Hello, I am a complete newbie and so limited in time that I require help. I tried several NATing solutions but could not figure out how to establish the following:
I have one router board which has a site-to-site VPN connection over the internet which requires a specific IP from my side (ipA) for their internal routing, so that I am able to reach my destination at the remote end of the tunnel. My internal network is working fine and I can make src-nats to let the inner clients (who can access the internet too) access the other end of the VPN tunnel via ipA when needed.
But I have an external host (ipB) that needs to access the remote end of the tunnel.
What I tried so far:
I added a src-nat rule that converts ipB to one of my internal IPs and then hoped the existing src-nat would do its job, but I have not seen any traffic activity. I guess the packets are not routed automagically.
I tried to dst-nat (despite knowing it is not the case) to an empty IP and hoped src-nat would do its job; I see packets coming in, but src-nat is not seeing any flow.
How can I make ipB act as one of my internal network IPs without establishing any VPN/tunnel etc. between my board and the external host (ipB)?
If I understand it correctly and you have one router with the tunnel and the ipB device is somewhere else, you first need to get packets from ipB to your router. If you don’t want to set up another tunnel between you and ipB with proper routing, another way is to connect from ipB to the public address of your router and use dstnat to forward these connections through the tunnel to whatever destination you need. You also need srcnat for these connections. And then it should work.
Yes, ipB can access the routerboard through the public IP of the routerboard. I tried dstNat on the incoming packets of ipB from the public IP of the routerBoard; I see the packets are received by the router, but I don’t think they are put into the existing tunnel. Should I also create a srcnat from the tunnel back to the IP?
/ip firewall nat
# dstnat runs first (prerouting): only ipB, hitting your public address on the
# original port, is redirected to the target behind the tunnel
add chain=dstnat dst-address=<your public address> protocol=<protocol> dst-port=<original port> \
    src-address=<ipB> action=dst-nat to-addresses=<target on the other end of tunnel> to-ports=<target port, if it's different>
# srcnat runs after routing (postrouting): traffic from ipB leaves towards the
# tunnel with ipA as its source, which is what the remote side expects
add chain=srcnat src-address=<ipB> action=src-nat to-addresses=<ipA>
It can also be influenced by the rest of your firewall, but it would work with the default one.
Thanks for your kind pursuit of the topic. Let me please understand what’s happening here: I am changing the protocol headers, but is the order executed in reverse? I mean, when a packet comes in from ipB, will it be srcNat’ed first and then dst-nat’ed if I give the config in the above order, or vice versa?
Should I do something about the return packets (assuming it's TCP), or will they be handled once the connection is established? (The connection is always established from ipB to the end of the tunnel.)
It’s two different chains; the order is set in stone: it’s always dstnat first and srcnat after that, no matter in which order you add the rules. See the image in this post.
Dstnat looks for a connection to <your public address>:<original port> with protocol <protocol>, and when there’s one, it changes the destination to <target on the other end of tunnel>:<target port, if it’s different>. You can omit the to-ports option if you’re not changing the port. The router knows where <target on the other end of tunnel> is, so it will send the packet there. And the srcnat rule is a simplified one: if packets come from <ipB>, it will change the source to <ipA>. If <ipB> is going to be accessing only the device through the tunnel, it’s ok like this. If you also have other forwarded ports to some local servers that <ipB> could be accessing, add dst-address=<target on the other end of tunnel> to the srcnat rule, to make it apply only to tunneled traffic.
Packets belonging to established connections are handled automatically, you don’t need any manual config for them.
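To put the rules from the earlier answer and the dst-address refinement from the last one together, here is a complete rule set with made-up addresses, plus the commands to check that both translations actually happened. This is an added example, not configuration posted in this thread; the addresses, the interface name and the TCP port 3389 are assumptions chosen for illustration and must be replaced with your own values.

```routeros
# Added example (not from the thread). Assumed values:
#   203.0.113.1   - public address of the router board
#   198.51.100.20 - the external host, ipB
#   10.10.0.5     - ipA, the source address the remote side expects
#   172.16.50.10  - target host at the far end of the tunnel, TCP/3389 (assumed)

/ip firewall nat
# 1. dstnat (prerouting) runs first. Match is deliberately tight: only ipB,
#    only to the router's public address, only on the forwarded port, so the
#    rule does not expose the tunnel target to the whole internet.
#    to-ports is omitted because the port is unchanged.
add chain=dstnat src-address=198.51.100.20 dst-address=203.0.113.1 \
    protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=172.16.50.10 \
    comment="ipB -> tunnel target"

# 2. srcnat (postrouting) runs after routing, on the already-rewritten packet.
#    dst-address limits it to the tunnel target, so ipB's connections to any
#    other port-forwarded local server keep their real source address.
add chain=srcnat src-address=198.51.100.20 dst-address=172.16.50.10 \
    action=src-nat to-addresses=10.10.0.5 \
    comment="ipB appears as ipA inside the tunnel"

# Checks, after ipB opens a connection:
# - both rule counters must increase; if only the dstnat counter moves, the
#   packet was routed somewhere else (or dropped by the forward filter) before
#   reaching postrouting
/ip firewall nat print stats where comment~"ipB"
# - the tracked connection shows both rewrites: dst-address is the public IP,
#   reply-src-address is the tunnel target and reply-dst-address is ipA;
#   reply packets are translated back from this entry, no extra rule needed
/ip firewall connection print detail where src-address~"198.51.100.20"
```

NAT chains stop at the first matching rule, so place both rules above any generic masquerade or src-nat rule you already have for your inner clients; otherwise that rule can claim ipB's traffic first and the remote side will never see ipA. The default RouterOS firewall accepts new connections from WAN that have been dst-nat'ed, which is why the earlier answer says it works with the default filter; a custom forward chain that drops new traffic from WAN unconditionally will show the dstnat counter moving while nothing reaches the tunnel.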