Web server on remote location via SSTP

One image is worth a thousand words:

I already have the two MikroTiks working together over an SSTP (server/client) tunnel, at different locations with different WAN IPs.
I took the web server to the shop for some hardware maintenance, and I need to test some things online.
Is there a way to forward all traffic and requests coming from the office network to the shop, as if the web server were still sitting in the office?
Let me know if more information is needed.
Thank you

Does ping from the office network reach this server's internal address? Does routing between the local subnets of the office and the shop work?

Let’s assume that the internal address of this server is 192.168.88.80. In that case, you need something like this on the office router:

/ip firewall nat add action=dst-nat chain=dstnat comment=WEB dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.80 to-ports=80

Спасибо братан!!

Yes. Routes were added when I set up the SSTP link, so I am able to ping the clients in the shop from the office network and the other way around.


OK, I just set up a TESTING instance with a plain Apache server on it, and I can access it at 192.168.88.2 from both the shop network and the office LAN.

I added this rule on the server Mikrotik in the office:
/ip firewall nat add action=dst-nat chain=dstnat comment=WEB dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.2 to-ports=80

I have a subdomain, cloud.mydomain.com, pointed to the office’s WAN IP.
I am trying to reach the new server through that domain and it does not get through. I tried with the WAN IP directly and got the same result.
I will also need the server's outbound traffic to leave through the office WAN IP, or the SSL certificate I need to get from Let's Encrypt will not work.
Thank you!!

This might help:
I masked the WAN IP addresses and any sensitive information left behind by `/export hide-sensitive file=somefile`.

Office config:


