Route Traffic with VPN and NAT

Good morning,

So far, with my hAP ac² I’m able to reach the internet and get my Webserver working from the internet via http://publicip:443.

  1. Now, I would like the Mikrotik to route the traffic of any user from the LAN, both to the Internet (0.0.0.0/0) and to the VPN net (192.168.199.0/24). I guess this should be done with Masquerade, as the other computers do not know what my LAN is. [Note: the IP of the Mikrotik in the VPN LAN is received from the VPN DHCP (dynamically)]
   add action=masquerade chain=srcnat comment="ZT masquerade" out-interface-list=VPN
  1. On the other hand, I would like to NAT traffic coming from VPN-NET on port 8096 to a specific server in my LAN. When I monitor the traffic with “Torch” I can see some traffic coming in, but nothing going out.
# dstnat rule as posted: forwards TCP/8096 arriving for the router's ZeroTier
# address to the multimedia server.
# NOTE(review): dst-address=192.168.199.254 pins the router's own ZeroTier address,
# which the post describes as assigned dynamically by the VPN DHCP; if it changes the
# rule silently stops matching. Matching on the ingress interface (in-interface=zerotier1
# or in-interface-list=VPN) does not depend on that address. log=yes logs every hit.
add action=dst-nat chain=dstnat comment="NAT ZT:8096 > multimediaserver:8096" \
    dst-address=192.168.199.254 dst-port=8096 log=yes log-prefix=8096 \
    protocol=tcp to-addresses=10.0.10.10 to-ports=8096

Can you please help me to correct/improve my config?

Here is the whole config:

# feb/23/2022 22:00:54 by RouterOS 7.1.3
# software id = L7ZV-Q83I
#
# model = RBD52G-5HacD2HnD

# Layer-2 layout: one bridge (BR1) carrying five tagged VLANs, plus the interface
# lists that the firewall and NAT rules further down match on.
/interface bridge
# protocol-mode=none disables (R)STP on the bridge, so layer-2 loops are not detected.
add name=BR1 protocol-mode=none
/interface ethernet
# ether5 is not bridged; it gets its own address (192.168.5.1/24) in /ip address.
set [ find default-name=ether5 ] name=ether5-access
# VLAN interfaces on the bridge. vlan99 is the management ("BASE") network, vlan10/20/30/40
# are user networks; each gets a /24, a pool and a DHCP server below.
/interface vlan
add interface=BR1 name=vlan10 vlan-id=10
add interface=BR1 name=vlan20 vlan-id=20
add interface=BR1 name=vlan30 vlan-id=30
add interface=BR1 name=vlan40 vlan-id=40
add interface=BR1 name=vlan99 vlan-id=99
# Switch-chip port VLAN handling. Port numbers are switch-chip indexes, not etherN names;
# the mapping is not in this export -- confirm with "/interface ethernet switch port print".
# default-vlan-id + add-if-missing tags untagged ingress frames; always-strip sends the
# port untagged; vlan-mode=secure enforces the VLAN table on ingress.
/interface ethernet switch port
set 1 default-vlan-id=99 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=99 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
# Interface lists referenced by in-/out-interface-list in the filter and NAT rules;
# membership is defined under /interface list member.
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=VPN

