Servers availability with port redirection and VPN

Hello,
I have a problem with my servers' availability when I use port redirection and VPN. Can someone help me?

I have a web server at home behind Mikrotik. I made it available from the internet and it works well, it also updates the Let’s Encrypt certificate. I use these rules:

/ip firewall nat print
;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.1.1 protocol=udp dst-address-type=local dst-port=1194 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.1.150 to-ports=443 protocol=tcp dst-address-type=local dst-port=443 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.1.150 to-ports=80 protocol=tcp dst-address-type=local dst-port=80 log=no log-prefix=""

/ip firewall filter print
chain=input action=accept protocol=tcp dst-address=Public_IP_address dst-port=443 log=no log-prefix=""
chain=input action=accept protocol=tcp dst-address=Public_IP_address dst-port=80 log=no log-prefix=""
chain=forward action=accept protocol=tcp dst-address=192.168.1.150 dst-port=443 log=no log-prefix=""
chain=forward action=accept protocol=tcp dst-address=192.168.1.150 dst-port=80 log=no log-prefix=""

I have another server, a database server, in my home because I have fast internet here.

There is an IPSec/L2TP VPN between our office (where we barely work due to the epidemic but need it due to clients) and my home to access the database server from the office as well. There is a backup server in the office where backups are made at night.

We work with the database server in two ways. On the one hand, everyone (3-4 people) connects directly to the database server via OpenVPN as a remote worker.
On the other hand, we occasionally work from the office through the IPSec/L2TP VPN on the database server. OpenVPN does not work here because IPSec/L2TP VPN must work continuously due to backups and system administration.

The problem is that because of the web server's http and https availability, the database server cannot be accessed through the IPSec/L2TP VPN. How can both be available at the same time?

Thank you for your help.
Thanks and Regards

It doesn't make sense to me. Your webserver uses ports 80 and 443, and the dstnat rules for them apply only when the destination is the router's address (any of them). So even if your database server used the same ports, there would be a different address (the internal one used by the database server) and no conflict.

Btw, about your filter rules: the first two are useless, because that traffic will be taken by dstnat, it won't end up in the input chain. And the next two can be replaced by a universal one:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

And I hope these four are not your only filter rules, because in that case you wouldn't have any firewall at all, and everything would be wide open to the whole world.

Thanks for your quick reply. I guess you don’t understand why I did that?
The web server (192.168.1.150) must be accessed via http (port 80) and https (port 443) for the Let’s Encrypt Certificate Update to work.
The database server (192.168.1.1) must also be accessed via http (port 80) and https (port 443) to use the services.
Because both are accessible through the WAN interface (the database server from the office via an IPSec / L2TP VPN), http and https requests from the WAN are always routed to the web server due to redirection.
There is no problem with OpenVPN because it connects directly to the database server.

You think the following two filters are unnecessary and I need to delete them:
chain=input action=accept protocol=tcp dst-address=Public_IP_address dst-port=443 log=no log-prefix=""
chain=input action=accept protocol=tcp dst-address=Public_IP_address dst-port=80 log=no log-prefix=""

and you suggest that instead of the following two filters:
chain=forward action=accept protocol=tcp dst-address=192.168.1.150 dst-port=443 log=no log-prefix=""
chain=forward action=accept protocol=tcp dst-address=192.168.1.150 dst-port=80 log=no log-prefix=""

I need to use the following:
chain=forward connection-nat-state=dstnat action=accept

Do I understand your suggestion correctly? I understand how the rule works but unfortunately I don't see how it solves my problem …

Where do I need to place this filter rule in order? Should NAT rules remain unchanged?

Thank you for your help.

Hi Steve, it would be pointless to make any recommendations on a partial config, there are many related parts.
Please post your config:
/export hide-sensitive file=anynameyouwish

I was curious as to what the purpose of this rule is, as I am not really smart when it comes to src nat rules!
chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""

I understand why the webserver must be accessible from the internet if you want to use it to get LE certificates. But if the database server using the same ports gets accessed from the office and you have a VPN for that, I'd expect that you're connecting directly to its internal address. Otherwise what's the point of the VPN?

About the rules, yes, that’s what I meant, and no, it won’t solve this problem, it’s just bonus advice. I should have made that clearer.

Here is my full firewall export. Would that be necessary?

/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
/ip firewall filter
add action=accept chain=forward comment="forward l2tp/ipsec remote client" dst-address=192.168.1.0/24 in-interface=all-ppp src-address=192.168.1.0/24
add action=accept chain=forward comment="forward l2tp/ipsec remote client" dst-address=192.168.1.0/24 out-interface=all-ppp src-address=192.168.1.0/24
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="drop all DNS udp query not coming from LAN" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop all DNS udp query not coming from LAN" disabled=yes dst-port=53 protocol=udp src-address=!192.168.0.0/23
add action=drop chain=input comment="drop all DNS tcp query not coming from LAN" dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="drop all DNS tcp query not coming from LAN" disabled=yes dst-port=53 protocol=tcp src-address=!192.168.0.0/23
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow l2tp/ipsec IKE (500)" dst-port=500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp (1701)" dst-port=1701 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp/ipsec NAT (4500)" dst-port=4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp/ipsec vpn (ipsec-esp)" in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-address=Public_IP_Home in-interface-list=WAN src-address=Public_IP_Office
add action=accept chain=input comment="accept all from LAN works with drop input" in-interface=bridge
add action=accept chain=input comment="accept all from LAN works with drop input" in-interface=bridge1
add action=accept chain=input disabled=yes dst-port=4569 protocol=udp
add action=accept chain=input disabled=yes dst-port=10000-20000 protocol=udp
add action=accept chain=input comment="accept ssh subnets" dst-address=192.168.1.0/24 dst-port=22 protocol=tcp src-address=192.168.0.0/24
add action=drop chain=input comment="drop all input from blacklist" src-address-list=ssh-blacklist
add action=add-src-to-address-list address-list=ssh-blacklist address-list-timeout=2h chain=input comment="add IP address ssh request from WAN to blacklist" connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=5d chain=input comment="add port scanners to list" connection-state=new protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=input comment="drop all other input" disabled=yes in-interface-list=WAN
add action=accept chain=input comment="accept traffic to Nethserver" dst-address=Public_IP_Home dst-port=443 protocol=tcp
add action=accept chain=input comment="accept traffic to Nethserver" dst-address=Public_IP_Home dst-port=80 protocol=tcp
add action=accept chain=forward comment="port forward to Nethserver" dst-address=192.168.1.150 dst-port=443 protocol=tcp
add action=accept chain=forward comment="port forward to Nethserver" dst-address=192.168.1.150 dst-port=80 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward in-interface=bridge src-address=192.168.1.0/24
add action=accept chain=forward in-interface=bridge1 src-address=172.16.1.0/24
add action=accept chain=forward comment="forward openVPN to Zentyal" dst-address=192.168.1.1 dst-port=1194 in-interface=pppoe-out1 protocol=udp
add action=drop chain=forward comment="WiFi-Guest rule" in-interface=bridge-VLAN10 out-interface=bridge
add action=drop chain=forward comment="WiFi-Guest rule" in-interface=bridge out-interface=bridge-VLAN10
add action=drop chain=forward comment="Isolate port 2 from port 5" disabled=yes dst-address=172.16.1.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Isolate port 5 from port2" disabled=yes dst-address=192.168.1.0/24 src-address=172.16.1.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all other forward"
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.0.0/24 new-mss=1350 passthrough=yes protocol=tcp src-address=192.168.1.0/24 tcp-flags=syn tcp-mss=!0-1350
add action=change-mss chain=forward new-mss=1440 out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1440
add action=mark-connection chain=prerouting disabled=yes dst-port=4569 new-connection-mark=VoIP-Conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=VoIP-Conn disabled=yes new-packet-mark=VoIP-Pkt passthrough=no
add action=mark-packet chain=forward connection-mark=rtp-connection disabled=yes new-packet-mark=RTP passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="port forward openVPN port to Zentyal" dst-port=1194 protocol=udp to-addresses=192.168.1.1 to-ports=1194
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=80
/ip firewall service-port
set sip disabled=yes

This is to allow both subnets to be browsed from each other.

I don't know how your VPN is configured, but you want it so that from the office you can connect directly to 192.168.1.1.

Yes, that is exactly my goal. In addition, I can connect to the office printer, backup server, etc. from home.

What's stopping you? How is the L2TP/IPsec configured? Is it something that already works and is used for something, or are you still trying to set it up? If it's the latter, how much does it have to be this type?

edit, not useful input.

I’m so sorry but I probably misunderstood something. Unfortunately, English is not my native language. In the meantime, I had to leave because I was working and I left the machine turned on as usual.

Would a full config export be required? I thought you were just thinking about the firewall …

Everything I have set up so far works. The only problem is that if I enable the redirection of the http and https ports from the Internet to the home web server (192.168.1.150), the http and https ports of the home database server (192.168.1.1) cannot be accessed from the office via the IPSec / L2TP VPN. The IPSec / L2TP VPN works well between the office and home Mikrotik routers.

What should I send?

Thank you for your help.

Sorry about that, I thought Steve was an English name LOL.
Yes full export please
/export hide-sensitive file=anynameyouwish

I missed it, but you silently changed the dstnat rules from the first post. Originally you posted:

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.1.150 to-ports=443 protocol=tcp dst-address-type=local dst-port=443 log=no log-prefix=""
add chain=dstnat action=dst-nat to-addresses=192.168.1.150 to-ports=80 protocol=tcp dst-address-type=local dst-port=80 log=no log-prefix=""

But now you have:

/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=80

And yes, with the new ones it's possible that they catch connections to 192.168.1.1, if you added the VPN interface to the WAN interface list. Use those you posted originally and it won't happen, because dst-address-type=local will match only addresses assigned to the router itself, which 192.168.1.1 isn't, if it's the server.

No problem. Steve is the English equivalent of my first name. Many Steves are registered, so steve800 ... Unfortunately, the browser does not refresh automatically when a new post is received ...

In the meantime, I made a config export as you requested, I hope it will be right ... I tried to hide sensitive data like username, public IP address, etc. I hope it doesn't cause a problem.

# feb/06/2022 19:48:06 by RouterOS 6.49.2
# software id = KR2J-EIA8
# model = RBD52G-5HacD2HnD
# serial number =
/interface bridge
add admin-mac=B8:69:F4:C0:51:62 arp=proxy-arp auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge-VLAN10
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=user-agn
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=hungary disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-C05166 station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=hungary disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-C05167 station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=guest-profile1 supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:C0:51:66 master-interface=wlan1 multicast-buffering=disabled name=wlan3-guest security-profile=guest-profile1 ssid=Guest station-roaming=enabled vlan-id=10 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=wlan3-guest name=vlan10 vlan-id=10
/ip ipsec peer
add address=Public_IP_Office/32 name=peer1
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=user pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.201-192.168.1.240
add name=dhcp_pool1 ranges=192.168.89.201-192.168.89.240
add name=dhcp_pool2 ranges=172.16.1.100-172.16.1.120
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridge-VLAN10 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name=server1
/ppp profile
add bridge=bridge dns-server=192.168.1.254 local-address=dhcp name=l2tp-bridge remote-address=dhcp
/queue simple
add name=Total target=""
add name=VOIP packet-marks=VoIP-Pkt parent=Total priority=2/2 target=""
add name=RTP packet-marks=RTP parent=Total priority=1/1 target=""
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-VLAN10 interface=wlan3-guest
add bridge=bridge-VLAN10 interface=vlan10
add bridge=bridge1 interface=ether5 multicast-router=disabled
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=l2tp-bridge enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.254/24 comment=defconf interface=ether2 network=192.168.1.0
add address=192.168.89.1/24 interface=bridge-VLAN10 network=192.168.89.0
add address=172.16.1.1/24 interface=ether5 network=172.16.1.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=172.16.1.1,8.8.4.4,8.8.8.8 gateway=172.16.1.1 netmask=24 ntp-server=84.2.46.19,148.6.0.1
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.254,8.8.8.8,8.8.4.4,192.168.1.110 gateway=192.168.1.254 netmask=24 ntp-server=84.2.46.19,148.6.0.1
add address=192.168.89.0/24 dns-server=192.168.89.1,8.8.4.4 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,193.110.57.4,193.110.56.8,208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.1.254 comment=defconf disabled=yes name=router.lan
add address=192.168.1.160 name=srv03
add address=192.168.1.2 name=sipi-linux
add address=192.168.1.1 name=srv02
add address=192.168.1.254 name=mikrotik
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
/ip firewall filter
add action=accept chain=forward comment="forward l2tp/ipsec remote client" dst-address=192.168.1.0/24 in-interface=all-ppp src-address=192.168.1.0/24
add action=accept chain=forward comment="forward l2tp/ipsec remote client" dst-address=192.168.1.0/24 out-interface=all-ppp src-address=192.168.1.0/24
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="drop all DNS udp query not coming from LAN" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop all DNS udp query not coming from LAN" disabled=yes dst-port=53 protocol=udp src-address=!192.168.0.0/23
add action=drop chain=input comment="drop all DNS tcp query not coming from LAN" dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="drop all DNS tcp query not coming from LAN" disabled=yes dst-port=53 protocol=tcp src-address=!192.168.0.0/23
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow l2tp/ipsec IKE (500)" dst-port=500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp (1701)" dst-port=1701 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp/ipsec NAT (4500)" dst-port=4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp/ipsec vpn (ipsec-esp)" in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-address=Public_IP_Home in-interface-list=WAN src-address=Public_IP_Office
add action=accept chain=input comment="accept all from LAN works with drop input" in-interface=bridge
add action=accept chain=input comment="accept all from LAN works with drop input" in-interface=bridge1
add action=accept chain=input disabled=yes dst-port=4569 protocol=udp
add action=accept chain=input disabled=yes dst-port=10000-20000 protocol=udp
add action=accept chain=input comment="accept ssh subnets" dst-address=192.168.1.0/24 dst-port=22 protocol=tcp src-address=192.168.0.0/24
add action=drop chain=input comment="drop all input from blacklist" src-address-list=ssh-blacklist
add action=add-src-to-address-list address-list=ssh-blacklist address-list-timeout=2h chain=input comment="add IP address ssh request from WAN to blacklist" connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=5d chain=input comment="add port scanners to list" connection-state=new protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=input comment="drop all other input" disabled=yes in-interface-list=WAN
add action=accept chain=input comment="accept traffic to Nethserver" dst-address=Public_IP_Home dst-port=443 protocol=tcp
add action=accept chain=input comment="accept traffic to Nethserver" dst-address=Public_IP_Home dst-port=80 protocol=tcp
add action=accept chain=forward comment="port forward to Nethserver" dst-address=192.168.1.150 dst-port=443 protocol=tcp
add action=accept chain=forward comment="port forward to Nethserver" dst-address=192.168.1.150 dst-port=80 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward in-interface=bridge src-address=192.168.1.0/24
add action=accept chain=forward in-interface=bridge1 src-address=172.16.1.0/24
add action=accept chain=forward comment="forward openVPN to Zentyal" dst-address=192.168.1.1 dst-port=1194 in-interface=pppoe-out1 protocol=udp
add action=drop chain=forward comment="WiFi-Guest rule" in-interface=bridge-VLAN10 out-interface=bridge
add action=drop chain=forward comment="WiFi-Guest rule" in-interface=bridge out-interface=bridge-VLAN10
add action=drop chain=forward comment="Isolate port 2 from port 5" disabled=yes dst-address=172.16.1.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Isolate port 5 from port2" disabled=yes dst-address=192.168.1.0/24 src-address=172.16.1.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all other forward"
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.0.0/24 new-mss=1350 passthrough=yes protocol=tcp src-address=192.168.1.0/24 tcp-flags=syn tcp-mss=!0-1350
add action=change-mss chain=forward new-mss=1440 out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1440
add action=mark-connection chain=prerouting disabled=yes dst-port=4569 new-connection-mark=VoIP-Conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=VoIP-Conn disabled=yes new-packet-mark=VoIP-Pkt passthrough=no
add action=mark-packet chain=forward connection-mark=rtp-connection disabled=yes new-packet-mark=RTP passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="port forward openVPN port to Zentyal" dst-port=1194 protocol=udp to-addresses=192.168.1.1 to-ports=1194
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=80
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=peer1
/ip ipsec policy
add dst-address=192.168.0.0/24 peer=peer1 proposal=user src-address=192.168.1.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/23,172.16.1.0/24
set ssh address=192.168.0.0/23
set api disabled=yes
set winbox address=192.168.0.0/23
set api-ssl disabled=yes
/ppp secret
add name=vpn profile=l2tp-bridge service=l2tp
add name=isipos profile=l2tp-bridge service=l2tp
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system ntp client
set enabled=yes primary-ntp=84.2.46.19 secondary-ntp=148.6.0.1 server-dns-names=8.8.8.8
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-limit=2048KiB file-name=rsync3.pcap memory-limit=2048KiB

I'm not sure this problem can be solved. Because I think the packet passes through the same WAN interface from the Internet and through the Office IPSec / L2TP VPN, and if I set up a port redirection on the firewall to the web server, all http and https requests are sent to the web server and the database server will be out of reach from the office. But I may be wrong … Please confirm or disprove this.

When connecting to the database server from the office, what do you use as the destination address? Is it its internal 192.168.1.1? If so (and that would be correct), then it's coming to your router via the tunnel, so it's not the same incoming interface as when something is connecting to your public address.

Another thing, you don't have just L2TP/IPSec, you also have a policy-based IPSec tunnel. So that makes sense, there is the same incoming interface for traffic from there. You can distinguish it using ipsec-policy=in,ipsec / ipsec-policy=in,none, but the better solution is to use the right dstnat rules. So instead of:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=80

Use either (if you have static public address):

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 dst-address=<your public address> protocol=tcp to-addresses=192.168.1.150

Or (if you don’t have static public address; it’s also the same rule that you claimed in first post to have):

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 dst-address-type=local protocol=tcp to-addresses=192.168.1.150
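The following is an added example, not code from the thread or from MikroTik: a small Python model of how the three dstnat variants above select traffic, covering both the earlier point that dst-address-type=local only matches addresses the router itself owns and the point that decapsulated policy-based IPsec traffic still arrives on the WAN interface. The interface lists, the router's address set and the three packets are constructed for the illustration (the public address is represented by the placeholder string Public_IP_Home), and the L2TP packet assumes an interface name l2tp-in1 that is not in the thread.

```python
# Added example (not from the forum thread): a toy model of RouterOS dstnat
# matching. It shows why `in-interface-list=WAN` also redirects office traffic
# that reaches 192.168.1.1 through the policy-based IPsec tunnel, while
# `dst-address=<public address>` and `dst-address-type=local` leave it alone.
# Everything below is constructed for the illustration; "Public_IP_Home" is a
# placeholder for the router's real public address.
from dataclasses import dataclass
from typing import Optional

# Addresses owned by the router itself (dst-address-type=local matches these).
ROUTER_LOCAL_ADDRESSES = {"Public_IP_Home", "192.168.1.254", "192.168.89.1", "172.16.1.1"}
# Interface lists as in the posted export; the L2TP interface is deliberately
# not a WAN member (the reply notes that adding it there would change the result).
INTERFACE_LISTS = {"WAN": {"ether1", "pppoe-out1"}}


@dataclass
class Packet:
    in_interface: str   # interface the packet is seen on after IPsec decapsulation
    dst_address: str
    dst_port: int
    protocol: str = "tcp"


@dataclass
class DstNatRule:
    to_address: str
    dst_port: int
    protocol: str = "tcp"
    in_interface_list: Optional[str] = None    # in-interface-list=WAN
    dst_address: Optional[str] = None          # dst-address=<public address>
    dst_address_type_local: bool = False       # dst-address-type=local

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol != self.protocol or pkt.dst_port != self.dst_port:
            return False
        if self.in_interface_list and pkt.in_interface not in INTERFACE_LISTS[self.in_interface_list]:
            return False
        if self.dst_address and pkt.dst_address != self.dst_address:
            return False
        if self.dst_address_type_local and pkt.dst_address not in ROUTER_LOCAL_ADDRESSES:
            return False
        return True


def apply_dstnat(rules, pkt: Packet) -> str:
    """First matching rule wins, as in the dstnat chain; returns the final destination."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to_address
    return pkt.dst_address


# Constructed packets: an internet visitor hitting the public address, an office
# client reaching the database server through the policy-based IPsec tunnel
# (decapsulated, so still seen on the WAN interface), and an office client
# arriving over the L2TP tunnel on its own ppp interface.
INTERNET_TO_WEB = Packet("pppoe-out1", "Public_IP_Home", 443)
OFFICE_IPSEC_TO_DB = Packet("pppoe-out1", "192.168.1.1", 443)
OFFICE_L2TP_TO_DB = Packet("l2tp-in1", "192.168.1.1", 443)  # hypothetical interface name

RULESETS = {
    "interface_list": [DstNatRule("192.168.1.150", 443, in_interface_list="WAN")],
    "static_address": [DstNatRule("192.168.1.150", 443, dst_address="Public_IP_Home")],
    "local_type":     [DstNatRule("192.168.1.150", 443, dst_address_type_local=True)],
}


def compare() -> dict:
    """Where each of the three packets ends up under each rule variant."""
    return {
        name: tuple(apply_dstnat(rules, p)
                    for p in (INTERNET_TO_WEB, OFFICE_IPSEC_TO_DB, OFFICE_L2TP_TO_DB))
        for name, rules in RULESETS.items()
    }


if __name__ == "__main__":
    for name, (web, ipsec_db, l2tp_db) in compare().items():
        print(f"{name:15s} internet->web: {web}  ipsec office->db: {ipsec_db}  l2tp office->db: {l2tp_db}")
```

Only the interface-list variant sends the tunnelled office connection to 192.168.1.150; the other two redirect just the packet addressed to the router's own public address, which is the behaviour the reply above describes.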

When I connect to the database server from the office I use https://192.168.1.1/service_name. The name depends on which service I need to connect to. For example …/SOGo, …/owncloud, etc.

If I enable the redirection of ports 80 and 443 (http and https) to the web server (192.168.1.150) in the firewall NAT, then I can't connect to http:// or https://192.168.1.1/service_name over the IPSec/L2TP VPN from the office to home.

The only common point is ether1, which is the WAN port … Both kinds of traffic, https (http) and IPSec / L2TP VPN, pass through it. Mikrotik will see it in the IPSec packet after unpacking it, but I don't know if the nat rule still applies to it …

You’re mixing L2TP/IPSec and policy-based IPSec. Your config has both.

Yes, I use a fixed IP address in both the office and at home.

I modified the port forwarding rules for ports 443 and 80 as described and enabled them. I can access the web server from the Internet and I can access the database server from the office via the IPSec / L2TP VPN. I hope it will work tomorrow …
I am asking whether I still need these firewall filter rules, because you previously suggested that I delete them:

add action=accept chain=input comment="accept traffic to Nethserver" dst-address=Public_IP_Home dst-port=443 protocol=tcp
add action=accept chain=input comment="accept traffic to Nethserver" dst-address=Public_IP_Home dst-port=80 protocol=tcp
add action=accept chain=forward comment="port forward to Nethserver" dst-address=192.168.1.150 dst-port=443 protocol=tcp
add action=accept chain=forward comment="port forward to Nethserver" dst-address=192.168.1.150 dst-port=80 protocol=tcp

Please explain this:

I just wanted to create an IPSec / L2TP VPN between the two sites and I don’t know how the mixed solution came about. Is this correct at all?

Thank you for your help.