Hello everyone,
I have an RB4011 doing NAT for a remote client, connected through an L2TP/IPsec tunnel.
Like this:
FROM INTERNET → PORT 19980 → RB4011 → L2TP VPN → HEX → DEVICE WEB PAGE 80
Inside the LAN, and even from another VPN access like my office, I can access the device's HTTP server. But using the NATed port from outside, without a VPN connection to the RB4011, it doesn't load.
In my HEX, I have the following rules to send the connections originated from my RB4011 back through the VPN tunnel. It works for simple connections, like TCP SYN/ACK.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=l2tp-central new-connection-mark=\
nat-conn-central passthrough=yes src-address-list=!local_address
add action=mark-routing chain=prerouting connection-mark=nat-conn-central dst-address-list=!local_address new-routing-mark=\
nat-central passthrough=yes
add action=change-mss chain=forward connection-mark=nat-conn-central disabled=yes new-mss=500 passthrough=yes protocol=tcp \
tcp-flags=syn tcp-mss=501-65535
The address-list:
ip firewall address-list/print
Columns: LIST, ADDRESS, CREATION-TIME
# LIST ADDRESS CREATION-TIME
0 local_address 172.16.0.0/12 jun/01/2023 15:42:07
The routing table:
ip route print where routing-table=nat-central
Flags: A - ACTIVE; s, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
3 As 0.0.0.0/0 172.25.1.254 1
The last thing I tested was reducing the MSS. The default is 1310; I tested with 1300, 1290, 1250 and finally 500 on the connections, but it also doesn't make a difference.
Wireshark output shows retransmissions and RST flags.
Is there anything missing in the above rules?
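As an added illustration (not from the original post and not MikroTik code), the following Python emulation shows how the connection mark set by the first prerouting rule is inherited by the device's reply packet, so the mark-routing rule can push that reply back into the tunnel even though the reply enters the hEX on the bridge. The interface name, marks and the local_address list are taken from the rules quoted above; the client and device addresses, the WAN gateway and the tracker itself are constructed assumptions.

```python
"""Emulation of the two prerouting mangle rules from the post (added example).

It models only what matters for the return-path trick: a connection tracker
that gives a flow and its reply one shared entry, a connection mark set on
the first packet seen from the tunnel, and a routing mark derived from it.
Addresses, the WAN gateway and interface "bridge" are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Values mirroring the rules in the post.
LOCAL_ADDRESS = [ipaddress.ip_network("172.16.0.0/12")]  # address-list local_address
TUNNEL_IFACE = "l2tp-central"
CONN_MARK = "nat-conn-central"
ROUTING_MARK = "nat-central"

# Routing tables: nat-central only has the default route back into the tunnel
# (from the post); main's WAN gateway is a constructed placeholder.
TABLES = {
    ROUTING_MARK: "172.25.1.254 (l2tp tunnel)",
    "main": "198.51.100.1 (wan, constructed)",
}


def in_local(addr: str) -> bool:
    """True if addr falls inside the local_address list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_ADDRESS)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str


class Conntrack:
    """Minimal stateful tracker: addresses only (no ports/protocol), and a
    flow and its reply map to the same entry, as RouterOS connection tracking does."""

    def __init__(self) -> None:
        self.marks: dict = {}

    @staticmethod
    def key(pkt: Packet) -> frozenset:
        return frozenset((pkt.src, pkt.dst))  # direction-independent

    def get(self, pkt: Packet):
        return self.marks.get(self.key(pkt))

    def set(self, pkt: Packet, mark: str) -> None:
        self.marks[self.key(pkt)] = mark


def prerouting_mangle(pkt: Packet, ct: Conntrack, mark_connection_enabled: bool = True):
    """Apply the post's two prerouting rules in order; return the routing mark or None."""
    # Rule 1: first packet of a connection arriving from the tunnel with a
    # non-local source gets the connection mark (connection-mark=no-mark,
    # in-interface=l2tp-central, src-address-list=!local_address).
    if (mark_connection_enabled and pkt.in_iface == TUNNEL_IFACE
            and ct.get(pkt) is None and not in_local(pkt.src)):
        ct.set(pkt, CONN_MARK)
    # Rule 2 (reached because rule 1 has passthrough=yes): any packet of a marked
    # connection whose destination is not local gets the routing mark, regardless
    # of which interface it came in on.
    if ct.get(pkt) == CONN_MARK and not in_local(pkt.dst):
        return ROUTING_MARK
    return None


def route(pkt: Packet, ct: Conntrack, mark_connection_enabled: bool = True) -> str:
    """Route a packet: connected LAN first, otherwise the table chosen by the routing mark."""
    routing_mark = prerouting_mangle(pkt, ct, mark_connection_enabled)
    if in_local(pkt.dst):
        return "bridge (directly connected LAN)"
    return TABLES[routing_mark or "main"]


def simulate(mark_connection_enabled: bool = True) -> dict:
    """Walk one NATed request, its reply and an unrelated LAN flow through the hEX."""
    ct = Conntrack()
    client, device = "203.0.113.5", "172.16.10.20"  # constructed: internet client, LAN device
    request = Packet(client, device, TUNNEL_IFACE)   # arrives via the tunnel after the RB4011 dst-nat
    reply = Packet(device, client, "bridge")         # device answers from the LAN side
    unrelated = Packet("172.16.10.30", "203.0.113.9", "bridge")  # ordinary LAN-to-internet flow
    return {
        "request": route(request, ct, mark_connection_enabled),
        "reply": route(reply, ct, mark_connection_enabled),
        "unrelated": route(unrelated, ct, mark_connection_enabled),
    }


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"mark-connection rule enabled={enabled}: {simulate(enabled)}")
```

With the mark-connection rule in place the reply leaves via 172.25.1.254 back into the tunnel while the unrelated LAN flow still uses the main table; with the rule disabled the reply would leave via the WAN and never reach the RB4011, which is the asymmetric-routing failure the rules are designed to prevent. The emulation tracks addresses only and no TCP state, so it cannot reproduce MSS or retransmission behaviour of the kind seen in a Wireshark capture.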