Hi Guys,
I’m trying to get a SSTP server configuration that enables a remote SSTP VPN client to access LAN services, using the “Remote address” assigned by the router.
I have a working SSTP config, where the remote client gets assigned a remote address which is inside the LAN (All be it with a /32).
The issue I have is:
When the remote client connects to a service on the LAN (eg web, ssh whatever), the source address is the router’s WAN address! (The WAN address used as target for SSTP client to connect to.)
How do I get the remote user’s “Remote address” to be used as the from address when accessing local resources?
By fixing your srcnat rule(s). By default, router does not change any address. If your source address changes, it’s done by some srcnat/masquerade rule in “/ip firewall nat”.
Could you post an example how you would force the SSTP client to appear on LAN using the “Remote” address that has been assigned by the router when they log in.
I can’t find any reference or variation of src nat rule that would do that.
Essentially, I need sstp (Or any VPN client type accessing the LAN) to have a local LAN address. Ideally fixed per user, but not essential. This way I can lock down services to only talk to local addresses. ie: no access to the outside.
As I already wrote, no address is changed by default. If it changes for you, it’s because you added something extra. It’s some too broad srcnat rule, but I can’t know what exactly you have there. If you don’t see it, post it here and someone will probably tell you what exactly is the problem.