zeeh1975

Looking for help on NAT rule

Fri Apr 23, 2021 6:19 pm


Context: I have two VMs, one with Windows Server 2019 (Public IP xxx.xxx.100.23, Private IP 10.20.30.3) and one with a MikroTik CHR (Public IP xxx.xxx.57.231, Private IP 10.20.30.2). I've configured an IPsec tunnel; peers: xxx.xxx.57.231 (MikroTik VM2) <--> xxx.xxx.114.69 (Office router); encrypted endpoints: xxx.xxx.100.23 (VM1 public IP) <--> 192.168.1.55 (Office workstation).
The tunnel is established without problems, but when testing connectivity neither end can reach the other.
I've managed to get outgoing traffic (from VM1 to the office workstation) working with this NAT rule:

/ip firewall nat
add action=netmap chain=srcnat src-address=10.20.30.3 to-addresses=xxx.xxx.100.23

But I don't know the correct rule to map 10.20.30.3 <--> xxx.xxx.100.23 for incoming tunnel connections (i.e. from the office workstation to VM1).
Attached is the current configuration; public IPs and passwords are obfuscated for security reasons.

Any help would be appreciated.

P.S.: English is not my native language, so please forgive any grammatical mistakes.

Current config:
# apr/22/2021 10:43:14 by RouterOS 6.47.9
# software id = 
#
#
#
# Exported CHR configuration. The router's own static public address sits on
# ether1 (see /ip address); 10.20.30.3 is the Windows VM behind it, and that
# VM's public address xxx.xxx.100.23 is what appears inside the IPsec policy
# selector for the "oficina" tunnel further down.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# Phase 1 (IKE) profiles. "vc test" sets no hash-algorithm, so the RouterOS
# default (sha1) applies; "oficina" explicitly uses sha256.
add dh-group=modp1536 enc-algorithm=aes-256 lifetime=8h name="vc test"
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=oficina
/ip ipsec peer
# Remote IKE endpoints: the office router and the "vc test" peer.
add address=xxx.xxx.114.69/32 name=oficina profile=oficina
add address=xxx.xxx.76.46/32 name="vc test" profile="vc test"
/ip ipsec proposal
# Phase 2 proposals. "vc test" again leaves auth-algorithms at the default,
# while "oficina" pins sha256.
add enc-algorithms=aes-256-cbc lifetime=8h name="vc test" pfs-group=modp1536
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=oficina pfs-group=\
    modp1536
/ip address
# Only the public address is static here. 10.20.30.2, used below as
# sa-src-address, is not in this list -- presumably it comes from the DHCP
# client on ether1 (confirm with /ip address print on the live router).
add address=xxx.xxx.57.231 interface=ether1 network=xxx.xxx.57.231
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
# Diagnostic log rules for traffic from the office workstation; all disabled.
add action=log chain=output disabled=yes log=yes src-address=192.168.1.55
add action=log chain=input disabled=yes log=yes src-address=192.168.1.55
add action=log chain=forward disabled=yes log=yes src-address=192.168.1.55
# Forward accepts for the two tunnels, in both directions.
add action=accept chain=forward dst-address=10.20.30.3 log=yes src-address=\
    192.168.1.55
add action=accept chain=forward dst-address=192.168.1.55 src-address=10.20.30.3
add action=accept chain=forward dst-address=10.20.30.3 src-address=xxx.xxx.76.42
add action=accept chain=forward dst-address=xxx.xxx.76.42 src-address=10.20.30.3
# NOTE(review): this rule matches on src-port=8291 and src-address=0.0.0.0,
# which as written will practically never match -- Winbox is addressed by
# dst-port 8291. It also changes nothing in practice: there is no drop rule in
# any chain of this filter, so every chain falls through to the RouterOS
# default accept and nothing here restricts input from ether1 (a public-facing
# interface). An explicit input policy is worth adding before going further.
add action=accept chain=input protocol=tcp src-address=0.0.0.0 src-port=8291
add action=accept chain=forward dst-address=xxx.xxx.100.23 src-address=\
    192.168.1.55
/ip firewall nat
# Outbound: rewrite the VM's private source 10.20.30.3 to its public address
# xxx.xxx.100.23 so outgoing packets match the "oficina" policy's
# src-address selector below. There is no dst-address qualifier, so this
# applies to all traffic leaving 10.20.30.3, not only tunnel traffic.
add action=netmap chain=srcnat src-address=10.20.30.3 to-addresses=\
    xxx.xxx.100.23
# NOTE(review): to-addresses has no effect on an action=accept rule, so this
# does not translate anything. The public -> private mapping for connections
# initiated from the tunnel side would have to be a chain=dstnat rule; this
# export contains none.
add action=accept chain=srcnat dst-address=192.168.1.55 src-address=\
    xxx.xxx.100.23 to-addresses=10.20.30.3
# Plain accepts in srcnat (no translation) for the remaining flows.
add action=accept chain=srcnat dst-address=xxx.xxx.100.23 src-address=10.20.30.3
add action=accept chain=srcnat dst-address=192.168.1.55 src-address=10.20.30.3
add action=accept chain=srcnat dst-address=xxx.xxx.76.42 src-address=10.20.30.3
/ip ipsec identity
# Pre-shared keys, redacted in this export.
add peer="vc test" secret=************
add peer=oficina secret=************
/ip ipsec policy
# "vc test" tunnel: selector uses the VM's private address 10.20.30.3 directly.
add dst-address=xxx.xxx.76.42/32 peer="vc test" proposal="vc test" \
    sa-dst-address=xxx.xxx.76.46 sa-src-address=10.20.30.2 src-address=\
    10.20.30.3/32 tunnel=yes
# "oficina" tunnel: selector uses the VM's public address xxx.xxx.100.23.
# Decrypted packets from 192.168.1.55 therefore arrive with dst
# xxx.xxx.100.23; presumably they must be translated to 10.20.30.3 (the VM's
# interface address per the post) to reach the VM -- the NAT section above
# has no rule doing that.
add dst-address=192.168.1.55/32 peer=oficina proposal=oficina sa-dst-address=\
    xxx.xxx.114.69 sa-src-address=10.20.30.2 src-address=xxx.xxx.100.23/32 \
    tunnel=yes
/system clock
set time-zone-autodetect=no
/system clock manual
set time-zone=-03:00
/system logging
# IPsec debug logging, currently disabled.
add action=echo disabled=yes topics=ipsec
/system ntp client
set enabled=yes primary-ntp=86.3.245.8 secondary-ntp=85.199.214.101
