Mikrotik, port forwarding through VPN PPTP Client?
Good day. For a day now I cannot configure port forwarding from a VPN connection to the local address of the DVR.
What we have is a Mikrotik RB951UI with a Megafon modem inserted (in HiLink mode) and a VPN PPTP Hidme connection with a dedicated IP established over the Internet.
/ip route
0 AS 0.0.0.0/0 hidme 1
1 ADS 0.0.0.0/0 10.121.192.1 0
2 ADC 10.121.192.1/32 10.123.9.119 hidme 0
3 ADS 91.105.238.11/32 192.168.199.1 0
4 100.0/24 192.168.100.1 bridge1 0
5 ADC 192.168.199.0/24 192.168.199.2 ether1 0
/ip firewall nat
0 chain=dstnat action=netmap to-addresses=192.168.100.253 to-ports=8085 protocol=tcp in-interface=hidme dst-port=8085 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=hidme log=no log-prefix=""
/ip firewall mangle
0 D chain=forward action=change-mss new-mss=1410 passthrough=yes tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1411-65535 log=no log-prefix=""
1 D chain=forward action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn protocol=tcp in-interface=all-ppp tcp-mss=1361-65535 log=no log-prefix=""
2 chain=prerouting action=mark-routing new-routing-mark=hidme_vpn passthrough=yes protocol=tcp dst-address=192.168.100.253 dst-port=8085 log=no log-prefix=""
3 chain=output action=mark-routing new-routing-mark=hidme_vpn passthrough=yes protocol=tcp src-address=192.168.100.0/24 src-port=8085 log=no log-prefix=""
The firewall filter is empty. I'm trying to forward TCP port 8085. When I go to IP - Services - WWW and change the port to 8085, I reach the router's admin panel through the Hidme VPN, which means everything works fine on the Hidme side.
The Internet works through the VPN, all sites open fine, but it is impossible to get from this external IP to the computer with the address 192.168.100.253. I've read all of Google.
In dstnat, match on the in-interface name rather than the dst address, and that's it.
chain=dstnat action=netmap to-addresses=192.168.100.253 to-ports=8085 protocol=tcp in-interface=hidme dst-port=8085
chain=prerouting action=mark-routing new-routing-mark=hidme_vpn passthrough=yes protocol=tcp dst-address=192.168.100.253 dst-port=8085
chain=output action=mark-routing new-routing-mark=hidme_vpn passthrough=yes protocol=tcp src-address=192.168.100.0/24 src-port=8085
I agree with the previous answerer. Mangle is useless. Replace netmap with dst-nat and clean out the mangle. If the port is mapped to the same one, it can be omitted in to-ports. Thus:
should work great. Just in case, keep in mind that in the firewall this traffic will land in the forward chain, not in input, so don't block it there. And you need to know the packet flow diagram.
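As an added worked example (not taken from either answerer), here is the configuration the two answers describe, written as RouterOS CLI commands for the interfaces and addresses from the question: the netmap rule replaced by a plain dst-nat rule matched on in-interface=hidme, the two hidme_vpn mangle rules removed, and a minimal forward-chain filter so the forwarded DVR port is the only thing reachable from the VPN interface. The filter rules are an assumption of mine for a defensive baseline; the question states the filter is empty, and the answers only warn not to block the traffic in forward. The `connection-nat-state=dstnat` matcher exists in RouterOS and is used here so that only connections that actually passed the dst-nat rule are accepted.

```routeros
# Remove the netmap rule and the routing-mark mangle rules from the question
/ip firewall nat remove [find action=netmap]
/ip firewall mangle remove [find new-routing-mark=hidme_vpn]

# Port forward: TCP 8085 arriving on the PPTP client interface goes to the DVR.
# to-ports is omitted because the port stays the same (8085 -> 8085).
/ip firewall nat
add chain=dstnat in-interface=hidme protocol=tcp dst-port=8085 \
    action=dst-nat to-addresses=192.168.100.253 comment="DVR via Hidme VPN"

# Keep the existing masquerade so LAN traffic leaving through the VPN is NATed
add chain=srcnat out-interface=hidme action=masquerade

# Assumed hardening (not in the original answers): traffic from the VPN goes
# through the forward chain, so allow only what was dst-natted and drop the rest.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=hidme connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.100.253 dst-port=8085 action=accept
add chain=forward in-interface=hidme connection-state=new action=drop
```

No routing mark is needed because, as the question's route table shows, the default route already points at the hidme interface, so replies from 192.168.100.253 return through the same PPTP tunnel on which the connection arrived. If the default route is later moved back to the modem, asymmetric return traffic would break the forward again; that is the case in which a routing mark on the reply traffic becomes relevant.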