VPN
Ferroff, 2015-11-03 21:47:59

How to forward ports in Mikrotik from PPTP interface via 3G modem?

In a country house there is a Mikrotik router with an LTE modem connected, which shows up as the "lte1" interface. A DHCP client is configured on lte1; it receives the IP address 192.168.0.101 from the modem, gateway 192.168.0.1 (the modem's address).
To give the local network 192.168.1.0-255 access to the Internet, a masquerade has been added:

2 ;;; LTE Modem
chain=srcnat action=masquerade out-interface=lte1

To get access to a server connected to the local network with the address 192.168.1.2, I bought a VPN with a public dynamic address 8.8.8.96 (if I bring up PPTP from the server itself, there is no problem, the server is reachable from outside at this address), but for security I want to bring up PPTP on the Mikrotik and forward only some ports to the server.
The connection is established and the "pptp-out1" interface appears with the following parameters:
local addr: 8.8.8.96
remote addr: 8.8.8.10

# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.1.1/24 192.168.1.0 ether2-master-local
1 D 192.168.0.101/24 192.168.0.0 lte1
2 D 8.8.8.96/32 8.8.8.10 pptp-out1

I create a rule in NAT:
3 chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=80 protocol=tcp in-interface=pptp-out1 dst-port=8080

or like this:
3 chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=80 protocol=tcp dst-address=8.8.8.96 dst-port=8080

Nothing works. I tried different variants of the masquerade through pptp-out1 and tried adding different routes, one might say at random: my knowledge of the theory was not enough.
Routes:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.0.1 0
1 ADC 8.8.8.10/32 8.8.8.96 pptp-out1 0
2 ADC 192.168.0.0/24 192.168.0.101 lte1 0
3 ADC 192.168.1.0/24 192.168.1.1 bridge-local 0

Filters:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp
1 ;;; default configuration
chain=input action=accept connection-state=established
2 ;;; default configuration
chain=input action=accept connection-state=related
3 X ;;; default configuration
chain=input action=drop in-interface=ether1-gateway
4 X ;;; default configuration
chain=input action=drop in-interface=sfp1-gateway
5 ;;; default configuration
chain=forward action=accept connection-state=established
6 ;;; default configuration
chain=forward action=accept connection-state=related
7 X ;;; default configuration
chain=forward action=drop connection-state=invalid

3 answers
Ruslan Fedoseev, 2015-11-03
@martin74ua

3 chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=80 protocol=tcp in-interface=pptp-out1 dst-port=8080
but besides that, add another masquerade for packets going out through pptp-out1.
You should have two masquerade rules:
chain=srcnat action=masquerade out-interface=lte1
chain=srcnat action=masquerade out-interface=pptp-out1
To put it simply: here dstnat worked, the packet went to the internal address. And the reply? That's right, it will leave through LTE. And you are waiting for it on the VPN interface.

LESHIY_ODESSA, 2015-11-03
@LESHIY_ODESSA

You can also make it a little simpler: create one rule, chain=srcnat action=masquerade, without specifying an interface. Then NAT will be applied on both.

Cool Admin, 2015-11-04
@ifaustrue

Combining and conquering.
In total:
You need to add two rules (or change one, which is not very good) in NAT:
1. chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=80 protocol=tcp in-interface=pptp-out1 dst-port=8080
2. chain=srcnat action=masquerade out-interface=pptp-out1
You also need (optional in your case) to add an allow rule in the filter:
And last but not least, routes. In your case, you need to make sure that all traffic coming from the VPN goes back into it; right now the routes send it to LTE (as they say, "masquerade or don't masquerade, you still get ..."). To fix this, you need to see this picture in the routes:
0 ADS 0.0.0.0/0 8.8.8.96 pptp-out1 0
1 ADS %ADDR_VPN_SERVER% 192.168.0.1 0
Traffic to the VPN server goes through LTE, and everything else goes through the VPN tunnel. If your situation is trickier and you need only a certain type of traffic to go through the tunnel, then you need to mark connections, mark routes and use routing tables (although maybe I'm overcomplicating it and colleagues know a better way).
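Both answers combined into one RouterOS CLI snippet, added here as an illustration and not code posted by any of the answerers: the dst-nat rule and the second masquerade from Ruslan Fedoseev's answer, plus the route pair from Cool Admin's answer. It assumes the interface names and addresses from the question (lte1, pptp-out1, 192.168.1.2, the modem gateway 192.168.0.1), uses %ADDR_VPN_SERVER% as a placeholder for the VPN server's public address (the page does not give it), and assumes the LTE DHCP client's default route can be pushed to a worse distance so the tunnel's default route wins. The filter rules at the end are my own addition: they turn "forward only some ports" into an enforced policy instead of relying on the forward chain having no drop rule.

```routeros
# Added example (RouterOS 6.x CLI), combining the two answers above.
# Assumed from the question: lte1 = LTE modem, pptp-out1 = PPTP client,
# 192.168.1.2 = internal web server, 192.168.0.1 = modem gateway.
# %ADDR_VPN_SERVER% is a placeholder: put the VPN server's public address there.

/ip firewall nat
# Port forward: only TCP 8080 arriving through the tunnel reaches the server (port 80).
add chain=dstnat in-interface=pptp-out1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.1.2 to-ports=80 \
    comment="Web server via VPN"
# Second masquerade, one per egress interface. The lte1 masquerade already exists
# as rule 2 in the question. Without this one, the server's reply would carry the
# private source 192.168.1.2 and never get back through the tunnel.
add chain=srcnat out-interface=pptp-out1 action=masquerade \
    comment="VPN tunnel"

/ip route
# Replies must leave through the tunnel, so the tunnel becomes the default route...
add dst-address=0.0.0.0/0 gateway=pptp-out1 distance=1 \
    comment="Everything via VPN"
# ...while the tunnel's own outer packets still reach the VPN server over LTE
# (a /32 is more specific than 0.0.0.0/0, so it wins regardless of distance).
add dst-address=%ADDR_VPN_SERVER%/32 gateway=192.168.0.1 distance=1 \
    comment="VPN server itself via LTE"
# The DHCP client on lte1 installs its own default route; give it a worse
# distance so it is only used when the tunnel is down.
/ip dhcp-client set [find interface=lte1] default-route-distance=10

/ip firewall filter
# Optional hardening (added, not from the answers). The question's disabled
# "drop in-interface=ether1-gateway / sfp1-gateway" rules do not cover lte1 or
# pptp-out1, so nothing currently limits what the VPN side can reach.
# Established/related are already accepted by the existing forward rules 5 and 6,
# so only new connections need deciding here.
add chain=forward in-interface=pptp-out1 connection-state=new \
    connection-nat-state=dstnat action=accept \
    comment="VPN: only the forwarded port"
add chain=forward in-interface=pptp-out1 connection-state=new action=drop \
    comment="VPN: drop everything else"
# The PPTP control and GRE traffic arrive on lte1, not pptp-out1, so the router
# itself needs nothing from inside the tunnel.
add chain=input in-interface=pptp-out1 action=drop \
    comment="VPN: no router services from the tunnel"
```

To check the result: `/ip route print` should show the 0.0.0.0/0 route via pptp-out1 as active and the LTE default route with distance 10 inactive; `/ip firewall nat print stats` shows whether the dstnat rule and the pptp-out1 masquerade are counting packets when you connect to 8.8.8.96:8080 from outside; and `/ip firewall connection print` should list the connection with the dst-nat'ed reply address 192.168.1.2. If the VPN server's address changes, the /32 route has to be updated by hand, since RouterOS routes take addresses, not names.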
