zheka79
just joined
Topic Author
Posts: 4
Joined: Sat Apr 16, 2022 12:13 pm

Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sat Apr 16, 2022 12:24 pm

Hi everyone!
I have RB2011UiAS-2HnD-IN. The question is how to set up the proper port forwarding to access the L2TP/IPSEC server behind the router for remote users?
The common 1701, 500, 4500 UDP port forwarding is not working. But it worked well in the old D-Link DFL-800 router. Can anyone help?
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sat Apr 16, 2022 9:42 pm

Last time I checked, VPN services on the ROUTER are accessed via the INPUT chain, not the dst-nat chain.

Or do you mean you are not using the router for VPN, but you have VPN servers, let's say running on PCs, that you want to be able to reach??
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sat Apr 16, 2022 10:02 pm

Quote from Anav: "either have something useful to assist the OP or bug off"
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sat Apr 16, 2022 10:30 pm

Please ignore the drunken dutchman zheka79. I think his wife cheated on him so he is bitter.
 
zheka79
just joined
Topic Author
Posts: 4
Joined: Sat Apr 16, 2022 12:13 pm

Re: Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sat Apr 16, 2022 10:51 pm

Or do you mean you are not using the router for VPN, but you have VPN servers, let's say running on PCs, that you want to be able to reach??
Yes, that is correct. We have a standalone L2TP/IPSEC server running on Windows Server. Common port forwarding doesn't work with MikroTik, but it worked well with the old D-Link DFL-800 router which we used before that.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sat Apr 16, 2022 11:14 pm

I don't look at pictures unless there is a specific part of a config output that needs viewing that is not visible in the config.
/export hide-sensitive file=anynameyouwish

For port forwarding on the MT router, one needs only one firewall rule, which covers all port forwardings, and then correctly detailed and formatted dst-nat rules.
Some other factors come into play, but it's important to note if the ISP provides a public IP, or is a router/modem and provides a private IP.
Also important to know if the WAN IP provided is static/fixed (never changes) or is dynamic.

Assuming this is ONLY for external users, and no internal access is required??
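As an added illustration of the layout anav describes (one forward-chain rule that admits every dst-nat'ed connection, plus specific dst-nat rules), here is a RouterOS fragment for an L2TP/IPsec server on the LAN. It is not config from the thread or from MikroTik; it assumes the WAN interface is in the interface list WAN and the VPN server is 192.168.5.21, as in the export posted later in this thread.

```routeros
# Added example, not from the original post. Assumptions: WAN interface(s)
# are members of the "WAN" interface list; the Windows L2TP/IPsec server is
# 192.168.5.21 on the LAN. Adjust both before use.

/ip firewall nat
# What a remote client actually sends to the public IP is IKE (UDP 500) and
# NAT-T, i.e. ESP encapsulated in UDP 4500. L2TP (UDP 1701) rides inside the
# IPsec tunnel, so it does not need its own forward (Sob's point in this
# thread); forwarding it only widens exposure of the server.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=udp \
    dst-port=500,4500 to-addresses=192.168.5.21 \
    comment="L2TP/IPsec server on LAN: IKE + NAT-T"

# Optional hardening (assumed address list name): if the remote users come
# from known addresses, limit who may even reach IKE on the server.
# add chain=dstnat action=dst-nat in-interface-list=WAN protocol=udp \
#     dst-port=500,4500 src-address-list=vpn-clients \
#     to-addresses=192.168.5.21 comment="L2TP/IPsec server (restricted)"

/ip firewall filter
# The single forward rule that covers all port forwardings. It belongs after
# the default "accept established,related,untracked" and "drop invalid"
# forward rules and before any final drop in the forward chain.
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN \
    comment="allow connections that were dst-nat'ed"

# Verification after a client connects: both ports should show translated
# connections towards the server, with the reply-dst being 192.168.5.21.
# /ip firewall connection print where protocol=udp dst-address~":4500"
# /ip firewall nat print stats where comment~"L2TP/IPsec"
```

If the rule counters under `nat print stats` stay at zero while the client tries to connect, the packets are not arriving on the WAN interface at all (ISP CGNAT or an upstream modem that still owns the public IP), which is the "public vs private WAN IP" question anav raises.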
 
zheka79
just joined
Topic Author
Posts: 4
Joined: Sat Apr 16, 2022 12:13 pm

Re: Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sun Apr 17, 2022 12:01 am

It's some kind of magic I don't understand. I just deleted all previous dst-nat rules and made one new rule for all ports that need to be opened, and it works now!! Thanks for the help!!!
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sun Apr 17, 2022 12:08 am

Please post config to ensure you have not done something that is dangerous as well LOL
/export hide-sensitive file=anynameyouwish
 
zheka79
just joined
Topic Author
Posts: 4
Joined: Sat Apr 16, 2022 12:13 pm

Re: Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sun Apr 17, 2022 12:33 am

Here are the firewall rules:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-mark="" connection-state=established,related packet-mark=""
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,ipsec out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp \
to-addresses=192.168.5.200 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 port="" \
protocol=tcp to-addresses=192.168.5.200 to-ports=443
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether1 protocol=tcp \
to-addresses=192.168.5.200 to-ports=25
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp \
to-addresses=192.168.5.200 to-ports=22
add action=dst-nat chain=dstnat dst-port=20-21 in-interface=ether1 protocol=\
tcp to-addresses=192.168.5.200 to-ports=20-21
add action=dst-nat chain=dstnat dst-port=19791 in-interface=ether1 protocol=\
tcp to-addresses=192.168.5.21 to-ports=4899
add action=dst-nat chain=dstnat dst-port=995 in-interface=ether1 protocol=tcp \
to-addresses=192.168.5.200 to-ports=995
add action=dst-nat chain=dstnat dst-port=1701,500,4500 in-interface=ether1 \
protocol=udp to-addresses=192.168.5.21
add action=masquerade chain=srcnat out-interface=ether1
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sun Apr 17, 2022 1:29 am

Nothing untoward there; if it's all working, great, super!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Proper port forwarding for L2TP/IPSEC server behind Mikrotik router

Sun Apr 17, 2022 7:41 pm

One small detail: you don't need to forward L2TP's port 1701; those packets will come encrypted in IPsec packets.
