One of our customers asked for a double-NAT port forwarding to reach a specific device over a VPN. Please don’t ask questions about why using a double-NAT, I don’t like the whole idea either, but he would like it that way.
Network diagram should look like this:
Client (public) ---> OPNsense OpenVPN server ---> Mikrotik OpenVPN client ---> Server that needs to be accessed
xxx.yyy.zzz.aaa (dynamic v4) ---> static public ip:3200 ---> vpn ip:8000 ---> local ip:8000
I just set up both port forwarding rules in the OPNsense VPN server and the MikroTik; when enabling logging for the NAT rule on the MikroTik I can see incoming packets from the client as well:
dstnat in:ovpn1 out:(unknown 0), proto TCP (SYN). xxx.yyy.zzz.aaa:dynport->local ip:8000, len 52.
My issue is that unless I set up a manual route:
xxx.yyy.zzz.aaa/32 via VPNserver gateway
I am unable to access the webui behind 8000. This makes sense, since the default route is 0.0.0.0/0 over its local eth1 gateway.
Even ticking “Add Default Route” in the OpenVPN interface settings won’t help, which creates a 0.0.0.0/0 route via the VPNserver gateway.
So I just need a default route with everything that came in via VPN has to be routed back via VPN. I think marking packets is the right way here, but so far I haven’t had any luck with it.
Marking connections is the right way. First create new routing table with default route in it pointing to VPN, then mark new connections coming from VPN, and finally mark routing for responses belonging to marked connections, to make them use the new routing table.
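A concrete way to lay out the three steps of that answer on the MikroTik, as an added example that is not from the thread. It assumes RouterOS v7 syntax, that the OpenVPN client interface is ovpn1 (as in the logged NAT entry above), that VPN_GW is a placeholder for the OPNsense end of the tunnel, and that the internal target is a constructed 192.168.88.10:8000.

```routeros
# Added example, not from the thread. Assumes RouterOS v7, OpenVPN client interface "ovpn1",
# VPN_GW as a placeholder for the OPNsense tunnel address, and a constructed target 192.168.88.10:8000.

# 1) A second routing table whose only route sends everything back into the tunnel.
#    Without the "fib" flag a v7 table is not installed into the kernel and is never used.
/routing table add name=vpn-return fib
/ip route add dst-address=0.0.0.0/0 gateway=VPN_GW routing-table=vpn-return \
    comment="return path for flows that entered via the VPN"

# 2) Tag every NEW connection that arrives through the tunnel. Mangle prerouting runs before
#    dst-nat, so the original destination is still visible here; to limit this to particular
#    clients, add src-address-list=<your list> (an assumption, not part of the thread).
/ip firewall mangle add chain=prerouting in-interface=ovpn1 connection-state=new \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes \
    comment="tag flows that came in via VPN"

# 3) Replies from the LAN host belong to a tagged connection; give those packets a routing
#    mark so the route lookup uses vpn-return instead of main (and its eth1 default route).
/ip firewall mangle add chain=prerouting in-interface=!ovpn1 connection-mark=from-vpn \
    action=mark-routing new-routing-mark=vpn-return passthrough=no \
    comment="route replies back through the tunnel"

# 4) The dst-nat rule from the question (vpn ip:8000 -> local ip:8000); unchanged by the marks above.
/ip firewall nat add chain=dstnat in-interface=ovpn1 protocol=tcp dst-port=8000 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=8000 log=yes
```

Check the result with /ip firewall connection print where connection-mark=from-vpn and /ip route print where routing-table=vpn-return; with no /32 host route in main, the reply SYN-ACK should now leave via ovpn1.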
So when the MT is the OVPN client and these rules are for routing inside the MT itself, then it should be Static. The client using the VPN route can be defined in the marking with “!IP-list”; my assumption is correct?