/interface wireless
# Each SSID is mapped to a VLAN tag on the bridge: "BASE" -> vlan 99 (management),
# "MiC" -> vlan 30. The referenced security profiles (profile_Base, profile_miC) are
# not part of the posted export, so their encryption settings cannot be reviewed here.
set [ find default-name=wlan1 ] country=spain disabled=no frequency=auto \
    hide-ssid=no installation=indoor mode=ap-bridge security-profile=\
    profile_Base ssid=BASE vlan-id=99 vlan-mode=use-tag
set [ find default-name=wlan2 ] country=spain disabled=no frequency=auto \
    installation=indoor mode=ap-bridge security-profile=profile_miC ssid=\
    MiC vlan-id=30 vlan-mode=use-tag
# DHCP pools. NOTE(review): 10.0.10.10 (multimediaserver) and 10.0.40.2 (Webserver),
# which the NAT rules below forward to, both fall inside their VLAN's dynamic pool;
# a static lease or an address outside the pool avoids a clash with a DHCP client.
/ip pool
add name=VLAN10_POOL ranges=10.0.10.2-10.0.10.254
add name=VLAN20_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=10.0.99.231-10.0.99.254
add name=VLAN30_POOL ranges=10.0.30.2-10.0.30.254
add name=VLAN40_POOL ranges=10.0.40.2-10.0.40.254
/ip dhcp-server
add address-pool=VLAN10_POOL interface=vlan10 name=VLAN10_DHCP
add address-pool=VLAN20_POOL interface=vlan20 name=VLAN20_DHCP
add address-pool=BASE_POOL interface=vlan99 name=BASE_DHCP
add address-pool=VLAN30_POOL interface=vlan30 name=VLAN30_DHCP
add address-pool=VLAN40_POOL interface=vlan40 name=VLAN40_DHCP
# ZeroTier client. identity, port, MAC and the 16-digit network id appear to be
# placeholders redacted by the poster, not real values.
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    identity=**identity** name=zt1 port=**port**
/zerotier interface
add instance=zt1 mac-address=EE:EE:EE:EE:EE:EE name=zerotier1 network=\
    9999999999999999
# CAPsMAN manager is enabled but no further CAPsMAN configuration is in the export.
/caps-man manager
set enabled=yes
# Bridge membership, discovery scope, switch VLAN table and interface-list membership.
/interface bridge port
# ether2-ether4 and both radios are bridged; ether1 (WAN) and ether5-access are not.
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=wlan1
add bridge=BR1 interface=wlan2
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) only on the management list, not on WAN/VPN/user VLANs.
set discover-interface-list=BASE
/interface detect-internet
set detect-interface-list=all
# Hardware VLAN table: which switch ports carry each VLAN. vlan20 is present on the
# CPU port only (no physical port), so it is reachable via the radios/CPU alone.
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether2,ether3,ether4 switch=switch1 vlan-id=10
add independent-learning=no ports=switch1-cpu switch=switch1 vlan-id=20
add independent-learning=no ports=switch1-cpu,ether4 switch=switch1 vlan-id=30
add independent-learning=no ports=switch1-cpu,ether2 switch=switch1 vlan-id=40
add independent-learning=no ports=switch1-cpu,ether2,ether4 switch=switch1 vlan-id=99
/interface list member
add interface=ether1 list=WAN
# NOTE(review): vlan99 is a member of BOTH VLAN and BASE, so every rule matching
# in-interface-list=VLAN (DNS accepts, "VLAN -> Internet") also applies to the
# management network.
add interface=vlan99 list=VLAN
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan99 list=BASE
add interface=ether5-access list=BASE
add interface=vlan30 list=VLAN
add interface=vlan40 list=VLAN
# zerotier1 is the only VPN-list member; "ZT masquerade" and the VPN rules key on this.
add interface=zerotier1 list=VPN
# Layer-3 addressing, DHCP options, DNS resolver and the address lists used by the filter.
/ip address
# ether1 carries a private /30 toward the upstream router 10.0.1.1 (the default gateway
# in /ip route); everything leaving ether1 is masqueraded to 10.0.1.2 by the NAT section.
add address=10.0.1.2/30 interface=ether1 network=10.0.1.0
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0
add address=192.168.5.1/24 interface=ether5-access network=192.168.5.0
add address=10.0.30.1/24 interface=vlan30 network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40 network=10.0.40.0
add address=10.0.99.1/24 interface=vlan99 network=10.0.99.0
/ip dhcp-server network
# vlan10, vlan40 and vlan99 clients resolve through the router itself (hence the
# port-53 input accepts for the VLAN list); vlan20 and vlan30 are handed external resolvers.
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=199.85.126.10,1.1.1.2 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=176.103.130.132,176.103.130.134 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
add address=10.0.99.0/24 dns-server=10.0.99.1 gateway=10.0.99.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for clients. Exposure as an open
# resolver is prevented only by the input chain: port 53 is accepted from
# in-interface-list=VLAN and queries from ether1 fall through to "Drop all rest".
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip firewall address-list
# Named hosts referenced by src-/dst-address-list in the filter rules.
add address=192.168.1.1 list="Router Vodafone"
add address=10.0.1.1 list="Router Vodafone"
add address=10.0.10.10 list="multimediaserver Server"
add address=10.0.40.2 list=Webserver
# Firewall filter. Rules are evaluated in order within each chain; a chain with no
# matching rule ACCEPTS the packet (RouterOS default).
# NOTE(review): the input chain is closed by the final "Drop all rest", but the forward
# chain has no terminal drop. Forward traffic that matches none of the accept rules is
# therefore still passed -- including zerotier1 -> anywhere and any inter-VLAN flow -- and
# only the two forward drop rules (invalid, "Router Vodafone") actually take effect.
# Adding "add action=drop chain=forward" as the last forward rule makes the accept
# rules meaningful; before doing so re-enable the established,related accept below,
# otherwise return traffic is dropped.
/ip firewall filter
add action=drop chain=forward comment="Drop forward invalid" \
    connection-state=invalid
add action=drop chain=input comment="Drop Input Invalid" connection-state=\
    invalid
# ICMP to the router is accepted from every interface, WAN included, with no rate limit.
add action=accept chain=input comment="--> Ping" protocol=icmp
# log-prefix=4 has no effect here because log=yes is not set (same for the fasttrack rule).
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related log-prefix=4
# Management (Winbox 8291, www-ssl 443) only from the BASE list.
add action=accept chain=input comment="Base -> Winbox" dst-port=\
    8291,443 in-interface-list=BASE protocol=tcp
# Explicit drop of management ports from everywhere else; redundant with the final
# "Drop all rest" but documents intent.
add action=drop chain=input comment="--> Winbox" dst-port=8291,80,443,23,21 \
    protocol=tcp
# The upstream router ("Router Vodafone" list) may reach BASE; anything else it
# originates through ether1 is dropped.
add action=accept chain=forward comment="BASE -> Router Vodafone" \
    in-interface=ether1 out-interface-list=BASE src-address-list=\
    "Router Vodafone"
add action=drop chain=forward comment=" --> Router Vodafone" in-interface=\
    ether1 src-address-list="Router Vodafone"
# Both the fasttrack rule and the established,related accept are disabled=yes.
add action=fasttrack-connection chain=forward connection-state=\
    established,related disabled=yes hw-offload=yes log-prefix=fasttrack
add action=accept chain=forward connection-state=\
    established,related,untracked disabled=yes
# Router-as-resolver: DNS from the VLAN list (which includes vlan99, see list members).
add action=accept chain=input comment="VLAN -> DNS tcp" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="VLAN -> DNS udp" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=forward comment="Base -> VLANs" in-interface-list=\
    BASE out-interface-list=VLAN
# Also covers vlan99, since it is a member of the VLAN list as well as BASE.
add action=accept chain=forward comment="VLAN  -> Internet" \
    in-interface-list=VLAN out-interface-list=WAN
# dst-limit throttles new connections per destination address (rate 1, burst 5).
add action=accept chain=forward comment="VLAN -> multimediaserver" dst-address-list=\
    "multimediaserver Server" dst-limit=1,5,dst-address/1m40s dst-port=8096 \
    in-interface-list=VLAN protocol=tcp
# Disabled: the ZeroTier -> media server accept that the dstnat rule for 8096 relies on.
add action=accept chain=forward disabled=yes dst-address-list="multimediaserver Server" \
    dst-port=8096 in-interface=zerotier1 protocol=tcp
# Published web server: 443 and 80 from ether1 to 10.0.40.2 on vlan40 only; port 80
# hits are logged (Certbot_Webserver- prefix).
add action=accept chain=forward comment="Internet -> Web server" \
    dst-address-list=Webserver dst-port=443 in-interface=ether1 \
    out-interface=vlan40 protocol=tcp 
add action=accept chain=forward comment="Internet -> Web server" \
    dst-address-list=Webserver dst-port=80 in-interface=ether1 log=yes \
    log-prefix=Certbot_Webserver- out-interface=vlan40 protocol=tcp 
# Terminal drop for the INPUT chain only; there is no forward-chain counterpart.
add action=drop chain=input comment="Drop all rest"

