I have a PPTP vpn established 24/7 with Vyper-VPN. I also have email inbound on my SFP (WAN) port to my local IP. When the VPN is down, email routes to internal server just fine.
When the VPN is established, reply traffic for all dstnat'd connections is going back OUT the VPN instead of the sfp-gateway interface it was received and originally dstnat'd on. How do I keep a reply packet (ACK) going back out the same interface the dstnat rule matched it on?
The telnet log in the picture is for port 25 from an external source connecting to the public IP of my modem, which has a DMZ set to RouterOS (private 10.1.10.0 network between them); 192.168.11.0 is the LAN behind RouterOS.
Looking for steps to post configuration dump…
but the Gist is:
Filter------
accept forward Destination port: 25
accept input established
drop sfp1-gateway new
NAT-------
dst-nat destination port: 25 to 192.168.11.35:25
masquerade srcnat
Mangle-----
No Touching, just logging.
Thanks,
-Dustin

Router is 2011UAS-2HnD with firmware 2.41 RouterOS 5.20
/ip firewall filter
# Input/forward filter as dumped. Rules are evaluated top-down; the first matching rule decides.
# NOTE: the quotes in comment="..." were converted to curly quotes by the forum; restore straight "
# before re-importing any of this dump.
# ICMP to the router is accepted from every interface (WAN and VPN tunnels included) ahead of the drops below.
add action=accept chain=input comment=“default configuration - Allow ping from ALL” disabled=no protocol=icmp
# The only forward-chain rule in the dump. There is no drop in the forward chain, so this accept does
# not restrict anything: all forwarded traffic passes, from any interface, and only what gets dst-nat'd
# (or is otherwise routable from the far side, e.g. over a VPN tunnel) can reach 192.168.11.0/24.
# If the forward chain is meant to be a boundary, it needs an accept for established/related plus a
# drop for connection-state=new arriving on sfp1-gateway and on the VPN interfaces.
add action=accept chain=forward disabled=no dst-port=25 protocol=tcp
# Per VPN server: drop new and invalid connections addressed to the router itself that arrive over that
# tunnel. Each tunnel has its own interface name (the server hostname), hence one pair of rules per server.
add action=drop chain=input comment=“Prevent inbound connections from vpn and wan-in” connection-state=new disabled=no in-interface=us1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=us1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=hk1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=hk1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=uk1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=uk1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=de1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=de1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=eu1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=eu1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=fr1.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=fr1.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=us2.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=us2.vpn.giganews.com
add action=drop chain=input connection-state=new disabled=no in-interface=us3.vpn.giganews.com
add action=drop chain=input connection-state=invalid disabled=no in-interface=us3.vpn.giganews.com
# Same pair for the physical WAN port.
add action=drop chain=input connection-state=new disabled=no in-interface=sfp1-gateway
add action=drop chain=input connection-state=invalid disabled=no in-interface=sfp1-gateway
# Established/related traffic to the router is accepted. Placing these after the drops above is fine
# because those drops only match new/invalid states.
add action=accept chain=input comment=“default configuration - Allow established” connection-state=established disabled=no
add action=accept chain=input comment=“default configuration - Allow related” connection-state=related disabled=no
# Catch-all drop for ether1-gateway only. The WAN in this dump is sfp1-gateway, so this looks like a
# default-config leftover. Input traffic on other interfaces that matched nothing above falls through
# to RouterOS' implicit default (accept); there is no final drop rule.
add action=drop chain=input comment=“default configuration” disabled=no in-interface=ether1-gateway
/ip firewall nat
# dst-nat: inbound SMTP to the Exchange server, one rule per allowed sender address. All seven are
# disabled while the catch-all test rule further down is active.
# NOTE: the quotes in comment="..." were converted to curly quotes by the forum; restore straight "
# before re-importing any of this dump.
add action=dst-nat chain=dstnat comment=“Inbound SMTP to Exchange From MXGuarddog (7 Addresses)” disabled=yes dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=108.166.117.93 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=yes dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=174.129.28.137 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=yes dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=64.15.147.141 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=yes dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=222.229.219.209 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=yes dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=216.58.39.211 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=yes dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=184.107.58.155 to-addresses=192.168.11.35 to-ports=25
add action=dst-nat chain=dstnat disabled=yes dst-port=25 in-interface=sfp1-gateway protocol=tcp src-address=174.142.104.48 to-addresses=192.168.11.35 to-ports=25
# Active test rule: tcp/25 from ANY source on the WAN is forwarded to Exchange. Re-disable once the
# per-sender rules above are back on. The trailing "(Using this for testing ...)" text is a forum
# annotation, not valid syntax; strip it before importing.
add action=dst-nat chain=dstnat disabled=no dst-port=25 in-interface=sfp1-gateway protocol=tcp to-addresses=192.168.11.35 to-ports=25 (Using this for testing to allow from any)
# HTTPS/HTTP to Exchange (disabled). Unlike the SMTP rules these have no in-interface, so when
# re-enabled they would also apply to connections arriving over the VPN tunnels; consider adding
# in-interface=sfp1-gateway to keep exposure to the WAN only.
add action=dst-nat chain=dstnat comment=“Inbound SSL for Exchange” disabled=yes dst-port=443 protocol=tcp src-address=!192.168.0.0/16 to-addresses=192.168.11.35 to-ports=443
add action=dst-nat chain=dstnat comment=“Inbound HTTP for Exchange” disabled=yes dst-port=80 protocol=tcp src-address=!192.168.0.0/16 to-addresses=192.168.11.35 to-ports=80
# Catch-all masquerade with no out-interface: it matches every new connection in srcnat regardless
# of egress, including forwarded traffic leaving toward the LAN. The dst-nat'd SMTP connections are
# therefore likely delivered to 192.168.11.35 with the router's LAN address as source instead of the
# real sender (check Exchange's receive logs to confirm). Intended for VPN egress per the comment;
# restricting it with out-interface to the tunnel(s) would limit it to that purpose.
add action=masquerade chain=srcnat comment=“VPN DEF NAT RULE” disabled=no
# Disabled diagnostic: log srcnat decisions for traffic leaving the WAN.
add action=log chain=srcnat comment=“Enable Logging for traffic hitting below” disabled=yes log-prefix=“Traffic Leaving SFP::” out-interface=sfp1-gateway
# Masquerade for traffic actually leaving via the WAN port. With the catch-all above active this rule
# is reached only by connections the catch-all did not already match.
add action=masquerade chain=srcnat comment=“Masquerade requests from router (DNS, Ping/Reply) routed through the SFP port (Public-Cable)” disabled=no out-interface=sfp1-gateway
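/ip firewall mangle
# Policy routing for connections that entered via the WAN (sfp1-gateway).
# Without these marks, reply packets for dst-nat'd connections (e.g. SMTP to 192.168.11.35) are routed
# by the main table, whose default route points out the VPN once the PPTP tunnel is up. The route tagged
# routing-mark=email-inbound-smtp under /ip route already exists in this dump; nothing assigns that mark,
# so it is never consulted. The rules below are what assign it.
# The connection-mark name "from-sfp1" is a constructed label; any otherwise-unused name works.
# Tag every new connection that arrives on the WAN port (runs before dst-nat, so in-interface is reliable).
add action=mark-connection chain=prerouting comment="Tag connections that entered via WAN" connection-state=new disabled=no in-interface=sfp1-gateway new-connection-mark=from-sfp1 passthrough=yes
# Replies from the LAN (or any non-WAN interface) for those connections: look up the email-inbound-smtp
# table, whose default route is the WAN gateway 10.1.10.1. passthrough=yes keeps the log rules below seeing them.
add action=mark-routing chain=prerouting comment="Replies for WAN-entered connections leave via WAN table" connection-mark=from-sfp1 disabled=no in-interface=!sfp1-gateway new-routing-mark=email-inbound-smtp passthrough=yes
# The router's own replies to WAN-entered connections (e.g. the ICMP the filter accepts) take the same table.
add action=mark-routing chain=output comment="Router replies for WAN-entered connections leave via WAN table" connection-mark=from-sfp1 disabled=no new-routing-mark=email-inbound-smtp passthrough=yes
# Diagnostic logging of tcp/25 in every chain, unchanged. Leave disabled/removed once the routing issue
# is confirmed fixed; logging every SMTP packet is noisy.
add action=log chain=prerouting disabled=no dst-port=25 log-prefix=MANGLE:PreRouting:DestPort25:: protocol=tcp
add action=log chain=prerouting disabled=no log-prefix=MANGLE:PreRouting:DestPort25:: protocol=tcp src-port=25
add action=log chain=forward disabled=no dst-port=25 log-prefix=MANGLE:Forward:DestPort25:: protocol=tcp
add action=log chain=forward disabled=no log-prefix=MANGLE:Forward:DestPort25:: protocol=tcp src-port=25
add action=log chain=input disabled=no dst-port=25 log-prefix=MANGLE:Input:DestPort25:: protocol=tcp
add action=log chain=input disabled=no log-prefix=MANGLE:Input:DestPort25:: protocol=tcp src-port=25
add action=log chain=output disabled=no dst-port=25 log-prefix=MANGLE:Output:DestPort25:: protocol=tcp
add action=log chain=output disabled=no log-prefix=MANGLE:Output:DestPort25:: protocol=tcp src-port=25
add action=log chain=postrouting disabled=no dst-port=25 log-prefix=MANGLE:PostRouting:DestPort25:: protocol=tcp
add action=log chain=postrouting disabled=no log-prefix=MANGLE:PostRouting:DestPort25:: protocol=tcp src-port=25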
/ip route
# Static routes as dumped. 10.1.10.1 is the modem (WAN-side gateway); the VPN default route itself is
# not in this list, so it is presumably installed dynamically by the PPTP client.
# Default route in the separate table "email-inbound-smtp", pointing at the WAN gateway. As dumped,
# nothing in /ip firewall mangle assigns this routing mark, so this table is never consulted; it only
# takes effect once a mark-routing rule sets new-routing-mark=email-inbound-smtp.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.10.1 routing-mark=email-inbound-smtp scope=30 target-scope=10
# Disabled copies of the main-table default and connected routes (stale backups).
add comment=“Default Copy” disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=10.1.10.1 scope=30 target-scope=10
add comment=“Default Copy” disabled=yes distance=1 dst-address=10.1.10.0/24 gateway=sfp1-gateway pref-src=10.1.10.10 scope=10 target-scope=10
# Host route forced out the WAN; purpose not recorded — TODO document.
add disabled=no distance=1 dst-address=50.19.113.174/32 gateway=10.1.10.1 scope=30 target-scope=10
# Keep Comcast DNS reachable via the WAN rather than through the VPN.
add check-gateway=ping comment=“Comcast DNS Bypass” disabled=no distance=1 dst-address=68.87.0.0/16 gateway=10.1.10.1 scope=30 target-scope=10
# Host route forced out the WAN; purpose not recorded — TODO document.
add disabled=no distance=1 dst-address=107.21.252.48/32 gateway=10.1.10.1 scope=30 target-scope=10
# Host routes to each VPN server via the WAN gateway, so the PPTP tunnels are built over the WAN and
# not over the (VPN) default route once it appears.
add check-gateway=ping comment=fr1.vpn.giganews.com disabled=no distance=1 dst-address=138.199.67.145/32 gateway=10.1.10.1 scope=30 target-scope=10
add check-gateway=ping comment=uk1.vpn.giganews.com disabled=no distance=1 dst-address=138.199.67.149/32 gateway=10.1.10.1 scope=30 target-scope=10
add check-gateway=ping comment=eu1.vpn.giganews.com disabled=no distance=1 dst-address=138.199.67.151/32 gateway=10.1.10.1 scope=30 target-scope=10
# Disabled copy of the LAN connected route (bridge-local / 192.168.11.1).
add comment=“Default Copy” disabled=yes distance=0 dst-address=192.168.11.0/24 gateway=bridge-local pref-src=192.168.11.1 scope=10 target-scope=10
add check-gateway=ping comment=hk1.vpn.giganews.com disabled=no distance=1 dst-address=203.170.29.31/32 gateway=10.1.10.1 scope=30 target-scope=10
add check-gateway=ping comment=us3.vpn.giganews.com disabled=no distance=1 dst-address=209.99.20.19/32 gateway=10.1.10.1 scope=30 target-scope=10
add check-gateway=ping comment=us1.vpn.giganews.com disabled=no distance=1 dst-address=216.168.2.151/32 gateway=10.1.10.1 scope=30 target-scope=10
add check-gateway=ping comment=us2.vpn.giganews.com disabled=no distance=1 dst-address=216.168.3.17/32 gateway=10.1.10.1 scope=30 target-scope=10