Routing through VPN

Hello,

My RouterOS has a VPN connection to a linux server (RouterOs is client with IP 10.8.0.2, Linux server has 10.8.0.1).
On my LAN (RouterOS side), I have a SSH server (192.168.0.136) listening on port 1022
I want to connect to the SSH server from the linux side.

I’ve added a NAT rule on the RouterOS to forward port 1022 to the SSH server:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1022 in-interface=ovpn-sw1 protocol=tcp to-addresses=192.168.0.136 to-ports=1022

I’ve also added these rules to route back the response packets to the Linux server:

/ip firewall mangle
add action=mark-connection chain=forward comment="Mark new connections from ovpn-sw1" connection-state=new in-interface=ovpn-sw1 new-connection-mark=from_sw1 passthrough=no
add action=mark-routing chain=prerouting comment="Route back packets to ovpn-sw1" connection-mark=from_sw1 new-routing-mark=go_SW1 passthrough=no src-address=192.168.0.136
/ip route
add distance=1 gateway=10.8.0.1 routing-mark=go_SW1

And this works. I can ssh from the Linux server to 192.168.0.136 on my LAN

Now I want to forward port 1022 from the public IP of the Linux server.
I’ve enabled forwarding and added a an iptable rule on the Linux server:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1022 -j DNAT --to 10.8.0.2:1022

And that does not work…
You might think that this has nothing to do with RouterOS, and that I should post on a Linux forum. But here comes the weird thing:

If I enable the packet sniffer or Torch on the VPN interface, it works!
You might think that it is a coincidence, but I’ve spent many (too many!) hours on that issue and I am sure about that point.

It is very difficult to determine where the problem is without the packet sniffer, but I suspect that the packets arrive at the SSH server, the response is sent back but is not routed through the VPN by the RouterOS.
I have tried different methods to add the ‘go_SW1’ mark on the packets, but it does not change anything: the packets are routed only when the sniffer (or Torch) is started.

I believe that something must be wrong somewhere in my config, but I can’t figure out what…

If you have any idea, any suggestion, please tell me!

Thanks for reading

I don’t have any experience with that myself yet, but it’s probably related to fasttrack or fastpath (see e.g. here).

You’re a boss!
It’s now working after disabling fast path on the bridge

Thank you so much!

Hi Olivier, this doesn’t work for me, can you help me?

Mangling is bypassed with FastTrack enabled, that explains your issue.

But do you actually need mangling: if you were to define a route to the other part of your vpn in your main routing table, you wouldn’t need to mangle and fast track could be enabled.
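As an added example (not posted by anyone in this thread), a middle ground between disabling FastTrack entirely and dropping the mangle rules: keep the thread's connection mark `from_sw1`, and exclude connections carrying that mark from the FastTrack rule so their return packets still pass through mangle and pick up the `go_SW1` routing mark. The rule order shown is an assumption; the fasttrack rule must sit after the mark-connection rule and before the generic accept rule for established traffic.

```routeros
# Mark new connections arriving over the VPN (same rule as in the original post)
/ip firewall mangle
add action=mark-connection chain=forward connection-state=new \
    in-interface=ovpn-sw1 new-connection-mark=from_sw1 passthrough=no \
    comment="Mark new connections from ovpn-sw1"

# FastTrack everything established/related EXCEPT connections marked from_sw1.
# FastTracked packets bypass mangle, so an excluded connection is the only way
# the reply packets from 192.168.0.136 can receive the go_SW1 routing mark.
/ip firewall filter
add action=fasttrack-connection chain=forward \
    connection-state=established,related connection-mark=!from_sw1 \
    comment="FastTrack all but VPN-originated connections"
add action=accept chain=forward connection-state=established,related \
    comment="Accept established/related (marked connections land here)"

# Return route for the marked connections (unchanged from the original post)
/ip route
add distance=1 gateway=10.8.0.1 routing-mark=go_SW1
```

Verify with /ip firewall connection print where connection-mark=from_sw1: those entries should not show the fasttrack flag while other LAN connections do.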