HermanS
just joined
Topic Author
Posts: 4
Joined: Thu Oct 31, 2024 7:37 pm

Configured remote access via VPS does not work for some things

Thu Oct 31, 2024 7:47 pm

Hi.
I have a rather non-standard question that I can't find an answer to, so I decided to write it here.
I will describe the connection scheme that I have and describe the problem that I cannot solve, I do not have enough experience.
All IP addresses used in this example are fictitious.

1.VPS
160.50.40.150 - public ip
↓↓↓
2.Docker Engine
172.10.0.1 - local ip
↓↓↓
3.Container VPN
172.10.0.2 - container local ip
12.10.0.2 - tunnel ip from VPN
↓↓↓
GLOBAL NETWORK
↓↓↓
4.Connected devices to VPN network:
SSH server(pc) 12.10.0.3
MikroTik 12.10.0.4

How I implement access to the end device (example: the SSH server).
FIRST: On 1.VPS i write iptables rule: iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 172.10.0.2:22
SECOND: On 3.Container VPN i write iptables rule: iptables -t nat -A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 12.10.0.3:22

This way I can connect to the public 160.50.40.150:22 VPS address and get directly to the SSH server 12.10.0.3:22

These rules work flawlessly and I can access any device in the VPN network every time by accessing the public address of the VPS.
This is convenient because I can't install a VPN client everywhere, but I need access.

And my unsolved problem: I can't access the MikroTik in the same way.
These are the rules I write:
1.VPS i write iptables rule: iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 172.10.0.2:80
3.Container VPN i write iptables rule: iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 12.10.0.4:80
And I still can't access the router via the public VPS address 160.50.40.150:8080.
I performed a series of checks and realized that there is already no access at the stage from 172.10.0.1 to 12.10.0.4, but I can't understand why, because all the rules are allowed and there are no blocks anywhere. If I change the final address to the SSH server address, everything works; if I change the final address back to the MikroTik, there is no access again.
To check, I connected to the VPN network myself and was able to open the MikroTik web interface at 12.10.0.4:80 directly from the browser without any problems.
There is no access via the public VPS address.
WireGuard VPN works fine on the MikroTik itself; here is an example of the configuration that I imported into it:
[Interface]
Address = 12.10.0.4/32
PrivateKey = privkey

[Peer]
PublicKey = pubkey
AllowedIPs = 0.0.0.0/0
Endpoint = 160.50.40.150:51820
PersistentKeepalive = 15


I use this method of accessing any home and other resources for many things and it is always successful.

but I feel that there is still something I don't know about Mikrotik...
I hope I managed to explain the situation.
 
HermanS
just joined
Topic Author
Posts: 4
Joined: Thu Oct 31, 2024 7:37 pm

Re: Configured remote access via VPS does not work for some things

Thu Nov 07, 2024 9:43 am

Does anyone have any ideas on how to solve this situation ?
At the moment I still haven't managed to solve this problem.
 
sindy
Forum Guru
Posts: 11048
Joined: Mon Dec 04, 2017 9:19 pm

Re: Configured remote access via VPS does not work for some things

Thu Nov 07, 2024 8:51 pm

but I feel that there is still something I don't know about Mikrotik...
You're not alone - we also do not know enough about your MikroTik, as you forgot to post an anonymized export of its configuration. Also, if the iptables rules you have shown are the only ones, the initial packet from x.x.x.x:X to 160.50.40.150:8080 gets dst-nated all the way to 12.10.0.4:80, but its source address remains x.x.x.x:X, so the MikroTik sends its response to x.x.x.x:X using its main routing table, i.e. via its regular WAN rather than via the WireGuard tunnel. So x.x.x.x:X receives the response from wan.ip.of.mikrotik:80 and therefore ignores it, as it expects it to come from 160.50.40.150:8080.
 
HermanS
just joined
Topic Author
Posts: 4
Joined: Thu Oct 31, 2024 7:37 pm

Re: Configured remote access via VPS does not work for some things

Thu Nov 07, 2024 9:33 pm

we also do not know enough about your Mikrotik...
Hi.
Sorry, I'm just starting to figure this out.
This is what the /export command gave me:
conf.txt
Some data has been hidden for the sake of anonymity.
 
sindy
Forum Guru
Posts: 11048
Joined: Mon Dec 04, 2017 9:19 pm

Re: Configured remote access via VPS does not work for some things  [SOLVED]

Thu Nov 07, 2024 10:45 pm

As I have assumed, there is no policy routing on your Mikrotik, so what I've described before is the most likely reason why it doesn't work. If it is the case, you can fix that multiple ways:
  • using a -j SNAT --to-source=12.10.0.2 rule at the right place on the Linux box. This way is the simplest one if you don't mind that the Mikrotik will see all clients as connecting from 12.10.0.2.
  • using the following commands to augment your Mikrotik configuration to implement the bare minimum of policy routing that is sufficient to resolve your issue:
    /routing/table/add name=via-wg fib
    /ip/route/add routing-table=via-wg gateway=wg1
    /routing/rule/add src-address=12.10.0.0/24 action=lookup-only-in-table table=via-wg
  • by implementing an advanced policy routing setup that covers "all the cases in life" as described in this post (start reading it from the last paragraph which links it to your context).
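The asymmetric-return problem described above (DNAT on the VPS and in the container, reply leaving the MikroTik via its WAN) and the two fixes sindy lists (SNAT in the container, or a source-based routing rule on the MikroTik) can be traced step by step. The following Python model is an added example and is not code from the thread or from MikroTik; it models conntrack un-NAT on the two Linux boxes and the MikroTik's route choice as plain functions. The MikroTik WAN address 203.0.113.9, the client address 198.51.100.7, the interface names ether1/wg1, and the assumption that the MikroTik's main table reaches 12.10.0.0/24 via wg1 and masquerades everything else out of its WAN are assumptions, not facts from the thread.

```python
"""Trace the double-DNAT path from the thread and see which reply the client accepts."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Pkt(self.dst, self.dport, self.src, self.sport)


# Addresses from the thread (fictitious) plus two assumed ones for the model.
VPS_PUBLIC = "160.50.40.150"
CONTAINER_IP, CONTAINER_TUN = "172.10.0.2", "12.10.0.2"
MIKROTIK_TUN, TUNNEL_NET = "12.10.0.4", ip_network("12.10.0.0/24")
MIKROTIK_WAN = "203.0.113.9"   # assumed: the MikroTik's own public address
CLIENT = "198.51.100.7"        # assumed: a remote admin reaching the VPS


def in_net(addr, net):
    return ip_address(addr) in net


class NatBox:
    """A Linux box with one nat PREROUTING DNAT rule, an optional POSTROUTING SNAT,
    and a conntrack table that un-NATs replies of tracked connections."""

    def __init__(self, dnat, snat_to=None):
        self.dnat = dnat          # ((match dst, match port), (new dst, new port))
        self.snat_to = snat_to    # -j SNAT --to-source <ip>, or None
        self.ct = {}              # expected reply tuple -> original request tuple

    def forward(self, p):
        match, (ndst, ndport) = self.dnat
        if (p.dst, p.dport) != match:
            return p
        out = replace(p, dst=ndst, dport=ndport)
        if self.snat_to:
            out = replace(out, src=self.snat_to)
        self.ct[out.reverse()] = p    # conntrack remembers how to undo the NAT
        return out

    def reply(self, r):
        orig = self.ct.get(r)
        return orig.reverse() if orig else None   # None: reply does not match a tracked flow


class MikroTik:
    """Route choice for the www reply, with or without the routing rule from the thread."""

    def __init__(self, policy_routing):
        self.policy_routing = policy_routing

    def serve(self, req):
        r = req.reverse()   # reply: 12.10.0.4:80 -> requester
        # /routing/rule src-address=12.10.0.0/24 action=lookup-only-in-table table=via-wg
        if self.policy_routing and in_net(r.src, TUNNEL_NET):
            return "wg1", r
        # main table (assumed): 12.10.0.0/24 via wg1, default route via ether1 with masquerade
        if in_net(r.dst, TUNNEL_NET):
            return "wg1", r
        return "ether1", replace(r, src=MIKROTIK_WAN)


def simulate(snat_on_container, policy_routing_on_mikrotik):
    """Return (MikroTik egress interface, whether the client accepts the reply)."""
    vps = NatBox(((VPS_PUBLIC, 8080), (CONTAINER_IP, 80)))
    ctr = NatBox(((CONTAINER_IP, 80), (MIKROTIK_TUN, 80)),
                 snat_to=CONTAINER_TUN if snat_on_container else None)
    router = MikroTik(policy_routing_on_mikrotik)

    req = Pkt(CLIENT, 40000, VPS_PUBLIC, 8080)
    expected = req.reverse()                 # the client socket only accepts 160.50.40.150:8080 -> client
    iface, r = router.serve(ctr.forward(vps.forward(req)))
    if iface == "wg1":                       # back through the tunnel: both boxes un-NAT the reply
        r = vps.reply(ctr.reply(r))
    return iface, r == expected


if __name__ == "__main__":
    for snat, pbr in [(False, False), (True, False), (False, True)]:
        iface, ok = simulate(snat, pbr)
        print(f"SNAT={snat!s:5} policy-routing={pbr!s:5} -> reply via {iface}, client accepts: {ok}")
```

The first run reproduces the symptom: the request reaches 12.10.0.4:80 with the client's own source address, so the reply leaves via ether1 carrying the MikroTik WAN address and the client discards it. SNAT makes the reply's destination 12.10.0.2, which the main table already sends into wg1, at the cost of the MikroTik logging every visitor as 12.10.0.2; the routing rule keeps the real client address and instead forces anything sourced from 12.10.0.0/24 back into the tunnel.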
 
HermanS
just joined
Topic Author
Posts: 4
Joined: Thu Oct 31, 2024 7:37 pm

Re: Configured remote access via VPS does not work for some things

Sat Nov 09, 2024 12:38 pm

As I have assumed, there is no policy routing on your Mikrotik, so what I've described before is the most likely reason why it doesn't work. If it is the case, you can fix that multiple ways:
  • using the following commands to augment your Mikrotik configuration to implement the bare minimum of policy routing that is sufficient to resolve your issue:
    /routing/table/add name=via-wg fib
    /ip/route/add routing-table=via-wg gateway=wg1
    /routing/rule/add src-address=12.10.0.0/24 action=lookup-only-in-table table=via-wg
Thank you!
I used the method for Mikrotik.
Now I understand why it didn't work before, using your example I was able to understand it better, now I know more)
