fizzyade
just joined
Topic Author
Posts: 5
Joined: Thu Feb 16, 2017 12:20 pm

VPN Issues

Thu Feb 16, 2017 12:30 pm

Hi Guys,

I bit the bullet and went with a Mikrotik router and it's been working brilliantly, love it.

However, I need a little bit of advice. I have a VPN server which runs on a Synology NAS on my LAN, which is on 192.168.0.2.

I created a rule in the NAT:

/ip firewall nat
add action=dst-nat chain=dstnat comment=VPN dst-port=500,4500,1701 protocol=\
udp to-addresses=192.168.0.2

so that I can access the VPN from outside, works great.

However, I just tried to connect to my office VPN and it wouldn't connect, and it would appear to be because of this rule: if I disable the rule then I can connect to my office VPN using L2TP/IPsec, but obviously the forward is then missing to allow me to connect to my VPN externally.

Any ideas on how I can have both working?

I'm slowly learning the bits and bobs of the RouterOS and it can do so much, I have loads of stuff set up on it already which I couldn't do with my old router.

Thanks guys.
 
erlinden
Member Candidate
Posts: 174
Joined: Wed Jun 12, 2013 1:59 pm

Re: VPN Issues

Thu Feb 16, 2017 1:27 pm

Assuming you are using a domain name, I would resolve the name internally to the NAS and externally to your public IP. Still a bit puzzled why one would like to use a VPN on an internal network.
 
fizzyade
just joined
Topic Author
Posts: 5
Joined: Thu Feb 16, 2017 12:20 pm

Re: VPN Issues

Thu Feb 16, 2017 1:38 pm

Assuming you are using a domain name, I would resolve the name internally to the NAS and externally to your public IP. Still a bit puzzled why one would like to use a VPN on an internal network.

I'm not running a VPN on the internal network; my VPN server is on the internal network.

I'm not using the built-in server on the Mikrotik because it was very slow at logging in for some reason, whereas the Synology VPN server is and has always been very quick, hence why the ports are forwarded.

Edit:

I think what I'm missing is some sort of state based rule, so if the UDP packet on one of those ports went out then it needs to go back to that client rather than to my default rule.
Last edited by fizzyade on Thu Feb 16, 2017 1:50 pm, edited 1 time in total.
 
nescafe2002
Long time Member
Posts: 629
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: VPN Issues

Thu Feb 16, 2017 1:46 pm

You should limit your dstnat rule to incoming connections from WAN side to your router's address.

Add in-interface=ether1-gateway (wan interface name) and/or dst-address-type=local to your rule.
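To see why the unrestricted rule breaks outbound L2TP/IPsec from the LAN, here is a small added simulation (not from this thread or from RouterOS) of the dstnat rule with and without the two restrictions suggested above. The interface name ether1-gateway and the NAS address come from the thread; the LAN bridge name, router addresses and sample packet addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int

# Constructed addresses: the router's own WAN and LAN addresses (for dst-address-type=local).
ROUTER_ADDRS = {"203.0.113.10", "192.168.0.1"}
VPN_SERVER = "192.168.0.2"          # the Synology NAS from the thread
VPN_PORTS = {500, 4500, 1701}       # IKE, NAT-T, L2TP

def rule_matches(pkt, in_interface=None, dst_address_type=None):
    """Emulate 'chain=dstnat protocol=udp dst-port=500,4500,1701' with optional restrictions."""
    if pkt.proto != "udp" or pkt.dport not in VPN_PORTS:
        return False
    if in_interface is not None and pkt.in_iface != in_interface:
        return False
    if dst_address_type == "local" and pkt.dst not in ROUTER_ADDRS:
        return False
    return True

def dstnat(pkt, **restrictions):
    """Destination after the dstnat chain: rewritten to the NAS if the rule matched, else unchanged."""
    return VPN_SERVER if rule_matches(pkt, **restrictions) else pkt.dst

# Constructed sample packets.
# 1) A remote road-warrior client hitting the router's public address: this one SHOULD reach the NAS.
INBOUND = Packet("ether1-gateway", "198.51.100.7", "203.0.113.10", "udp", 4500)
# 2) A LAN laptop starting IKE towards the office VPN: this one must NOT be redirected to the NAS.
OUTBOUND = Packet("bridge-lan", "192.168.0.50", "192.0.2.20", "udp", 500)

def compare():
    """Where each packet ends up under the original rule and under each suggested restriction."""
    return {
        "original":     (dstnat(INBOUND), dstnat(OUTBOUND)),
        "in_interface": (dstnat(INBOUND, in_interface="ether1-gateway"),
                         dstnat(OUTBOUND, in_interface="ether1-gateway")),
        "dst_local":    (dstnat(INBOUND, dst_address_type="local"),
                         dstnat(OUTBOUND, dst_address_type="local")),
    }

if __name__ == "__main__":
    for name, (inbound_to, outbound_to) in compare().items():
        print(f"{name:13s} inbound -> {inbound_to:12s} outbound -> {outbound_to}")
```

Under the original rule the LAN laptop's IKE packet is rewritten to 192.168.0.2, so the office VPN never sees it; with either restriction it keeps its real destination while the inbound client is still forwarded.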
 
fizzyade
just joined
Topic Author
Posts: 5
Joined: Thu Feb 16, 2017 12:20 pm

Re: VPN Issues

Thu Feb 16, 2017 2:20 pm

You should limit your dstnat rule to incoming connections from WAN side to your router's address.

Add in-interface=ether1-gateway (wan interface name) and/or dst-address-type=local to your rule.
Thank you! That solved it, that makes sense.

Just to be clear (for my own knowledge): without the ether1 restriction it was forwarding all packets regardless of whether they originated from the LAN. When I limited it to ether1, only packets that originated from the WAN (by that I mean didn't have a tracked state, as we're dealing with UDP) would be forwarded to the VPN server, and any connection which came from the LAN going out (but back in on the same port) would head to the correct destination inside the LAN.

Incidentally, this has also fixed the Wi-Fi calling on my phone, which broke when I enabled my VPN. I actually fudged a rule in (above my VPN rule) which checked the IP and, if it was from my cellular network provider, routed to the correct device on the LAN. So that bodge rule is no longer needed!

Thank you so much!
