I have an RB4011 doing NAT for a remote client, connected through an L2TP/IPsec tunnel.
Like this:
FROM INTERNET -> PORT 19980 -> RB4011 -> L2TP VPN -> HEX -> DEVICE WEB PAGE 80
Inside the LAN, or even from another VPN access such as my office, I can access the device's HTTP server. But using the NATed port from outside, without a VPN connection to the RB4011, it doesn't load.
In my hEX I have the following rules to send the connections originated from my RB4011 back through the VPN tunnel. It works for simple connections, like TCP SYN/ACK.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=l2tp-central new-connection-mark=\
nat-conn-central passthrough=yes src-address-list=!local_address
add action=mark-routing chain=prerouting connection-mark=nat-conn-central dst-address-list=!local_address new-routing-mark=\
nat-central passthrough=yes
add action=change-mss chain=forward connection-mark=nat-conn-central disabled=yes new-mss=500 passthrough=yes protocol=tcp \
tcp-flags=syn tcp-mss=501-65535
ip firewall address-list/print
Columns: LIST, ADDRESS, CREATION-TIME
# LIST ADDRESS CREATION-TIME
0 local_address 172.16.0.0/12 jun/01/2023 15:42:07
ip route print where routing-table=nat-central
Flags: A - ACTIVE; s, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
3 As 0.0.0.0/0 172.25.1.254 1
Wireshark output: retransmissions and RST flags.
Is there anything missing in the above rules?
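To make the intended packet flow of the mangle rules above easier to reason about, here is an added simulation (editor's example, not code from the post or from MikroTik) of how the two prerouting rules and the nat-central routing table treat each direction of a connection. The address list `local_address` (172.16.0.0/12), the interface name `l2tp-central` and the nat-central default route via 172.25.1.254 come from the post; the LAN interface name `bridge`, the WAN interface `ether1-wan`, the WAN gateway 203.0.113.1, the device address 172.16.10.20 and the internet client 198.51.100.7 are constructed assumptions. The disabled change-mss rule and MTU effects are not modelled, so the simulation only answers "which connection mark, routing mark and gateway does each packet get", not why a large HTTP response might be retransmitted.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the post
LOCAL_ADDRESS = [ipaddress.ip_network("172.16.0.0/12")]  # address-list local_address
TUNNEL_IF = "l2tp-central"

# Constructed assumptions for the simulation (not from the post)
LAN_IF = "bridge"
ROUTES = {
    "main": [
        (ipaddress.ip_network("172.16.10.0/24"), "connected", LAN_IF),   # assumed LAN subnet
        (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "ether1-wan"),  # assumed WAN default
    ],
    "nat-central": [
        (ipaddress.ip_network("0.0.0.0/0"), "172.25.1.254", TUNNEL_IF),   # route from the post
    ],
}


def in_list(addr, nets):
    """Equivalent of src/dst-address-list matching against an address list."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_iface: str


def conn_key(pkt):
    """Direction-independent 4-tuple so reply packets map onto the same tracked connection."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class Router:
    def __init__(self):
        self.conntrack = {}  # conn_key -> connection-mark, like RouterOS connection tracking

    def mangle_prerouting(self, pkt):
        key = conn_key(pkt)
        cmark = self.conntrack.get(key, "no-mark")
        # Rule 1: mark-connection, only for unmarked connections entering from the tunnel
        # whose source is NOT in local_address (i.e. traffic NATed in from the internet).
        if cmark == "no-mark" and pkt.in_iface == TUNNEL_IF and not in_list(pkt.src, LOCAL_ADDRESS):
            cmark = "nat-conn-central"
            self.conntrack[key] = cmark
        # Rule 2: mark-routing for packets of a marked connection heading to a non-local address,
        # which is what the device's replies to the internet client look like.
        rmark = "main"
        if cmark == "nat-conn-central" and not in_list(pkt.dst, LOCAL_ADDRESS):
            rmark = "nat-central"
        return cmark, rmark

    def route(self, pkt):
        """Run mangle, then a longest-prefix lookup in the selected routing table."""
        cmark, rmark = self.mangle_prerouting(pkt)
        dst = ipaddress.ip_address(pkt.dst)
        for net, gw, iface in sorted(ROUTES[rmark], key=lambda r: r[0].prefixlen, reverse=True):
            if dst in net:
                return {"conn_mark": cmark, "routing_mark": rmark, "gateway": gw, "out_iface": iface}
        return None


def trace_http_session():
    """Forwarded request, its reply, and an unrelated LAN-to-internet flow."""
    r = Router()
    request = r.route(Packet("198.51.100.7", "172.16.10.20", 51000, 80, TUNNEL_IF))
    reply = r.route(Packet("172.16.10.20", "198.51.100.7", 80, 51000, LAN_IF))
    lan_out = r.route(Packet("172.16.10.30", "8.8.8.8", 40000, 443, LAN_IF))
    return request, reply, lan_out


if __name__ == "__main__":
    for name, result in zip(("request", "reply", "lan_out"), trace_http_session()):
        print(name, result)
```

The reply packet is the interesting one: it arrives on the LAN interface, inherits the connection mark set on the request, and because its destination is outside 172.16.0.0/12 it is routed through the nat-central table back into the tunnel instead of the WAN default route. A plain LAN-to-internet flow never receives the connection mark and stays on the main table.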