leviself56
just joined
Topic Author
Posts: 5
Joined: Sat Jul 25, 2020 7:05 pm

Port Forwarding NAT thru L2TP Tunnel

Sat Jul 25, 2020 8:20 pm

Hi there, first time posting on this forum.
I've been using Mikrotik for a while & am probably considered intermediate with my skills... by no means a pro.
I have drawn a picture to best explain my situation & will post my configs here.
IMG_1455.jpeg
I am trying to forward port 80 from my public IP, thru the L2TP tunnel, which connects from behind a NAT, to port 80 on a local device on the 10.19.56.0/24 subnet.

Config of router with the public IP 104.192.158.xx & private subnet 192.168.101.0/24 running L2TP server.
Also, I am able to ping 10.19.56.56 from this router.
 /export hide-sensitive 
# jul/25/2020 11:07:01 by RouterOS 6.45.7
# software id = LHVV-3JEB
#
# model = RB952Ui-5ac2nD
# serial number = 924D0926AFCA

/interface bridge
add admin-mac=B8:69:F4:FA:75:CB auto-mac=no comment=defconf name=bridge

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik10 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-FA75CF wireless-protocol=802.11

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=default-dhcp ranges=192.168.101.10-192.168.101.254

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf

/ppp profile
set *FFFFFFFE bridge=bridge local-address=172.0.0.1 on-up="if ([/interface l2tp-\
    server print count-only where user=\$user && !dynamic] = 0) do={\r\
    \nlog info message=\"L2TP Server Binding current user\"\r\
    \n/interface l2tp-server add name=\$user user=\$user\r\
    \n/interface l2tp-server remove [find where name=\$user]\r\
    \n}" remote-address=172.0.0.2

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface l2tp-server server
set enabled=yes keepalive-timeout=60 mrru=1600 one-session-per-host=yes

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/interface sstp-server server
set default-profile=default-encryption mrru=1600

/ip address
add address=192.168.101.1/24 comment=defconf interface=bridge network=\
    192.168.101.0
add address=104.192.158.67/24 interface=ether1 network=104.192.158.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1

/ip dhcp-server network
add address=192.168.101.0/24 comment=defconf gateway=192.168.101.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "Accept connection from outside to port 80" dst-port=80 in-interface=ether1 \
    log=yes protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=104.192.158.67 dst-port=80 \
    in-interface=ether1 log=yes protocol=tcp to-addresses=10.19.56.56 to-ports=\
    80
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN

/ip route
add distance=1 gateway=104.192.158.1
add distance=1 dst-address=10.19.56.0/24 gateway=<l2tp-remote.vpn>
add distance=1 dst-address=10.22.0.0/24 gateway=<l2tp-remote.vpn>

/ip service
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ppp secret
add name=remote.vpn profile=default-encryption

/routing ospf network
add area=backbone network=10.19.56.1/32

/system clock
set time-zone-name=America/Chicago

/system routerboard settings
set protected-routerboot=enabled reformat-hold-button=1m

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN
Config of router behind the ISP router with NAT, gateway IP of 192.168.1.10, private subnet of 10.19.56.0/24, running L2TP client.
I have all of the drop firewall rules disabled temporarily for simplicity.
 /export hide-sensitive 
# jul/25/2020 12:07:36 by RouterOS 6.47
# software id = LIJ2-78ES
#
# model = RB760iGS
# serial number = AE370B5EBDFD

/interface bridge
add admin-mac=C4:AD:34:DA:7B:B3 auto-mac=no comment=defconf name=bridge

/interface ethernet
set [ find default-name=ether1 ] mac-address=E8:2C:6D:23:70:FC name=ether1-WAN
set [ find default-name=ether2 ] mtu=1596 name=ether2-BH
set [ find default-name=ether3 ] name=ether3-NDB
set [ find default-name=ether5 ] poe-out=off

/interface l2tp-client
add connect-to=104.192.158.67 disabled=no mrru=1600 name=l2tp-out1 user=remote.vpn

/interface vlan
add interface=ether2-BH name=vlan22.cctv vlan-id=22
add interface=ether2-BH name=vlan99_cx-traffic vlan-id=99
add interface=ether2-BH name=vlan660.voip vlan-id=660

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip dhcp-server
add disabled=no interface=bridge lease-time=1d name=dhcp-default

/ip pool
add name=default-dhcp_pool ranges=10.19.56.100/31
add name=dhcp-cctv_pool ranges=10.22.0.100-10.22.0.200
add name=dhcp-voip_pool ranges=10.66.0.2-10.66.0.20

/ip dhcp-server
add address-pool=dhcp-cctv_pool disabled=no interface=vlan22.cctv lease-time=1d name=dhcp.cctv
add address-pool=dhcp-voip_pool disabled=no interface=vlan660.voip lease-time=1d name=dhcp.voip

/port
set 0 name=serial0

/ppp profile
set *FFFFFFFE bridge=bridge

/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp

/interface bridge port
add bridge=bridge comment=defconf interface=ether3-NDB
add bridge=bridge interface=vlan99_cx-traffic

/ip neighbor discovery-settings
set discover-interface-list=all

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN

/ip address
add address=10.19.56.1/24 interface=bridge network=10.19.56.0
add address=10.22.0.1/24 interface=vlan22.cctv network=10.22.0.0
add address=10.66.0.1/24 interface=vlan660.voip network=10.66.0.0

/ip dhcp-client
add comment=defconf disabled=no interface=ether1-WAN

/ip dhcp-server config
set store-leases-disk=1d

/ip dhcp-server network
add address=10.19.56.0/24 comment=defconf dns-server=1.1.1.3 gateway=10.19.56.1
add address=10.22.0.0/24 dns-server=1.1.1.3 gateway=10.22.0.1
add address=10.66.0.0/24 dns-server=1.1.1.3 gateway=10.66.0.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.3

/ip dns static
add address=192.168.88.1 name=router.lan type=A

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow Remote Winbox Connection" in-interface=RemoteWinboxVPN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip route
add distance=1 dst-address=192.168.101.0/24 gateway=l2tp-out1

/ip service
set www port=98

/system clock
set time-zone-name=America/Chicago

/system identity
set name=hEX-CoreRouter

/tool graphing interface
add interface=ether1-WAN

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN
When I try accessing the public IP on port 80, it attempts to load but never gives an output on the webpage, from outside the network or inside.
I've read lots of guides & threads but have not successfully got anywhere yet.
Any help would be appreciated. Thanks a bunch.
Levi
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding NAT thru L2TP Tunnel

Tue Jul 28, 2020 8:22 pm

The problem is that when the server sends its response to the client, the router sends it to its own default gateway; it doesn't forward it back via the tunnel. There are two ways to solve it.

The simple one is to add a masquerade rule on the router with the public address, for connections forwarded to the server. The router behind NAT will think that all connections came from the VPN server and will route responses there. The downside is that the server won't be able to see the real source addresses.

The better solution is to add another default route in a different routing table (on the router behind NAT) with the L2TP server as gateway, mark new incoming connections from the tunnel, and then mark routing for responses to marked connections, to make them use the other routing table. The server will see the original source addresses and the router will forward responses correctly to the tunnel.
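Both options above, written out in RouterOS 6.x syntax as an added example (not config from the thread or from MikroTik). It assumes the names from the posted exports: the web server at 10.19.56.56 sits on the hEX's bridge interface and the hEX's tunnel interface is l2tp-out1; the connection mark from-vpn and the routing mark reply-via-vpn are constructed names. The final fasttrack adjustment is an assumption about what the posted filter rules need for the mangle marks to take effect, because fasttracked packets bypass the mangle table.

```routeros
# ---- Option 1: on the router with the public IP (the L2TP server) ----
# Source-NAT the forwarded port-80 connections so they appear to come from the
# tunnel's local address; the hEX then routes replies back into the tunnel.
# Downside: the server only ever sees the tunnel address as the client.
/ip firewall nat
add chain=srcnat action=masquerade protocol=tcp dst-address=10.19.56.56 dst-port=80 \
    comment="Option 1: hide forwarded port-80 clients behind the tunnel address"

# ---- Option 2: on the router behind NAT (the hEX, L2TP client) ----
# Second default route in its own routing table. In RouterOS 6, setting
# routing-mark on a route creates that table; it is only consulted for packets
# carrying the reply-via-vpn routing mark.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=reply-via-vpn distance=1 \
    comment="Option 2: default route used only for replies to tunnel-originated connections"

/ip firewall mangle
# 1) Tag every new connection that arrives through the tunnel (connection marks
#    persist for the life of the connection, so replies inherit them).
add chain=prerouting in-interface=l2tp-out1 connection-state=new \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes \
    comment="Option 2: remember connections that entered via the tunnel"
# 2) Packets from the LAN side on a tagged connection (the server's replies)
#    get the routing mark, so the lookup uses the reply-via-vpn table instead
#    of the main table's WAN default route.
add chain=prerouting in-interface=bridge connection-mark=from-vpn \
    action=mark-routing new-routing-mark=reply-via-vpn passthrough=no \
    comment="Option 2: route replies to tagged connections through the tunnel"

# Fasttracked packets skip mangle, so the defconf fasttrack rule would otherwise
# short-circuit rule 2 after the first packet. Keep tagged connections out of it.
/ip firewall filter
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark
```

Apply one option, not both. With option 2, `/ip firewall connection print where connection-mark=from-vpn` should list the tagged connection while a client is talking to port 80, and `/ip route print where routing-mark=reply-via-vpn` should show the tunnel default route as active; if the connection is tagged but replies still leave via ether1-WAN, check that the fasttrack rule carries the `connection-mark=no-mark` condition.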
 
Halfeez92
Member Candidate
Posts: 101
Joined: Tue Oct 30, 2012 12:58 pm
Location: 127.0.0.1

Re: Port Forwarding NAT thru L2TP Tunnel

Sat May 01, 2021 9:36 pm

The problem is that when the server sends its response to the client, the router sends it to its own default gateway; it doesn't forward it back via the tunnel. There are two ways to solve it.

The simple one is to add a masquerade rule on the router with the public address, for connections forwarded to the server. The router behind NAT will think that all connections came from the VPN server and will route responses there. The downside is that the server won't be able to see the real source addresses.

The better solution is to add another default route in a different routing table (on the router behind NAT) with the L2TP server as gateway, mark new incoming connections from the tunnel, and then mark routing for responses to marked connections, to make them use the other routing table. The server will see the original source addresses and the router will forward responses correctly to the tunnel.

Hi, I have the same problem. What if I select the default route option in the L2TP settings? Do I need to use the better solution too? Because the default route is already through the L2TP tunnel. Please advise, thanks.
