I got a request from a friend that is using an RB951G-2HnD MikroTik to help with the configuration to allow access to his application hosted in the machine through VPN IPsec site-to-site. But I am coming from Layer 2 world with Layer 3 awareness + never really used MikroTik devices so I want to make sure that I understand the topic well before I recommend doing something. You may wonder why I put 1:1 NAT in the topic name but talking about VPN so let me explain:
FYI, I am posting changed IPs, interface names, etc. for security reasons.
They have the following interfaces configured:
ether1-WAN
ether2-LAN
ether3-WAN2
WAN1 and WAN2 are fed from two different ISP vendors where "1" is active and "2" is standby (failover).
The local machine is within the LAN network and has an IP 192.168.2.2. The whole LAN subnet is defined by 192.168.2.0/24.
The VPN provider informed that they cannot build the connection as they are already using the 192.168.2.0/24 network and asked if the NAT 1:1 can be performed to translate this local machine.
They proposed using the 172.16.9.224/29 network and port 64123. Then they will build VPN IPsec Site-to-Site where the LAN Address Pool will be 172.16.9.224/29 on the user side and 172.16.224.0/24 on the VPN Provider side.
Let's say we want to map the 192.168.2.2 to 172.16.9.225. So based on the official wiki the correct commands in this case would be:
/ip firewall nat add chain=dstnat dst-address=172.16.9.225 dst-port=64123 protocol=tcp action=netmap to-addresses=192.168.2.2 to-ports=64123
/ip firewall nat add chain=srcnat src-address=192.168.2.2 dst-port=64123 protocol=tcp action=netmap to-addresses=172.16.9.225 to-ports=64123
Please let me know if I am missing anything important here and feel free to shoot me with any docs/video/examples.
So far I have been reading this wiki.
Appreciate your help. Thanks.
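As an added example (not from the original post and not MikroTik's own documentation), the same 192.168.2.2 to 172.16.9.225 mapping written out as a fuller RouterOS v6 rule set. It assumes the provider's side of the tunnel is 172.16.224.0/24 (as stated above), that the router already has a masquerade rule on ether1-WAN, and that the IPsec peer, identity and proposal are configured separately; the address-list name `vpn-remote` and the placeholder values in angle brackets are assumptions. The point it adds beyond the two rules above: both netmap rules are restricted to the remote subnet so the mapping applies only to tunnel traffic, and the WAN masquerade is prevented from rewriting packets bound for the remote subnet, because in RouterOS src-nat runs before IPsec policy matching and a masqueraded packet would never match the 172.16.9.224/29 policy.

```routeros
# Added example, not from the original post. Assumes RouterOS v6, an existing
# masquerade rule on ether1-WAN, and a separately configured IPsec peer/identity/proposal.

# Remote (provider) side of the tunnel, taken from the post: 172.16.224.0/24
/ip firewall address-list
add list=vpn-remote address=172.16.224.0/24 comment="provider side of IPsec tunnel"

/ip firewall nat
# Inbound from the tunnel: 172.16.9.225:64123 -> 192.168.2.2:64123.
# Scoped to the remote subnet so nothing from the Internet can use the mapping.
add chain=dstnat src-address-list=vpn-remote dst-address=172.16.9.225 \
    protocol=tcp dst-port=64123 action=netmap to-addresses=192.168.2.2 to-ports=64123 \
    comment="1:1 map app host (inbound over VPN)"

# Outbound from the app host toward the tunnel: 192.168.2.2 -> 172.16.9.225.
# Replies to inbound connections are reversed by connection tracking; this rule
# only matters for connections the app host itself opens toward the provider.
add chain=srcnat src-address=192.168.2.2 dst-address-list=vpn-remote \
    action=netmap to-addresses=172.16.9.225 \
    comment="1:1 map app host (outbound over VPN)"

# Keep the WAN masquerade from touching tunnel traffic: packets to the remote
# subnet must leave with a 172.16.9.224/29 source or the IPsec policy never matches.
# Rules are evaluated top to bottom, so this must sit above the masquerade rule.
add chain=srcnat dst-address-list=vpn-remote action=accept \
    comment="do not masquerade IPsec traffic"

# Existing masquerade rule, shown only for ordering (assumed already present).
add chain=srcnat out-interface=ether1-WAN action=masquerade

# Policy for the tunnel, using the address pools the provider proposed.
# <PEER-NAME> and <PROPOSAL-NAME> are placeholders for the separately created peer/proposal.
/ip ipsec policy
add src-address=172.16.9.224/29 dst-address=172.16.224.0/24 tunnel=yes \
    action=encrypt peer=<PEER-NAME> proposal=<PROPOSAL-NAME> \
    comment="site-to-site to VPN provider"
```

After adding the rules, `/ip firewall nat print` should list the two netmap rules and the accept rule above the masquerade rule; if the masquerade rule ends up first, move it down with `/ip firewall nat move`. A useful check once the tunnel is up is `/ip firewall connection print where dst-address~"172.16.9.225"`, which shows inbound sessions arriving at the mapped address together with their translated 192.168.2.2 reply address.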