VPN LAN-to-LAN and IP Masquerading (ZeroShell forum, Network Management)
February 12, 2015 at 5:43 pm #44208
DarknessBBB
Participant

Hello,
I’ve got a problem configuring our LAN-to-LAN VPNs.

I have a server in a LAN with subnet 10.0.0.0/24.
I have some clients in a LAN with subnet 10.0.2.0/24.
These two LANs are connected via VPN with two ZeroShells with IPs 10.0.0.1 and 10.0.2.1.

Well, all connections that the server receives from the other LAN have the IP masqueraded with IP 10.0.0.1.
I tried every combination of settings in the NAT section of the web interface; am I maybe missing anything?
Thank you very much!

February 12, 2015 at 6:09 pm #53712
redfive
Participant

Simple setup

SiteA
lan 10.0.0.0/24
VPN00 10.0.3.1/30
static route 10.0.2.0/24 via 10.0.3.2
no nat on VPN00

SiteB
lan 10.0.2.0/24
VPN00 10.0.3.2/30
static route 10.0.0.0/24 via 10.0.3.1
no nat on VPN00

Those hosts that have ZS as default gateway (then, at least, the hosts which belong to the 10.0.0.0/24 as well as the 10.0.2.0/24 networks) should be able to communicate with each other via the VPN transparently (L3) without needing any NAT.
If instead you are trying to ‘bridge’ the LAN with the VPN, then some more info on your goals is needed…
Regards

February 12, 2015 at 6:39 pm #53713
DarknessBBB
Participant

First of all, thank you for answering.

Site A
subnet 10.0.0.0/24
Zeroshell IP: 10.0.0.1
Default Gateway for clients 10.0.0.1
NO NAT on VPN01

Site B
subnet 10.0.2.0/24
Zeroshell IP: 10.0.2.1
Default Gateway for clients 10.0.2.1
No NAT on VPN00

As you can see, it is a very simple configuration.
February 12, 2015 at 7:19 pm #53715
redfive
Participant

Could you post the output of route -n (or via GUI: Network, Router, Routing table) and iptables -t nat -L (or via GUI: Network, Router, NAT, view)… maybe after having hidden your public IP addresses.
Regards

February 13, 2015 at 11:52 am #53716
DarknessBBB
Participant

Thank you again.

