EmmyK

Port forwarding to Mikrotik VPN Client not working

Thu Jun 09, 2022 2:22 pm

Please, I honestly need help.
We have our web application hosted on a VPServer with a public IP of 216.xx.xx.yy, and a NATted private network (192.168.10.0/24) behind a CRS-125-24G Mikrotik router with a public IP of 41.xx.xx.xx.
What I want to achieve is to make the Mikrotik router a gateway, such that when our web application is accessed both from the local network (192.168.10.0/24) and from the internet (via 41.xx.xx.xx on port 29000), we reach the VPServer on port 29000.

So I set up the OpenVPN server on the Mikrotik and assigned 192.168.100.254 to the VPN client (VPServer), which is connecting fine.
I also port forwarded 41.xx.xx.xx on 29000 to 192.168.100.254 on 29000.

Achievement:
1. From the NATted private network (192.168.10.0/24) we can access the web application using both the Mikrotik public IP (41.xx.xx.xx on 29000) and the VPN client IP (192.168.100.254:29000).
2. The VPServer can access the web page on its VPN IP (192.168.100.254:29000).

But my challenges now are:
1. We can't access the web application on the VPServer from the internet via 41.xx.xx.xx on 29000.
2. The VPServer can't access the web application using 41.xx.xx.xx on 29000.

My configuration file:
# jun/09/2022 12:06:29 by RouterOS 6.49.6
# software id = RG1P-CSDJ
#
# model = CRS125-24G-1S
# serial number = 944F07442FC9
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN rx-flow-control=auto \
tx-flow-control=auto
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.10.10-192.168.10.100
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 lease-time=23h \
name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1_WAN list=WAN
add interface=ether11 list=LAN
add list=LAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
require-client-certificate=yes
/ip address
add address=192.168.10.200/24 interface=bridge1 network=192.168.10.0
add address=41.xx.xx.xx interface=ether1_WAN network=41.xx.xx.xx
/ip arp
add address=192.168.10.254 disabled=yes published=yes
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.21,8.8.8.8 gateway=\
192.168.10.200 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop all not coming from LAN" disabled=\
yes in-interface-list=!LAN
# Note: in-interface=all-ppp only matches packets that already arrive through a
# PPP/OVPN tunnel; the OpenVPN handshake to TCP/1194 arrives on ether1_WAN, so this
# rule never admits it (the accept-all-TCP rule further down does).
add action=accept chain=input dst-port=1194 in-interface=all-ppp log=yes \
log-prefix=ovpn protocol=tcp
add action=drop chain=input comment="Drop invalid connection" \
connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow IPSec UDP" protocol=udp \
src-port=1701,500,4500
add action=accept chain=input comment="Allow IPSec" protocol=ipsec-esp
# Note: accepts every TCP connection to the router itself from any interface,
# including the WAN (the log-prefix says ICMP, but the match is protocol=tcp).
add action=accept chain=input log-prefix=WAN_icmp protocol=tcp
add action=accept chain=input comment=\
"Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"Accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
disabled=yes
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
disabled=yes
/ip firewall nat
# Publishes TCP/29000 on the WAN address and redirects it to the OpenVPN client.
add action=dst-nat chain=dstnat comment="Port for Connection" \
dst-address=41.xx.xx.xx dst-port=29000 log=yes log-prefix=29000 \
protocol=tcp to-addresses=192.168.100.254 to-ports=29000
# Hairpin NAT for LAN-to-LAN connections (does not match connections that were
# dst-natted to 192.168.100.254).
add action=masquerade chain=srcnat dst-address=192.168.10.0/24 src-address=\
192.168.10.0/24
# Default masquerade for everything leaving through the WAN.
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=41.xx.xx.xx
/ppp secret
# OpenVPN account for VPServer: the router's tunnel address is 192.168.100.1,
# the client gets 192.168.100.254.
add local-address=192.168.100.1 name=VPServer remote-address=192.168.100.254 \
service=ovpn

Thanks in advance
 
EmmyK

Re: Port forwarding to Mikrotik VPN Client not working

Thu Jun 09, 2022 5:24 pm

Please, can someone try to help me out on the above question?
 
Sob

Re: Port forwarding to Mikrotik VPN Client not working  [SOLVED]

Sat Jun 11, 2022 2:32 am

1) If the application doesn't care about original source addresses, the simple fix is:
/ip firewall nat
add chain=srcnat dst-address=192.168.100.254 protocol=tcp dst-port=29000 action=masquerade
Now the problem is that dstnat works, but if the client is e.g. 1.2.3.4 connecting to 41.xx.xx.xx, the server sees source 1.2.3.4, so it tries to respond to it directly using its main connection, but it doesn't work, because the client expects the response from 41.xx.xx.xx. With this rule, the application will see 192.168.100.1 as source, will send the response back to the VPN server, and connection tracking will take care of the rest.

If the application does need to see original source addresses, this router can't help you, it would have to be handled on VPServer.

2) VPN server is this router and 41.xx.xx.xx is its own address, right? It won't work with RouterOS v6, unless you'd use really ugly config (in fact, even worse when it's local address). But do you really need router itself connecting to the application?

Edit: Scratch 2), I misread it. If it's from VPServer, then 1) fixes that too.
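The complete NAT section for the setup in the first post, as it looks once Sob's fix is applied, as an added example that is not part of the thread and not code posted by either participant. Addresses, ports and the WAN interface list are taken from the posted config; the rule comments, the rule order and the final check command are assumptions added here.

```routeros
# Added example, not from the original thread. Assumes the addresses and
# interface list from the posted config (41.xx.xx.xx on ether1_WAN,
# VPServer at 192.168.100.254, router tunnel address 192.168.100.1).
/ip firewall nat

# 1. Publish the application: TCP/29000 on the WAN address is redirected to
#    the OpenVPN client (VPServer). This part already worked for LAN hosts.
add chain=dstnat action=dst-nat comment="Publish app on 41.xx.xx.xx:29000" \
    dst-address=41.xx.xx.xx protocol=tcp dst-port=29000 \
    to-addresses=192.168.100.254 to-ports=29000

# 2. The fix from the thread: rewrite the source of every connection that was
#    dst-natted to VPServer. The application then sees 192.168.100.1 and sends
#    its replies back through the tunnel, where connection tracking un-NATs
#    them. Without this rule an Internet client such as 1.2.3.4 keeps its
#    address, VPServer answers it over its own uplink (216.xx.xx.yy), and the
#    client discards a reply that did not come from 41.xx.xx.xx. The same rule
#    covers VPServer itself connecting to 41.xx.xx.xx:29000.
add chain=srcnat action=masquerade comment="Return path for DNAT to VPServer" \
    dst-address=192.168.100.254 protocol=tcp dst-port=29000

# 3. Existing hairpin rule for LAN-to-LAN forwards, kept from the posted
#    config; it does not match the flows above because their destination is
#    192.168.100.254 after dst-nat, not a LAN address.
add chain=srcnat action=masquerade comment="Hairpin NAT for LAN" \
    src-address=192.168.10.0/24 dst-address=192.168.10.0/24

# 4. Ordinary Internet access for the LAN, kept from the posted config.
add chain=srcnat action=masquerade comment="Default WAN masquerade" \
    out-interface-list=WAN

# Check (assumed usage): while a client is connected, the tracked connection
# shows the rewritten addresses on the reply side, i.e. reply-src-address is
# 192.168.100.254 and reply-dst-address is 192.168.100.1, not the client.
/ip firewall connection print detail where protocol=tcp dst-address~"29000"
```

The price of rule 2 is the one Sob names: the application only ever sees 192.168.100.1 as the client address, so anything that logs, rate-limits or allow-lists by source IP has to be handled on VPServer itself, because at layer 4 the router has no other way to deliver the reply back through the tunnel.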
 
EmmyK

Re: Port forwarding to Mikrotik VPN Client not working

Sun Jun 12, 2022 12:25 pm

Thanks Sob for your solution 1.
Solution 1 was what I used and it solved the problem.

Thanks so much
