Talyan, 2021-09-25 01:40:22

How to forward a port on Mikrotik for L2TP+IPSEC VPN users?

Hello.

I can't forward the port to the internal services of the working LAN for VPN users.

Scheme:

Working network 192.168.0.0/24
Mikrotik (Internet gateway).

L2TP IPSEC VPN is up on Mikrotik.
Mikrotik's IP in the VPN: 10.10.100.1/24
VPN user address pool: 10.10.100.2-254

Let's say I want a VPN user with IP address 10.10.100.101 to be able to open the service 192.168.0.3:80 from the working LAN at 10.10.100.1:180.

I make a rule:
input src-addr=10.10.100.0/24 dst-addr=10.10.100.1 accept
In the NAT section I add a rule:
dstnat src-addr=10.10.100.0/24 dst-addr=10.10.100.1 dst-port=180 action=dst-nat to address 192.168.0.3 port 80

The rules are at the top of the firewall list.
But the service page does not open: packets leave the client, but there is only silence in response.

I also added
Accept forward from 10.10.100.0/24 to 192.168.0.0/24
But it didn't work.

In the firewall, you can see from the packet counters that all three rules are hit to some extent, because the number of processed bytes next to the rules grows when you try to open pages.

Can you tell me what I missed in the chain?


2 answer(s)
Diman89, 2021-09-25
@flapflapjack

Add routes

Rezorf, 2021-09-27
@Rezorf

You can't do without adding routes "manually" (or in some clumsy way like RIP). Or else send all traffic through the router (use it as the default gateway).
All this hassle could have been avoided if the address space had been planned correctly from the outset: in particular, for the local network and the VPN clients, use networks from the 10.0.0.0/8 range, for example, a working network 10.10.10.1/24, VPN 10.10. .P. That is, in your case, just reconfigure the LAN and all VPN clients will be able to connect without adding a route and with "use the default gateway for the remote network" unchecked.
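
An added example, not part of either answer: a longest-prefix-match route lookup over the addresses from the question, showing which destinations a split-tunnel client sends into the VPN and whether the server's reply returns through the router so the dst-nat can be undone. Assumptions not on the page: the router's LAN address 192.168.0.1, a second gateway 192.168.0.254, the sample address 10.10.10.3, and a client that adds only a class-based 10.0.0.0/8 route for the VPN adapter.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix-match lookup over (prefix, next_hop) pairs."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Addresses taken from the question.
VPN_CLIENT, VPN_ROUTER, LAN_SERVER = "10.10.100.101", "10.10.100.1", "192.168.0.3"
# Assumed (not on the page): router LAN address and a second LAN gateway.
ROUTER_LAN, OTHER_GW = "192.168.0.1", "192.168.0.254"

# Constructed client table: split tunnel, the default route stays on the home
# network, and the VPN adapter contributes only a class-based 10.0.0.0/8 route.
client = [("0.0.0.0/0", "home-gw"), ("10.0.0.0/8", "vpn")]

# Constructed server tables: default gateway is not the Mikrotik, then the
# same table with a static route to the VPN pool added by hand.
server_no_route = [("192.168.0.0/24", "on-link"), ("0.0.0.0/0", OTHER_GW)]
server_fixed = server_no_route + [("10.10.100.0/24", ROUTER_LAN)]

def reply_passes_router(server_routes):
    """The dst-nat is only reversed if the reply goes back through the router."""
    return next_hop(server_routes, VPN_CLIENT) == ROUTER_LAN

if __name__ == "__main__":
    # 10.10.10.3 stands for a server in a renumbered 10.10.10.0/24 LAN.
    for dst in (VPN_ROUTER, LAN_SERVER, "10.10.10.3"):
        print(f"client -> {dst:<13} via {next_hop(client, dst)}")
    print("reply via router, no static route:", reply_passes_router(server_no_route))
    print("reply via router, static route:   ", reply_passes_router(server_fixed))
```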