# NAT: two masquerades (WAN and VPN egress) and three port forwards.
/ip firewall nat
# Every LAN/VPN source leaving ether1 appears upstream as 10.0.1.2 (the private /30),
# which the upstream router 10.0.1.1 then NATs again.
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# LAN sources entering the ZeroTier network appear as the router's ZeroTier address.
add action=masquerade chain=srcnat comment="ZT masquerade" \
    out-interface-list=VPN
# NOTE(review): dst-address=192.168.199.254 hard-codes the router's ZeroTier address,
# which the post says is assigned dynamically; match on in-interface-list=VPN (or
# in-interface=zerotier1) instead so the rule survives an address change. The matching
# forward accept (zerotier1 -> multimediaserver, 8096) is disabled in the filter section.
add action=dst-nat chain=dstnat comment="NAT ZT:8096 > multimediaserver:8096" \
    dst-address=192.168.199.254 dst-port=8096 log=yes log-prefix=8096 \
    protocol=tcp to-addresses=10.0.10.10 to-ports=8096
# Web server publication on the WAN address. No in-interface match: packets to
# 10.0.1.2:443/80 from any interface are redirected, so the router's own www-ssl is
# not reachable on 10.0.1.2.
add action=dst-nat chain=dstnat comment="NAT Internet:443 > Webserver:443" \
    dst-address=10.0.1.2 dst-port=443 protocol=tcp to-addresses=10.0.40.2 \
    to-ports=443
add action=dst-nat chain=dstnat comment="NAT Internet:80 > Webserver:80" \
    dst-address=10.0.1.2 dst-port=80 protocol=tcp to-addresses=10.0.40.2 \
    to-ports=80
    
