Agustafson
just joined
Topic Author
Posts: 1
Joined: Thu Nov 24, 2022 7:40 am

Port forward from a CHR to a second Router

Thu Nov 24, 2022 7:44 am

Have a somewhat niche case scenario where I'm assisting an amateur radio club deploy nodes across a geographic region. Some nodes are with a traditional ISP and have public ISPs, others are with Cellular Hotspots and are really only manageable via SSTP or ZeroTier network. Currently have a hub and spoke design with a CHR in Vultr, and trying to port forward from CHR to remote locations. All devices, routers and networks have successfully been able to talk to each other. I can ping from Subnet A to Subnet C over VPN etc. However, when I place a DSTNAT rule for port 81, and forward to Subnet C IP Port 81, the traffic goes but the web page doesn't load.

To test this, I built the rules to watch the traffic, CHR is port forwarding to Router B's Internal IP, Router B is Port Forwarding to Node. I can see the traffic go up, but no response.

I have a similar network topology at my home, and thinking maybe my friend's node was just busted, I tried this with the NVR and it still didn't work. Traffic and counter increment up, but web page won't load.

The prevailing theory is I need a SRCNAT because the traffic is entering CHR and returning Cellular, but figured I'd ask here to see if anyone else had done something similar to this?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forward from a CHR to a second Router

Thu Nov 24, 2022 7:14 pm

That's it, client router uses its default route, so responses don't go to CHR. You can either use srcnat on CHR, to make all connections appear as if they are from CHR, and responses will go to CHR. But you won't be able to see real source IP addresses. Or you can tell client router to send responses to CHR like this:
/routing table
add name=CHR fib
/ip route
add dst-address=0.0.0.0/0 gateway=<VPN interface> routing-table=CHR
/ip firewall mangle
add chain=prerouting in-interface=<VPN interface> connection-state=new action=mark-connection new-connection-mark=CHR_conn
add chain=prerouting in-interface=!<VPN interface> connection-mark=CHR_conn action=mark-routing new-routing-mark=CHR
So create another routing table with default route pointing to CHR, mark new connections from CHR, and mark routing for responses, to make them use the new routing table.
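The routing-mark mechanism Sob describes, modelled as an added example (not code from this thread or from MikroTik): a small simulation of the spoke router's two prerouting mangle rules and its per-table default routes, run once without and once with the fix. Interface names, the LAN subnet and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed names for the spoke (client) router; adjust to the real interfaces.
VPN_IF = "sstp-to-chr"    # tunnel to the CHR hub (<VPN interface> in the reply)
LAN_IF = "bridge-lan"     # local subnet where the node lives
WAN_IF = "lte1"           # cellular uplink that carries the main-table default route
LAN_NET = ip_network("192.168.3.0/24")   # constructed "Subnet C"

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    conn_id: str          # stands in for the connection-tracking 5-tuple
    state: str            # "new" or "established"

class SpokeRouter:
    """Minimal model of prerouting mangle + routing-table selection."""
    def __init__(self, policy_routing: bool):
        self.policy_routing = policy_routing
        self.conn_marks = {}                                # conntrack entry -> connection-mark
        self.default_gw = {"main": WAN_IF, "CHR": VPN_IF}   # 0.0.0.0/0 per routing table

    def mangle_prerouting(self, p: Packet) -> str:
        """Return the routing table the packet will be looked up in."""
        if not self.policy_routing:
            return "main"
        if p.in_iface == VPN_IF and p.state == "new":
            self.conn_marks[p.conn_id] = "CHR_conn"         # rule 1: mark-connection
        elif p.in_iface != VPN_IF and self.conn_marks.get(p.conn_id) == "CHR_conn":
            return "CHR"                                    # rule 2: mark-routing
        return "main"

    def forward(self, p: Packet) -> str:
        """Return the egress interface chosen for the packet (model simplification:
        LAN destinations are delivered locally, everything else uses the table default)."""
        table = self.mangle_prerouting(p)
        if ip_address(p.dst) in LAN_NET:
            return LAN_IF
        return self.default_gw[table]

def demo(policy_routing: bool) -> tuple:
    """Egress interfaces for the dst-natted request and the node's reply."""
    r = SpokeRouter(policy_routing)
    # Request from an Internet client, dst-natted on the CHR and sent over the VPN.
    request = Packet("203.0.113.5", "192.168.3.10", VPN_IF, "c1", "new")
    # The node's reply keeps the real client address as destination.
    reply = Packet("192.168.3.10", "203.0.113.5", LAN_IF, "c1", "established")
    return r.forward(request), r.forward(reply)
```

Without the fix the reply leaves via the cellular uplink, so the CHR never sees it; with the fix it is routed back through the tunnel, while traffic the LAN initiates itself still follows the main table.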
