acmax
just joined
Topic Author
Posts: 1
Joined: Mon Jan 17, 2022 4:21 pm

Route incoming VPN traffic back via VPN

Mon Jan 17, 2022 4:53 pm

Hey guys,

one of our customers asked for a double-NAT port forwarding to reach a specific device over a VPN. Please don't ask why we're using double NAT; I don't like the whole idea either, but he would like it that way.

Network diagram should look like this:
Client (public) ---> OPNsense OpenVPN server ---> Mikrotik OpenVPN client ---> Server that needs to be accessed
xxx.yyy.zzz.aaa (dynamic v4) ---> static public ip:3200 ---> vpn ip:8000 ---> local ip:8000

I just set up both port forwarding rules, in the OPNsense VPN server and in the MikroTik. When enabling logging for the NAT rule on the MikroTik I can see the incoming packets from the client as well:
dstnat in:ovpn1 out:(unknown 0), proto TCP (SYN). xxx.yyy.zzz.aaa:dynport->local ip:8000, len 52.

My issue is that unless I set up a manual route:
xxx.yyy.zzz.aaa/32 via VPNserver gateway
I am unable to access the web UI behind port 8000. This makes sense, since the default route is 0.0.0.0/0 over its local eth1 gateway.
Even ticking "Add Default Route" in the OpenVPN interface settings, which creates a 0.0.0.0/0 route via the VPNserver gateway, won't help.

So I just need everything that came in via the VPN to be routed back out via the VPN. I think marking packets is the right way here, but so far I haven't had any luck with it.

Thanks!
 
Sob
Forum Guru
Posts: 8214
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route incoming VPN traffic back via VPN

Tue Jan 18, 2022 7:12 pm

Marking connections is the right way. First create a new routing table with a default route in it pointing to the VPN, then mark new connections coming from the VPN, and finally mark routing for responses belonging to marked connections, to make them use the new routing table.
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
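The three steps above written out as a RouterOS v7 configuration, as an added example that is not from this thread. It assumes the OpenVPN client interface is named ovpn1 (as in the OP's log line); the table name via-vpn, the mark names and the 192.168.88.10 server address are constructed for the example.

```routeros
# Added example (not from this thread). Assumptions: the VPN client
# interface is ovpn1 (from the OP's log line); "via-vpn", "from-vpn" and
# the forwarded server 192.168.88.10:8000 are made up for illustration.

# 1. A separate routing table whose only default route points into the tunnel.
/routing table add name=via-vpn fib
/ip route add dst-address=0.0.0.0/0 gateway=ovpn1 routing-table=via-vpn comment="replies to VPN clients"

# 2. Tag every NEW connection that arrives through the tunnel (the dst-nat'd
#    SYN from the client). This runs before dst-nat, so it sees the original packet.
/ip firewall mangle add chain=prerouting in-interface=ovpn1 connection-state=new action=mark-connection new-connection-mark=from-vpn passthrough=yes comment="tag VPN-originated connections"

# 3. Reply packets of tagged connections come back from the LAN side (not from
#    ovpn1). Give them the routing mark so they are looked up in via-vpn, not main.
/ip firewall mangle add chain=prerouting in-interface=!ovpn1 connection-mark=from-vpn action=mark-routing new-routing-mark=via-vpn passthrough=no comment="route VPN replies via tunnel"

# Only needed if the router itself is the dst-nat target (e.g. its own WebFig):
# locally generated replies pass through the output chain, not prerouting.
/ip firewall mangle add chain=output connection-mark=from-vpn action=mark-routing new-routing-mark=via-vpn passthrough=no comment="router's own replies via tunnel"

# Checks: the tracked connection should carry the mark, the route should be
# active in the extra table, and the mangle counters should increase on each test.
/ip firewall connection print where connection-mark=from-vpn
/ip route print where routing-table=via-vpn
/ip firewall mangle print stats
```

Connections initiated from the LAN are never tagged, so they keep using the main table and the eth1 default route; only traffic that entered through ovpn1 is forced back through it.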
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Route incoming VPN traffic back via VPN

Tue Jan 18, 2022 7:46 pm

Something like this, plus a connection mark and packet mark:

# the via-wg table must exist before a route can reference it (RouterOS v7)
/routing table add name=via-wg fib
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=WG pref-src="" routing-table=via-wg suppress-hw-offload=no
# keep LAN-to-LAN traffic in main, send everything else from the LAN through the tunnel
/routing rule add action=lookup-only-in-table disabled=no dst-address=10.10.12.0/24 src-address=10.10.12.0/24 table=main
/routing rule add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 src-address=10.10.12.0/24 table=via-wg

You are right, I am wrong
You are wise, I am dumb
You are wrong, you are dumb
Don't worry, it's all right to be dumb
 
Sob
Forum Guru
Posts: 8214
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route incoming VPN traffic back via VPN

Tue Jan 18, 2022 8:04 pm

That's a static config for when selected devices always use the VPN as gateway. If that's the case, it's a good solution.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Route incoming VPN traffic back via VPN

Tue Jan 18, 2022 8:26 pm

So when the MT is the OVPN client and these rules are for routing inside the MT itself, then it should be static. The client using the VPN route can be defined in the marking with "!IP-list". Is my assumption correct?
 
Sob
Forum Guru
Posts: 8214
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route incoming VPN traffic back via VPN

Tue Jan 18, 2022 8:31 pm

It depends. If the server should be accessed only using the VPN, and its own outgoing connections should also use the VPN, then yes. Otherwise no.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Route incoming VPN traffic back via VPN

Tue Jan 18, 2022 8:35 pm

It depends. If the server should be accessed only using the VPN, and its own outgoing connections should also use the VPN, then yes. Otherwise no.
What do you mean by the server? The MT, or the service on the other side of the DST NAT?
 
Sob
Forum Guru
Posts: 8214
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route incoming VPN traffic back via VPN

Tue Jan 18, 2022 8:47 pm

The device behind MT VPN client, OP's "Server that needs to be accessed".
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Route incoming VPN traffic back via VPN

Tue Jan 18, 2022 8:55 pm

I see, thank you for explaining.