# jul/30/2022 14:53:59 by RouterOS 6.49.6
# software id = W0PA-KWSM
#
# model = CRS109-8G-1S-2HnD
# serial number = D54XXXXXXF6A
# Office router ("NCnet"): LAN 10.0.0.1/8 on bridge1, SSTP server on TCP 4430,
# L2TP/IPsec server, and the dst-nat rule (comment=WEB) that forwards Internet
# port-80 traffic to the shop web server across the SSTP tunnel.
/interface bridge
# proxy-arp on the LAN bridge: presumably so PPP clients addressed from
# l2tppool1 (inside the same /8 as the LAN) are reachable from bridge1 -- confirm
add arp=proxy-arp name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
    ssid=NCnet wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
# WPA2-PSK only (the shop profile still accepts wpa-psk as well)
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec profile
# the default profile still offers modp1024 and 3des (legacy choices);
# profile1 narrows encryption to aes-256 but sets no dh-group, so it keeps
# the default group
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,3des
add enc-algorithm=aes-256 name=profile1
/ip ipsec peer
# This entry is unreachable
add name=peer1 passive=yes profile=profile1
/ip ipsec proposal
# sha1 is still accepted next to sha256/sha512; lifetime=0s and pfs-group=none
# as exported -- NOTE(review): confirm this is intended for the L2TP/IPsec clients
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms="ae\
    s-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-\
    128-ctr,aes-128-gcm" lifetime=0s pfs-group=none
/ip pool
# LAN DHCP pool and a separate pool for PPP (L2TP) clients, both inside 10.0.0.0/8
add name=dhcp ranges=10.0.0.2-10.0.0.244
add name=l2tppool1 ranges=10.0.0.245-10.0.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
# vpn-prof is used by the L2TP secrets below; the SSTP secrets use the default profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=10.0.0.1 name=\
    vpn-prof remote-address=l2tppool1 use-upnp=no
set *FFFFFFFE change-tcp-mss=default dns-server=8.8.8.8 local-address=\
    10.0.0.1 remote-address=l2tppool1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
# "*D" is an unresolved interface id, i.e. a stale port entry for an
# interface that no longer exists; it can be removed
add bridge=bridge1 fast-leave=yes interface=*D
/interface l2tp-server server
# chap and mschap1 are still accepted here while the SSTP server below is
# mschap2-only; consider authentication=mschap2 for consistency
set authentication=chap,mschap1,mschap2 default-profile=vpn-prof enabled=yes \
    one-session-per-host=yes use-ipsec=yes
/interface list member
# only ether1 and bridge1 are in a list; the dynamic SSTP/L2TP tunnel
# interfaces belong to neither WAN nor LAN, which matters for the filter
# rules below that match on in-interface-list
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
# configured but not enabled in this export
set auth=sha1 certificate=server cipher=aes256 require-client-certificate=yes
/interface sstp-server server
# SSTP on TCP 4430 (see the "SSTP server nancy 4430" input rule), mschap2 only,
# AES forced, PFS on. No verify-client-certificate is exported, so clients are
# identified by username/password only
set authentication=mschap2 certificate=SERVER enabled=yes force-aes=yes pfs=\
    yes port=4430
/ip address
# the whole 10.0.0.0/8 is the LAN; the shop's static route for 10.0.0.0/8 via
# its SSTP client matches this
add address=10.0.0.1/8 interface=bridge1 network=10.0.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10h10m
/ip dhcp-client
# the WAN address is obtained by DHCP, so it can change; several dst-nat
# rules below are bound to a fixed dst-address
add disabled=no interface=ether1
/ip dhcp-server lease
# static leases; 10.0.0.11 is the host the fixed-address dst-nat rules point at
add address=10.0.0.10 mac-address=FC:A2:12:28:A8:4B server=dhcp1
add address=10.0.0.11 client-id=\
    ff:b5:5e:67:ff:0:2:0:0:ab:11:1e:36:a9:55:2a:9f:b4:bc mac-address=\
    00:A0:58:59:4F:61 server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/8 gateway=10.0.0.1 netmask=8
/ip dns
# the router answers DNS for clients; queries arriving from WAN are still
# dropped by the final "drop all not coming from LAN" input rule
set allow-remote-requests=yes
/ip firewall address-list
# only four entries are exported; the forward rule that uses this list is disabled
add address=43.230.209.0/24 comment=AFGHANISTAN list=CountryIPBlocks
