Redirect NAT through VPN tunnel to HTTP Server

Hi,

I’d like to reproduce the following configuration that works with pFsense but using Mikrotik instead:

The IPs I use for this are private as this is a lab:

First the systems setup:

INTERNET CLIENT:
IP: Any

MIKROTIK OPENVPN SERVER:
RouterOS version: 6.4
WAN IP: 192.168.101.164/24
LAN IP: 172.20.30.1/24
OPENVPN POOL: 10.10.10.0/24

MIKROTIK OPENVPN CLIENT:
RouterOS version: 6.4
WAN IP: 192.168.101.165/24
LAN IP: 172.20.40.1/24

HTTP SERVER:
LAN IP: 172.20.40.101/24
HTTP Server listening port: 80

BASIC SCHEMA:

see attachment

WHAT WORKS so far:

- Certificates created using the OpenVPN package on Ubuntu
- OpenVPN is connected
- ping works from both networks through the VPN tunnel
- Client in network 172.20.30.0/24 is able to reach server 172.20.40.101 on port 80 through the VPN tunnel

WHAT DOESN’T WORK so far:
- Internet client cannot reach HTTP Server by first connecting to MIKROTIK OPENVPN SERVER on port 8080

WHAT I WOULD LIKE TO ACHIEVE:
Internet client connects to MIKROTIK OPENVPN SERVER on port 8080, MIKROTIK OPENVPN SERVER redirects the request using NAT through the VPN tunnel to HTTP SERVER on port 80. Internet client receives the page "IT works!!!"

Any help would be appreciated.
mikrotik_basic_nat_redirect_through_vpn_schema.pdf (101 KB)

Try the following redirect rule. Please post if this is what you were looking for.
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect :8080 to :80" dst-port=8080 protocol=tcp to-ports=80

Hi ssofet,

I found my problem:

Actually redirect wasn't exactly what I wanted to achieve. The goal was to reach the HTTP Server at site B by hitting site A first and have the traffic sent to site B through the VPN and back. That's where the problem was: the traffic wasn't coming back and I received only "syn sent". But I found my mistake: I just forgot the mangle rule in the prerouting chain at site B so that the traffic comes back through the correct path, my bad :blush: :unamused: .

Thanks for your time, should I rename the case as [SOLVED]?

No, I would just leave it as is. Glad you got it working :slight_smile:

I'm wondering what this rule looks like because I'm having a hard time getting this to work. Can you copy/paste or explain that mangle rule?

Thank you!

I assume you have your VPN up and running and you're able to reach systems from both sites.

On the client side:

First the mangle rule

From “winbox” go to → IP → Firewall → Mangle

click (+)

Tab: - General

  • Chain: prerouting

  • Src. Address: the network where your VPN client is.
    Everything else: default

  • Advanced
    Everything: default

  • Extra
    Everything: default

  • Action
    Action: mark routing
    New Routing Mark: Enter a new name for this routing mark, something like "VPN_to_siteA"; otherwise in 6 months you may say "WTF is this mangle rule doing here? DELETE".
    Passthrough: default

Now we use the newly created Routing Mark

From “winbox” go to → IP → Routes

click (+)

Tab: - General

  • Dst. Address: 0.0.0.0/0
  • Gateway: choose your OpenVPN interface, probably: ovpn-out1
  • Type: unicast
  • Distance: 1
  • Routing Mark: the routing mark you created in the step above: "VPN_to_siteA"
  • Attributes
    Everything: default

This should be enough: now a request arriving at site A from the Internet can be redirected to a server on site B through the VPN and back, and should no longer get stuck in "syn sent".

As I understand it, you allow the traffic from your client site to reply to world (0.0.0.0/0) requests coming from the VPN tunnel back through the VPN tunnel instead of via your default gateway.

Hope this helps!
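The same two-router setup as a RouterOS 6 CLI fragment, added here as an example and not configuration posted by anyone in the thread. It uses the addresses from the first post and the assumed names ovpn-out1 and VPN_to_siteA, and it narrows the mangle match to the HTTP server's replies so that the rest of site B keeps its normal default gateway.

```routeros
# Site A (MikroTik OpenVPN server, WAN 192.168.101.164): forward TCP/8080
# arriving on the WAN address to the HTTP server at site B through the tunnel.
# Added example, not the thread's own configuration; RouterOS 6 syntax.
/ip firewall nat
add chain=dstnat dst-address=192.168.101.164 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=172.20.40.101 to-ports=80 \
    comment="Internet :8080 -> site B HTTP server :80 via VPN"

# Site B (MikroTik OpenVPN client, LAN 172.20.40.0/24): replies from the HTTP
# server carry a public destination, so without policy routing they leave via
# site B's own default gateway and the Internet client only ever sees syn-sent.
# Mark only the server's replies (source 172.20.40.101:80), not the whole LAN.
/ip firewall mangle
add chain=prerouting src-address=172.20.40.101 protocol=tcp src-port=80 \
    action=mark-routing new-routing-mark=VPN_to_siteA passthrough=no \
    comment="HTTP replies for the site A NAT go back through the tunnel"

# Marked packets use this table: a default route through the tunnel interface.
# ovpn-out1 is an assumed interface name (RouterOS default for the first OVPN client).
/ip route
add dst-address=0.0.0.0/0 gateway=ovpn-out1 routing-mark=VPN_to_siteA distance=1 \
    comment="Policy route for VPN_to_siteA"
```

After applying this, `/ip firewall connection print` on site A should show the forwarded session as established rather than stuck in syn-sent.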

As far as I see, the mangle rule is catching all the traffic generated on SiteB, and via the route it is all routed towards SiteA over the tunnel.
If that is the case (all traffic from SiteB goes via the tunnel to SiteA), you do not need a mangle rule there.
Only a route stating 0.0.0.0/0 to go to SiteA over the tunnel should be enough.