
DNAT Issues

Sun Jul 21, 2019 12:35 pm

Hi all, hoping someone can help alleviate my stupidity here!

I have RouterOS running as an OpenVPN server, and a Ubiquiti ERX as the OVPN client. The RouterOS box has various public IPs already loaded into the IP addresses against the interface in RouterOS.

I am aiming to achieve the remote site using one of these IPs as its internet IP, and effectively achieving a raw breakout.
I have created a source NAT rule (1) to originate all traffic from this particular OpenVPN client through the IP address xx.xx.xx.xx - this is working perfectly, traffic from the remote site arrives at internet with the IP selected.

I am then trying to achieve (with rule 0) for this IP address xx.xx.xx.xx to immediately hit the client firewall on any protocol/port from internet, rather than hitting the RouterOS box as it would by default. This is the part I am unable to get working.
The closest I've got is by adding a masquerade rule out to the openvpn client interface, this does work but obviously the client firewall sees everything as coming from the RouterOS box rather than its actual source IP. Can anyone offer any pointers as to how I might achieve this? NB: I have no firewall rules in place as this is a test environment, so there shouldn't be any rules on RouterOS preventing this.

NAT rules below:


[admin@dscore] /ip> firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses= dst-address=xx.xx.xx.xx log=yes log-prefix=""

1 chain=srcnat action=src-nat to-addresses=xx.xx.xx.xx src-address= out-interface-list=WAN log=no log-prefix=""

2 chain=srcnat action=masquerade out-interface-list=WAN

3 chain=srcnat action=masquerade src-address= out-interface-list=WAN log=no log-prefix=""
[admin@dscore] /ip>

Many thanks in advance for any help anyone can offer.
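For reference, an added RouterOS configuration (not the poster's own rules, and not a tested fix) showing the two NAT rules from the post with the blank fields filled in. It assumes the OpenVPN client's tunnel address is 10.8.0.6 (hypothetical) and that xx.xx.xx.xx is the public IP already assigned on the WAN side, as in the post:

```routeros
# Added example, not from the original post. Assumptions:
#   10.8.0.6     = tunnel address RouterOS handed to the ERX OpenVPN client (hypothetical)
#   xx.xx.xx.xx  = the public IP from the post, already present on the WAN interface
#   WAN          = interface list that contains the public-facing interface

/ip firewall nat

# Outbound: traffic from the tunnel client leaves the WAN with the dedicated public IP.
# This mirrors rule 1 in the post, with src-address filled in so only the client matches.
add chain=srcnat src-address=10.8.0.6 out-interface-list=WAN \
    action=src-nat to-addresses=xx.xx.xx.xx comment="client breakout via xx.xx.xx.xx"

# Inbound: every packet arriving for the public IP is rewritten to the tunnel address.
# to-addresses must be set; rule 0 in the post leaves it empty, so nothing is translated.
# No masquerade toward the tunnel is needed, so the client firewall sees the real source IP.
add chain=dstnat dst-address=xx.xx.xx.xx in-interface-list=WAN \
    action=dst-nat to-addresses=10.8.0.6 log=yes log-prefix="dnat-client"

# The general masquerade for the rest of the LAN stays; keep it below the src-nat rule
# so the dedicated-IP rule is matched first.
```

Because this dst-nat rule matches every protocol and port, the ERX's own firewall becomes the only control between the internet and that host, and the client must send its replies back through the tunnel (default route via the OpenVPN interface), otherwise the translated sessions break.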