add address=43.231.131.0/24 comment=AFGHANISTAN list=CountryIPBlocks
add address=197.157.204.0/22 comment=ZIMBABWE list=CountryIPBlocks
add address=197.221.224.0/19 comment=ZIMBABWE list=CountryIPBlocks
/ip firewall filter
# input: TCP 80/8443 from WAN are accepted towards the router itself. Port 80
# is currently caught first by the WEB dst-nat rule, and 8443/443 are only
# redirected while dst-address matches the fixed WAN IP; if the DHCP address
# changes, or the WEB rule is disabled, these ports reach the router's own
# services instead (www is not disabled under /ip service). Consider dropping
# 80 from this rule
add action=accept chain=input dst-port=80,8443 in-interface-list=WAN \
    protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=443 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Winbox (8291) is accepted from WAN on the input chain, i.e. router
# management is reachable from the Internet. Consider restricting this with a
# src-address-list or removing it and managing the router over the VPN
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=\
    tcp
add action=accept chain=input comment="SSTP server nancy 4430" dst-port=4430 \
    in-interface-list=WAN protocol=tcp
# L2TP/IPsec: L2TP, IKE, NAT-T and ESP from WAN
add action=accept chain=input dst-port=1701,500,4500 in-interface-list=WAN \
    protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# final input rule: the tunnel interfaces are not in LAN, so tunnel peers
# only reach the router itself via established/related and ICMP
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# fasttrack is disabled on this router (it is enabled on the shop router)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# only traffic arriving on the WAN list is filtered here; forwarded traffic
# arriving from the tunnel interfaces is not matched by this rule
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# country block, disabled
add action=drop chain=forward disabled=yes in-interface-list=WAN \
    src-address-list=CountryIPBlocks
/ip firewall nat
# forwards to 10.0.0.11 are bound to a fixed (masked) WAN address
add action=dst-nat chain=dstnat dst-address=2xx.xxx.xxx.xx9 dst-port=443 \
    protocol=tcp to-addresses=10.0.0.11 to-ports=443
# WEB: TCP 80 arriving on WAN is redirected to 192.168.88.2 at the shop, which
# is reached through the SSTP tunnel via the route pushed by the nctunelaxo
# secret below. The only srcnat rule in this export masquerades on
# out-interface-list=WAN, so packets sent into the tunnel keep the Internet
# client's source address and the shop server presumably answers via its own
# default route -- the handshake never completes. Add a srcnat rule for this
# path so the server sees 10.0.0.1 and replies back through the tunnel, e.g.
# (constructed example):
#   add action=masquerade chain=srcnat dst-address=192.168.88.2 dst-port=80 protocol=tcp
add action=dst-nat chain=dstnat comment=WEB dst-port=80 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.2 to-ports=80
add action=dst-nat chain=dstnat dst-address=2xx.xxx.xxx.xx9 dst-port=8443 \
    protocol=tcp to-addresses=10.0.0.11 to-ports=8443
# previous port-80 forward to 10.0.0.11, disabled in favour of WEB
add action=dst-nat chain=dstnat disabled=yes dst-address=2xx.xxx.xxx.xx9 \
    dst-port=80 protocol=tcp to-addresses=10.0.0.11 to-ports=80
# masquerade only towards WAN; nothing is source-natted towards the tunnels
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
# telnet/ftp/ssh are off; www, winbox and api are not listed, so presumably
# still at their defaults
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ppp secret
# each secret is tied to one service; the two SSTP secrets push a static route
# for the remote site's LAN when that site connects
add local-address=10.0.0.1 name=ncvpn profile=vpn-prof remote-address=\
    10.0.0.252 service=l2tp
add name=axtest profile=vpn-prof service=l2tp
add local-address=10.0.0.1 name=nctunelaxo remote-address=10.0.0.2 routes=\
    "192.168.88.0/24 10.0.0.2 1" service=sstp
add local-address=10.0.0.1 name=nctunelnancy remote-address=10.0.0.3 routes=\
    "192.168.90.0/24 10.0.0.3 1" service=sstp
/system clock
set time-zone-name=America/New_York
/system identity
set name=NCnet
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29