# Routing, management services and system settings.
/ip route
# Single default route via the upstream router on the ether1 /30.
# NOTE(review): pref-src=0.0.0.0 is unusual; leaving pref-src unset is normally what
# is wanted -- confirm this is not an export artefact.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.1.1 pref-src=\
    0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    10
/ip service
# Plaintext and unused management services are off; www-ssl is limited to the BASE
# subnet. Winbox (8291) keeps its default (enabled, no address= restriction) and is
# reachable only because the input chain accepts it from the BASE list.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl address=10.0.99.0/24 disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=RouterSwitchAP
/system ntp client
set enabled=yes
/system ntp client servers
add address=130.206.3.166
add address=150.214.94.5
/system routerboard settings
set cpu-frequency=auto
# MAC-level access (mac-telnet and mac-winbox) restricted to the management list.
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Mikrotik.png

The only thing that’s odd here is that the router has a private address on its “WAN”/ether1, 10.0.1.2/30. You’re doing a src-nat (masquerade) to this network, which means it will convert any of those VLAN/VPN addresses to 10.0.1.2 – all traffic upstream, VPN or LANs, will look like that address to the upstream router. This line does that, based on the /interface/list WAN containing ether1:

/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN

and based on your routing table, it goes to 10.0.1.1 – so that device’s configuration is the one that actually matters most, since all “non-local” traffic will go there:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.1.1 pref-src=\
    0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    10

The above actually has a configuration error: the “pref-src” very likely should not be 0.0.0.0. Maybe your upstream router needs that, hard to know. Again, this is why 10.0.1.1’s configuration is relevant.

Also relevant are the ZeroTier “Managed Routes”; assuming you have one for “0.0.0.0 via 192.168.199.254”, that’s all you should need (and on your ZeroTier clients enabling “Allow Default Route Override”). If you didn’t want all ZeroTier clients to route all traffic to the router, then your “Managed Routes” would need to include routes like “10.0.X.0 via 192.168.199.254” for each of those VLANs you’d want the VPN clients to be able to access. Either way, you can control routes on both the ZeroTier and Mikrotik sides, so routing should NOT be a reason for a NAT, since you can likely avoid it by defining static routes on both sides.

