Rafale30
just joined
Topic Author
Posts: 24
Joined: Mon Jul 27, 2020 7:34 pm
Location: France
Contact:

L2TP - Port forwarding from WAN to L2TP device

Fri Oct 29, 2021 5:16 pm

Hello the community!

I have some MikroTik devices connected with L2TP/IPsec to a hEX (v6.48.4).
I want to connect with Winbox to each MikroTik device. This L2TP is ONLY for administering the routers, not for sharing any data through the VPN.

So, I want to try to connect with Winbox to my hEX, which manages all the L2TP clients, on a specific public port like 10012, and NAT this connection through the VPN to the MikroTik device to administer (port 8291).

- L2TP IP device : 10.0.0.14
- Local IP L2TP on hEX : 10.0.0.15
- Public IP for example: 54.0.0.2
- Public port on hEX redirected : 10012

I have tried to add a NAT rule with dstnat // tcp // dst port: 10012 // to address: 10.0.0.14 // to port 8291
I see the packet on the hEX but nothing goes to 10.0.0.14

What is the problem? Any idea?
 
wormik
just joined
Posts: 6
Joined: Sun Oct 10, 2021 1:48 am

Re: L2TP - Port forwarding from WAN to L2TP device

Sun Oct 31, 2021 10:26 am

Hi,
have you tried using Source NAT together with Destination NAT?

Once you open communication with your hEX on a specific dst port, you are using your public IP as a source. The hEX forwards the traffic to the L2TP tunnel, but the source IP remains the same.

I’d say when you connect to “54.0.0.2:10012”, the device you’re trying to manage receives the traffic, but tries to reply to your public IP, instead of replying back to a source-NATted address via the L2TP tunnel.
Last edited by wormik on Sun Oct 31, 2021 2:58 pm, edited 1 time in total.
 
Rafale30
just joined
Topic Author
Posts: 24
Joined: Mon Jul 27, 2020 7:34 pm
Location: France
Contact:

Re: L2TP - Port forwarding from WAN to L2TP device

Wed Nov 03, 2021 8:02 pm

Hi,
have you tried using Source NAT together with Destination NAT?

Once you open communication with your hEX on a specific dst port, you are using your public IP as a source. The hEX forwards the traffic to the L2TP tunnel, but the source IP remains the same.

I’d say when you connect to “54.0.0.2:10012”, the device you’re trying to manage receives the traffic, but tries to reply to your public IP, instead of replying back to a source-NATted address via the L2TP tunnel.
Thank you for your reply.

I don't understand how I can use chain = srcnat + dst address and action = dst-nat?
For information, I have missed a detail. My router before my hEX is not in bridged mode. So I have "Router public address" -> "192.168.0.240" (WAN IP for the hEX)
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: L2TP - Port forwarding from WAN to L2TP device

Wed Nov 03, 2021 9:52 pm

I do not understand the request.
Draw a network diagram and then speak to the diagram.

In general, if you have established a VPN to a router, you are basically connected to the router at the VPN interface.
It's not really a WAN interface and it's not really a LAN interface.
I think of it as a fake LAN interface, in that it's at the LAN level but you need to
a. tell the router that you want upward access to the router (to configure the router via the admin remotely using winbox for example)
b. tell the router that you want sideways access to the other LAN entities. (to access entities or to configure Lan devices via the admin remotely using winbox)

In general, you will need a route on the ROUTER to ensure remote incoming traffic is routed back through the tunnel and not out the internet for example.
 
wormik
just joined
Posts: 6
Joined: Sun Oct 10, 2021 1:48 am

Re: L2TP - Port forwarding from WAN to L2TP device

Thu Nov 04, 2021 1:18 am

Thank you for your reply.

I don't understand how I can use chain = srcnat + dst address and action = dst-nat?
For information, I have missed a detail. My router before my hEX is not in bridged mode. So I have "Router public address" -> "192.168.0.240" (WAN IP for the hEX)
Hey again Rafale,
you can check the following thread, I believe it is a very similar scenario to what you need to achieve: viewtopic.php?t=51476
You'll need two separate NAT rules, however I advise you to try the following config instead.
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.0.0.14 to-ports=8291 protocol=tcp dst-address=192.168.0.240 dst-port=10012
add chain=srcnat action=masquerade out-interface=L2TP-VPN

I'd say you don't need to worry about the NAT happening on your ISP router, just act as if "192.168.0.240" were your "public IP".

As mentioned by anav, if you provide us with a labeled diagram, we can try to come up with a better solution.
 
Rafale30
just joined
Topic Author
Posts: 24
Joined: Mon Jul 27, 2020 7:34 pm
Location: France
Contact:

Re: L2TP - Port forwarding from WAN to L2TP device

Thu Nov 04, 2021 11:14 am

Yes, a diagram is better than a long speech!

[image: network diagram]
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: L2TP - Port forwarding from WAN to L2TP device

Thu Nov 04, 2021 3:06 pm

Okay, your ISP modem is NOT a modem.
It's a modem router and your hEX is getting a private IP from the ISP device and not a public IP.

Hence do you have access to the ISP modem router? Normally one can at least do something called port forwarding.

Also, do you have any other subnets on the hEX besides L2TP?
I don't understand your hEX subnet structure so a diagram detailing that would be helpful.

I am not aware that the MT L2TP includes a subnet either; typically you get a single IP address and that is your interface into the router, separate but like at the LAN level.
You need an input chain rule to allow the L2TP interface to config the router and also need forward chain rules to allow L2TP access to LAN segments, and
finally you need an IP route to point traffic coming from home back to home through the tunnel.

Also besides diagram please post your config.
/export hide-sensitive file=anynameyouwish
 
Rafale30
just joined
Topic Author
Posts: 24
Joined: Mon Jul 27, 2020 7:34 pm
Location: France
Contact:

Re: L2TP - Port forwarding from WAN to L2TP device

Mon Nov 08, 2021 2:09 pm

Yes, it's a router with NAT rules. I have access to the router; the current config is: NAT to 192.168.0.240 // TCP // Ports: 10000-10100

Only ETH1 and 2 are used (ether3 is down).

I used the L2TP config only to access clients behind a CGNAT, on LTE operators. The goal is only to access each MikroTik with Winbox.
 
Rafale30
just joined
Topic Author
Posts: 24
Joined: Mon Jul 27, 2020 7:34 pm
Location: France
Contact:

Re: L2TP - Port forwarding from WAN to L2TP device

Tue Nov 16, 2021 9:57 am

Any idea @anav ?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP - Port forwarding from WAN to L2TP device

Fri Nov 19, 2021 11:36 pm

It's already in the last post from @wormik; only if you don't have static interfaces for VPN clients, you can use the address instead:
/ip firewall nat
add chain=srcnat dst-address=10.0.0.14 action=masquerade
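Putting wormik's dst-nat + masquerade pair and Sob's address-based srcnat variant together with the 10000-10100 range the ISP router forwards to the hEX, here is an added example hEX configuration (not posted by anyone in the thread) that maps one public port per managed device and restricts who may use those ports. The second device 10.0.0.16, port 10013, the admin source address 203.0.113.10 and the two address-list names are constructed assumptions.

```routeros
# Added example for the hEX (RouterOS v6), not a config from this thread.
# Constructed: device B at 10.0.0.16 on port 10013, admin source
# 203.0.113.10, and the address lists "l2tp-managed" / "winbox-admins".
/ip firewall address-list
add list=l2tp-managed address=10.0.0.14 comment="device A (from thread)"
add list=l2tp-managed address=10.0.0.16 comment="device B (constructed)"
add list=winbox-admins address=203.0.113.10 comment="constructed admin IP"

/ip firewall nat
# The ISP router forwards TCP 10000-10100 to 192.168.0.240, the hEX WAN IP,
# so the hEX matches on that address, not on the public 54.0.0.2.
add chain=dstnat protocol=tcp dst-address=192.168.0.240 dst-port=10012 \
    action=dst-nat to-addresses=10.0.0.14 to-ports=8291 \
    comment="Winbox -> device A over L2TP"
add chain=dstnat protocol=tcp dst-address=192.168.0.240 dst-port=10013 \
    action=dst-nat to-addresses=10.0.0.16 to-ports=8291 \
    comment="Winbox -> device B over L2TP (constructed)"
# Without this rule the managed device sees the admin's address as source
# and sends its replies out its LTE default route, where they are lost.
# Masquerading rewrites the source to the hEX tunnel address (10.0.0.15),
# so replies come back through the tunnel. Matching on the destination
# list works even when the L2TP client binding is not a static interface.
add chain=srcnat protocol=tcp dst-address-list=l2tp-managed dst-port=8291 \
    action=masquerade comment="return path via L2TP"

/ip firewall filter
# The forward chain sees the post-dst-nat destination but the original
# source, so only listed admins reach 8291 on the managed devices.
# Put these two rules before any generic forward drop rule.
add chain=forward protocol=tcp dst-address-list=l2tp-managed dst-port=8291 \
    src-address-list=winbox-admins action=accept \
    comment="admin Winbox to L2TP clients"
add chain=forward protocol=tcp dst-address-list=l2tp-managed dst-port=8291 \
    action=drop comment="no other Winbox into the tunnel"
```

After a Winbox connection attempt, `/ip firewall connection print detail where dst-address~"10.0.0.14"` should show reply-dst-address as 10.0.0.15; if it still shows the admin's address, the masquerade rule is not matching.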
