nevolex
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Apr 20, 2020 1:09 pm

Port forwarding to External OpenVPN Server

Thu May 28, 2020 7:06 am

Hi all.

I have an OpenVPN server (on a Raspberry Pi in my LAN).

It has an IP of 10.0.0.6 and port 33445.

Can somebody please advise how to do port forwarding to that port 33445 (UDP only)?

External port is also 33445 (I have a static public IP).


These are my current rules:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Can somebody please advise?

Thanks a lot.
Last edited by nevolex on Thu May 28, 2020 9:25 am, edited 1 time in total.
 
nevolex
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Apr 20, 2020 1:09 pm

Re: Port forwarding to External OpenVPN Server

Thu May 28, 2020 8:31 am

Would that rule work?

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445
 
sindy
Forum Guru
Posts: 5550
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding to External OpenVPN Server

Thu May 28, 2020 11:02 am

Would that rule work?

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445
Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed by another one in the same chain, and it is unable to shadow another one itself.

Just a remark: you only need to use to-addresses and/or to-ports if the address or port needs to be changed. So here, translation to the value found in to-ports will eat several CPU cycles in vain.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
nevolex
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Apr 20, 2020 1:09 pm

Re: Port forwarding to External OpenVPN Server

Thu May 28, 2020 11:34 am

Would that rule work?

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445
Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed by another one in the same chain, and it is unable to shadow another one itself.

Just a remark: you only need to use to-addresses and/or to-ports if the address or port needs to be changed. So here, translation to the value found in to-ports will eat several CPU cycles in vain.
Ah, I see. What would be the most efficient NAT rule in this case? My ports will never change.
Thank you.
 
jvanhambelgium
Member
Posts: 313
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port forwarding to External OpenVPN Server  [SOLVED]

Thu May 28, 2020 11:41 am

Would that rule work?

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445
Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed by another one in the same chain, and it is unable to shadow another one itself.

Just a remark: you only need to use to-addresses and/or to-ports if the address or port needs to be changed. So here, translation to the value found in to-ports will eat several CPU cycles in vain.
Ah, I see. What would be the most efficient NAT rule in this case? My ports will never change.
Thank you.
Then simply omit/remove the last "port" part, I guess.

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6
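As an added example (not code from this thread or from MikroTik), a small Python checker that reads a constructed `/export` snippet of the NAT table and flags the redundant to-ports that sindy points out, the rule-shadowing case he mentions, and two defender checks on dstnat rules; it assumes the export syntax is one `add key=value ...` line per rule, and the sample rules below are constructed for the demo.

```python
import re

# Constructed sample export (not from the thread's router): the default masquerade
# rule plus the dst-nat rule proposed in the thread, still carrying to-ports=33445.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445
"""

# Keys that describe what a rule does, not what it matches.
NON_MATCHERS = {"action", "chain", "comment", "to-addresses", "to-ports", "disabled", "log", "log-prefix"}

def parse_rules(export_text):
    """Turn each 'add key=value ...' line into a dict; quoted values are unquoted."""
    rules = []
    for line in export_text.splitlines():
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])})
    return rules

def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCHERS}

def check_dstnat(rules):
    """Return (rule_index, finding) pairs for enabled rules in chain=dstnat."""
    findings = []
    earlier = []
    for i, r in enumerate(rules):
        if r.get("chain") != "dstnat" or r.get("disabled") == "yes":
            continue
        if r.get("action") == "dst-nat" and "to-ports" in r and r["to-ports"] == r.get("dst-port"):
            findings.append((i, "to-ports equals dst-port: translation is redundant, omit to-ports"))
        if not r.keys() & {"in-interface", "in-interface-list"}:
            findings.append((i, "no in-interface restriction: rule also matches LAN-side traffic"))
        if "dst-port" in r and "protocol" not in r:
            findings.append((i, "dst-port without protocol: RouterOS rejects this rule"))
        # An earlier rule shadows this one if every matcher it has is also present here
        # with the same value (exact values only; port ranges are not expanded).
        for j, e in earlier:
            if matchers(e).items() <= matchers(r).items():
                findings.append((i, f"shadowed by earlier dstnat rule {j}"))
        earlier.append((i, r))
    return findings

if __name__ == "__main__":
    for idx, msg in check_dstnat(parse_rules(SAMPLE_EXPORT)):
        print(f"rule {idx}: {msg}")
```

Run it against a real `/export hide-sensitive` with public addresses replaced as sindy suggests; the final rule from this thread, without to-ports, produces no findings.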
