
Port forwarding to External OpenVPN Server

Posted: Thu May 28, 2020 7:06 am
by nevolex
Hi all.

I have an OpenVPN server (on a Raspberry Pi in my LAN).

It has an IP of 10.0.0.6 and port 33445.

Can somebody please advise how to do port forwarding to that port 33445 (UDP only)?

External port is also 33445 (I have a static public IP)


These are my current rules:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Can somebody please advise?

Thanks a lot.

Re: Port forwarding to External OpenVPN Server

Posted: Thu May 28, 2020 8:31 am
by nevolex
Would that rule work?

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445

Re: Port forwarding to External OpenVPN Server

Posted: Thu May 28, 2020 11:02 am
by sindy
> Would that rule work?
>
> /ip firewall nat
> add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445
Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed by another one in the same chain, and it is unable to shadow another one itself.

Just a remark, you only need to use to-addresses and/or to-ports if the address or port needs to be changed. So here, translation to the value found in to-ports will eat several CPU cycles in vain.

Re: Port forwarding to External OpenVPN Server

Posted: Thu May 28, 2020 11:34 am
by nevolex
> > Would that rule work?
> >
> > /ip firewall nat
> > add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445
>
> Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed by another one in the same chain, and it is unable to shadow another one itself.
>
> Just a remark, you only need to use to-addresses and/or to-ports if the address or port needs to be changed. So here, translation to the value found in to-ports will eat several CPU cycles in vain.

Ah, I see. What would be the most efficient rule for NAT in this case? My ports will never change.
Thank you

Re: Port forwarding to External OpenVPN Server  [SOLVED]

Posted: Thu May 28, 2020 11:41 am
by jvanhambelgium
> > > Would that rule work?
> > >
> > > /ip firewall nat
> > > add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445
> >
> > Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed by another one in the same chain, and it is unable to shadow another one itself.
> >
> > Just a remark, you only need to use to-addresses and/or to-ports if the address or port needs to be changed. So here, translation to the value found in to-ports will eat several CPU cycles in vain.
>
> Ah, I see. What would be the most efficient rule for NAT in this case? My ports will never change.
> Thank you
Then simply omit/remove the last "port" part I guess.

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6
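The accepted answer as a complete, checkable RouterOS snippet. This is an added example, not code posted by any participant in the thread; it assumes the values given above (interface list WAN, server 10.0.0.6, UDP 33445) and the comment text and rule order are assumptions chosen here. It also shows the two commands a defender would run afterwards to confirm the rule is hit and that the only inbound traffic reaching the Pi from the Internet is UDP 33445.

```routeros
# Added example, not from the thread. Assumes the thread's values:
# interface list "WAN", OpenVPN server 10.0.0.6, UDP port 33445.
# to-ports is omitted because the external and internal ports are the same.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=udp dst-port=33445 \
    in-interface-list=WAN to-addresses=10.0.0.6 \
    comment="openvpn: forward UDP 33445 to 10.0.0.6"

# No extra filter rule is needed: the default forward-chain rule
# "defconf: drop all from WAN not DSTNATed" (connection-nat-state=!dstnat)
# drops every other new connection arriving from WAN, so only connections
# matched by this dst-nat rule can reach the LAN from outside.

# Check 1: the rule's packet/byte counters should increase after an
# OpenVPN client connects from the Internet (counters stay at 0 if the
# rule is shadowed, the port is wrong, or the ISP filters the port).
/ip firewall nat print stats where comment~"openvpn"

# Check 2: list the live inbound connections translated by the rule;
# the only UDP entries ending in :33445 should come from this rule.
/ip firewall connection print where protocol=udp dst-address~":33445\$"
```

The `comment~"openvpn"` and `dst-address~":33445\$"` filters are regular-expression matches on the rule comment and the connection's original destination (address:port), so the checks only report entries that belong to this forwarding rule. If the counters in check 1 never move, look for an earlier dstnat rule that matches the same port before this one, which is the shadowing case sindy describes.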