S10LI, 2020-03-23 11:13:56
VPN

How do I forward a port through a VPN tunnel between two Mikrotiks?

There are two Mikrotiks.

Mikrotik 1: Static white WAN IP (1.1.1.1), L2TP/IPSec server, LAN (10.10.10.0/24)
Mikrotik 2: Dynamic gray WAN IP (33.33.33.33), L2TP/IPSec client, LAN (20.20.20.0/24)

Web server: IP 20.20.20.100

VPN connection is established, routes to networks are registered, local networks interact with each other.

When creating a rule on Mikrotik 1
add action=netmap chain=dstnat dst-port=80 protocol=tcp in-interface=ppoe-out to-address=20.20.20.100

The port is forwarded only if I add the rule
add action=masquerade chain=srcnat dst-address=20.20.20.100 dst-port=80 protocol=tcp

That is, the web server can be reached either by clients of one of the local networks, or by an external client whose traffic is masqueraded as Mikrotik 1.

How to configure without a masquerade, so that an external client connects to the web server directly through the tunnel?

It is advisable not to use Mikrotik 1 as the main gateway, because the speed allocated to it by the provider is 10Mbps, and Mikrotik 2 - 50Mbps.

3 answer(s)

korsar182, 2020-03-23
@S10LI

Mikrotik2 does not know that the client's request to the web server came through Mikrotik1, so it sends a response through its default gateway. The solution is to either use a masquerade as you are doing, or tag traffic to Mikrotik2 via mangle and send it back via a separate routing table.
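Added example of the mangle-plus-separate-routing-table approach described in this answer, applied on Mikrotik 2; it is not configuration from the page or from any of the posters. It assumes RouterOS v6 syntax and the interface names l2tp-out1 (tunnel to Mikrotik 1), bridge-lan (the 20.20.20.0/24 side) and ether1-wan (ISP link); the web server address 20.20.20.100 and the dst-nat rule on Mikrotik 1 are as given in the question.

```routeros
# Added example (RouterOS v6 syntax) for Mikrotik 2, not from the original page.
# Assumed interface names: l2tp-out1 (tunnel), bridge-lan (LAN), ether1-wan (ISP).

# 1. Tag connections whose first packet arrived through the tunnel.
#    Mikrotik 1 has already dst-natted the client's packet to 20.20.20.100:80.
/ip firewall mangle
add chain=prerouting in-interface=l2tp-out1 connection-state=new \
    protocol=tcp dst-address=20.20.20.100 dst-port=80 \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes

# 2. Replies from the web server belong to those tagged connections.
#    Give them a routing mark before the routing decision is made.
add chain=prerouting in-interface=bridge-lan connection-mark=from-vpn \
    action=mark-routing new-routing-mark=via-vpn passthrough=no

# 3. Separate routing table: marked replies go back into the tunnel instead of
#    the default gateway. Everything else still uses the 50 Mbps ISP link.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=via-vpn distance=1

# 4. Keep src-nat bound to the ISP interface only, so replies that leave via
#    the tunnel keep 20.20.20.100 as their source and Mikrotik 1 can un-NAT them.
/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade
```

With this in place the masquerade rule from the question is no longer needed on Mikrotik 1, and the client sees its reply coming from 1.1.1.1 because Mikrotik 1's connection tracking reverses the dst-nat; `/ip firewall connection print` on Mikrotik 2 shows whether the from-vpn mark is being applied.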

res2001, 2020-03-23
@res2001

routes to networks are registered, local networks interact with each other

If so, then the local address of the web server must be accessible from the second network. You don't need to throw anything. Everything is working.
If the web server is not available, then what do you mean by this phrase? Some kind of contradiction here.
Check the packet routing from the web server to the client on the second network and vice versa.
Usually, when using VPN, people misunderstand that a VPN is only one channel from one client to one server; for the networks behind the client and the server to work together, you just need to configure routing correctly. In some cases, VPN client or server settings can help with this, but not in all cases and not for all VPN implementations. IPSec VPN is clearly not one of the implementations that will do something for you.

keldar, 2020-03-24
@keldar

This is the simplest kind of connection, but the comments are killing me. What the hell is a masquerade? Just set up routing; it can be static or dynamic. In my office it is dynamic, since there are a lot of subnets.
The routing table lives on the hardware. And throw out the masquerade. And routes on the computers. You can also run tracert.