shop router:


# jul/30/2022 15:05:52 by RouterOS 6.49.6
# software id = Q0V4-43P8
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7DXXXXXDCB
# Shop router: LAN 192.168.88.0/24, SSTP client (sstp-out1) towards the
# office, an IKEv2 road-warrior server on 192.168.90.0/24, and a set of
# port forwards to 192.168.88.100.
/interface bridge
add admin-mac=CC:4D:A0:D4:52:54 auto-mac=no comment=defconf name=bridge
# bridge-loopback only carries the 192.168.90.0/24 address used by the IKEv2 pool
add name=bridge-loopback
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
# wlan1 has default-forwarding=no (clients cannot talk to each other through
# the AP); wlan2 does not set it -- confirm whether that is intended
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    default-forwarding=no disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=MikroSSID station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=MikroSSID-5G station-roaming=enabled wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# wpa-psk (WPA1) is still accepted next to WPA2; the office profile is
# wpa2-psk only -- consider dropping wpa-psk
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec policy group
add name=group.vpn.ike2
/ip ipsec profile
# IKEv2 profile: modp2048 preferred but modp1024 still offered
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name=profile.vpn.ike2
/ip ipsec peer
# passive IKEv2 responder bound to the (masked) WAN address
add exchange-mode=ike2 local-address=2xx.xxx.xxx.xx2 name=peer2xx.xxx.xxx.xx2 \
    passive=yes profile=profile.vpn.ike2
/ip ipsec proposal
# sha1 still accepted; no PFS for child SAs
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    name=proposal.vpn.ike2 pfs-group=none
/ip kid-control
add name=mam
/ip pool
# NOTE(review): 192.168.88.2 (the test Apache host) lies inside this DHCP
# pool; if that host is configured statically, give it a static lease or
# exclude it from the pool to avoid an address conflict
add name=dhcp ranges=192.168.88.2-192.168.88.254
# 192.168.90.0/24 is also the subnet the office pushes towards its
# nctunelnancy SSTP peer -- confirm the two uses never overlap in routing
add name=pool.vpn.ike2 ranges=192.168.90.2-192.168.90.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip ipsec mode-config
# full-tunnel for IKEv2 clients (split-include=0.0.0.0/0). static-dns points
# to 192.168.90.1, but the only 192.168.90.x address on this router (under
# /ip address) is 192.168.90.0 -- verify VPN clients can actually resolve
add address-pool=pool.vpn.ike2 address-prefix-length=32 name=\
    modeconf.vpn.ike2 split-dns="" split-include=0.0.0.0/0 static-dns=\
    192.168.90.1 system-dns=no
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.88.1 \
    remote-address=dhcp
/interface sstp-client
# SSTP client towards the office server (TCP 4430), user nctunelaxo. No
# verify-server-certificate=yes is exported (default is no), so the office
# certificate is not checked before the MS-CHAPv2 exchange; enable it with the
# office CA imported to close the man-in-the-middle gap. NOTE(review): the
# connect-to address was not masked like the other WAN addresses in this post.
# http-proxy=0.0.0.0:4430 appears unused
add authentication=mschap2 connect-to=216.215.129.149:4430 disabled=no \
    http-proxy=0.0.0.0:4430 name=sstp-out1 pfs=yes profile=default-encryption \
    user=nctunelaxo
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface bridge settings
# bridged LAN-to-LAN traffic also passes the IP firewall (needed by the
# "Client Isolation" forward rule below)
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# not enabled; only use-ipsec is set
set use-ipsec=yes
/interface list member
# sstp-out1 is in neither list; see the in-interface-list matches below
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
# configured but no enabled=yes is exported, so this server is off
set authentication=mschap2 default-profile=default-encryption force-aes=yes \
    pfs=yes
/ip address
# NOTE(review): the LAN address sits on ether2, which is also a port of
# "bridge" (the DHCP server and LAN list use the bridge itself) -- confirm
# this address is actually active rather than flagged invalid
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
# the network address itself is assigned here, presumably as a routing anchor
# for the IKEv2 pool
add address=192.168.90.0/24 interface=bridge-loopback network=192.168.90.0
/ip cloud
set ddns-update-interval=30m
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# NOTE(review): servers=192.168.88.1 is this router's own LAN address; unless
# the dhcp-client on ether1 supplies upstream servers, this looks circular --
# verify what resolution actually uses
set servers=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
# used only by the (disabled) "Client Isolation" rule
add address=192.168.88.10-192.168.88.255 list=client
