Questions about VPN, NAT and routing

Hello everyone,

I have been running a configuration for some years now, but I’d like to modify/improve it a bit.
This is the situation:
In my office I use a Routerboard for Internet access, which is also an SSTP and PPTP server.
I have installed Routerboards in my clients’ offices, to create site-to-site SSTP with my office. These Routerboards create their own subnets (different for each client) and are connected to the Internet via the client’s router (with dhcp, static ip or public ip).
I have a local FTP server reachable from inside and outside my LAN.
My ISP provides me 5 public IP addresses, of which one is used for Internet access and VPNs and one for the FTP server.
This is the configuration:

/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface list
add name=WAN
add name=LAN
add name=MANAGEMENT
/ip pool
add name=cable-dhcp-pool ranges=192.168.100.235-192.168.100.254
add name=wifi-dhcp-pool ranges=192.168.3.10-192.168.3.254
add name=pptp-pool ranges=192.168.100.225-192.168.100.234
/ip dhcp-server
add address-pool=cable-dhcp-pool disabled=no interface=ether2 lease-time=1d \
    name=cable
add address-pool=wifi-dhcp-pool disabled=no interface=ether3 lease-time=1d \
    name=wifi
/ppp profile
add incoming-filter=sstp-filter-in local-address=172.20.0.1 name=sstp \
    only-one=yes
add local-address=192.168.100.1 name=pptp only-one=yes remote-address=\
    pptp-pool
/ip neighbor discovery-settings
set discover-interface-list=MANAGEMENT
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether2 list=MANAGEMENT
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set enabled=yes
/ip address
add address=x.x.x.202/29 interface=ether1 network=x.x.x.200
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=x.x.x.203/29 interface=ether1 network=x.x.x.200
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.3.1
add address=192.168.100.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.100.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=0.0.0.0/8 comment="RFC 6890" list=NotPublic
add address=10.0.0.0/8 comment="RFC 6890" list=NotPublic
add address=100.64.0.0/10 comment="RFC 6890" list=NotPublic
add address=127.0.0.0/8 comment="RFC 6890" list=NotPublic
add address=169.254.0.0/16 comment="RFC 6890" list=NotPublic
add address=172.16.0.0/12 comment="RFC 6890" list=NotPublic
add address=192.0.0.0/24 comment="RFC 6890" list=NotPublic
add address=192.0.2.0/24 comment="RFC 6890" list=NotPublic
add address=192.168.0.0/16 comment="RFC 6890" list=NotPublic
add address=198.18.0.0/15 comment="RFC 6890" list=NotPublic
add address=198.51.100.0/24 comment="RFC 6890" list=NotPublic
add address=203.0.113.0/24 comment="RFC 6890" list=NotPublic
add address=224.0.0.0/4 comment="RFC 4601" list=NotPublic
add address=240.0.0.0/4 comment="RFC 6890" list=NotPublic
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="dropping port scanners" \
    src-address-list=port_scanners
add action=jump chain=forward comment="jump to ppp" jump-target=ppp
add action=jump chain=input jump-target=ppp
add action=accept chain=sstp-filter-in comment="sstp filter" \
    connection-state=established,related,untracked
add action=drop chain=sstp-filter-in
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP \
    protocol=icmp
add action=accept chain=input comment="allow port 443" dst-address=\
    x.x.x.202 port=443 protocol=tcp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="allow local winbox" dst-port=8291 \
    in-interface-list=MANAGEMENT protocol=tcp
add action=accept chain=input comment="allow winbox from pptp" dst-port=8291 \
    protocol=tcp src-address=192.168.100.225-192.168.100.234
add action=accept chain=input comment="allow local ssh" dst-port=22 \
    in-interface-list=MANAGEMENT protocol=tcp
add action=accept chain=input comment="allow ssh from pptp" dst-port=22 \
    protocol=tcp src-address=192.168.100.225-192.168.100.234
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
    3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1w chain=input comment="detect DoS attack" \
    connection-limit=10,32 protocol=tcp
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=input comment="port scanners to list" \
    in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=input comment="NMAP FIN Stealth scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=input comment="SYN/FIN scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=input comment="SYN/RST scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=input comment="FIN/PSH/URG scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=input comment="ALL/ALL scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=input comment="NMAP NULL scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="drop everything else"
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="Drop all packets from public internet w\
    hich should not exist in public network" in-interface-list=WAN \
    src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to \
    internet which should not exist in public network" connection-state="" \
    dst-address-list=NotPublic in-interface-list=LAN out-interface=!all-ppp
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=\
    0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=\
    3:3 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=\
    3:4 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=\
    8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" \
    icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="drop everything else (ICMP)" protocol=\
    icmp
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 src-address=\
    192.168.100.0/24 to-addresses=x.x.x.202
add action=src-nat chain=srcnat out-interface=ether1 src-address=\
    192.168.3.0/24 to-addresses=x.x.x.202
add action=dst-nat chain=dstnat comment="redirect ftp" dst-address=\
    x.x.x.203 dst-port=21 protocol=tcp to-addresses=192.168.100.13
/ip route
add distance=1 gateway=x.x.x.201
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.100.0/24
set api disabled=yes
set winbox address=192.168.100.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT

Now to the questions:

  1. How can I configure Hairpin nat to reach my FTP server from inside my LAN using its public IP? I tried all the guides I found, but none of them worked.
  2. I can’t ping client from LAN (ether2) to WLAN (ether3) even if I disable all drop rules on the firewall, how can I achieve this? I don’t want clients on WLAN to be able to ping clients on LAN.
  3. I use proxy-arp on ether2 in order to ping clients on my LAN even when I’m connecting from outside using PPTP. Is there another way to achieve this without setting proxy-arp?
  4. Is it correct to use 2 IPs on ether1 and use NAT rules to use one of them for Internet access and the other one for FTP server?
  5. I use the subnet 192.168.100.0/24 on my LAN because I thought that if I used 192.168.1.0/24 it could cause conflicts with my clients’ routers, which are set to use this subnet in most cases. I mean, on my client’s Routerboards I have to set up a static route to 192.168.100.0/24 to reach my network, but they also have a route to 192.168.1.1 to reach the client’s router.

Thank you

  1. A simple “/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.100.0/24 action=masquerade” should work.
  2. The rule with out-interface=!all-ppp also matches when the out-interface is your LAN.
  3. You can use separate subnet for VPN clients.
  4. Yes.
  5. Not a question. And yes, conflicting subnets are bad.

Hi Sob,
Thank you for the replies. Unfortunately, I already tried the solution you suggest for the first question, but that NAT rule never gets hit. The FTP client reaches the public IP address, but then the FTP server doesn’t respond (when I try from inside my LAN).
About the second answer, I already tried to disable all drop rules, but I cannot ping clients on the WLAN segment, I can only ping the gateway of that subnet, which is the Routerboard. It is strange, because if I try to do the same with a clean configuration with only two subnets set, I can ping one subnet from another. I can’t find how my configuration broke this.

Let’s take it step by step:

  1. Device 192.168.100.X tries to connect to x.x.x.203:21
  2. Dstnat rule redirects it to 192.168.100.13:21
  3. It must successfully pass through firewall filter in forward chain
  4. Srcnat rule (the one I posted) changes source from 192.168.100.X to 192.168.100.1

So if 4) gets no hits, something before didn’t happen. I don’t see anything that would prevent 2) from working, so it leaves 3). From what you posted, it can be only the last rule:

/ip firewall filter
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" connection-state="" dst-address-list=NotPublic in-interface-list=LAN out-interface=!all-ppp

dst-address-list=NotPublic - check (dst-address is now 192.168.100.13)
in-interface-list=LAN - check (in-interface is ether2)
out-interface=!all-ppp - check (out-interface is ether2 and it’s not ppp)

So if you disable this rule, ftp should be able to connect.

As I wrote, ping between subnets would be affected by the same rule, but if you already tried to disable it and it didn’t help, that’s strange, because there’s nothing else that could block it. Other drop rules affect only connections from WAN.
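The step-by-step trace above (dstnat, routing decision, forward filter, srcnat) and the earlier hairpin-NAT answer can both be checked with a small packet-flow model. The following Python script is an added example and is not part of this thread or of RouterOS: it reconstructs the routing table from the posted /ip address entries (the SSTP tunnel interface name "sstp-in1" and a 172.20.0.0/24 VPN range are assumptions), uses 203.0.113.203 as a constructed stand-in for the poster's x.x.x.203, models only the posted forward rules that can match a new connection, and compares the last drop rule as posted (out-interface=!all-ppp) with an assumed hardened variant that would match on out-interface-list=WAN instead.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# ---- Constructed sample data (not from the original post) ------------------
# Subset of the NotPublic address list from the posted config; enough to
# classify every address used below.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_FTP_IP = "203.0.113.203"   # TEST-NET-3 stand-in for the poster's x.x.x.203
FTP_SERVER = "192.168.100.13"     # to-addresses of the "redirect ftp" dstnat rule
# Routing table reconstructed from /ip address and /ip route; the SSTP tunnel
# interface name and the 172.20.0.0/24 VPN range are assumptions.
ROUTES = {
    "192.168.100.0/24": "ether2",
    "192.168.3.0/24": "ether3",
    "172.20.0.0/24": "sstp-in1",
    "0.0.0.0/0": "ether1",
}
LAN_LIST = {"ether2", "ether3"}   # /interface list member LAN
WAN_LIST = {"ether1"}             # /interface list member WAN
ROUTER_LAN_IP = "192.168.100.1"   # masquerade rewrites to the out-interface address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    in_iface: str
    out_iface: Optional[str] = None
    nat_state: frozenset = frozenset()


def route(dst: str) -> str:
    """Longest-prefix match over ROUTES: this is the routing decision that
    fixes the out-interface before the forward chain is evaluated."""
    addr = ipaddress.ip_address(dst)
    matching = [ipaddress.ip_network(n) for n in ROUTES
                if addr in ipaddress.ip_network(n)]
    return ROUTES[str(max(matching, key=lambda n: n.prefixlen))]


def in_not_public(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in n for n in NOT_PUBLIC)


def is_ppp(iface: str) -> bool:
    """out-interface=!all-ppp negates this: any PPP-family tunnel interface."""
    return iface.startswith(("sstp", "pptp", "l2tp", "ppp"))


def dstnat(pkt: Packet) -> Packet:
    # "redirect ftp": dst-address=x.x.x.203 dst-port=21 protocol=tcp
    if pkt.dst == PUBLIC_FTP_IP and pkt.proto == "tcp" and pkt.dport == 21:
        return replace(pkt, dst=FTP_SERVER, nat_state=pkt.nat_state | {"dstnat"})
    return pkt


def forward_filter(pkt: Packet, variant: str) -> Tuple[str, str]:
    """Verdict for a *new* connection. Only the posted rules that can match a
    fresh LAN-originated packet are modelled; 'variant' selects the last drop
    rule as posted or an assumed hardened form (out-interface-list=WAN)."""
    if pkt.in_iface in WAN_LIST and "dstnat" not in pkt.nat_state:
        return "drop", "drop all from WAN not DSTNATed"
    if in_not_public(pkt.dst) and pkt.in_iface in LAN_LIST:
        # connection-state="" means the rule is not restricted by state at all
        if variant == "as-posted" and not is_ppp(pkt.out_iface):
            return "drop", "Drop all packets from local network to internet ..."
        if variant == "wan-only" and pkt.out_iface in WAN_LIST:
            return "drop", "Drop all packets from local network to internet ..."
    return "accept", "end of forward chain"


def srcnat(pkt: Packet) -> Packet:
    # Hairpin rule from the first reply: src and dst both in 192.168.100.0/24 -> masquerade
    lan = ipaddress.ip_network("192.168.100.0/24")
    if ipaddress.ip_address(pkt.src) in lan and ipaddress.ip_address(pkt.dst) in lan:
        return replace(pkt, src=ROUTER_LAN_IP, nat_state=pkt.nat_state | {"srcnat"})
    return pkt


def trace(pkt: Packet, variant: str = "as-posted") -> dict:
    """prerouting dstnat -> routing decision -> forward filter -> postrouting srcnat"""
    pkt = dstnat(pkt)
    pkt = replace(pkt, out_iface=route(pkt.dst))
    verdict, rule = forward_filter(pkt, variant)
    if verdict == "accept":
        pkt = srcnat(pkt)
    return {"verdict": verdict, "rule": rule, "src": pkt.src, "dst": pkt.dst,
            "out": pkt.out_iface, "nat": sorted(pkt.nat_state)}


if __name__ == "__main__":
    ftp = Packet("192.168.100.50", PUBLIC_FTP_IP, "tcp", 21, "ether2")
    ping = Packet("192.168.100.50", "192.168.3.20", "icmp", None, "ether2")
    for v in ("as-posted", "wan-only"):
        print(v, "FTP hairpin:", trace(ftp, v))
        print(v, "LAN->WLAN ping:", trace(ping, v))
```

With the rule as posted, both the hairpinned FTP connection (out-interface ether2) and the LAN-to-WLAN ping (out-interface ether3) are dropped in the forward chain, so the hairpin srcnat rule is never reached; VPN-bound traffic is untouched because its out-interface is a PPP tunnel. The "wan-only" variant keeps the rule's stated purpose (private destinations leaking toward the Internet via ether1 are still dropped) without matching inter-subnet traffic.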

Ok, hairpin NAT is working after disabling that firewall rule.
Still no ping between LAN and WLAN, I will dig into this because it’s very strange, since routes seem correct.