.12.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=PORT protocol=\
    tcp src-address-type="" to-addresses=192.168.12.1 to-ports=PORT
add action=dst-nat chain=dstnat dst-port=PORT protocol=udp \
    to-addresses=192.168.12.2 to-ports=PORT

/ip route
add distance=1 gateway=PureVPN-PPTP routing-mark=PureVPN-PPTP
add distance=1 gateway=pppoe-out1 routing-mark=ppoeIPs

My problems:

  1. The port forwarding is really spotty and unreliable. Sometimes it works and sometimes it doesn’t. To get it to work again I try rebooting and disabling and re-enabling these rules, which seems to randomly cure the problem.
  2. I can’t use port forwarding from my internal network. When I use the URL pointing to my external IP, the connection fails.

By the way I have also tried the following in masquerade, no luck.

add action=masquerade chain=srcnat dst-address-list=ppoeIPs \
    out-interface=pppoe-out1
add action=masquerade chain=srcnat dst-address-list=!ppoeIPs \
    out-interface=PureVPN-PPTP

Please help as it’s driving me crazy.

As you effectively have two “logical WANs” (the physical one and the VPN one), you have to make sure that the responses from the internal server use the proper WAN (the one through which the requests to that server came in). As you have only posted the part of your configuration which you think is relevant, it is impossible to say what is actually wrong. I’d recommend to follow the hint in my automatic signature below, analysis tends to provide better results than divination.

This is the complete config:

# jul/18/2019 12:41:16 by RouterOS 6.44.3
# software id = 
#
# model = RouterBOARD LHG 5nD
# serial number = XXXXXX
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-eC \
    disabled=no frequency=5660 frequency-mode=superchannel mode=\
    station-bridge radio-name=XXXXXXX-Baratian scan-list=5660 ssid=XXXXXXX
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=wlan1 \
    name=pppoe-out1 user=XXXXXXX
/interface pptp-client
add add-default-route=yes connect-to=se1.pointtoserver.com dial-on-demand=yes \
    disabled=no name=PureVPN-PPTP user=XXXXXXX
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.12.1-192.168.12.199
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge1 lease-time=2d name=defconf
/interface bridge port
add bridge=bridge1 disabled=yes interface=wlan1
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=discover
add interface=ether1 list=mactel
add interface=ether1 list=mac-winbox
add interface=wlan1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=192.168.12.254/24 comment=defconf interface=ether1 network=\
    192.168.12.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=wlan1 \
    use-peer-dns=no
/ip dhcp-server lease
add address=192.168.12.1 client-id=X mac-address=\
    X server=defconf
add address=192.168.12.2 client-id=X mac-address=\
    X server=defconf
add address=192.168.12.64 client-id=X mac-address=\
    X server=defconf
add address=192.168.12.128 client-id=X mac-address=\
    X server=defconf
add address=192.168.12.13 mac-address=X server=defconf
add address=192.168.12.14 mac-address=X server=defconf
add address=192.168.12.21 always-broadcast=yes client-id=X \
    mac-address=X server=defconf
add address=192.168.12.15 mac-address=X server=defconf
add address=192.168.12.16 mac-address=X server=defconf
add address=192.168.12.12 mac-address=X server=defconf
add address=192.168.12.4 client-id=X mac-address=\
    X server=defconf
add address=192.168.12.11 always-broadcast=yes mac-address=X \
    server=defconf
add address=192.168.12.23 client-id=X mac-address=\
    B0:E8:92:F8:CC:0A server=defconf
add address=192.168.12.129 mac-address=X server=defconf
add address=192.168.12.130 mac-address=X server=defconf
/ip dhcp-server network
add address=192.168.12.0/24 dns-server=192.168.12.1,1.1.1.1 gateway=\
    192.168.12.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.12.254 name=router
/ip firewall address-list
add address=XXX.XXX.XXX.0/24 list=admin-access
add address=XXX.XXX.XXX.0/22 list=ppoeIPs

/ip firewall filter
add action=accept chain=input src-address-list=admin-access
add action=drop chain=input dst-port=21,22,23,80,443,8291 protocol=tcp
add action=accept chain=input disabled=yes in-interface=pppoe-out1 protocol=\
    icmp
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!ppoeIPs \
    new-routing-mark=PureVPN-PPTP passthrough=yes src-address=192.168.12.0/24
add action=mark-routing chain=prerouting dst-address-list=ppoeIPs \
    new-routing-mark=ppoeIPs passthrough=yes src-address=192.168.12.0/24
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes out-interface=all-ppp \
    to-addresses=my.public.ip
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat disabled=yes dst-address-list=ppoeIPs \
    out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=yes dst-address-list=!ppoeIPs \
    out-interface=PureVPN-PPTP
add action=dst-nat chain=forward dst-port=PORT protocol=tcp src-address-list=\
    "" to-addresses=192.168.12.1 to-ports=PORT
add action=dst-nat chain=dstnat dst-port=PORT protocol=tcp to-addresses=\
    192.168.12.1 to-ports=PORT
add action=dst-nat chain=dstnat dst-port=PORT protocol=tcp to-addresses=\
    192.168.12.1 to-ports=PORT
add action=dst-nat chain=dstnat dst-port=PORT protocol=tcp to-addresses=\
    192.168.12.1 to-ports=PORT
add action=dst-nat chain=dstnat dst-port=PORT protocol=tcp to-addresses=\
    192.168.12.1 to-ports=PORT
add action=dst-nat chain=dstnat disabled=yes dst-port=PORT protocol=udp \
    to-addresses=192.168.12.2 to-ports=PORT
/ip route
add distance=1 gateway=PureVPN-PPTP routing-mark=PureVPN-PPTP
add distance=1 gateway=pppoe-out1 routing-mark=ppoeIPs
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/system clock
set time-zone-name=XXXXX
/system identity
set name=XXXXXX
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Multiple issues.

  • You force routing of anything that comes from the 192.168.12.0/24 subnet (which includes the server at 192.168.12.1) via the VPN “WAN”, except the single /22 destination subnet in address-list ppoe-destinations which you force via the PPPoE WAN. So if the client’s address is outside that subnet, the server response always goes via the VPN WAN regardless which way the client’s request came, so clients connecting to your PPPoE address get responses from the currently assigned VPN address which they ignore (or don’t get them at all because some stateful firewall in the VPN path drops them as it could not see the initial packet of the connection).
    So the simplest way is to force the traffic from the server to any destination via the PPPoE connection or, if you need clients to connect to both public IPs, to use the complete connection-marking approach as explained here (read the last paragraph of the post first to synchronize the context).
  • You permit both the /interface pppoe-client and /interface pptp-client to add a default route to your routing table. Whereas the forwarded traffic from hosts connected to your LAN is routing-marked by the /ip firewall mangle rules in chain=prerouting, packets sent by Mikrotik itself are not handled by these rules (check this set of diagrams to see why), so they take one of the two routes added by the tunneling protocols. So first of all it is surprising for me that your pptp tunnel doesn’t break once it establishes, but the default route provided by pppoe-client probably wins in most or all cases (does /ip route print while VPN is up confirm this assumption?). Second, the dynamic DNS service of Mikrotik’s cloud associates with your fqdn the IP from which it has actually received the registration request. So as you haven’t been very clear about the “url representing your address”, I suppose that you expect the clients to come to the public IP assigned by the pptp, but you register to the cloud DNS the other one.

If some of my assumptions are wrong, it’s because they are assumptions, taken in absence of relevant information in your posts.

Thanks for the reply. I am already using mangle to send traffic to different WANs. I added the new mangle rule

add action=mark-routing chain=prerouting new-routing-mark=ppoeIPs passthrough=\
    yes protocol=tcp src-address=192.168.12.1 src-port=PORT

This fixes the port forwarding problem. (The URL points to the PPPoE IP as it is static.)
So the first problem is solved.
The second problem is that I can’t use the same URL that works from outside. I should use the IP address to access 192.168.12.1:PORT from 192.168.12.0/24. How can I overcome this one?

You again expect us to know that you talk about the case when clients in your LAN connect to the fqdn which resolves to the public IP of the PPPoE instead of stating that clearly in the OP. “My clients” doesn’t necessarily mean “clients in my LAN”.

Now what happens is the so-called routing triangle: the client PC sends the initial (SYN) packet to the public address, the Mikrotik dst-nats the packet to the server’s private IP and sends it there, but the source address remains the LAN client’s one so the server’s response goes directly to it, while the client expects it to come from the public one so it ignores it.

One possibility is to add a src-nat rule chain=srcnat action=src-nat src-address=192.168.12.0/24 dst-address=192.168.12.1 to-addresses=192.168.12.254 to make sure that the server will respond to Mikrotik’s own address so the firewall’s connection tracker will be able to “un-src-nat” and then “un-dst-nat” the response prior to forwarding it to the client. This is called hairpin NAT.

Another possibility is to use a static DNS on your Mikrotik, so for the LAN clients the fqdn will resolve to 192.168.12.1 straight away.

Hi again.
I have clearly mentioned “internal network” in my OP.
Adding this rule to NAT doesn’t solve the problem. Any idea?

add action=src-nat chain=srcnat dst-address=192.168.12.1 src-address=\
    192.168.12.0/24 to-addresses=192.168.12.254

Sorry, I’ve mixed up several topics.

Sorry again (same reason), in your case that rule is redundant as everything is always src-nated thanks to the rule
action=masquerade chain=srcnat …no other conditions…
Leaving aside whether such a wide-matching rule is a good idea or not, the reason for your trouble must be different. In fact it’s the policy routing again - you assign the routing-mark PureVPN-PPTP to everything from 192.168.12.0/24 via the VPN “WAN”, but there is no specific route to 192.168.12.1 (or 192.168.12.0/24) with that routing-mark, so the marked packets take the default route with that routing-mark instead. So the fastest way out is
/ip route rule add dst-address=192.168.12.0/24 action=lookup-only-in-table table=main
More details here.
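As an added example (not the poster’s config and not taken from the replies), this is how the policy-routing side could be laid out for this thread’s setup: the route rule above for LAN destinations, plus the connection-marking approach mentioned earlier so that a port-forwarded server’s replies leave through whichever WAN the request arrived on. Interface, list and address names are the ones in the posted export; the LAN interface bridge1 and the rule order are assumptions.

```routeros
# Added example, not the poster's config. pppoe-out1, PureVPN-PPTP, ppoeIPs,
# 192.168.12.0/24 come from the thread; bridge1 as the LAN interface and the
# rule order are assumptions.

/ip firewall mangle
# 1) Remember which WAN a new inbound (port-forwarded) connection arrived on.
add chain=prerouting connection-state=new in-interface=pppoe-out1 \
    action=mark-connection new-connection-mark=in-via-pppoe passthrough=yes
add chain=prerouting connection-state=new in-interface=PureVPN-PPTP \
    action=mark-connection new-connection-mark=in-via-vpn passthrough=yes
# 2) Server replies belonging to such a connection get the matching routing
#    mark; passthrough=no so the per-subnet rules below cannot overwrite it.
add chain=prerouting in-interface=bridge1 connection-mark=in-via-pppoe \
    action=mark-routing new-routing-mark=ppoeIPs passthrough=no
add chain=prerouting in-interface=bridge1 connection-mark=in-via-vpn \
    action=mark-routing new-routing-mark=PureVPN-PPTP passthrough=no
# 3) Connections started from the LAN: the split the thread already uses.
add chain=prerouting src-address=192.168.12.0/24 dst-address-list=ppoeIPs \
    action=mark-routing new-routing-mark=ppoeIPs passthrough=yes
add chain=prerouting src-address=192.168.12.0/24 dst-address-list=!ppoeIPs \
    action=mark-routing new-routing-mark=PureVPN-PPTP passthrough=yes

/ip route
add gateway=pppoe-out1 routing-mark=ppoeIPs distance=1
add gateway=PureVPN-PPTP routing-mark=PureVPN-PPTP distance=1

/ip route rule
# LAN-to-LAN packets (including hairpinned ones) also carry a routing mark;
# look them up in the main table so they are not pushed towards a WAN.
add dst-address=192.168.12.0/24 action=lookup-only-in-table table=main
```

With this in place the single-port mark-routing rule added earlier in the thread is no longer needed, because step 2 covers every forwarded connection regardless of port.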

Many thanks!
This solves the problem with one caveat: if I want to access a server using the same port out of my LAN from inside, I can’t and get redirected to 192.168.12.1:PORT. How can I solve this?
And can you tell me what’s wrong with having just one masquerade rule? I searched very much and couldn’t find what’s the best practice for setting up masquerade.

I had to re-read this several times before understanding the problem :) The problem is that your dst-nat rules do not check the dst-address, only the dst-port. So add dst-address=your.pppoe.public.ip to them and you’ll be good.

First, the best practice is to use src-nat rather than masquerade where the IP of the outgoing interface is static, as masquerade on purpose erases all tracked connections in the firewall when the interface goes down and up again, which maxes out the CPU for a while, but let’s say that’s not an issue in a home environment.
Next, with your single LAN subnet, the only issue is that not only connections from your LAN clients get to the server with the IP of the Mikrotik as source but also connections from clients in the internet. So if this doesn’t bother you, you can stay as you are. With more LAN subnets, the same problem would be more annoying.
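As an added example (not the poster’s config and not code from the replies), here is a NAT section that applies the points made in the last three answers together: the hairpin src-nat, a dst-nat rule that matches the public address and not only the port, and src-nat on the static PPPoE address with masquerade kept only for the dynamically addressed VPN. The public address 203.0.113.10 and the port 8443 are placeholders.

```routeros
# Added example, not the poster's config. 203.0.113.10 stands in for the
# static PPPoE address and 8443 for the forwarded port; interface names and
# 192.168.12.1 / 192.168.12.254 come from the thread.

/ip firewall nat
# Outbound: src-nat on the static PPPoE address (no connection flush when
# the link flaps); masquerade only on the VPN, whose address is dynamic.
add chain=srcnat out-interface=pppoe-out1 action=src-nat \
    to-addresses=203.0.113.10
add chain=srcnat out-interface=PureVPN-PPTP action=masquerade

# Port forward: match the public address as well as the port, so a LAN
# client talking to the same port on some other host is left alone.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=8443 \
    action=dst-nat to-addresses=192.168.12.1 to-ports=8443

# Hairpin: only LAN clients that reached the server via the public address
# are src-natted to the router, so connection tracking can undo both NATs
# on the reply. Internet clients keep their real source IP at the server.
add chain=srcnat src-address=192.168.12.0/24 dst-address=192.168.12.1 \
    protocol=tcp dst-port=8443 action=src-nat to-addresses=192.168.12.254

# Alternative to hairpin for name-based access from the LAN: answer the
# name with the private address directly (myhost.example.com is a placeholder).
/ip dns static
add name=myhost.example.com address=192.168.12.1

# Check which rules are actually being hit while testing from inside and
# from outside (counters are per rule).
/ip firewall nat print stats
```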

Thanks a million!