viniciusstucki
just joined
Topic Author
Posts: 8
Joined: Thu Nov 29, 2018 2:31 pm

Routing HTTP over L2TP Tunnels

Thu Jun 01, 2023 10:48 pm

Hello everyone,

I have a RB4011 making NAT for a remote client, connected through a L2TP/IPSec tunnel.

Like this:

FROM INTERNET -> PORT 19980 -> RB4011 -> L2TP VPN -> HEX -> DEVICE WEB PAGE 80

Inside the LAN, and even from another VPN access such as my office, I can access the device's HTTP server. But using the NATed port from outside, without a VPN connection to the RB4011, it doesn't load.

In my HEX I have the following rules to send the connections originated from my RB4011 back through the VPN tunnel; it works for simple connections, like TCP SYN/ACK.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=l2tp-central new-connection-mark=\
    nat-conn-central passthrough=yes src-address-list=!local_address
add action=mark-routing chain=prerouting connection-mark=nat-conn-central dst-address-list=!local_address new-routing-mark=\
    nat-central passthrough=yes
add action=change-mss chain=forward connection-mark=nat-conn-central disabled=yes new-mss=500 passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=501-65535
The address-list:
ip firewall address-list/print
Columns: LIST, ADDRESS, CREATION-TIME
# LIST           ADDRESS        CREATION-TIME       
0 local_address  172.16.0.0/12  jun/01/2023 15:42:07
The routing table:
ip route print where routing-table=nat-central 
Flags: A - ACTIVE; s, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#    DST-ADDRESS  GATEWAY       DISTANCE
3 As 0.0.0.0/0    172.25.1.254         1
The last thing I tested was reducing the MSS on the connections; the default is 1310, and I tested 1300, 1290, 1250 and finally 500, but it also doesn't make any difference.

Wireshark output: retransmissions and RST flags

Is there anything missing in the above rules?
 
viniciusstucki
just joined
Topic Author
Posts: 8
Joined: Thu Nov 29, 2018 2:31 pm

Re: Routing HTTP over L2TP Tunnels  [SOLVED]

Fri Jun 02, 2023 1:53 am

Solved this problem using a srcnat rule:
All my VPN connections are inside a group, L2TP-VPN, so everything coming from a non-local address is src-natted when it goes out to the VPN links:
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=VPN src-address-list=!local_address
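As an added example (not code from the thread), the full set of pieces the solution relies on: the interface list the rule refers to, the address list from the first post, and the masquerade rule, with comments on why it removes the need for the mangle/routing-mark setup. Assumed: the rule is applied on the router at the NAT end of the tunnel (the RB4011 in this topology), the list is named VPN, and the tunnel interface is named l2tp-central.

```routeros
# Added example, not from the original posts. Names assumed:
# interface list "VPN", tunnel interface "l2tp-central".

/interface list
add name=VPN comment="VPN tunnels whose forwarded traffic gets source NAT"
/interface list member
add list=VPN interface=l2tp-central

# Prefixes that count as "local"; traffic from anywhere else is the
# port-forwarded Internet clients (value taken from the first post).
/ip firewall address-list
add list=local_address address=172.16.0.0/12

# Forwarded connections whose source is NOT a local address are
# masqueraded to this router's own tunnel address as they leave over any
# VPN member interface. The remote HEX then sees the tunnel peer as the
# client and returns the packets over the tunnel by its ordinary route,
# so the return path no longer depends on connection/routing marks or a
# separate routing table on the HEX.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=VPN \
    src-address-list=!local_address

# Caveat: the device behind the HEX now logs the tunnel address instead of
# the real Internet client, so keep per-client visibility (and any rate
# limiting or blocking of abusive sources) on this router, where the
# original source address is still known.

# Check: forwarded TCP connections over the tunnel should show the tunnel
# address as the reply destination.
/ip firewall connection print detail where protocol=tcp
```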
