Hi,
I’m experiencing trouble with configuring port forwarding through a VPN.
Here is the setup

I want to be able to access the webserver on the webcam via the router VPN IP using port 82.
Here is the result of /ip firewall export
# may/23/2018 14:17:33 by RouterOS 6.40.4
# software id = V0YQ-PIAD
# model = RouterBOARD wAP R-2nD
/ip firewall filter
add action=accept chain=input comment="Accept established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN access to router and Internet" in-interface=bridge
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Accept established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge
add action=accept chain=forward comment="Accept Port forwards" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other forward"
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.99.99.2 log=yes log-prefix=CAM protocol=tcp src-port=82 to-addresses=192.168.88.15 to-ports=80
add action=masquerade chain=srcnat out-interface=ovpn-out1 src-address=192.168.88.15 to-addresses=10.99.99.2
add action=dst-nat chain=dstnat dst-address=10.99.99.2 dst-port=82 protocol=udp to-addresses=192.168.88.15 to-ports=80
Hi, what kind of VPN are you configuring?
Hi, the VPN server is an OpenVPN one and is hosted on the pfSense machine.
The VPN configuration is working since I can log on to the WebFig through the IP 10.99.99.2
I changed the NAT rules and it’s working now.
Here is the updated export
# may/23/2018 16:37:09 by RouterOS 6.40.4
# software id = V0YQ-PIAD
#
# model = RouterBOARD wAP R-2nD
# serial number = 86C407807850
/ip firewall filter
add chain=input comment="Accept established and related packets" connection-state=established,related
add chain=input comment="Accept all connections from local network" in-interface-list=LAN
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface-list=WAN src-address-list=\
    NotPublic
add chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface-list=WAN \
    src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic \
    in-interface-list=LAN
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface-list=LAN src-address=\
    !192.168.88.0/24
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related in-interface=ovpn-out1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.99.99.2 dst-port=82 protocol=tcp to-addresses=192.168.88.15 to-ports=80
add action=masquerade chain=srcnat out-interface=ovpn-out1
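
Added example, not part of the original posts: comparing the two exports above, the first TCP dst-nat rule matched on src-port=82, while the working one matches on dst-port=82. The Python sketch below parses the NAT section of a RouterOS export and flags that pattern, plus dst-nat rules with no port or no address/interface scope; the function names and finding codes are hypothetical, and the sample text is the NAT section copied from the thread.

```python
import shlex

# NAT sections copied from the two exports in this thread.
BEFORE = """/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.99.99.2 log=yes log-prefix=CAM protocol=tcp src-port=82 to-addresses=192.168.88.15 to-ports=80
add action=masquerade chain=srcnat out-interface=ovpn-out1 src-address=192.168.88.15 to-addresses=10.99.99.2
add action=dst-nat chain=dstnat dst-address=10.99.99.2 dst-port=82 protocol=udp to-addresses=192.168.88.15 to-ports=80
"""
AFTER = """/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.99.99.2 dst-port=82 protocol=tcp to-addresses=192.168.88.15 to-ports=80
add action=masquerade chain=srcnat out-interface=ovpn-out1
"""

def parse_rules(export_text):
    """Parse export text into (section, params) tuples, one per 'add' line."""
    rules, section, pending = [], None, ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # the export wraps long lines with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted comment="..." values whole
            rules.append((section, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules

def lint_dstnat(export_text):
    """Return (nat_rule_index, code) findings for dst-nat rules."""
    findings = []
    nat = [p for s, p in parse_rules(export_text) if s == "/ip firewall nat"]
    for i, p in enumerate(nat):
        if p.get("action") != "dst-nat":
            continue
        if "src-port" in p and "dst-port" not in p:
            # Clients connect from ephemeral source ports, so this rarely matches.
            findings.append((i, "src-port-only"))
        elif "dst-port" not in p:
            findings.append((i, "all-ports"))  # forwards every port of the protocol
        if not {"dst-address", "in-interface", "in-interface-list"} & p.keys():
            findings.append((i, "unscoped"))   # matches traffic arriving on any interface
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_dstnat(text))
```
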
I’m having trouble configuring port forwarding over SSTP VPN.
I will use the colleague’s example.

I want to access the camera through the public address 4.3.2.1 (for example) on port 8085.