I’d focus on the 10.0.1.1 router first. If it’s a “business/enterprise” router, it may be as simple as adding static routes on the ISP router (10.0.1.1) for your VLANs and then still letting it do the NAT, OR reconfiguring it to put ether1 into a DMZ/Internet subnet. Like ZeroTier, if the foreign router has IPv4 static routes for your LAN subnets, you’d similarly not need NAT. Now if this is some home router from your ISP, most don’t allow you to set static routes – and likely not what you’d want to do anyway, since I’m guessing you want the Mikrotik to be the “Internet router”. Right now 10.0.1.1 seems to be, and all the LANs on the Mikrotik will be behind a “Double NAT” (e.g. 10.0.10.x is NAT’ed to 10.0.1.2, which is then NAT’ed to a public IP by the device at 10.0.1.1). Double NATs are bad. something you

Anyway, hard to know, but 10.0.1.1’s configuration is what’s going to guide your Mikrotik firewall rules. Right now, it looks like you have a double NAT – which can theoretically work, but things like ZeroTier’s tunnels may not like the “double NAT”, so that’s another potential issue.

Thanks for your comments.
Here I attach another diagram which describes the situation of the “10.0.1.2/30” interface (note that this interface can be changed to another IP range, in order to keep the 10.0.0.1/16 range as pure LAN).

I can understand the difficulty a router may have when dealing with a WAN, some VLANs and a VPN all with private IP ranges. But only if the “Internet” route were not the default one.

In my case, there should “only” be 4 cases (3 of them with a defined IP range / interface):

  • traffic goes from LAN to the VPN IP range (192.168.199.0/24) → ZEROTIER1 interface (masquerade)


  • traffic comes in on the ZEROTIER1 interface on port 8096 → forwarded to the multimedia IP (NAT)


  • inter-VLAN traffic (remains in LAN)


  • rest goes through internet

I think there is something I am missing.
diagram.png

What is the exact problem you’re having? I kind of assume the LAN/VLAN stuff was working as you wanted BEFORE you added the VPN. If not, it would be good to clarify.

As I said, you have a “double NAT” situation with the NAT rules you do have. I worry ZeroTier tunnels may not like it. Since there is also some NAT running on the 10.0.2.1 router, that’s another area to look for trouble. Let’s assume you have reasons for the double NAT (e.g. a private internet WAN address) on your Mikrotik. And I’ll presume ZeroTier on your Mikrotik is actually getting the 192.168.199.254 address and has some peers listed in ZeroTier>Peers – if not, that’d be the first thing to look at here.

It does seem your firewall needs some changes to allow this, based on the config you posted. If your goal is for VPN/ZT clients, e.g. 192.168.199.0/24, to reach exactly one device on one port, this firewall filter rule is okay (BUT nothing in the filter AFAIK allows zerotier1 a path to the WAN):

add action=accept chain=forward disabled=yes dst-address-list="multimediaserver Server" \
    dst-port=8096 in-interface=zerotier1 protocol=tcp

For that to work bidirectionally (MM server@8069), you’d also need to do EITHER:

  1. The ZeroTier way… add a Managed Route for 10.0.10.10/32 via 192.168.199.254 for the ZeroTier network. Then any ZeroTier client knows the route to take for the one host, 10.0.10.10. No NAT rule is required on the Mikrotik. And your zerotier filter rule above prevents anything BUT the one IP/port from the ZT VPN.
  2. The Mikrotik way… without the above, the ZT clients in 192.168.199.0/24 would be able to use port forwarding via 192.168.199.0… but have no idea what to do with the 10.0.10.10 addresses. You handle this case with the src-nat rule. The filter allows the IN to the port (and nothing else). So the src-address of “10.0.10.10” you want converted/NAT’ed to “192.168.199.254”. And you already have a rule that covers that. This will cause any IP in your Mikrotik/WAN subnets to appear as coming from the IP 192.168.199.254 to the VPN (e.g. it masquerades 10.0.10.10 as 192.168.199.254 before going OUT zerotier1/VPN):
/ip firewall nat 
add action=masquerade chain=srcnat comment="ZT masquerade" \
    out-interface-list=VPN

Since you don’t allow any “forward” from “VPN” to “WAN” in /ip/firewall/filter, internet traffic cannot flow from ZT VPN → WAN right now. You may or may not want this. While you have the NAT rule above, it’s not going to do this by itself. So if you wanted internet from the VPN, you need another FILTER rule to ALLOW it, e.g.

