One of our customers asked for a double-NAT port forwarding to reach a specific device over a VPN. Please don't ask questions about why using a double-NAT, I don't like the whole idea either, but he would like it that way.
Network diagram should look like this:
Client (public) ---> OPNsense OpenVPN server ---> Mikrotik OpenVPN client ---> Server that needs to be accessed
xxx.yyy.zzz.aaa (dynamic v4) ---> static public ip:3200 ---> vpn ip:8000 ---> local ip:8000
I just set up both port forwarding rules, on the OPNsense VPN server and on the Mikrotik; when enabling logging for the NAT rule on the MikroTik I can see incoming packets from the client as well:
dstnat in:ovpn1 out:(unknown 0), proto TCP (SYN). xxx.yyy.zzz.aaa:dynport->local ip:8000, len 52.
My issue is that unless I set up a manual route:
xxx.yyy.zzz.aaa/32 via VPNserver gateway
I am unable to access the web UI behind 8000. This makes sense, since the default route is 0.0.0.0/0 over its local eth1 gateway.
Even ticking "Add Default Route" in the OpenVPN interface settings won't help, which creates a 0.0.0.0/0 route via the VPNserver gateway.
So what I just need is that everything that came in via the VPN has to be routed back via the VPN. I think marking packets is the right way here, but so far I haven't had any luck with it.
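For reference, the packet-marking approach described in the post written out as a RouterOS v6 configuration. This is an added example and not configuration from the original post or from MikroTik; the interface name ovpn1 and port 8000 are taken from the post, the connection mark from-vpn, the routing mark via-vpn and the VPN_SERVER_GATEWAY placeholder are assumptions. The point of the two mangle rules is to avoid asymmetric routing: without them the replies of a dst-nat'd connection would leave through the eth1 default gateway carrying the tunnel address as source, where they are dropped at best.

```routeros
# Added example, not from the original post. RouterOS v6 syntax.
# Goal: every connection that arrives over the OpenVPN client interface (ovpn1)
# is answered back through the tunnel instead of the eth1 default gateway.

# 1. Tag new connections that entered through the tunnel.
#    Matching only connection-state=new keeps the rule cheap; the mark sticks
#    to the whole connection in the connection tracker.
/ip firewall mangle
add chain=prerouting in-interface=ovpn1 connection-state=new \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes \
    comment="tag connections that arrived over the VPN"

# 2. Reply packets of those connections come back from the LAN side
#    (in-interface=!ovpn1) and are steered into a separate routing table.
#    Excluding ovpn1 avoids re-marking the inbound leg of the connection.
add chain=prerouting in-interface=!ovpn1 connection-mark=from-vpn \
    action=mark-routing new-routing-mark=via-vpn passthrough=no \
    comment="route replies of VPN connections through the tunnel"

# 3. Same treatment for replies generated by the router itself
#    (for example its own WebFig/API), which never pass prerouting.
add chain=output connection-mark=from-vpn \
    action=mark-routing new-routing-mark=via-vpn passthrough=no \
    comment="router-originated replies to VPN connections"

# 4. Default route that only applies to packets carrying the via-vpn mark.
#    VPN_SERVER_GATEWAY is a placeholder: use the tunnel's remote address,
#    or the interface name ovpn1 for a point-to-point tunnel.
/ip route
add dst-address=0.0.0.0/0 gateway=VPN_SERVER_GATEWAY routing-mark=via-vpn \
    comment="return path for traffic that came in over the VPN"
```

To check that it works, open the forwarded port from the VPN side and watch the counters with `/ip firewall mangle print stats` and `/ip firewall connection print where connection-mark=from-vpn`; both marking rules should count packets and the connection should show the mark. On RouterOS v7 the routing table must be declared first with `/routing table add name=via-vpn fib`, and the route uses `routing-table=via-vpn` instead of `routing-mark=`.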