range
just joined
Topic Author
Posts: 10
Joined: Thu Feb 23, 2023 1:27 pm

Question about ip - address redirection

Sun Mar 05, 2023 11:44 pm

Good day to everyone!
I have a net structure:
[attached diagram: 1.png]
Here is a wi-fi router (MikroTik hAP ac^2 arm, OS 7.7 Stable, with a static IP from the internet provider, x.x.x.x). The web server (on port 7012) and the OpenVPN Server (on port 9026, TCP protocol) are located on one PC connected to the wi-fi router. Its static IP in the local network is y.y.y.y. The OpenVPN Server has a virtual network, z.z.z.z/24. I'd like to customize Internet traffic redirection from x.x.x.x:7012 to y.y.y.y:7012.
I performed this rule inside the local net:
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=7012 in-interface=bridge protocol=tcp to-addresses=y.y.y.y to-ports=7012
But this rule doesn't work with external net. Now I want redirection to work for OpenVPN clients.
How to make it?
Thanks in advance.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Question about ip - address redirection

Mon Mar 06, 2023 1:10 am

It's not exactly clear. If you want to make webserver publicly accessible, then drop in-interface=bridge. If it should be accessible only to VPN clients, it's probably best if they connect directly to y.y.y.y. But if you insist that they must connect to x.x.x.x, in-interface=all-ppp should work.
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Question about ip - address redirection

Mon Mar 06, 2023 1:29 am

A nice diagram in search of a set of complete and clear user requirements.
 
range
just joined
Topic Author
Posts: 10
Joined: Thu Feb 23, 2023 1:27 pm

Re: Question about ip - address redirection

Mon Mar 06, 2023 2:19 am

But if you insist that they must connect to x.x.x.x, in-interface=all-ppp should work.
Yes, I need exactly this script.
It didn't help. Now I can get access to web server without VPN-connection.
A nice diagram in search of a set of complete and clear user requirements.
I don't really understand your answer. Do you mean that I should show on the diagram what I want to achieve? I showed the current state of affairs.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Question about ip - address redirection

Mon Mar 06, 2023 4:37 am

Anyone can connect if you use only dst-address without any in-interface. If you use dst-address with in-interface=all-ppp, it should be only VPN clients. Unless your internet connection uses PPPoE, I'm not sure about that and I can't test it right now, but it's possible/likely that all-ppp includes it too. In that case, you'd need something different. PPP profile has option to add interfaces of connected clients to interface list, so you could use that.
 
range
just joined
Topic Author
Posts: 10
Joined: Thu Feb 23, 2023 1:27 pm

Re: Question about ip - address redirection

Mon Mar 06, 2023 12:57 pm

Anyone can connect if you use only dst-address without any in-interface. If you use dst-address with in-interface=all-ppp, it should be only VPN clients. Unless your internet connection uses PPPoE, I'm not sure about that and I can't test it right now, but it's possible/likely that all-ppp includes it too. In that case, you'd need something different. PPP profile has option to add interfaces of connected clients to interface list, so you could use that.
My internet connection uses PPPoE.
I can get access to y.y.y.y:7012 through x.x.x.x:7012 from external net without VPN-connection with following rules:
add action=dst-nat chain=dstnat dst-address=\
    x.x.x.x dst-port=7012 in-interface=bridge protocol=tcp to-addresses=\
    y.y.y.y to-ports=7012
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=7012 in-interface=all-ppp protocol=\
    tcp to-addresses=y.y.y.y to-ports=7012
But the thing is I want to avoid such a situation (it shouldn't be possible).
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Question about ip - address redirection

Mon Mar 06, 2023 8:43 pm

Then as I wrote, interface list is your friend:
/interface list
add name=vpn-clients
/ppp profile
add <other options you have> interface-list=vpn-clients
/ip firewall nat
add chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=7012 in-interface-list=vpn-clients action=dst-nat to-addresses=y.y.y.y
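The following is an added example (not Sob's or the thread's own configuration) putting the exposed rule from the earlier posts beside the interface-list variant, plus the commands to check the result. It assumes the PPP/OpenVPN server runs on the router itself, the WAN is a PPPoE client named pppoe-out1, the LAN bridge is called bridge, and the LAN subnet is the placeholder <LAN-subnet>; how a VPN client routes x.x.x.x into its tunnel is a separate question.

```routeros
# Added example, not from the thread. Assumptions: PPP/OpenVPN server on the
# router, WAN = PPPoE client "pppoe-out1", LAN bridge = "bridge",
# x.x.x.x = public address, y.y.y.y = web server, <LAN-subnet> = placeholder.

# WEAK: "all-ppp" is a pseudo-interface matching every PPP-type interface,
# and that includes the PPPoE WAN client. With this rule any Internet host
# reaching x.x.x.x:7012 is forwarded to the web server, which is exactly
# what the thread author observed.
# /ip firewall nat
# add chain=dstnat dst-address=x.x.x.x dst-port=7012 in-interface=all-ppp \
#     protocol=tcp action=dst-nat to-addresses=y.y.y.y to-ports=7012

# HARDENED: match only the dynamic interfaces of connected VPN clients,
# which the PPP profile adds to a dedicated interface list.
/interface list
add name=vpn-clients comment="filled by the ppp profile on each client connect"

/ip pool
add name=vpn-clients-pool ranges=z.z.z.2-z.z.z.254

/ppp profile
add name=vpn-clients local-address=z.z.z.1 remote-address=vpn-clients-pool \
    interface-list=vpn-clients

/ip firewall nat
add chain=dstnat dst-address=x.x.x.x dst-port=7012 protocol=tcp \
    in-interface-list=vpn-clients action=dst-nat to-addresses=y.y.y.y \
    to-ports=7012 comment="web server on public address, VPN clients only"

# LAN hosts that also use x.x.x.x:7012 (hairpin case) need the server's
# replies to come back through the router, which this source NAT ensures.
add chain=srcnat src-address=<LAN-subnet> dst-address=y.y.y.y dst-port=7012 \
    protocol=tcp out-interface=bridge action=masquerade \
    comment="hairpin NAT for LAN clients using the public address"

# Checks: one dynamic interface per connected client must appear here
# (clients connected before the profile change have to reconnect), and
# pppoe-out1 must NOT be in the list; the rule counter shows who matched.
/interface list member print where list=vpn-clients
/ip firewall nat print stats where comment~"VPN clients only"
```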
 
range
just joined
Topic Author
Posts: 10
Joined: Thu Feb 23, 2023 1:27 pm

Re: Question about ip - address redirection

Tue Mar 07, 2023 12:05 am

Then as I wrote, interface list is your friend:
/interface list
add name=vpn-clients
/ppp profile
add <other options you have> interface-list=vpn-clients
/ip firewall nat
add chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=7012 in-interface-list=vpn-clients action=dst-nat to-addresses=y.y.y.y
I've made the settings, but it doesn't help. Maybe I customized something wrong?
Configuration:
/interface list
add name=vpn-clients

/ppp profile
add local-address=z.z.z.1 name=vpn-clients \
    remote-address=vpn-clients-pool

/ip pool
add name=vpn-clients-pool ranges=\
    z.z.z.2-z.z.z.254

/ip firewall nat
add action=dst-nat chain=dstnat  \
    dst-address=x.x.x.x dst-port=7012 in-interface-list=vpn-clients \
    protocol=tcp to-addresses=y.y.y.y
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Question about ip - address redirection

Tue Mar 07, 2023 12:21 am

Do you see interfaces appearing in vpn-clients list (clients need to reconnect if they were already connected)? It's in Interfaces->Interface List, or "/interface list member print where list=vpn-clients" in CLI.
 
range
just joined
Topic Author
Posts: 10
Joined: Thu Feb 23, 2023 1:27 pm

Re: Question about ip - address redirection

Tue Mar 07, 2023 1:15 am

Do you see interfaces appearing in vpn-clients list (clients need to reconnect if they were already connected)? It's in Interfaces->Interface List, or "/interface list member print where list=vpn-clients" in CLI.
I reenabled clients.
The command:
/interface list member print where list=vpn-clients
returns empty, that is, I do not see clients.
P.S.: to clarify again, my OpenVPN server is behind the MikroTik on a physical PC (Ubuntu 20.04).
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Question about ip - address redirection

Tue Mar 07, 2023 4:08 am

Oops, sorry, my bad. In that case, it's a different problem. You'd need clients to access x.x.x.x via the tunnel, but they need to access the same x.x.x.x without the tunnel, because it's the VPN server they are connecting to. I'm not sure what exactly the OpenVPN client does, but it probably routes the whole x.x.x.x (all ports) via the local ISP. So right now I don't see how you could do what you want. But if you'd tell clients to connect directly to y.y.y.y, that would work.
 
range
just joined
Topic Author
Posts: 10
Joined: Thu Feb 23, 2023 1:27 pm

Re: Question about ip - address redirection  [SOLVED]

Tue Mar 07, 2023 10:45 am

Oops, sorry, my bad. In that case, it's a different problem. You'd need clients to access x.x.x.x via the tunnel, but they need to access the same x.x.x.x without the tunnel, because it's the VPN server they are connecting to. I'm not sure what exactly the OpenVPN client does, but it probably routes the whole x.x.x.x (all ports) via the local ISP. So right now I don't see how you could do what you want. But if you'd tell clients to connect directly to y.y.y.y, that would work.
I came up with an idea and I've just tried it.
Firstly, I made the rule:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=7012 in-interface=bridge protocol=tcp to-addresses=y.y.y.y to-ports=7012
Secondly, I configured the route x.x.x.0/24 for OpenVPN. Now redirection from x.x.x.x:7012 to y.y.y.y:7012 works both for OpenVPN clients and for the local network.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Question about ip - address redirection

Tue Mar 07, 2023 8:16 pm

Well, it makes sense. I just wonder what exactly the client does, it seems that it must use some kind of policy routing.
