zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Port forwarding for VPN client does not work

Thu Jul 07, 2022 12:59 am

Hi guys

I want to access IP cameras behind an LTE modem which can't have a static IP. So I made a VPDN client connection from it to my home router, which has a static IP, in the hope I could port forward from my home to this LTE router.

Source IP and Destination IP can ping each other, but the forwarding process ends up with this error at my home router:

dstnat: in:WAN out:(unknown 0), src-mac <MAC>, proto TCP (SYN), 198.199.98.246:54060-><my home router ip>:9998, len 60

LTE network is 192.168.10.10
HOME network is 192.168.20.10

I have not connected any IP cameras at 192.168.10.10 yet, but anyway, can I reach an LTE service port like 8080 from the Home WAN?

Home WAN -> 192.168.10.10:8080?

thanks
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding for VPN client does not work

Thu Jul 07, 2022 1:24 am

Not too difficult to create a WireGuard VPN tunnel so as to be able to access IP cameras at the other end...
Is that what you are attempting to do?
 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Re: Port forwarding for VPN client does not work

Thu Jul 07, 2022 1:48 am

thanks for input!

I'm trying to achieve something like this:

https://www.draytek.com/support/knowledge-base/5966
 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Re: Port forwarding for VPN client does not work

Thu Jul 07, 2022 1:49 am

have no idea what they meant in NOTE section by the way :/
 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Re: Port forwarding for VPN client does not work

Thu Jul 07, 2022 1:52 am

so far, seems like to me that the packets are reaching the destination but this destination host has no idea where to return its response packets back :/
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding for VPN client does not work

Thu Jul 07, 2022 4:05 am

What I would do is create a WG tunnel from LTE (MT device-'client') to whatever router is your public IP ISP assuming it is wg capable.
 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Re: Port forwarding for VPN client does not work

Fri Jul 08, 2022 12:28 am

Does it require specifying a public IP address of the LTE side? I can't do that, my ISP gives me a private address.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding for VPN client does not work

Fri Jul 08, 2022 2:03 am

Nope!
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding for VPN client does not work

Sat Jul 09, 2022 12:00 pm

> so far, seems like to me that the packets are reaching the destination but this destination host has no idea where to return its response packets back :/

This is most likely correct, or, more precisely, the destination host (the camera) knows well that it has to send the response to the LTE router, but the LTE router sends it using the direct route via the LTE's gateway, which confuses the client because the response comes from a different public address than the one to which it has sent the request. So what you need is to use "policy routing", which takes other information than just the destination address into account when choosing a route. That other information may be the source address of the packet (whatever the camera sends will be routed via the VPN tunnel rather than directly via WAN), or a connection mark (responses to whatever came in via the tunnel will be sent via the tunnel). See this for the detailed description of the latter.

The above doesn't depend on whether you use Wireguard or some other VPN type to create the tunnel.
 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Re: Port forwarding for VPN client does not work

Sat Jul 09, 2022 12:10 pm

thanks

do I have to mark routing for incoming traffic to ip camera and then point it to vpn tunnel, or mark/intercept outgoing traffic of the camera and then point it to right direction?
 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Re: Port forwarding for VPN client does not work

Sat Jul 09, 2022 12:44 pm

strange is that I can ping the camera but can't port forward to it

I have configured wireguard, both endpoints can ping each other
I have added routing to the router which has a static WAN IP address to point to the camera and it's perfectly pinging it, but the forwarding does not work

LTE - 192.168.50.1
WAN - 192.168.50.2

IP Camera on LTE side - 192.168.1.101
Routing is set at WAN to access 192.168.1.101 through 192.168.50.1

why port forwarding does not work if I can ping the camera from another router?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding for VPN client does not work

Sat Jul 09, 2022 12:45 pm

> thanks
>
> do I have to mark routing for incoming traffic to ip camera and then point it to vpn tunnel, or mark/intercept outgoing traffic of the camera and then point it to right direction?

You only have to use exceptional routing for the outgoing traffic of the camera. You can use routing rules for that (using routing table main for the three private destination ranges and the other table for the rest), or you can use mangle rules for the same purpose, or you can use the connection-marks to only route cameras' responses to requests that came through the VPN using the other table.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding for VPN client does not work

Sat Jul 09, 2022 1:24 pm

> why port forwarding does not work if I can ping the camera from another router?

Impossible to say without seeing the export of the configuration, too many things may be wrong.
 
zx128k
Frequent Visitor
Topic Author
Posts: 54
Joined: Wed Oct 16, 2013 12:24 pm

Re: Port forwarding for VPN client does not work

Sat Jul 09, 2022 10:48 pm

Sorted out!

Added static route in WAN router to use VPN gateway to access ip camera, and then in LTE router I was able to choose only traffic designated for this camera, sending back traffic to right source, using firewall mangle, adding connection and route marks!

Thanks to all for your help!
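
The setup described in the last post, sketched for RouterOS v7 as an added example; it is not the poster's configuration, which was never posted in the thread. Addresses are the ones given above; the interface names (`WAN`, `wireguard1`, `bridge`), the ports 9998 and 8080 as forwarded pair, the table and mark names, and the `camera-viewers` address list are assumptions.

```routeros
# --- Home router (static public IP, WireGuard address 192.168.50.2) ---
# Reach the camera through the LTE router's tunnel address.
/ip route add dst-address=192.168.1.101/32 gateway=192.168.50.1
# Forward the public port to the camera. Ports are assumed values.
# src-address-list limits who may use the forward; the list name is an
# assumption and the list must be populated, otherwise nothing matches.
/ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=9998 \
    src-address-list=camera-viewers \
    action=dst-nat to-addresses=192.168.1.101 to-ports=8080
# The WireGuard peer entry for the LTE router must include 192.168.1.101/32
# in allowed-address, or the tunnel will not carry packets to the camera.

# --- LTE router (WireGuard address 192.168.50.1) ---
# Separate routing table whose default route points into the tunnel.
/routing table add name=via-wg fib
/ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-wg
# Mark every new connection that arrives through the tunnel ...
/ip firewall mangle add chain=prerouting in-interface=wireguard1 \
    connection-state=new action=mark-connection \
    new-connection-mark=from-wg passthrough=yes
# ... and send the camera's replies on those connections back into the tunnel
# instead of out the LTE gateway.
/ip firewall mangle add chain=prerouting in-interface=bridge \
    connection-mark=from-wg action=mark-routing \
    new-routing-mark=via-wg passthrough=no
# The WireGuard peer entry for the home router needs allowed-address=0.0.0.0/0,
# because forwarded packets keep the Internet client's source address.
```

If the LTE router still has the default fasttrack rule, add `connection-mark=no-mark` to it so that marked connections keep passing through mangle.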
