albercik
newbie
Topic Author
Posts: 41
Joined: Tue Jul 17, 2018 1:38 pm

No response from subnet over PPTP

Mon Sep 24, 2018 9:06 pm

Hello All!

I have a little problem with my routers' configuration over PPTP.

What was till few days ago:
My router (MikroTik1) standing at my desk, with five public IP addresses assigned and VPN server enabled. Also I had my servers standing under my desk connected to the MikroTik. Ports were forwarded to the servers (web server, Exchange, build server etc...). Everything was fine except that my wife doesn't like noise much. Me neither, to be honest...

So, a few days ago - I got the opportunity to move my 'server farm' to another location. The point is - this location has an ISP that isn't giving a static address, nor even a public one... It's behind NAT. Cool, hmm?

So what I've been trying to achieve for the last four days is: direct the traffic from specific remote ports over the tunnel to my home router and route it away to the World.

My current config:
Mikrotik1 (home):
public addresses: 1.1.1.1 - 1.1.1.5
local LAN: 10.0.1.0/24
local LAN IP: 10.0.1.1
also a guest LAN, but it's completely separated from my 'office' LAN.

Mikrotik2 (remote)
public address: unknown/dynamic/behind NAT
local LAN: 10.0.2.0/24
local LAN IP: 10.0.2.1

Between Mikrotik1 and Mikrotik2 there is a PPTP Tunnel with addresses: 10.0.1.1 for Mikrotik1 and 10.0.1.10 for Mikrotik2 (remote).
Routes are set and I can see/ping/connect to remote site servers from my local LAN and vice-versa.

Now, the problem: On my Mikrotik1 I have a DST-NAT rule for everything that comes from one of my public IPs (1.1.1.2) on ports 80 and 443 to be dst-natted to my machine in the remote site with IP 10.0.2.2. It works - I can see it in torch on the MT and in the server's logs. The problem is with the response. The response comes out of the server to MT2 (10.0.2.1), then is SRC-NATted to 10.0.1.1 (I've tried every possible IP here) on the router and I can see the packets in the torch tool on my MT1 (local) coming from machine 10.0.2.2 over the PPTP interface and then - they disappear.

The whole point is that I've created a SRC-NAT rule on my MT1 for everything coming from 10.0.2.2 and it seems this rule isn't respected at all (the packet count doesn't increase). However - if I create a DST-NAT rule for this IP - the packet count increases. So it seems that the packets coming from the PPTP tunnel are treated as incoming instead of outgoing, so I have completely no idea how to send them back to the Internet.

Please help!

Thank you in advance and best regards
Tom
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: No response from subnet over PPTP

Tue Sep 25, 2018 1:49 am

The response comes out of the server to MT2 (10.0.2.1), then is SRC-NATted to 10.0.1.1 (I've tried every possible IP here) ...
I don't understand this part. Are you trying to srcnat packets from the server on Mikrotik2? Why? Also, srcnat on Mikrotik2 can't do anything to reply packets that belong to a forwarded port, because they are already part of an established connection.
 
albercik
newbie
Topic Author
Posts: 41
Joined: Tue Jul 17, 2018 1:38 pm

Re: No response from subnet over PPTP

Tue Sep 25, 2018 1:56 pm

The response comes out of the server to MT2 (10.0.2.1), then is SRC-NATted to 10.0.1.1 (I've tried every possible IP here) ...
I don't understand this part. Are you trying to srcnat packets from the server on Mikrotik2? Why? Also, srcnat on Mikrotik2 can't do anything to reply packets that belong to a forwarded port, because they are already part of an established connection.
The problem is that my MT1 has a public IP address 1.1.1.1 and my DNS is pointing to this address. My MT2 has some other public IP address, let's say 2.2.2.2.

When the request comes from some client (e.g. 3.3.3.3) to my DNS name, it's resolved to 1.1.1.1 (my MT1), then it's directed to MT2 over the PPTP tunnel, and then to my server. The server sends a response, but the response is sent out to 3.3.3.3 from address 2.2.2.2, as it's masqueraded on MT2.

What I'm trying to achieve is to forward all of the responses from my server through the tunnel back to MT1, where they can be sent back to the original host (3.3.3.3) using my MT1's public IPs.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: No response from subnet over PPTP

Tue Sep 25, 2018 8:20 pm

It's easy then. On Mikrotik2:

1) Add new default route with gateway 10.0.1.1 and routing mark "vpn".
2) Add mangle rule for new connections coming in from tunnel and give them connection mark "vpnconn".
3) Add mangle rule for connections coming in from LAN with connection mark "vpnconn" and give them routing mark "vpn".

It's basically the same config as used for multi-WAN setup.
 
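The three steps above written out as RouterOS commands, as an added example that is not part of the thread or of anyone's posted configuration. It uses the addresses from the thread (Mikrotik1's tunnel address 10.0.1.1, Mikrotik2's tunnel address 10.0.1.10, the server 10.0.2.2, the public address 1.1.1.2). The interface names "pptp-out1", "bridge-lan" and "ether1-wan" and the RouterOS v6 syntax (routing-mark on /ip route) are assumptions; on v7 the route would use routing-table instead and the table has to be created first.

```routeros
# --- Mikrotik1 (home, owns 1.1.1.1-1.1.1.5) ---
# The part the thread already has: route the remote LAN into the tunnel
# and forward 80/443 on 1.1.1.2 to the server behind Mikrotik2.
# No srcnat rule is needed here for the replies: connection tracking
# reverses the dst-nat on the way back out, which is why an srcnat rule
# for 10.0.2.2 never sees a counter increase.
/ip route add dst-address=10.0.2.0/24 gateway=10.0.1.10
/ip firewall nat add chain=dstnat dst-address=1.1.1.2 protocol=tcp \
    dst-port=80,443 action=dst-nat to-addresses=10.0.2.2

# --- Mikrotik2 (remote, behind the ISP's NAT) ---
# Interface names are assumptions: pptp-out1 is the PPTP client towards
# Mikrotik1, bridge-lan carries 10.0.2.0/24, ether1-wan faces the ISP.

# 1) Second default route that only packets with routing mark "vpn" use.
/ip route add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark=vpn \
    comment="reply path for connections that arrived over the PPTP tunnel"

# 2) Tag every NEW connection that arrives from the tunnel. Only the first
#    packet is inspected; the mark is stored in the conntrack entry, so every
#    later packet of the connection (both directions) carries it.
/ip firewall mangle add chain=prerouting in-interface=pptp-out1 \
    connection-state=new action=mark-connection \
    new-connection-mark=vpnconn passthrough=yes

# 3) Reply packets coming from the LAN that belong to such a connection get
#    the routing mark, so the route from step 1 wins over the ISP default
#    route. passthrough=no stops further mangle processing for them.
/ip firewall mangle add chain=prerouting in-interface=bridge-lan \
    connection-mark=vpnconn action=mark-routing new-routing-mark=vpn \
    passthrough=no

# Keep the masquerade for the server farm's own outbound traffic limited to
# the ISP interface; replies leaving through pptp-out1 must keep 10.0.2.2 as
# source so Mikrotik1's conntrack entry can map them back to 1.1.1.2.
/ip firewall nat add chain=srcnat out-interface=ether1-wan action=masquerade
```

To check that it does what the thread asks for, open a connection to 1.1.1.2:80 from outside and on Mikrotik2 run `/ip firewall connection print where connection-mark=vpnconn` (the entry should exist) and `/ip firewall mangle print stats` (both mangle counters should increase); a reply that still leaves via the ISP shows up in `/tool torch interface=ether1-wan` with source 10.0.2.2 instead of on pptp-out1. Connections the server opens itself (updates, outbound mail) never get the connection mark and keep using the ISP, which is the behaviour Sob's multi-WAN comparison refers to. One caveat unrelated to the routing itself: PPTP with MS-CHAPv2 provides no meaningful confidentiality, so anything sensitive crossing this tunnel should be protected at the application layer or the tunnel replaced by IPsec or WireGuard.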
albercik
newbie
Topic Author
Posts: 41
Joined: Tue Jul 17, 2018 1:38 pm

Re: No response from subnet over PPTP

Wed Sep 26, 2018 7:08 pm

Hmm, that sounds easy :) At this point I have all the traffic to 0.0.0.0/0 routed into the tunnel, except for my MT1's address so the VPN works :D :D It's messy, but it's effective at the moment.

I'll give your suggestion a try during the weekend and I'll report back if it's working :)
