 
Experimentator
Frequent Visitor
Topic Author
Posts: 61
Joined: Sat Nov 24, 2012 9:12 pm

Port forwarding to a host behind VPN

Thu Apr 19, 2018 4:32 pm

Dear All,

I really need help with a port forwarding rule. I thought it would be easy, but reality is somewhat different...
I have the following setup:

Router A:
WAN: x.x.x.x (fixed public IP)
Local net 192.168.1.0/24

Router B
WAN: dynamic address
Local net: 192.168.2.0/24
"Target server": 192.168.2.11

I have set up IPsec and GRE on top of it to be able to route internal traffic between both routers.
I can access 192.168.2.0/24 from 192.168.1.0/24, and vice versa (ICMP and TCP traffic work fine). So the IPsec and GRE part seems to be OK.

Now, I need to make a port forwarding, so that my "target server" behind Router B is reachable from the Internet at Router A's WAN IP (x.x.x.x).

A simple dst-nat rule at Router A works perfectly fine if machines are located in Router A's local network.
But if I change the "to-address" in the dst-nat rule to my "target server" IP (which is in Router B's network), the connection simply times out.

Am I missing something obvious here?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding to a host behind VPN

Thu Apr 19, 2018 5:12 pm

Am I missing something obvious here?
The most likely thing to miss is that the initial packet arrives at the device at site B properly, but the device sends its response to the source address of the request using router B's local routing table, which most likely means it uses that router's uplink. So the client has sent its request to the public IP address of router A but the response has arrived from the public address of router B, if at all, because many firewalls along the way (possibly already the one at router B) drop packets which do not fit the expected connection state from their perspective (a response is normally not the first packet of a connection to be seen at the firewall).

Better post the output of /export hide-sensitive after systematically replacing each occurrence of any public IP address eventually present by a distinctive pattern like my.public.ip.A1.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding to a host behind VPN

Thu Apr 19, 2018 5:17 pm

It's because when you forward a port to remote network B from source host a.b.c.d, the target machine in network B will send the reply to router B (it will happen in any case), but router B will by default use its own default gateway to send it out. And it will fail, because a.b.c.d expects the reply from router A's address (in fact, the reply probably won't reach a.b.c.d at all, but it wouldn't work even if it did).

You have two options:

a) Use srcnat on router A and make all forwarded connections look like they come from router A's end of tunnel. That way, router B will send replies back to tunnel. But you will lose original source address.

b) On router B, mark incoming connections from tunnel, add default route via tunnel in another routing table, and mark routing for replies to marked connections. This will allow you to keep original source address.
 
Experimentator
Frequent Visitor
Topic Author
Posts: 61
Joined: Sat Nov 24, 2012 9:12 pm

Re: Port forwarding to a host behind VPN

Thu Apr 19, 2018 5:30 pm

The most likely thing to miss is that the initial packet arrives at the device at site B properly, but the device sends its response to the source address of the request using router B's local routing table, which most likely means it uses that router's uplink. So the client has sent its request to the public IP address of router A but the response has arrived from the public address of router B, if at all, because many firewalls along the way (possibly already the one at router B) drop packets which do not fit the expected connection state from their perspective (a response is normally not the first packet of a connection to be seen at the firewall).
Hmm, it sounds like this is probably the cause!
What could be the workaround (if any) to get the response packets routed back via the IPsec / GRE link?
Better post the output of /export hide-sensitive after systematically replacing each occurrence of any public IP address eventually present by a distinctive pattern like my.public.ip.A1.
Overall setup is waaaay more complicated than what I described. In fact, the entire chain consists of three routers connected like this:
Router A <--> Router B <--> Router C
With Router A having the public IP I need to use, and the "target machine" being behind Router C.
(router B has a fixed IP as well, but I don't use it for this particular case)

I will post some sections of the config, if you tell me what you would like to see.
 
Experimentator
Frequent Visitor
Topic Author
Posts: 61
Joined: Sat Nov 24, 2012 9:12 pm

Re: Port forwarding to a host behind VPN

Thu Apr 19, 2018 5:53 pm

Sob, thanks a lot!
Can you please elaborate a bit?

a) Use srcnat on router A and make all forwarded connections look like they come from router A's end of tunnel. That way, router B will send replies back to tunnel. But you will lose original source address.
Do you mean I need to masquerade the traffic from Router A to Router B? If yes, how do I tell it the IP address of the target machine?

b) On router B, mark incoming connections from tunnel, add default route via tunnel in another routing table, and mark routing for replies to marked connections. This will allow you to keep original source address.
This looks like a better option, but is a bit more complex to set up.
I need to wrap my head around this solution...
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding to a host behind VPN  [SOLVED]

Thu Apr 19, 2018 5:54 pm

I will post some sections of the config, if you tell me what you would like to see.
No point in doing so - if you are able to create complex configurations, you'll understand the description below :-)

Hmm, it sounds like this is probably the cause!
What could be the workaround (if any) to get the response packets routed back via the IPsec / GRE link?
The simplest workaround is to use src-nat at the router which uses dst-nat when forwarding the packets via the internal network. That way, the server receives the request with a source address on the internal network and responds there, and the router with src-nat and dst-nat undoes both NATs while forwarding the response. The drawback is that the server doesn't learn the actual source address of the request which, depending on the application, may not be a problem at all or may be a show stopper - it's up to you to decide.

If you need the source address of the client to be preserved all the way to the server, you'll have to use connection marking at least at the router C (to which the server is connected). The first packet from the client marks the connection using an action=mark-connection rule in chain=prerouting of /ip firewall mangle. Still the same chain in the same table route-marks all packets from the server belonging to connections marked with that connection mark with a routing mark, and a default route in a dedicated routing table whose name equals the routing mark points towards the router through which the initial packet of the connection has come in.

You can do this either at both B and C, or you can create a direct tunnel between A and C, thus saving the uplink bandwidth of B by bypassing it completely. If for some reason a direct tunnel is impossible to set up, you could create it inside the existing tunnels AB and BC, but as that would cost you even more MTU, the connection marking and route marking also at router B is a better approach in that case.
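The two options described by Sob (a/b) and by sindy above (src-nat next to the dst-nat, versus connection marking plus route marking with a dedicated routing table), written out as RouterOS configuration for the two-router topology of the first post. This is an added example, not configuration posted by any participant in this thread. Names and values that do not appear in the thread are assumptions: Router A's WAN interface is ether1, the GRE tunnel is gre-tunnel1 with 10.10.10.1/30 on A and 10.10.10.2/30 on B, Router B's LAN interface is a bridge called bridge, and the forwarded service is TCP port 443. The syntax is RouterOS v6, which was current when the thread was written.

```routeros
# ===== Option (a): dst-nat + src-nat on Router A (server loses the real client IP) =====
# Assumed names: WAN = ether1, GRE = gre-tunnel1 (A side 10.10.10.1), service = TCP/443.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.2.11 to-ports=443 \
    comment="forward WAN:443 to the server behind Router B"
# The srcnat chain runs after dstnat, so dst-address already holds the rewritten target.
# Rewriting the source to A's tunnel address makes B route the reply back into the tunnel;
# A's connection tracking then undoes both translations on the way back to the client.
add chain=srcnat out-interface=gre-tunnel1 dst-address=192.168.2.11 protocol=tcp dst-port=443 \
    action=src-nat to-addresses=10.10.10.1 \
    comment="hide the client behind A's tunnel address so B's replies return via the tunnel"

# ===== Option (b): keep the client IP; fix the return path on Router B =====
# Router A keeps only the dst-nat rule from option (a); nothing else changes on A.
# Assumed names on B: GRE = gre-tunnel1 (B side 10.10.10.2, A side 10.10.10.1), LAN = bridge.
/ip firewall mangle
# 1. Mark the connection on its first packet, which arrives from the tunnel (connection mark is
#    stored in the conntrack entry, so every later packet of the connection carries it).
add chain=prerouting in-interface=gre-tunnel1 dst-address=192.168.2.11 protocol=tcp dst-port=443 \
    connection-state=new action=mark-connection new-connection-mark=from-tunnel-A passthrough=yes
# 2. Route-mark only the server's replies: packets of a marked connection entering from the LAN.
#    Restricting to in-interface=bridge keeps the inbound request itself in the main table.
add chain=prerouting in-interface=bridge connection-mark=from-tunnel-A \
    action=mark-routing new-routing-mark=via-tunnel-A passthrough=no
/ip route
# 3. Dedicated table, named after the routing mark: its only route sends everything to A
#    through the tunnel instead of B's uplink.
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=via-tunnel-A \
    comment="replies to connections forwarded by Router A go back through the tunnel"
```

Checks a practitioner would make: on Router B the forward chain must accept new connections arriving on gre-tunnel1 towards 192.168.2.11 (a default-style "drop from WAN" rule is fine, since the tunnel is not the WAN interface), and /ip firewall connection print should show the connection with connection-mark=from-tunnel-A once a client connects. On RouterOS v7 the routing table has to exist before it can be used: create it with /routing table add name=via-tunnel-A fib and replace routing-mark= in the route with routing-table=via-tunnel-A; the mangle rules are unchanged. Also on v7 a lookup in that table does not fall back to the main table, which is why step 2 only route-marks the LAN-side replies. For the A-B-C chain from the later posts, option (b) has to be repeated on C (and on B, unless A and C get a direct tunnel), exactly as sindy describes.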
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding to a host behind VPN

Thu Apr 19, 2018 6:10 pm

Seems the forum badly needs an indicator that someone else is working on the same topic :-) I hope that at least @CZFan and @tippenring enjoy as well when @Sob and me write the same rather than "interfere" :-)
 
Experimentator
Frequent Visitor
Topic Author
Posts: 61
Joined: Sat Nov 24, 2012 9:12 pm

Re: Port forwarding to a host behind VPN

Thu Apr 19, 2018 6:17 pm

Thanks a lot to both of you! :)

I got the point with the srcnat and masquerading, and I have my setup working already!

Now, I'll take a timeout to understand the other option based on traffic marks! :)

Thanks again for all the help and support!!!

P.S. Yes, I do plan to set up a direct connection between Router A and Router C, if this whole thing proves to work as expected (network connectivity at Router C being the major concern, but it's surely out of scope of this thread).
 
iu2frl
just joined
Posts: 3
Joined: Wed Aug 03, 2022 9:38 pm

Re: Port forwarding to a host behind VPN

Fri Aug 05, 2022 12:42 pm

Hi, I'm having the same necessity but I can't figure out the solution, can you please explain what you did to solve?
 
oliverbedi
just joined
Posts: 22
Joined: Thu Aug 10, 2017 11:49 am

Re: Port forwarding to a host behind VPN

Tue Jan 31, 2023 3:11 pm

Hi everybody,

I see a solution to my problem here, but I'm not proficient enough to do it myself according to the solution.

I would like domain.com:3390 to be redirected to a device on the client's network and I can't figure it out.

Server:
domain.com:3390
Local 192.168.2.0/23
L2TP/IPSec: 10.251.251.1

1 out of 2 clients
Local 192.168.88.0/24
L2TP/IPSec: 10.251.251.2

So how to configure NAT more precisely so that it passes from the public address of the server to the device 192.168.88.2?

Well thank you.
