sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

dst-nat through VPN

Tue Jan 16, 2018 9:26 pm

Hello,

I need to view remote ip cameras using a mobile phone app.

NVR is in remote site, can't access through public ip.
Remote site 192.168.10.0/24 and local site 192.168.77.0/24 connected through VPN SSTP
I can access remote site with no problem if connected to my local site, so VPN works.

I would like to connect remotely using my smartphone by configuring the app to connect to my server router's public ip and forward connection through VPN to the client router.
I configured dst-nat to forward port 6060 to the remote site NVR's local IP.

Image

Looks like the traffic is not coming back correctly; I can't view the cameras when connecting from outside.

Server router:
 # jan/16/2018 16:15:10 by RouterOS 6.41
# model = RouterBOARD 962UiGS-5HacT2HnT

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=6060 protocol=tcp to-addresses=192.168.10.102 to-ports=6060

What am I doing wrong?
Please help.
Last edited by sopro on Fri Jan 19, 2018 1:20 am, edited 2 times in total.
 
paolopoz
Frequent Visitor
Posts: 77
Joined: Thu Oct 31, 2013 6:38 pm

Re: dst-nat through VPN

Wed Jan 17, 2018 10:38 am

The NVR needs to know where to send the reply packet, so the router on the remote site should have the gateway through the VPN.
If you cannot do this, you can work around it by src-nat'ing the packet with an IP from the local router (e.g. 192.168.77.1) which is reachable from the NVR.
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Wed Jan 17, 2018 2:07 pm

Can you help me with an example of how to do that in Winbox?
 
paolopoz
Frequent Visitor
Posts: 77
Joined: Thu Oct 31, 2013 6:38 pm

Re: dst-nat through VPN

Wed Jan 17, 2018 3:02 pm

You just put another rule under the dst-nat, this time with src-nat.
You then need to match the packets you already dst-natted.
A rule could be something like this:

/ip firewall nat
add action=src-nat chain=srcnat dst-port=6060 protocol=tcp dst-address=192.168.10.102 to-addresses=192.168.77.1
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Wed Jan 17, 2018 3:14 pm

Thanks for your help.

I added that rule but no success.

I read something about marking packets; I've tried that too, but maybe I am doing something wrong because I still can't see the cameras.
 
paolopoz
Frequent Visitor
Posts: 77
Joined: Thu Oct 31, 2013 6:38 pm

Re: dst-nat through VPN

Wed Jan 17, 2018 3:24 pm

Does the packet counter for src-nat rule increment?
If you want to mark packets then you can bind to that packet mark for the src-nat to work.
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Wed Jan 17, 2018 3:29 pm

> You then need to match the packets you already dst-natted.
How to match the packets?
 
paolopoz
Frequent Visitor
Posts: 77
Joined: Thu Oct 31, 2013 6:38 pm

Re: dst-nat through VPN

Wed Jan 17, 2018 3:35 pm

Matching criteria inside the NAT rule.
You know: src-address, dst-address, protocol, etc.
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Wed Jan 17, 2018 4:36 pm

Local site:

WAN: something.sn.mynetname.net
LAN: 192.168.77.1/24
VPN: 10.10.10.1
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="NVR port forward" dst-port=6060 protocol=tcp to-addresses=192.168.10.102 to-ports=6060

[admin@MikroTik] /ppp active> print
Flags: R - radius 
 #   NAME         SERVICE CALLER-ID         ADDRESS         UPTIME   ENCODING                                                                                                                                                                             
 4   laguna       sstp    191.xxx.xxx.xxx   10.10.10.2      1h45m25s AES256-CBC                                                                                             
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          190.xxx.xxx.xxx               1
 3 ADC  10.10.10.2/32      10.10.10.1      <sstp-laguna>             0

11 ADS  192.168.10.0/24                    <sstp-laguna>             1
15 ADC  192.168.77.0/24    192.168.77.1    bridge2                   0


Remote site:
LAN: 192.168.10.1/24
VPN: 10.10.10.2

NVR: 192.168.10.102 listening at port 6060
[admin@MikroTik Laguna] /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.8.1               1
 1 ADC  10.10.10.1/32      10.10.10.2      vpn sopro                 0
 2 A S  172.16.0.0/24                      192.168.10.102            1
 3 ADC  192.168.8.0/24     192.168.8.100   ether1                    0
 4 ADC  192.168.10.0/24    192.168.10.1    bridge2                   0

[admin@MikroTik Laguna] /ip firewall connection> print
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, 
F - fasttrack, s - srcnat, d - dstnat 
 #          PR.. SRC-ADDRESS           DST-ADDRESS           TCP-STATE  
309  SAC  s  tcp  10.10.10.1:35558      192.168.10.102:6060   close      
323  SAC  s  tcp  10.10.10.1:43726      192.168.10.102:6060   close  


[admin@MikroTik Laguna] /ip firewall connection> print detail
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0  SAC     protocol=tcp src-address=192.168.8.100:39045 dst-address=190.45.xxx.xxx:443 reply-src-address=190.45.xxx.xxx:443 reply-dst-address=192.168.8.100:39045 
            tcp-state=established timeout=4m59s orig-packets=4 729 orig-bytes=3 532 945 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=4 165 
            repl-bytes=590 509 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=152.4kbps repl-rate=37.9kbps 

 1  SAC     protocol=tcp src-address=10.10.10.1:51829 dst-address=192.168.10.1:8291 reply-src-address=192.168.10.1:8291 reply-dst-address=10.10.10.1:51829 
            tcp-state=established timeout=4m59s connection-mark="VPN_SoPro" orig-packets=24 171 orig-bytes=1 570 375 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=30 750 repl-bytes=34 311 553 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=13.2kbps repl-rate=141.5kbps 

 6  SAC  s  protocol=tcp src-address=10.10.10.1:27312 dst-address=192.168.10.102:6060 reply-src-address=192.168.10.102:6060 reply-dst-address=192.168.10.1:27312 
            tcp-state=close timeout=4s connection-mark="VPN_SoPro" orig-packets=10 orig-bytes=896 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=6 
            repl-bytes=600 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

 13  S C  s  protocol=udp src-address=192.168.10.102:30008 dst-address=54.165.xx.xxx:3478 reply-src-address=54.165.xx.xxx:3478 reply-dst-address=192.168.8.100:30008 
            timeout=7s orig-packets=1 orig-bytes=56 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=1 repl-bytes=116 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

14  S C  s  protocol=udp src-address=192.168.10.102:30006 dst-address=54.165.xx.xxx:3478 reply-src-address=54.165.xx.xxx:3478 reply-dst-address=192.168.8.100:30006 
            timeout=7s orig-packets=1 orig-bytes=56 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=1 repl-bytes=116 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

21  SAC  s  protocol=tcp src-address=10.10.10.1:19507 dst-address=192.168.10.102:6060 reply-src-address=192.168.10.102:6060 reply-dst-address=192.168.10.1:19507 
            tcp-state=established timeout=23h59m59s connection-mark="VPN_SoPro" orig-packets=4 orig-bytes=340 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=3 repl-bytes=300 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
Last edited by sopro on Wed Jan 17, 2018 6:07 pm, edited 4 times in total.
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Wed Jan 17, 2018 4:54 pm

That is what it shows when I try to connect with my smartphone from outside.
Don't know how to redirect the packets.
Is there something wrong?
Shall I change the routes in the remote site in some way?
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Wed Jan 17, 2018 5:42 pm

> Does the packet counter for src-nat rule increment?
> If you want to mark packets then you can bind to that packet mark for the src-nat to work.
No, it doesn't increment.
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Wed Jan 17, 2018 6:02 pm

I know this has a solution, I've read a lot of them but do not know how to implement them.

Some solutions I've tried:

1.- Mangle in the remote site router and redirect through a route: viewtopic.php?f=13&t=114319 or viewtopic.php?t=78664#p394987
2.- srcnat rule in the local site: viewtopic.php?f=2&t=129703#p637384
3.- Masquerade: viewtopic.php?t=115961#p573898
4.- Netmap: viewtopic.php?t=117709#p582291

None of them have worked.

Maybe some error in the implementation.

Which one is better?

Can someone please help me here?
@normis @sob @paolopoz
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Wed Jan 17, 2018 8:27 pm

> The NVR needs to know where to send the reply packet, so the router on the remote site should have the gateway through the VPN.
> If you cannot do this, you can work around it by src-nat'ing the packet with an IP from the local router (e.g. 192.168.77.1) which is reachable from the NVR.
I can access the router on the remote site, but that router is providing Internet access through a Ubiquiti access point too.
Any ideas?
 
paolopoz
Frequent Visitor
Posts: 77
Joined: Thu Oct 31, 2013 6:38 pm

Re: dst-nat through VPN

Thu Jan 18, 2018 10:52 am

This:
/ip firewall nat
add action=masquerade chain=srcnat
should be more specific, for example add the out-interface, otherwise it will NAT everything.
You can also put more specific rules before the masquerade, so you are sure the latter will not interfere.

To better understand these situations I find it helpful to imagine the packet in every step, request and reply, and check what happens to it following the packet flow:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Thu Jan 18, 2018 2:42 pm

> This:
> /ip firewall nat
> add action=masquerade chain=srcnat
> should be more specific, for example add the out-interface, otherwise it will NAT everything.
> You can also put more specific rules before the masquerade, so you are sure the latter will not interfere.
>
> To better understand these situations I find it helpful to imagine the packet in every step, request and reply, and check what happens to it following the packet flow:
> https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6
Thanks Paolo, but I can't make it work.
Can somebody help me with configuration instructions in order to view the cameras?
 
Tdaddysimi
Member Candidate
Posts: 108
Joined: Wed Sep 28, 2016 4:37 pm
Location: Minnesota

Re: dst-nat through VPN

Thu Jan 18, 2018 4:08 pm

Just connect to your router through a VPN on your phone. I can do this easily on my android, and then view it that way.
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Thu Jan 18, 2018 4:21 pm

> Just connect to your router through a VPN on your phone. I can do this easily on my android, and then view it that way.
Thanks for your reply.

I've done that using my android phone, and it works fine.

The matter is that these cameras belong to a customer.

She doesn't know (nor want to learn) how to connect to a VPN, especially when she can watch other cameras without needing to connect to a VPN every time.
Another reason is she has an iPhone and iOS removed PPTP VPN connections, only L2TP; that's another complication when connecting iPhones to MikroTiks.

Plus I know there must be a way to port forward through a VPN, so I would love to learn how for future reference.
 
Tdaddysimi
Member Candidate
Posts: 108
Joined: Wed Sep 28, 2016 4:37 pm
Location: Minnesota

Re: dst-nat through VPN

Thu Jan 18, 2018 4:38 pm

It's easy. Here is how I used dst-nat to access winbox behind a public IP.

/ip firewall nat
add action=dst-nat chain=dstnat comment="DST NAT for \"Tiny Tik\" Moms Wifi Router" \
port=31 protocol=tcp src-port="" to-addresses=192.168.1.31 to-ports=8291
add action=dst-nat chain=dstnat comment="To RB2011" port=10 protocol=tcp src-port="" \
to-addresses=192.168.1.10 to-ports=8291
add action=dst-nat chain=dstnat comment="To Silo Winbox" port=17 protocol=tcp src-port=\
"" to-addresses=192.168.1.17 to-ports=8291

To get to other equipment, it all depends on the ports:
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST NAT For Moms Bullet CPE" port=22303 \
protocol=tcp src-port="" to-addresses=192.168.1.171 to-ports=443
add action=dst-nat chain=dstnat comment="DST NAT For WT AP" port=22304 protocol=tcp \
src-port="" to-addresses=192.168.1.210 to-ports=443
add action=dst-nat chain=dstnat comment="DST NAT For .30 Netonix Switch" port=22305 \
protocol=tcp src-port="" to-addresses=192.168.1.30 to-ports=443

In your case, figure out what port the NVR uses, its local IP, and configure as such. Assign any port to it to connect to it from the outside, like I mainly used 223XX, but you can use almost whatever ports you want.
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Thu Jan 18, 2018 4:45 pm

> It's easy. Here is how I used dst-nat to access winbox behind a public IP.
>
> /ip firewall nat
> add action=dst-nat chain=dstnat comment="DST NAT for \"Tiny Tik\" Moms Wifi Router" \
> port=31 protocol=tcp src-port="" to-addresses=192.168.1.31 to-ports=8291
> add action=dst-nat chain=dstnat comment="To RB2011" port=10 protocol=tcp src-port="" \
> to-addresses=192.168.1.10 to-ports=8291
> add action=dst-nat chain=dstnat comment="To Silo Winbox" port=17 protocol=tcp src-port=\
> "" to-addresses=192.168.1.17 to-ports=8291
>
> To get to other equipment, it all depends on the ports:
> /ip firewall nat
> add action=dst-nat chain=dstnat comment="DST NAT For Moms Bullet CPE" port=22303 \
> protocol=tcp src-port="" to-addresses=192.168.1.171 to-ports=443
> add action=dst-nat chain=dstnat comment="DST NAT For WT AP" port=22304 protocol=tcp \
> src-port="" to-addresses=192.168.1.210 to-ports=443
> add action=dst-nat chain=dstnat comment="DST NAT For .30 Netonix Switch" port=22305 \
> protocol=tcp src-port="" to-addresses=192.168.1.30 to-ports=443
>
> In your case, figure out what port the NVR uses, its local IP, and configure as such. Assign any port to it to connect to it from the outside, like I mainly used 223XX, but you can use almost whatever ports you want.
You are forwarding to different devices in the same subnet, not at all the problem I am trying to solve.

I want to access a remote device 192.168.10.102 listening on port 6060 through a router 192.168.77.1 with a public IP.
Routers 192.168.10.1 and 192.168.77.1 are connected via an SSTP VPN tunnel.
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Fri Jan 19, 2018 1:22 am

Image
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: dst-nat through VPN

Fri Jan 19, 2018 4:06 am

Maybe it is easier to first make a site-to-site SSTP; you have to put a route in it so the traffic knows where to go.

https://wiki.mikrotik.com/wiki/Manual:I ... -Site_SSTP
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN

Fri Jan 19, 2018 4:18 am

> Maybe it is easier to first make a site-to-site SSTP; you have to put a route in it so the traffic knows where to go.
>
> https://wiki.mikrotik.com/wiki/Manual:I ... -Site_SSTP
Thanks for your reply.
The picture shows I already made a site-to-site SSTP tunnel.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: dst-nat through VPN

Fri Jan 19, 2018 4:21 am

On first look, I'd say that paolopoz almost had it, except the remote router doesn't have a route to 192.168.77.1, so the right rule would be (on left router):
/ip firewall nat
add action=src-nat chain=srcnat dst-port=6060 protocol=tcp dst-address=192.168.10.102 to-addresses=10.10.10.1
But on second look, it shouldn't really be needed at all, because your broad masquerade rule has exactly the same effect, i.e. changes source of packets going out via VPN to 10.10.10.1. You can see it in "/ip firewall connection" you posted (both sides), source address is 10.10.10.1. But there's also some connection mark there (remote side) and it's not clear what exactly you've done with that.

Basically it's one or the other, NAT or connection/route marks. In a way, the latter is better, more "clean" solution (coming mostly from a fact that NAT is generally evil). But in your case, NAT should work equally well and it's much simpler to set up, so I'd probably start with that. Scrap everything you've done on remote router and start from beginning with just VPN client and nothing else. From what I've seen, it should just work. In fact, it looks like it already works, because those two connections are established (there are packets in both directions). Maybe test it from somewhere else first (not just from that one mobile phone), to make sure that the problem is really at your end (again, it doesn't seem like it is).
 
sopro
just joined
Topic Author
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: dst-nat through VPN  [SOLVED]

Fri Jan 19, 2018 5:59 am

SOLVED!!
It was just a problem of another port: my NVR uses SDK port 6060 and media port 7070.
No need for a src-nat rule, special routes, mangle, netmap, etc.
You just need to have a VPN running and a dst-nat rule at the server router.
Thanks all for your help.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: dst-nat through VPN

Fri Jan 19, 2018 7:23 pm

> No need for a src-nat rule, ...
Not exactly true. You need a srcnat rule, it's just that in your case, this rule:
/ip firewall nat
add action=masquerade chain=srcnat
already masquerades everything that comes through your router. It's kind of wrong, because if you had e.g. webserver in your 192.168.77.x LAN, it would not be able to see real addresses of clients, everything would appear as from 192.168.77.1.

If you had the usual rule only for outgoing traffic:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=<WAN>
then dstnat through VPN would not work and you'd need to add another srcnat rule for that.
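Paolo's advice to follow the packet step by step, and Sob's explanation of why the broad masquerade happens to work while a srcnat to 192.168.77.1 cannot, can be checked with a small Python model of the request and reply path. This is an added example, not code from the thread or from RouterOS; the public addresses, the web server at 192.168.77.50 and the interface name "sstp" are constructed, while the RFC 1918 addresses and routes are the thread's own.

```python
import ipaddress

# Public addresses are constructed; the RFC 1918 ones come from the thread.
PHONE = "203.0.113.25"          # smartphone on the Internet (constructed)
SERVER_WAN = "198.51.100.10"    # server router's public address (constructed)
SERVER_VPN, SERVER_LAN = "10.10.10.1", "192.168.77.1"
NVR = "192.168.10.102"
# Address the server router masquerades to on each exit interface
IFACE_ADDR = {"wan": SERVER_WAN, "sstp": SERVER_VPN, "bridge2": SERVER_LAN}

# Routing tables as printed in the thread ("sstp" stands for the tunnel). The
# remote router has a /32 to 10.10.10.1 over the tunnel but no route to 192.168.77.0/24.
SERVER_ROUTES = [("0.0.0.0/0", "wan"), ("10.10.10.2/32", "sstp"),
                 ("192.168.10.0/24", "sstp"), ("192.168.77.0/24", "bridge2")]
REMOTE_ROUTES = [("0.0.0.0/0", "ether1"), ("10.10.10.1/32", "sstp"),
                 ("192.168.8.0/24", "ether1"), ("192.168.10.0/24", "bridge2")]


def out_iface(routes, dst):
    """Longest-prefix-match lookup, as /ip route does."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def apply_srcnat(policy, src, dst, dport, iface):
    """Source address after the server router's srcnat chain under each of
    the rule sets discussed in the thread."""
    if policy == "masq-all":            # add action=masquerade chain=srcnat
        return IFACE_ADDR[iface]
    masq_wan = IFACE_ADDR["wan"] if iface == "wan" else src   # out-interface=<WAN>
    if policy == "masq-wan":
        return masq_wan
    if dst == NVR and dport == 6060:    # specific rule placed before the masquerade
        return {"masq-wan+srcnat-lan": SERVER_LAN,          # to-addresses=192.168.77.1
                "masq-wan+srcnat-vpn": SERVER_VPN}[policy]  # to-addresses=10.10.10.1
    return masq_wan


def nvr_reply_returns(policy):
    """True when a phone's request to SERVER_WAN:6060 gets its reply back."""
    src, dst, dport = PHONE, NVR, 6060              # after dstnat on the server router
    src = apply_srcnat(policy, src, dst, dport, out_iface(SERVER_ROUTES, dst))
    # The NVR answers to whatever source it saw, via its gateway (the remote
    # router), which picks the reply's exit interface by route lookup.
    reply_iface = out_iface(REMOTE_ROUTES, src)
    # Only a reply that re-enters the tunnel reaches the server router, where
    # conntrack reverses both NATs; anything else leaves via ether1 and is lost.
    return reply_iface == "sstp"


def webserver_sees_client(policy, client="203.0.113.99"):
    """Source address an internal 192.168.77.x web server (constructed .50)
    sees for a dstnat'd Internet client: Sob's point about the broad masquerade."""
    server = "192.168.77.50"
    return apply_srcnat(policy, client, server, 80, out_iface(SERVER_ROUTES, server))


if __name__ == "__main__":
    for policy in ("masq-all", "masq-wan", "masq-wan+srcnat-lan", "masq-wan+srcnat-vpn"):
        print(f"{policy:22} NVR reply returns: {nvr_reply_returns(policy)!s:5} "
              f"web server sees client as {webserver_sees_client(policy)}")
```

Running it shows that only the two rule sets that leave 10.10.10.1 as the source get a reply back through the tunnel, and that only the broad masquerade hides the real client address from an internal server.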
 
meelist
just joined
Posts: 1
Joined: Thu Jan 05, 2012 1:39 pm

Re: dst-nat through VPN

Thu Feb 07, 2019 3:23 pm

Hi,
I am trying to do basically the same thing but it is not working.
I have 2 RouterBOARDs.
Server RB1100AHx2 - VPN server
Remote site RBSXTR - 3G router
Connected via VPN and the connection between them is OK. But now I have a device behind the remote router and I cannot access it.
What was the solution that you had?
Basically what I have/need:
accessing from the Internet - to server WAN 194.204.*.*:90 (port 90) - VPN site to site is server side 192.168.24.113, remote site 192.168.24.114 (3G router) - device connected is 192.168.9.9:80
I thought that I would make a NAT port forward from the server side WAN to the VPN and then from the remote router VPN to the device, but it is not working like this.
Can anyone help me please?

Thank you in advance.
 
paolopoz
Frequent Visitor
Posts: 77
Joined: Thu Oct 31, 2013 6:38 pm

Re: dst-nat through VPN

Tue Feb 12, 2019 6:48 pm

> Hi,
> I am trying to do basically the same thing but it is not working.
> I have 2 RouterBOARDs.
> Server RB1100AHx2 - VPN server
> Remote site RBSXTR - 3G router
> Connected via VPN and the connection between them is OK. But now I have a device behind the remote router and I cannot access it.
> What was the solution that you had?
> Basically what I have/need:
> accessing from the Internet - to server WAN 194.204.*.*:90 (port 90) - VPN site to site is server side 192.168.24.113, remote site 192.168.24.114 (3G router) - device connected is 192.168.9.9:80
> I thought that I would make a NAT port forward from the server side WAN to the VPN and then from the remote router VPN to the device, but it is not working like this.
You don't need NAT, you just have to route the traffic to 192.168.9.9 inside the VPN. It depends on what type of VPN you use: either you need an IP route or you need to modify the network configuration for the VPN.
