
Static NAT from external seems to hijack VPN traffic on same port

Posted: Thu Oct 29, 2015 10:40 pm
by cliffdike
I’ve got a VPN (IPSec Site to Site) setup between two offices and it works great. I also have a static NAT (port forward) on the external interface of my office for port 9100 that works as expected.
External if: forward 9100 to 10.0.0.151 on LAN for remote printing.
There is another printer located at 10.0.0.152 on the lan.
The server on the other end of the IPSec tunnel (192.168.1.111) sends traffic to 10.0.0.152:9100 and the router directs it to 10.0.0.151:9100
I’m baffled. I’ll post my config here after I sanitize it.

Re: Static NAT from external seems to hijack VPN traffic on same port

Posted: Fri Oct 30, 2015 9:56 pm
by cliffdike
	# oct/29/2015 17:41:23 by RouterOS 6.32.2
	# software id = TDAR-4EY2
	#
	/interface bridge
	add admin-mac=E4:8D:8C:29:A1:C5 auto-mac=no name=bridge-local
	/interface ethernet
	set [ find default-name=ether1 ] name=ether1-gateway
	set [ find default-name=ether2 ] name=ether2-master-local
	set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
	set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
	set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
	set [ find default-name=ether6 ] name=ether6-master-local
	set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
	set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
	set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
	set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
	/ip neighbor discovery
	set ether1-gateway discover=no
	/ip ipsec proposal
	set [ find default=yes ] enc-algorithms=3des lifetime=8h pfs-group=none
	/ip pool
	add name=default-dhcp ranges=192.168.88.10-192.168.88.254
	/interface bridge port
	add bridge=bridge-local interface=ether2-master-local
	add bridge=bridge-local interface=ether6-master-local
	add bridge=bridge-local interface=sfp1
	/ip address
	add address=10.0.0.100/24 comment="default configuration" interface=bridge-local network=10.0.0.0
	add address=x.x.x.93/29 interface=ether1-gateway network=x.x.x.88
	/ip dhcp-client
	add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
	/ip dhcp-server network
	add address=10.0.0.0/24 comment="default configuration" gateway=10.0.0.100 netmask=24
	/ip dns
	set allow-remote-requests=yes servers=8.8.8.8,75.75.75.75
	/ip dns static
	add address=10.0.0.100 name=router
	/ip firewall filter
	add chain=input comment="default configuration" protocol=icmp
	add chain=input comment="default configuration" connection-state=established,related
	add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
	add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
	add chain=forward comment="default configuration" connection-state=established,related
	add action=drop chain=forward comment="default configuration" connection-state=invalid
	add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
	/ip firewall nat
	add chain=srcnat dst-address=192.168.1.0/24 log=yes log-prefix=IPSEC-OUT src-address=10.0.0.0/24
	add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
	add action=dst-nat chain=dstnat dst-port=9100 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=10.0.0.151 to-ports=9100
	/ip ipsec peer
	# Unsafe configuration, suggestion to use certificates
	add address=x.x.x.162/32 enc-algorithm=3des exchange-mode=aggressive lifetime=8h nat-traversal=no secret=xxxxxxxxxxxxx
	/ip ipsec policy
	add dst-address=192.168.1.0/24 sa-dst-address=x.x.x.162 sa-src-address=x.x.x.93 src-address=10.0.0.0/24 tunnel=yes
	/ip route
	add distance=1 gateway=x.x.x.94
	add distance=1 dst-address=192.168.1.0/24 gateway=ether1-gateway
	/lcd
	set default-screen=informative-slideshow
	/system clock
	set time-zone-name=America/Los_Angeles
	/tool mac-server
	set [ find default=yes ] disabled=yes
	add interface=ether2-master-local
	add interface=ether3-slave-local
	add interface=ether4-slave-local
	add interface=ether5-slave-local
	add interface=ether6-master-local
	add interface=ether7-slave-local
	add interface=ether8-slave-local
	add interface=ether9-slave-local
	add interface=ether10-slave-local
	add interface=sfp1
	add interface=bridge-local
	/tool mac-server mac-winbox
	set [ find default=yes ] disabled=yes
	add interface=ether2-master-local
	add interface=ether3-slave-local
	add interface=ether4-slave-local
	add interface=ether5-slave-local
	add interface=ether6-master-local
	add interface=ether7-slave-local
	add interface=ether8-slave-local
	add interface=ether9-slave-local
	add interface=ether10-slave-local
	add interface=sfp1
	add interface=bridge-local


Re: Static NAT from external seems to hijack VPN traffic on same port

Posted: Fri Oct 30, 2015 9:58 pm
by cliffdike
Log
13:57:55 firewall,info dstnat: in:ether1-gateway out:(none), src-mac 76:54:7d:91:5d:0a, proto TCP (SYN), 192.168.1.111:36078->10.0.0.152:9100, len 60 
13:57:55 firewall,info IPSEC-IN srcnat: in:(none) out:bridge-local, src-mac 76:54:7d:91:5d:0a, proto TCP (SYN), 192.168.1.111:36078->10.0.0.151:9100, NAT 192.168.1.111:36078->(10.0.0.152:9100->10.0.0.151:9100), len 60 
13:57:59 firewall,info dstnat: in:ether1-gateway out:(none), src-mac 76:54:7d:91:5d:0a, proto TCP (SYN), 192.168.1.111:36079->10.0.0.152:9100, len 60 
13:57:59 firewall,info IPSEC-IN srcnat: in:(none) out:bridge-local, src-mac 76:54:7d:91:5d:0a, proto TCP (SYN), 192.168.1.111:36079->10.0.0.151:9100, NAT 192.168.1.111:36079->(10.0.0.152:9100->10.0.0.151:9100), len 60 

Re: Static NAT from external seems to hijack VPN traffic on same port

Posted: Sat Oct 31, 2015 10:23 pm
by troffasky
At a guess, I would say that your inbound NAT rule for the printer is not specific enough.

Re: Static NAT from external seems to hijack VPN traffic on same port

Posted: Mon Nov 02, 2015 9:52 am
by scampbell
Add your WAN address as the dst-address (not the to-address) of your NAT rule. Specifying just the incoming interface will catch IPSec traffic as well as Internet traffic.
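As an added example (not code from the thread or from cliffdike's router), here is the posted port-forward rule next to two narrower forms that do what scampbell describes. The addresses, interface names and port are taken from the config above; x.x.x.93 is the sanitised WAN address placeholder from that config, and the comment strings and rule order are my own choices.

```routeros
# Added example, not part of the original thread.
# Why the original rule over-matches: a packet that arrives inside the
# IPsec tunnel is decrypted and then re-enters the packet flow with
# in-interface=ether1-gateway, so a dstnat rule that matches only on
# in-interface + dst-port also rewrites tunnel traffic such as
# 192.168.1.111 -> 10.0.0.152:9100 (as the posted log shows).

/ip firewall nat

# Original rule from the posted config (too broad), kept for comparison:
# add action=dst-nat chain=dstnat dst-port=9100 in-interface=ether1-gateway \
#     protocol=tcp to-addresses=10.0.0.151 to-ports=9100

# Optional guard, listed first so it is evaluated first: an accept in the
# dstnat chain stops NAT processing for site-to-site traffic entirely.
add action=accept chain=dstnat comment="no dst-nat for site-to-site traffic" \
    src-address=192.168.1.0/24 dst-address=10.0.0.0/24

# Fix 1: match on the public address the Internet client actually hits.
# Tunnel traffic is addressed to 10.0.0.x, so it can no longer match.
add action=dst-nat chain=dstnat comment="printer 9100 from Internet only" \
    dst-address=x.x.x.93 dst-port=9100 in-interface=ether1-gateway \
    protocol=tcp to-addresses=10.0.0.151 to-ports=9100

# Fix 2 (alternative to Fix 1, use one or the other): match only packets
# that were NOT decrypted by an IPsec policy. This does not depend on the
# WAN address, which helps when ether1-gateway gets its address by DHCP.
# add action=dst-nat chain=dstnat comment="printer 9100, skip IPsec traffic" \
#     dst-port=9100 in-interface=ether1-gateway ipsec-policy=in,none \
#     protocol=tcp to-addresses=10.0.0.151 to-ports=9100
```

To confirm the change took effect, keep log=yes on the dst-nat rule for a while: the `dstnat:` log lines should now only show Internet-sourced connections, and none with src 192.168.1.111. Note that connection tracking keeps the NAT mapping of already-established flows until they time out, so test with a fresh connection from the remote server rather than an existing one.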