Community discussions

 
Exiver
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sat Jan 10, 2015 6:45 pm

Forward Port from VPN to internal Network

Sun Jan 11, 2015 12:57 am

Hey guys,
im new to mikrotik and now trying to configure my RB951Ui-2HnD properly.

All ports from outside are blocked by my provider, so i have to use portfordwarding via my server. I set up the VPN with OpenVPN and its working without problems until here. I do a dstnat on my server who sends the packets to a local VPN Ip-Adress, which the mikrotic statically has (10.10.0.10). This is working fine. Iam doing a dstnat again on the mikrotik to forward this packets to the raspberry (192.168.101.254).
The Mikrotik Device is only a WLAN Pseudobridge and not the gateway the the internet. The problem is now that answers from the raspberry (which is connected with LAN to the Mikrotik) are sent over the wifi interface to the internet gateway and not routed back to the vpn.
I tried to set up a mangle rule to add a routing mark to the packets and added a new route to the vpn with the routing mark i used at the mangle rule. I thought this would work but it doesnt. Do i have a problem in my configuration or am i just stupid?

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=dstnat action=dst-nat to-addresses=192.168.101.254 to-ports=22000 protocol=tcp dst-address=10.10.0.10 dst-port=22000 log=yes log-prefix=""
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=mark-routing new-routing-mark=route-vpn passthrough=yes protocol=tcp src-address=192.168.101.254 src-port=22000 log=yes log-prefix=""
[admin@MikroTik] /ip route> print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=ovpn-out1 gateway-status=ovpn-out1 reachable via  ovpn-out1 distance=1 scope=30 target-scope=10 routing-mark=route-vpn 

 1 A S  dst-address=0.0.0.0/0 gateway=192.168.101.2 gateway-status=192.168.101.2 reachable via  bridge-local distance=1 scope=30 target-scope=10 

 2 ADC  dst-address=10.10.0.1/32 pref-src=10.10.0.10 gateway=ovpn-out1 gateway-status=ovpn-out1 reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.101.0/24 pref-src=192.168.101.3 gateway=bridge-local gateway-status=bridge-local reachable distance=0 scope=10 
As you see i enabled the log and i see the entrys for the destination nat and for the mangle rule, but it seems like the routing mark does not apply?.
23:46:09 firewall,info dstnat: in:ovpn-out1 out:(none), proto TCP (SYN), 134.xxx.xxx.xxx:51701->10.10.0.10:22000, len 60 
23:46:09 firewall,info prerouting: in:bridge-local(ether1-master-local) out:(none), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN,ACK), 192.168.101.254:22000->134.xxx.xxx.xxx:51701, NAT (192.168.101.254:22000->10.10.0.10:22000)->134.xxx.xxx.xxx:51701, len 60 
At sniffer i can see the packet is sent to the gateway via wlan:
[admin@MikroTik] /tool sniffer> pack pr
 #    TIME INTERFACE SRC-ADDRESS                                                           DST-ADDRESS                                                          IP-PROTOCOL  SIZE
 0   3.739 ovpn-out1 134.xxx.xxx.xxx:56938                                                 10.10.0.10:22000                                                     tcp            64
 1   3.739 bridge... 134.xxx.178.112:56938                                                 192.168.101.254:22000                                                tcp            64
 2   3.739 ether1... 134.xxx.xxx.xxx:56938                                                 192.168.101.254:22000                                                tcp            64
 3   3.739 ether1... 192.168.101.254:22000                                                 134.xxx.xxx.xxx:56938                                                tcp            60
 4   3.739 wlan1     10.10.0.10:22000                                                      134.xxx.xxx.xxx:56938                                                tcp            60


Thx for your help :>
 
Exiver
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sat Jan 10, 2015 6:45 pm

Re: Forward Port from VPN to internal Network

Tue Jan 20, 2015 1:18 pm

Hey again,

after a week im trying to bump my post because after i posted it it needed almost a day to be activated by the moderators. I think it was already on the lower part of the site when everyone was able to see it. So my second try.

Thanks for your help ;-)

Who is online

Users browsing this forum: Google [Bot] and 27 guests