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# IKE and NAT-T for the IKEv2 responder above, accepted from any interface
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
# TCP 443 to the router is accepted from any interface, but the sstp-server in
# this export is not enabled and www is disabled under /ip service, so this
# rule currently serves nothing; consider disabling it until it is needed
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=forward comment="LUNA TABLET BLOCK" disabled=yes \
    src-mac-address=1C:93:C4:B4:EF:29
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# sstp-out1 is not in LAN, so the office side only reaches this router itself
# via established/related and ICMP
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# fasttrack enabled: fasttracked packets skip the remaining forward rules
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# only the WAN list is filtered; new connections arriving from sstp-out1
# (including the office's dst-natted web traffic) are forwarded to the LAN
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=reject chain=forward comment="Client Isolation" disabled=yes \
    dst-address-list=client reject-with=icmp-network-unreachable \
    src-address-list=client
add action=drop chain=forward comment="Stop internet" disabled=yes hotspot="" \
    out-interface=!all-wireless time=\
    15h47m-15h48m,sun,mon,tue,wed,thu,fri,sat
/ip firewall nat
# port forwards to 192.168.88.100, all bound to a fixed (masked) WAN address
# even though ether1 is a dhcp-client. RDP (4000), iperf (5201) and SSH
# (4022->22) are reachable from any Internet source; consider a
# src-address-list restriction or reaching them over the VPN instead
add action=dst-nat chain=dstnat dst-address=2xx.xxx.xxx.xx2 dst-port=443 \
    protocol=tcp to-addresses=192.168.88.100 to-ports=443
add action=dst-nat chain=dstnat dst-address=2xx.xxx.xxx.xx2 dst-port=80 \
    protocol=tcp to-addresses=192.168.88.100 to-ports=80
add action=dst-nat chain=dstnat comment="RDP Externo" dst-address=\
    2xx.xxx.xxx.xx2 dst-port=4000 protocol=tcp src-port="" to-addresses=\
    192.168.88.100 to-ports=4000
add action=dst-nat chain=dstnat comment="iperf tests" dst-address=\
    2xx.xxx.xxx.xx2 dst-port=5201 protocol=tcp to-addresses=192.168.88.100 \
    to-ports=5201
add action=dst-nat chain=dstnat comment="SSH Externo" dst-address=\
    2xx.xxx.xxx.xx2 dst-port=4022 protocol=tcp to-addresses=192.168.88.100 \
    to-ports=22
# masquerade towards WAN, excluding IPsec-policed traffic
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# masquerades LAN sources on any out-interface, so shop->office traffic
# entering sstp-out1 presumably appears from the tunnel address rather than
# 192.168.88.x -- confirm this is intended
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.88.0/24
# disabled netmap of port 80 to 192.168.88.89
add action=netmap chain=dstnat disabled=yes dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.88.89 to-ports=80
# disabled: src-port=80/443 only matches clients sending from those source
# ports, which normal browsers do not -- presumably why these were turned off
add action=dst-nat chain=dstnat comment=HTTP:80 disabled=yes dst-address=\
    2xx.xxx.xxx.xx2 dst-port=80 protocol=tcp src-port=80 to-addresses=\
    192.168.88.100 to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS:443 disabled=yes dst-address=\
    2xx.xxx.xxx.xx2 dst-port=443 protocol=tcp src-port=443 to-addresses=\
    192.168.88.100 to-ports=443
/ip ipsec policy
# template policy for the IKEv2 road-warrior clients
add dst-address=192.168.90.0/24 group=group.vpn.ike2 proposal=\
    proposal.vpn.ike2 src-address=0.0.0.0/0 template=yes
/ip route
# the whole office /8 is reached through the SSTP tunnel
add distance=1 dst-address=10.0.0.0/8 gateway=sstp-out1
/ip service
# telnet and www are off; ftp, ssh and api are not listed, so presumably still
# at their defaults (the office router also disables ftp and ssh)
set telnet disabled=yes
set www disabled=yes
/ip smb
# NOTE(review): the smb "enabled" flag is not exported; the user below has
# write access -- confirm the share is really meant to be on
set allow-guests=no domain=casaSSD
/ip smb users
add name=casa read-only=no
/system clock
set time-zone-name=America/New_York
/tool mac-server
# MAC-level access limited to the LAN list
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

You definitely need BOTH a DNAT and a source NAT, because the reply packets from your web server at the shop must not be addressed to a public IP, or they will be routed out of the SHOP’s own Internet uplink. “Shop WAN 100.x.x.x” = Internet, right?
You can also perform the source NAT on the SHOP router, so why not src-nat the packets coming in from the SSTP tunnel that are directed at 192.168.88.2 on TCP/443?

The reason your test works from the “Office LAN” is of course that that traffic carries a 10.0.0.0 source address and your routing is OK.