Sergey, 2019-08-28 19:36:03
VPN

How to forward ports for RDP through an external L2TP/IPsec VPN server or directly?

Good afternoon comrades, I ask for help.
At the moment there is the following Mikrotik configuration:

# aug/28/2019 19:04:05 by RouterOS 6.43.13
#
# model = RB4011iGS+

/interface l2tp-client
add add-default-route=yes connect-to=XX.XX.XX.XX disabled=no ipsec-secret=XXXXXXXXXX name=l2tp-vpn password=XXXXXXX use-ipsec=yes user=XXXX

/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=1.1.1.10/24 interface=wan1 network=1.1.1.0

/ip firewall filter
add action=drop chain=forward comment="Deny access to internet without VPN" out-interface=wan1 src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow access to internet over VPN" out-interface=l2tp-vpn src-address=192.168.1.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Send packets through VPN to internet" out-interface=l2tp-vpn

/ip route
add distance=2 gateway=194.183.171.1


The network looks like this:
Internet with a static (white) IP address from the provider: 1.1.1.10 (gateway 1.1.1.1);
Mikrotik IP address: 192.168.1.1;
Local network: 192.168.1.0/24;
L2TP/IPsec VPN is up; the Mikrotik connects as a client and receives the address 192.168.12.10, gateway 192.168.12.1;
The VPN connection settings have "Add Default Route" enabled.
It is configured in such a way that users from the local network access the Internet only through VPN. If the VPN connection is broken for some reason, then users do not go online at all. The following rules are responsible for this implementation:
add action=drop chain=forward comment="Deny access to internet without VPN" out-interface=wan1 src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow access to internet over VPN" out-interface=l2tp-vpn src-address=192.168.1.0/24

add action=masquerade chain=srcnat comment="Send packets through VPN to internet" out-interface=l2tp-vpn

There is a need to forward ports so that several PCs in the local network can be reached from outside via RDP. I fought with it for 4 hours and nothing works; I'm weak on networking, sorry.
At first I wanted to make it so that all users from the local network access the Internet ONLY through the VPN, but at the same time it would be possible to connect via RDP through the provider's static address (1.1.1.10). It didn't work; I don't know whether this is possible at all in such a setup. So I went the other way.
I decided to forward traffic from the server where the VPN is installed to computers in the local network. That is, by specifying the static IP address of the VPN server in the connection settings, you could get to the machine via RDP. That didn't work either.
Of course, I would prefer to forward directly through the provider's IP, but I have no idea how to organize the firewall / NAT / mangle rules.
If you connect through a VPN server, then the packet path looks like this:
| vpn server external ip (ens16 interface, 2.2.2.2) | --> | l2tp gateway (ppp0, 192.168.12.1) | --> | ip mikrotik from vpn (192.168.12.10) | --> and then further either through the Mikrotik itself (192.168.1.1), or directly to the machine with RDP (192.168.1.43).
Also, on the VPN server I tried to add a route to see machines directly from the local network:
ip route add 192.168.1.0/24 via 192.168.12.1 dev ppp0

and another NAT rule on the Mikrotik masquerading ICMP (for testing): pings went through, but when I tried to forward ports in a different/similar way it didn't work.
As a junior specialist I beg for your help: what rules should be specified, and how should they be organized?

2 answers
Internet, 2019-08-29
@Sviteneg

1) Does the computer on which you need to configure RDP have an external WHITE address? The fact is that the so-called static address can also be gray!
2) Do you have access to the VPN server?
3) If the question cannot wait, write to [email protected]

Sergey, 2019-09-05
@Sviteneg

In the end, everything was solved, surprisingly, by writing a few mangle rules and adding routes. I wouldn't have thought of it myself. Many thanks to Vsevolod for the help in setting it up! The question is closed.
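The thread never shows the rules that closed the question, so here is an added example (not the original poster's configuration and not Vsevolod's rules) of the usual RouterOS 6 way to do what the question asks: accept an RDP connection on the provider's white address and send its replies back out wan1, while LAN-originated traffic still leaves only through l2tp-vpn. The problem the question describes is asymmetric routing: the dst-nat delivers the inbound SYN to 192.168.1.43, but the reply follows the VPN default route and leaves with the wrong source address. A connection mark on inbound WAN connections, a routing mark on the replies, and a route that only marked packets use fixes that. Interface and address values are the ones from the question; the workstation 192.168.1.43 and TCP port 3389 are assumptions, and TRUSTED_CLIENT_IP is a placeholder for the remote site's address. Rule order in the filter chain matters, because the poster's "Deny access to internet without VPN" drop rule sits above the established/related accept and would otherwise drop the replies.

```routeros
# Added example, not from the original question or answer.
# Goal: RDP forwarded in on wan1 replies out via wan1; everything else from
# 192.168.1.0/24 still goes out only through l2tp-vpn.

/ip firewall mangle
# 1. Mark every new connection that arrives on the provider interface.
add chain=prerouting in-interface=wan1 connection-state=new \
    action=mark-connection new-connection-mark=from-wan passthrough=yes \
    comment="Connections initiated from the internet on wan1"
# 2. Replies from the LAN host on such a connection get a routing mark,
#    so the route lookup ignores the VPN default route.
add chain=prerouting in-interface=bridge connection-mark=from-wan \
    action=mark-routing new-routing-mark=via-wan passthrough=no \
    comment="Route replies of wan1 connections via the provider"
# 3. Same for packets the router itself generates on such connections.
add chain=output connection-mark=from-wan \
    action=mark-routing new-routing-mark=via-wan passthrough=no

/ip route
# Route consulted only for packets carrying the via-wan mark.
add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=via-wan distance=1 \
    comment="Provider gateway for marked replies"

/ip firewall nat
# Forward TCP 3389 from the white address to the workstation (assumed
# 192.168.1.43). Limiting src-address to the remote site's address keeps the
# RDP service off the open internet; drop the match to allow any source.
add chain=dstnat in-interface=wan1 protocol=tcp dst-port=3389 \
    src-address=TRUSTED_CLIENT_IP action=dst-nat to-addresses=192.168.1.43 \
    to-ports=3389 comment="RDP to workstation"

/ip firewall filter
# Must be placed ABOVE "Deny access to internet without VPN"; otherwise the
# replies leaving via wan1 from 192.168.1.0/24 match that drop rule.
add chain=forward connection-mark=from-wan action=accept place-before=0 \
    comment="Allow forwarded wan1 connections and their replies"
```

Two points to check after applying this. First, fasttracked packets bypass the mangle chains, so the poster's "defconf: fasttrack" rule should be told to skip these connections (for example by adding `connection-mark=no-mark` to it), or the replies lose their routing mark after the first packets. Second, wan1 must be a member of the WAN interface list for the "drop all from WAN not DSTNATed" default rule to keep protecting the router while letting the dst-natted RDP connection through; verify with `/ip firewall connection print where connection-mark=from-wan` that the RDP session appears with the mark and with the workstation as its reply destination.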
