 
tonkska
just joined
Topic Author
Posts: 4
Joined: Fri Jan 31, 2014 9:56 pm

Port forward through IPSEC tunnel

Tue Feb 04, 2014 5:36 pm

Hi!

We need to port forward a few services through an IPsec tunnel to a server on another site. How do we set this up? We already have a configured IPsec tunnel up and running.

Site A
WAN IP: 1.1.1.1
INT IP: 172.16.0.0/16
want to port forward port 80 to 172.17.10.10 in site B

Site B
WAN IP: 2.2.2.2
INT IP: 172.17.0.0/16
want to receive packets on port 80 through site A on 1.1.1.1

[Internet]->1.1.1.1:80 (WAN Site A) -> [IPSEC tunnel] -> 172.17.10.10:80 (LAN Site B)

how to configure this?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forward through IPSEC tunnel

Tue Feb 04, 2014 9:14 pm

It should probably work using two NAT rules. One standard port forward, dstnat 1.1.1.1:80 to 172.17.10.10:80. And then masquerading the source of forwarded packets to match IPSec policy, srcnat everything for 172.17.10.10:80 to 172.16.?.? (whatever address router has).
 
tonkska
just joined
Topic Author
Posts: 4
Joined: Fri Jan 31, 2014 9:56 pm

Re: Port forward through IPSEC tunnel

Tue Feb 04, 2014 10:09 pm

Thanks a lot! It works!
 
jurekk
just joined
Posts: 4
Joined: Thu Nov 22, 2007 11:43 am

Re: Port forward through IPSEC tunnel

Sun Feb 16, 2014 11:54 pm

Hi, I have the same problem. Can you please explain step by step how to create the second NAT rule?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forward through IPSEC tunnel

Mon Feb 17, 2014 10:40 pm

It's very simple. Using addresses from the original post, the client connects from x.x.x.x (its own address) to 1.1.1.1:80. The dstnat rule changes the destination to 172.17.10.10:80. But the source address remains x.x.x.x and because the tunnel is configured to only forward stuff between 172.16.0.0/16 and 172.17.0.0/16, it won't take a packet from x.x.x.x. So in addition to changing the destination, you also need to change the source:

ros code

/ip firewall nat
add chain=srcnat dst-address=172.17.10.10 protocol=tcp dst-port=80 \
    action=src-nat to-addresses=172.16.1.1

You'll end up with a packet from 172.16.1.1 to 172.17.10.10:80 and that can go through the tunnel just fine. The reply will come back through the tunnel and thanks to conntrack it will be correctly rewritten back to a packet from 1.1.1.1:80 to x.x.x.x and everything will work.

Even though it works, this solution is not completely correct, because it will catch and change source of all packets going to 172.17.10.10:80. So if for example you'd like to access 172.17.10.10:80 directly from 172.16.0.0/16 and want server to see individual addresses, instead of just 172.16.1.1, you'd have to exclude this traffic from that srcnat rule.
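A fuller version of the two-rule approach described in the post above, written as an added example for the site A router (it is not Sob's posted config). It uses the addresses from the original post and assumes, beyond what the thread states, that ether1 is the WAN interface, that the router's LAN address is 172.16.1.1 as in Sob's rule, that a tunnel-mode IPsec policy 172.16.0.0/16 <-> 172.17.0.0/16 already exists, and that the forward chain is the default RouterOS one. It includes the exclusion Sob mentions, so LAN clients keep their own source addresses, and keeps site-to-site traffic out of the masquerade rule.

```routeros
# Site A router. Assumed (not from the thread): WAN interface ether1 with
# 1.1.1.1, router LAN address 172.16.1.1, existing tunnel-mode IPsec policy
# with src-address=172.16.0.0/16 and dst-address=172.17.0.0/16.

/ip firewall nat
# Site-to-site traffic must leave with its real source to match the IPsec
# policy selectors, so accept it before the masquerade rule sees it.
add chain=srcnat src-address=172.16.0.0/16 dst-address=172.17.0.0/16 \
    action=accept comment="site-to-site: no NAT"

# Standard port forward for the published service.
add chain=dstnat in-interface=ether1 dst-address=1.1.1.1 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=172.17.10.10 to-ports=80 \
    comment="publish site B web server on 1.1.1.1:80"

# Rewrite the source of the forwarded Internet traffic only (src-address is
# negated) so the packet falls inside the policy's 172.16.0.0/16 selector.
# Local LAN clients still reach 172.17.10.10 with their own addresses.
add chain=srcnat src-address=!172.16.0.0/16 dst-address=172.17.10.10 \
    protocol=tcp dst-port=80 action=src-nat to-addresses=172.16.1.1 \
    comment="forwarded traffic into the tunnel"

# Ordinary Internet masquerade, last.
add chain=srcnat out-interface=ether1 action=masquerade

/ip firewall filter
# The default RouterOS firewall drops WAN traffic that was not DST-NATed;
# this rule must sit above that drop rule to let the forwarded flow through.
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    protocol=tcp dst-address=172.17.10.10 dst-port=80 action=accept \
    comment="allow forwarded web traffic"
```

Rule order inside the srcnat chain matters: the accept for site-to-site traffic and the src-nat for forwarded traffic both have to come before the masquerade rule, because the first matching terminating action wins. To check it, open a test connection from the Internet to 1.1.1.1:80 and watch `/ip firewall nat print stats`: the dstnat and the src-nat counters should rise together, `/ip firewall connection print` should show a 172.16.1.1 -> 172.17.10.10:80 entry, and `/ip ipsec installed-sa print` should show traffic on the tunnel SAs.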
 
nriedman
just joined
Posts: 22
Joined: Mon Feb 17, 2014 9:31 pm

Re: Port forward through IPSEC tunnel

Mon Feb 17, 2014 11:10 pm

Thank you... I have been racking my brain for days to set up special mangle rules to route certain traffic back through the tunnel.
 
strg
Member Candidate
Posts: 101
Joined: Sun Mar 07, 2010 4:01 am

Re: Port forward through IPSEC tunnel

Sun Jun 28, 2015 7:52 pm

Hello,
I have a similar situation: it works, but the speed is slow when using the external IP of site A to access port 80 on a server at site B.

The speed is max 5-6 Mbps, but if I do a speed test directly from site A to site B the speed is about 40 Mbps.
Also, speed from site A/B to the Internet is 100 Mbps download / 50 Mbps upload.
What could be the issue?
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Port forward through IPSEC tunnel

Sun Jun 28, 2015 8:46 pm

Which RBs are you using? Maybe they cannot cope with the encryption.
 
strg
Member Candidate
Posts: 101
Joined: Sun Mar 07, 2010 4:01 am

Re: Port forward through IPSEC tunnel

Sun Jun 28, 2015 9:23 pm

RB450G with RouterOS version 6.29.1
 
strg
Member Candidate
Posts: 101
Joined: Sun Mar 07, 2010 4:01 am

Re: Port forward through IPSEC tunnel

Thu Jul 02, 2015 10:40 am

Nobody? I read everything I could find...
I can't imagine why the speed is so slow when accessing the site B www server through the site A external IP. :-| :-?
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Port forward through IPSEC tunnel

Thu Jul 02, 2015 11:42 pm

Have you checked if the CPU goes to 100% when doing such a transfer? Do you have queues?
 
strg
Member Candidate
Posts: 101
Joined: Sun Mar 07, 2010 4:01 am

Re: Port forward through IPSEC tunnel

Fri Jul 03, 2015 8:30 am

Hmm,
I had one unlimited queue; once I disabled it, traffic got to 18 Mbps instead of 5, but it is not stable... oscillating a lot.
Processor is at about 50%.
Much better anyway :shock:
 
helipos
Member Candidate
Posts: 132
Joined: Sat Jun 25, 2016 11:32 am

Re: Port forward through IPSEC tunnel

Fri Apr 14, 2017 11:58 am

Ok, I'm trying to follow this guide but I'm struggling.
The attached file has the network diagram.

Currently I can access devices on the remote LAN, no worries. Trying to get a port from the Internet, however, is much tougher.

Here are the relevant parts of the firewall from the hAP ac:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Translation for Work Cisco SSH" dst-port=50003 in-interface=ether1 protocol=tcp to-addresses=192.168.6.1 to-ports=22
add action=src-nat chain=srcnat dst-address=192.168.6.1 dst-port=23 protocol=tcp to-addresses=192.168.1.200 to-ports=22

The first line is getting hits when I try to use it, so I suspect that is working.
The second line is getting no hits, so I suspect it's munted somehow. As for the source address to change to (underlined), I don't really know what to use here; do I use the bridge IP or what?

From the mAP lite the relevant firewall rules
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.6.0/24
add action=masquerade chain=srcnat out-interface=wlan1

Any help would be greatly appreciated.
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port forward through IPSEC tunnel

Fri Apr 14, 2017 2:02 pm

As always, I recommend using an IPIP or GRE tunnel over IPsec (enter the IPsec key in the interface definition)
instead of an IPsec tunnel. It will all work just like a normal ethernet link and standard recipes can be used
for port forwarding.
 
helipos
Member Candidate
Posts: 132
Joined: Sat Jun 25, 2016 11:32 am

Re: Port forward through IPSEC tunnel

Mon Apr 17, 2017 5:44 am

It will all work just like a normal ethernet link and standard recipes can be used
for port forwarding.

When you say work like Ethernet link you genuinely mean layer 2?
I think example config or a picture would help if you have one handy

Most of my remote connections have dynamic WAN IPs; can IPIP handle that?
I'll give it a crack at work today see what I can achieve
 
helipos
Member Candidate
Posts: 132
Joined: Sat Jun 25, 2016 11:32 am

Re: Port forward through IPSEC tunnel

Mon Apr 17, 2017 8:24 am

Well, I got it working; simple error, the dst-nat was receiving from the wrong destination port.

Here is the config, well, the relevant sections. A (section) in brackets is a change for obvious reasons.
Remote site with dynamic IP.

/ip pool
add name=Cisco_Lab_DHCP_Pool ranges=192.168.6.100-192.168.6.200
/ip dhcp-server
add address-pool=Cisco_Lab_DHCP_Pool disabled=no interface=bridge-vlan60 name=Cisco_Lab_DHCP
/interface bridge port
add bridge=bridge-vlan60 interface=ether1
/ip address
add address=192.168.6.254/24 interface=bridge-vlan60 network=192.168.6.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=wlan1
/ip dhcp-server network
add address=192.168.6.0/24 gateway=192.168.6.254
/ip firewall filter
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=192.168.6.0/24
add action=accept chain=forward dst-address=192.168.6.0/24 src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.6.254 src-address=192.168.6.1
add action=accept chain=forward disabled=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.6.0/24
add action=masquerade chain=srcnat out-interface=wlan1
/ip ipsec peer
add address=(static IP target at home)/32 enc-algorithm=aes-256 hash-algorithm=sha512 nat-traversal=no secret="(password)"
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=(static IP target at home) sa-src-address=0.0.0.0 src-address=192.168.6.0/24 tunnel=yes
/system identity
set name=Cisco_Lab
/system scheduler
add interval=1m name="1min Ping" on-event=(name) policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/31/2016 start-time=07:58:13
/system script
# The script only runs ping, which needs the read and test policies; the broad policy list below is what the export produced.
add name=(name) owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":put [ping 192.168.1.254 src-address=192.168.6.254 count=2]"



Home address with static IP

/ip address
add address=192.168.1.254/24 interface=bridge2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.254 netmask=24
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.6.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.4.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Port Translation for Work Cisco SSH" dst-port=(an external port) in-interface=ether1 protocol=tcp to-addresses=192.168.6.1 to-ports=22
add action=src-nat chain=srcnat dst-address=192.168.6.1 dst-port=22 protocol=tcp to-addresses=192.168.1.254 to-ports=22
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha512 local-address=(my local WAN IP static) nat-traversal=no secret="(password)"
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Port forward through IPSEC tunnel

Mon Apr 17, 2017 11:10 am

It will all work just like a normal ethernet link and standard recipes can be used
for port forwarding.

When you say work like Ethernet link you genuinely mean layer 2?
I think example config or a picture would help if you have one handy

Most of my remote connections have dynamic WAN IP's can IPIP handle that?
I'll give it a crack at work today see what I can achieve
No it is not L2, that would be an EoIP tunnel. But it can be configured with IP like you would configure a normal
ethernet link, i.e. with IP addresses, and firewall rules.
Dynamic address would be no problem I think, I have no experience with that.
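The route-based alternative pe1chl recommends in the two posts above, as an added example that is not taken from any post in the thread: a GRE tunnel with the IPsec key entered in the interface definition, plus the standard port forward. It uses the addresses from the original post and assumes, beyond what the thread states, that both sites have static WAN addresses (1.1.1.1 and 2.2.2.2), that ether1 is the WAN interface on both routers, and that the transfer network 10.255.0.0/30 and the pre-shared key are placeholders. The forwarded traffic still has its source rewritten, here to the tunnel address, so that the server's replies are routed back into the tunnel instead of leaving through site B's default route.

```routeros
# ---- Site A (WAN 1.1.1.1, LAN 172.16.0.0/16) ----
/interface gre
# ipsec-secret makes RouterOS create the IPsec peer and the transport-mode
# policy for the GRE packets itself; nothing is configured under /ip ipsec.
# Placeholder key: replace with a long random secret.
add name=gre-siteB local-address=1.1.1.1 remote-address=2.2.2.2 \
    ipsec-secret="CHANGE-ME-long-random-psk" keepalive=10s,10 clamp-tcp-mss=yes

/ip address
add address=10.255.0.1/30 interface=gre-siteB comment="tunnel transfer net (placeholder)"

/ip route
add dst-address=172.17.0.0/16 gateway=10.255.0.2 comment="site B LAN via tunnel"

/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=1.1.1.1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=172.17.10.10 to-ports=80 \
    comment="publish site B web server on 1.1.1.1:80"
# Anything entering the tunnel from a non-LAN source (i.e. forwarded Internet
# traffic) gets the tunnel address as source, so site B's connected route
# carries the replies back through gre-siteA. LAN clients are left alone.
add chain=srcnat src-address=!172.16.0.0/16 out-interface=gre-siteB \
    action=src-nat to-addresses=10.255.0.1 comment="forwarded traffic: reply via tunnel"
add chain=srcnat out-interface=ether1 action=masquerade

# ---- Site B (WAN 2.2.2.2, LAN 172.17.0.0/16) ----
/interface gre
add name=gre-siteA local-address=2.2.2.2 remote-address=1.1.1.1 \
    ipsec-secret="CHANGE-ME-long-random-psk" keepalive=10s,10 clamp-tcp-mss=yes

/ip address
add address=10.255.0.2/30 interface=gre-siteA

/ip route
add dst-address=172.16.0.0/16 gateway=10.255.0.1 comment="site A LAN via tunnel"

/ip firewall nat
# No NAT toward the tunnel: 172.16.0.0/16 and 10.255.0.0/30 are reached directly.
add chain=srcnat out-interface=ether1 action=masquerade
```

Because the tunnel is an ordinary interface, no IPsec policy selectors have to be satisfied: the port forward is the plain dst-nat rule, and the only extra is the src-nat toward the tunnel address, which exists purely for the return path. With the default RouterOS firewall, the forwarded flow is already allowed by the "accept established/related" and "drop all from WAN not DSTNATed" logic. To verify, `/interface gre print` should show the interface running, `/ip ipsec installed-sa print` should list the two transport-mode SAs created from the secret, a ping from site A to 10.255.0.2 should succeed, and a test connection to 1.1.1.1:80 should raise the dst-nat and src-nat counters together in `/ip firewall nat print stats`.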