# Proposed forward accept for VPN -> WAN (RouterOS 7 path syntax). No action= is given,
# so the rule takes the default action, accept.
/ip/firewall/filter/add chain=forward in-interface-list=VPN out-interface-list=WAN

Basically I think it’s this line that’s giving you trouble, and you can try disabling it to see if it fixes your issue:

/ip firewall nat 
add action=dst-nat chain=dstnat comment="NAT ZT:8096 > multimediaserver:8096" \
    dst-address=192.168.199.254 dst-port=8096 log=yes log-prefix=8096 \
    protocol=tcp to-addresses=10.0.10.10 to-ports=8096

As I said, you can avoid NATs by adjusting the routing table of your 10.0.10.1 router and in my.zerotier.com under Managed Routes. If those list a destination of the Mikrotik subnet you want forwarded, then there is no need for NAT rules on the Mikrotik.

Sorry to harp on this… But IMO, you’re better off avoiding NAT by adding static routes as needed. The /ip/firewall/filter stops any unwanted paths, so the NAT isn’t really about security. You generally need src-nat rules between private IP addresses ONLY when you can’t fix the routing tables elsewhere – if you can, that’s almost always preferable to adding more src-nat rules. Now, with WANs with a public IP you can’t avoid NAT, but everywhere else…

With ZeroTier there are “managed routes”, so avoiding a NAT to ZeroTier is pretty easy. AND there are flow rules that could also restrict traffic before your Mikrotik even sees it (e.g. you can add a flow rule to only allow 10.0.10.10:8096 so traffic is dropped by ZeroTier before even hitting your Mikrotik filters). Anyway, get things working first – but since you have some pretty restrictive internal firewalls, the flow rules on ZeroTier could extend your security model even further (and reduce traffic hitting your router from the VPN).

Hi,

thank you for your suggestion; however, as I do not trust all computers sharing my ZeroTier network, I wanted to only open some specific ports (NAT) and, on the other hand, masquerade to access the other computers.

In the end I managed to get it working, by cleaning up my previous rules:

  • masquerade for each VPN / WAN


  • Generic “Allow forward rule”


  • Specific NAT rule

If this can help anybody, here it is:

# Final forward accepts as posted.
# NOTE(review): both rules match only on in-interface and protocol=tcp -- no
# dst-address-list, dst-port or out-interface -- so EVERY TCP flow entering from ether1
# or zerotier1 is accepted in forward, not just the web-server and 8096 flows the NAT
# rules publish. That is wider than the stated goal of opening only specific ports to
# the ZeroTier peers; keeping the earlier dst-address-list=... dst-port=... matchers
# limits the exposure to the two published services. The posted snippet shows no
# terminal "action=drop chain=forward" rule either; without one the forward chain
# accepts everything regardless of these rules.
/ip firewall filter
add action=accept chain=forward comment="Internet -> Web server"  in-interface=ether1 protocol=tcp 
add action=accept chain=forward comment="ZT -> Emby" in-interface=zerotier1 protocol=tcp 
	
# Final NAT as posted: masquerade on both egress lists plus two port forwards.
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="ZT masquerade"   out-interface-list=VPN
# The 8096 forward now matches on in-interface-list=VPN instead of a fixed dst-address,
# so it keeps working when the router's ZeroTier address changes.
add action=dst-nat chain=dstnat comment="NAT ZT:8096 > Multimedia:8096" dst-port=8096 in-interface-list=VPN protocol=tcp to-addresses=10.0.10.10 to-ports=8096
# Only 443 is forwarded from WAN here; the earlier port-80 forward is not in this snippet.
add action=dst-nat chain=dstnat comment="NAT Internet:443 > WebServer:443" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=10.0.40.2 to-ports=443