Public IP DNAT Trough EoIP Tunnel.

RouterOS General
1

Hi all,

I have a little complicated scenario that i would like some help.

On POP1 i have a public IP address who handles some services.
POP2 is a remote location where i have a branch that i need to use the same public IP from POP1
VPN-EoIP2.png
What im trying to achieve is:

  • The server uses the same internet connection and default gateway, but all the incoming traffic from the tunnel reply trough it.
  • So then, i Make a DNAT from 1.1.1.1 to 10.0.100.2 →
  • Then make another DNAT from 10.0.100.2 → 192.168.88.2
  • Its mandatory to use 1.1.1.1 as public IP instead of the Dyn IP from POP2
  • I need to DNAT tcp port 8080 - 3306. so if i access 1.1.1.1:8080 – 192.168.88.2 replies.

I think this is a routing problem, because the connection is established from the tunnel but the servers reply uses the default gateway (POP2 router). so it tries to reply trough internet instead of the tunnel.
im a little blocked out… and not looking outside the box.. so im asking for any help / feedback that can help.

thanks in advance.. Regards.
JB

2

It’s very easy, you need to mark new incoming connections from tunnel and then route replies back to tunnel. It’s pretty much the same thing as used for multi-WAN. Check PCC example (https://wiki.mikrotik.com/wiki/Manual:PCC) and you’ll get it.

3

Thank you so much..
great idea.. i haven’t think about pcc…

I just did:

/ip firewall mangle
add action=mark-connection chain=forward dst-address-type=!local in-interface=EoIP-Tunnel new-connection-mark=Tunnel-Conn passthrough=yes per-connection-classifier=dst-address-and-port:1/0
add action=mark-routing chain=prerouting connection-mark=Tunnel-Conn \    new-routing-mark=Tunnel-Route passthrough=yes

/ip route
add distance=1 gateway=10.0.100.1 routing-mark=Tunnel-Route

I think its working now, i just telnet the public ip to the dst port and the connection stablished, but i cant load the web page on the browser, so i’m thinking that may be a firewall on the server side… i will check out.
thanks

4

Somehow the connection is established but doesnt go data over it… about 10secs later the connection is dropped… im not sure what i did wrong… =S any help?

5

You don’t want exactly PCC, it’s just that I remember that PCC example shows how to mark new incoming connections based on interface and then mark routing to send responses back. So per-connection-classifier option in your config is useless, but otherwise something like this should work. Make sure that if you already do something with connection marks, it doesn’t interfere with this. And I think you’ll need to exclude these connections from fasttrack too, if you use it (I don’t, so I’m not completely sure here).