Please i honestly help.
We have our web application hosted on a VPServer with a public ip of 216.xx.xx.yy and a Natted private network (192.168.10.0/24) behind a CRS-125-24G Mikrotik router with a public ip of 41.xx.xx.xx.
What i want to achieve is to make the mikrotik router a gateway in such a way that when our web application is being accessed both from the local network (192.168.10.0/24) and the internet via (41.xx.xx.xx on port 29000) we should be able to reach the VPServer on port 29000.
So, i setup up the OpenVPN server on the Mikrotik and assigned 192.168.100.254 to the vpn client (VPServer) which is connecting fine.
I also, port forwarded 41.xx.xx.xx. on 29000 to the 192.168.100.254 on 29000.
Achievement:
1. From the Natted private network (192.168.10.0/24) we can access both the web application using both Mikrotik public Ip (41.xx.xx.xx. on 29000) and the vpn client ip (192.168.100.254:29000)
2. The VPServer can access the web page on it's vpn ip (192.168.100.254:29000)
But my challenges now are:
1. we can't access the web application on the VPServer from the internet via 41.xx.xx.xx on 29000
2. the VPServer can't access the web application using 41.xx.xx.xx on 29000
My Configuration file:
# jun/09/2022 12:06:29 by RouterOS 6.49.6
# software id = RG1P-CSDJ
#
# model = CRS125-24G-1S
# serial number = 944F07442FC9
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN rx-flow-control=auto \
tx-flow-control=auto
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.10.10-192.168.10.100
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 lease-time=23h \
name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1_WAN list=WAN
add interface=ether11 list=LAN
add list=LAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
require-client-certificate=yes
/ip address
add address=192.168.10.200/24 interface=bridge1 network=192.168.10.0
add address=41.xx.xx.xx interface=ether1_WAN network=41.xx.xx.xx
/ip arp
add address=192.168.10.254 disabled=yes published=yes
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.21,8.8.8.8 gateway=\
192.168.10.200 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop all not coming from LAN" disabled=\
yes in-interface-list=!LAN
add action=accept chain=input dst-port=1194 in-interface=all-ppp log=yes \
log-prefix=ovpn protocol=tcp
add action=drop chain=input comment="Drop invalid connection" \
connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow IPSec UDP" protocol=udp \
src-port=1701,500,4500
add action=accept chain=input comment="Allow IPSec" protocol=ipsec-esp
add action=accept chain=input log-prefix=WAN_icmp protocol=tcp
add action=accept chain=input comment=\
"Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"Accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
disabled=yes
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
disabled=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port for Connection" \
dst-address=41.xx.xx.xx dst-port=29000 log=yes log-prefix=29000 \
protocol=tcp to-addresses=192.168.100.254 to-ports=29000
add action=masquerade chain=srcnat dst-address=192.168.10.0/24 src-address=\
192.168.10.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=41.xx.xx.xx
/ppp secret
add local-address=192.168.100.1 name=VPServer remote-address=192.168.100.254 \
service=ovpn
Thanks in advance