Requests to a target device from VPN

Hello,

I’m struggling to set up a system that would work like this:

On site A, I have a router with an OpenVPN server (ip)
On site B, I have a MikroTik mAP that sits between a network and a target device. (ether1 and ether2 are bridged and I added a DHCP client on the bridge)
I would like to be able to connect to said target device from Site A, first using HTTP, and if possible later, through VNC and SNMP reads. Here is a schematic:

I established the VPN connection successfully and both RouterOS devices can ping each other.
Here is the NAT rule I added:

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=172.18.1.22 in-interface=ovpn-out1 log=yes log-prefix="nat"

For easier testing, I replaced the target device with a web server so I can check the logs.
From Site B's RouterOS I can properly query the target:

[admin@MikroTik] /ip> /tool/fetch url="http://172.18.1.22/index.html"
      status: finished
  downloaded: 10KiB
       total: 10KiB
    duration: 0s

When I try the same from RouterA’s console, I see an attempt to forward from RouterB but no request comes through:

[admin@GPCA-CHR] > /tool/fetch url="http://10.183.255.254/index.html"
      status: failed
     failure: connection timeout

On RouterB’s log:

23:20:58 firewall,info nat dstnat: in:ovpn-out1 out:(unknown 0), proto TCP (SYN), 10.183.0.1:41534->10.183.255.254:80, len 60
23:20:58 firewall,info filter forward: in:ovpn-out1 out:bridge, proto TCP (SYN), 10.183.0.1:41534->172.18.1.22:80, NAT 10.183.0.1:41534->(10.183.255.254:80->172.18.1.22:80), len 60
23:20:59 firewall,info filter forward: in:ovpn-out1 out:bridge, proto TCP (SYN), 10.183.0.1:41534->172.18.1.22:80, NAT 10.183.0.1:41534->(10.183.255.254:80->172.18.1.22:80), len 60
(...and so on...)

I tried:

  • specifying address(es) instead of / along with interfaces in the NAT rule matching.
  • using netmap instead of dst-nat
  • tinkering with mangle prerouting, but I’m not skilled enough.

I suspect that having the target device use a gateway (172.18.1.1) that is not my RouterB doesn’t play well with NAT-ing. If that’s the case, is there a workaround? (The target device doesn’t have VPN capabilities, and I can’t reconfigure Site B’s gateway.)

Here is an export from RouterB’s config: https://pastebin.com/JKDs6T78

I have also asked for help on MikroTik’s subreddit (link to post).

Thanks for your time.

If the target device doesn’t have the mAP as its gateway, then it won’t send responses to it. You can either:

a) On site B’s gateway, add a route to 10.183.0.0/16 with 172.18.1.28 (mAP) as gateway.
b) If the target device doesn’t need to see real source addresses, then on the mAP add a srcnat rule to make all connections from site A appear as if they are from the mAP:

/ip firewall nat
add chain=srcnat src-address=10.183.0.0/16 dst-address=172.18.1.22 action=masquerade
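To make the failure mode described in this answer concrete, here is an added Python model of the reply path (an illustration written for this thread, not RouterOS code and not something any poster ran). It uses the addresses visible in the posts: the site A router 10.183.0.1 and the mAP's VPN-side address 10.183.255.254 from the log and fetch output, the target 172.18.1.22 with gateway 172.18.1.1, and the mAP's LAN address 172.18.1.28 from option (a). With dst-nat alone the target sends its reply to its default gateway, which has no state for the flow; option (a) steers the reply back to the mAP with a static route, option (b) keeps the reply inside the /24 by making the mAP the source.

```python
"""
Toy model of the path a reply takes from the target device when requests arrive
through the mAP's dst-nat. Added illustration for this thread, not RouterOS code.
Addresses are the ones in the posts: site A router 10.183.0.1 (seen in the log),
the mAP's VPN-side address 10.183.255.254, the mAP's LAN address 172.18.1.28,
target device 172.18.1.22 and its default gateway 172.18.1.1.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

SITE_A_ROUTER = "10.183.0.1"
MAP_VPN = "10.183.255.254"
MAP_LAN = "172.18.1.28"
TARGET = "172.18.1.22"
GATEWAY = "172.18.1.1"

Route = Tuple[str, Optional[str]]   # (prefix, next hop); None = directly connected


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; a directly connected prefix delivers straight to dst."""
    d = ip_address(dst)
    best: Optional[Tuple[int, Optional[str]]] = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw)
    if best is None:
        return None
    return best[1] if best[1] is not None else dst


@dataclass
class MapDevice:
    """The bridged mAP: dst-nat from the VPN, optional masquerade, and a conntrack table."""
    masquerade: bool
    conntrack: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def vpn_to_lan(self, pkt: Packet) -> Packet:
        # dstnat rewrites everything from the tunnel to the target; with masquerade
        # the source becomes the mAP's own LAN address so the reply stays in the /24.
        src = MAP_LAN if self.masquerade else pkt.src
        self.conntrack[(TARGET, src)] = pkt.src   # key = (reply src, reply dst)
        return Packet(src, TARGET)

    def lan_to_vpn(self, pkt: Packet) -> Optional[Packet]:
        # Only a reply that actually reaches the mAP can be matched and un-NATed.
        orig = self.conntrack.get((pkt.src, pkt.dst))
        return Packet(MAP_VPN, orig) if orig else None


def reply_path(masquerade: bool, gateway_has_vpn_route: bool) -> List[str]:
    """Hops the target's reply visits; the last entry says whether it got back to site A."""
    mapdev = MapDevice(masquerade)
    request = mapdev.vpn_to_lan(Packet(SITE_A_ROUTER, MAP_VPN))
    reply = Packet(TARGET, request.src)
    path = ["target"]

    # The target knows only its own /24 and a default route via the site B gateway.
    target_routes: List[Route] = [("172.18.1.0/24", None), ("0.0.0.0/0", GATEWAY)]
    hop = next_hop(target_routes, reply.dst)

    if hop == GATEWAY:
        path.append("gateway")
        # Option (a): a static route for the VPN range on the gateway, pointing at the mAP.
        gw_routes: List[Route] = [("172.18.1.0/24", None), ("0.0.0.0/0", "isp")]
        if gateway_has_vpn_route:
            gw_routes.append(("10.183.0.0/16", MAP_LAN))
        hop = next_hop(gw_routes, reply.dst)
        if hop != MAP_LAN:
            path.append("dropped (gateway forwards it upstream, not to the mAP)")
            return path

    path.append("mAP")
    back = mapdev.lan_to_vpn(reply)
    path.append("site A" if back is not None and back.dst == SITE_A_ROUTER else "dropped at mAP")
    return path


if __name__ == "__main__":
    print("dst-nat only:         ", " -> ".join(reply_path(False, False)))
    print("route on gateway (a): ", " -> ".join(reply_path(False, True)))
    print("masquerade on mAP (b):", " -> ".join(reply_path(True, False)))
```

The model ignores TCP state and firewall filtering on purpose; it only shows the routing decision that decides whether the mAP ever sees the reply, which is exactly what the repeated SYN lines in RouterB's log (forward seen, no reply) reflect.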

That was the question, do you have access to the main gateway at site B:

a. Can you forward ports on the MAIN GATEWAY on SITE B?
b. Can you create static routes on the MAIN GATEWAY on SITE B?

Just out of curiosity, what about SITE A, do you have access to the MAIN GATEWAY there??

Reading your post more carefully, you have no control over SITE B’s main gateway at all.

Personally I would use WireGuard instead, the server being at Site A and the client being the maplite.
Note: This assumes you have the ability to port forward from the Site A main gateway to the MT VM device.
If not, ignore the rest! :)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Assumption1: Local LAN site A, is 192.168.0.0/24, admin IP is 192.168.0.5 (or one could use a list of admin IPs - pc, laptop, iphone etc)
Assumption2: Admin at site A, also wants to be able to configure maplite remotely, via maplite winbox port 8787 using IP address 172.18.0.1:8787

MT VM Server Site A

Wireguard Interface Settings
name=WG1
listening port=14295
public key= (to put on maplite peer settings)

Wireguard Peer Settings
name=WG1
public key= (from maplite interface settings)
allowed addresses: 172.18.1.0/24

/ip route
add dst-address=172.18.1.0/24 gateway=WG1 routing-table=main { ensures admin-bound traffic goes through the tunnel }

/ip firewall
Input chain
add chain=input action=accept dst-port=14295 protocol=udp { for initial handshake connection to get tunnel up }
Forward chain
add chain=forward action=accept src-address=192.168.0.0/24 out-interface=WG1 { assumes drop all rule at end of forward chain }
OR BETTER
add chain=forward action=accept src-address-list=authorized out-interface=WG1 { authorized=firewall address list of Admin IPs - pc, laptop, ipad etc. }

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MT Maplite Client Site B

Wireguard Interface Settings
name=WG2
listening port=X (you can put in the same as above, 14295, but it is not going to be used)
public key = ( to put on MT VM peer settings)

Wireguard Peer Settings
name=WG2
endpoint=‘mynetname’ (for VM Wireguard)
endpoint port =14295
keep alive=30 seconds
public key= (from MT VM)
allowed addresses=192.168.0.0/24

/ip firewall address-list
add address=<MT VM's mynetname DDNS name> list=mynetname { used to identify the IP address of Site A's public IP }

/ip route
add dst-address=192.168.0.0/24 gateway=WG2 routing-table=main { ensures return traffic is passed back through the tunnel to Site A }

/ip firewall
Input chain
add chain=input action=accept in-interface=WG2 src-address=192.168.0.5/32 protocol=tcp dst-port=8787 { allow admin to configure maplite on the moved winbox port }
Forward chain
add chain=forward action=accept in-interface=WG2 src-address=192.168.0.5/32 dst-address=172.18.1.22/32 { allow admin to the subnet device }

Note: If one has a list of admin IPs, then use src-address-list. One can see that by use of firewall rules, many users could be allowed to the LAN device but only one IP to configure the maplite.
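As an added illustration of the least-privilege split this post proposes (one host may configure the mAP, several may reach the LAN device), here is a small first-match evaluator for the two chains. It is written for this thread, not RouterOS code and not the poster's, and it models rule matching only, not connection tracking. Addresses follow the post: admin PC 192.168.0.5, WinBox moved to TCP 8787 on the mAP's tunnel address 172.18.0.1, target device 172.18.1.22, tunnel interface WG2. The second user host 192.168.0.40 and the contents of the two address lists are constructed.

```python
"""
First-match evaluator for the mAP firewall policy sketched in the post above:
an input chain (traffic addressed to the mAP itself) and a forward chain
(traffic through it to the LAN device), each restricted by an address list
and ending in a drop-all rule. Added illustration, not RouterOS code.
Addresses follow the post; 192.168.0.40 and the list contents are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

MAP_ADDRESSES = {"172.18.0.1", "172.18.1.28"}   # addresses owned by the mAP itself

# Address lists: one host may configure the mAP, several may reach the device.
ADDRESS_LISTS: Dict[str, List[str]] = {
    "admins": ["192.168.0.5/32"],
    "authorized": ["192.168.0.5/32", "192.168.0.40/32"],
}


@dataclass(frozen=True)
class Flow:
    in_iface: str
    src: str
    dst: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "drop"
    in_iface: Optional[str] = None
    src_list: Optional[str] = None     # matches if src is in the named address list
    dst: Optional[str] = None          # address or CIDR
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        # Every specified matcher must hold; unspecified ones are wildcards.
        if self.in_iface is not None and f.in_iface != self.in_iface:
            return False
        if self.src_list is not None and not any(
                ip_address(f.src) in ip_network(n)
                for n in ADDRESS_LISTS.get(self.src_list, [])):
            return False
        if self.dst is not None and ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dst_port is not None and f.dst_port != self.dst_port:
            return False
        return True


# Input chain: only listed admins, only through the tunnel, only to the moved WinBox port.
INPUT_CHAIN = [
    Rule("accept", in_iface="WG2", src_list="admins", proto="tcp", dst_port=8787),
    Rule("drop"),
]
# Forward chain: listed users, through the tunnel, to the one LAN device.
FORWARD_CHAIN = [
    Rule("accept", in_iface="WG2", src_list="authorized", dst="172.18.1.22/32"),
    Rule("drop"),
]


def run_chain(chain: List[Rule], f: Flow) -> str:
    """RouterOS semantics: the first matching rule decides; no match means accept."""
    for rule in chain:
        if rule.matches(f):
            return rule.action
    return "accept"


def decide(f: Flow) -> str:
    """Pick the chain the way the router does: traffic to the mAP -> input, else forward."""
    chain = INPUT_CHAIN if f.dst in MAP_ADDRESSES else FORWARD_CHAIN
    return run_chain(chain, f)


if __name__ == "__main__":
    for f in (Flow("WG2", "192.168.0.5", "172.18.0.1", "tcp", 8787),    # admin to WinBox
              Flow("WG2", "192.168.0.40", "172.18.0.1", "tcp", 8787),   # user to WinBox
              Flow("WG2", "192.168.0.40", "172.18.1.22", "tcp", 80),    # user to device
              Flow("WG2", "192.168.0.99", "172.18.1.22", "tcp", 80),    # unlisted host
              Flow("ether1", "192.168.0.5", "172.18.0.1", "tcp", 8787)):  # admin IP, wrong interface
        print(f, "->", decide(f))
```

Because the default RouterOS policy accepts anything no rule matched, the explicit drop at the end of each chain is what turns these lists into an allow-list; remove it and the evaluator (like the router) lets every other flow through.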

Sob,

Thanks a lot! This did the job.

anav,

You are right in the assumption that I control gateway A, and most of the time won’t control gateway B (I’d like to monitor many Site B clones).
As I managed to establish HTTP with Sob’s masquerade rule, I’ll dig into simple VPN+NAT for now, but I’ll keep your detailed answer at hand: there’s a high chance your solution can circumvent future problems (UDP through NAT, multiple target devices on the same mAP, etc.).
In fact I had an initial look at WireGuard for this scenario, but, if the project is accepted, we will manage 250-300 target devices and I need to set up a common management platform, and um7+api seemed easier to implement (nothing’s final atm).

Thanks both of you for your help.

Wow laums, that’s an impressive number of devices. I manage less than 5 (all home stuff). Just to indicate my minimal knowledge level.

If I was controlling that many devices, have you thought of ZeroTier?
I like this one because it’s built into version 7 and no ports need forwarding.

Another option may be something like .co, where they provide a dedicated API server and thus one could automate any tasks for one or more devices, and their forte is also monitoring.
I like this one as it’s HTTPS based, and thus no ports need to be forwarded!!

Okay, I checked out your maplite config. I’m a tad confused LOL.

WHERE IS THE IP ADDRESS of the device listed?

I don’t get how the maplite is both a ROUTER but has NO LAN??
You seem to be giving out LAN IPs from the main router and not the mAP??

Isn’t it just acting as a switch?
If so, the WireGuard won’t work as it needs routing, which is a router function, right/wrong?

Appears only in NAT rules

I removed address list entries and filter rules, and yes, in a way, the mAP is not a router (no device anywhere has the mAP as its gateway).
However, it still needs to forward packets from the VPN to the device and back.

Exactly, since the mAP needs to be in the same network as the target device (it must integrate nicely into existing networks), hence the idea to bridge the ports and add a DHCP client to the bridge.