Site A

Routing Table
Chain PREROUTING (policy ACCEPT 32606 packets, 2691K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4125 to:10.0.0.2:4125
11 899 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.0.2:80
696 43472 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.0.2:443
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12489 to:10.0.0.2:12489
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:12489 to:10.0.0.2:12489
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:161 to:10.0.0.2:161
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:161 to:10.0.0.2:161
124 7132 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:10.0.0.2:25
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:38667 to:10.0.0.45:38667
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:38667 to:10.0.0.45:38667
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3391 to:10.0.0.18:3389
98 4684 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 to:10.0.0.45:3306
2 100 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:10.0.0.45:21
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 to:10.0.0.45:8081
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81 to:10.0.0.45:80
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3393 to:10.0.0.27:3389
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4125 to:10.0.0.2:4125
2 100 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.0.2:80
1 48 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.0.2:443
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12489 to:10.0.0.2:12489
0 0 DNAT udp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 udp dpt:12489 to:10.0.0.2:12489
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:161 to:10.0.0.2:161
0 0 DNAT udp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 udp dpt:161 to:10.0.0.2:161
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:10.0.0.2:25
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:38667 to:10.0.0.45:38667
0 0 DNAT udp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 udp dpt:38667 to:10.0.0.45:38667
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3391 to:10.0.0.18:3389
1 40 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 to:10.0.0.45:3306
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:10.0.0.45:21
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 to:10.0.0.45:8081
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81 to:10.0.0.45:80
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3393 to:10.0.0.27:3389
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:34711 to:10.0.0.39:34711
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:34711 to:10.0.0.39:34711
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3394 to:10.0.0.75:3389
0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3394 to:10.0.0.75:3389
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3392 to:10.0.0.76:3389
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:60885 to:10.0.0.23:60885
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:60885 to:10.0.0.23:60885
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3399 to:10.0.0.2:3389
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3395 to:10.0.0.47:3389
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082 to:10.0.0.8:80
4 240 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:10.0.0.5:80
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3397 to:10.0.2.100:3389
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3398 to:10.0.0.96:3389
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3398 to:10.0.0.96:3389
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:9025:9040 to:10.0.0.10:9025-9040
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5002:5004 to:10.0.0.10:5002-5004
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5001 to:10.0.0.10:5001
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5000 to:10.0.0.10:5000
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5000 to:10.0.0.10:5000
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4569 to:10.0.0.3:4569
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 to:10.0.0.3:4569
19 1008 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:16881 to:10.0.0.10:16881
11 705 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:16881 to:10.0.0.10:16881
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6881 to:10.0.0.10:6881
1536 202K DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:6881 to:10.0.0.10:6881
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3396 to:10.0.0.77:3389
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3396 to:10.0.0.77:3389
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3400 to:10.0.0.64:3389
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3400 to:10.0.0.64:3389
Chain POSTROUTING (policy ACCEPT 8291 packets, 570K bytes)
pkts bytes target prot opt in out source destination
32055 2479K SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
9167 821K MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
11190 854K MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
173 9268 MASQUERADE all -- * ETH02 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ETH03 0.0.0.0/0 0.0.0.0/0
525 33405 MASQUERADE all -- * VPN00 0.0.0.0/0 0.0.0.0/0
173 8298 MASQUERADE all -- * VPN03 0.0.0.0/0 0.0.0.0/0
2549 185K MASQUERADE all -- * VPN04 0.0.0.0/0 0.0.0.0/0
1 42 MASQUERADE all -- * VPN05 0.0.0.0/0 0.0.0.0/0
1 42 MASQUERADE all -- * VPN06 0.0.0.0/0 0.0.0.0/0
8232 565K OpenVPN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination

Site B
Chain PREROUTING (policy ACCEPT 6166K packets, 492M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4569 to:10.0.2.2:4569
0 0 DNAT udp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 to:10.0.2.2:4569
1275K 64M DNAT tcp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to:10.0.2.3:3389
0 0 DNAT udp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3389 to:10.0.2.3:3389
6450 330K DNAT tcp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3390 to:10.0.2.100:3389
0 0 DNAT udp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3390 to:10.0.2.100:3389
174K 8438K Proxy tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain POSTROUTING (policy ACCEPT 4509K packets, 289M bytes)
pkts bytes target prot opt in out source destination
12M 790M SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
3514K 235M MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
4079K 266M MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination

February 13, 2015 at 12:20 pm #53717
redfive
Participant

On both sites, unless you need some kind of ‘hairpin NAT’, remove your internal interface (ETH00) from NAT. In SiteA it is the 2nd entry visible in POSTROUTING:
9167 821K MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
and the 2nd entry in SiteB as well:
3514K 235M MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
These entries translate the source IP addresses of outgoing packets with the IP addresses of these interfaces.
Also, if you need your link to be Layer 3 transparent, remove VPN00 as well from the NAT-enabled interfaces in SiteA.
Regards

February 13, 2015 at 6:12 pm #53718
DarknessBBB
Participant

If for “hairpin NAT” you mean this:
http://wiki.mikrotik.com/wiki/Hairpin_NAT
it’s exactly our configuration: our servers have only private addresses and only certain ports are forwarded to the servers inside the LAN.

In SiteA the VPN we are talking about is VPN01, and there is no NAT for that 🙁
February 13, 2015 at 7:02 pm #53719
redfive
Participant

Ok, I wrote about removing the NAT just to keep the L3 transparency across the VPN link. Anyway… assuming that your internal servers are on the same broadcast domain as your internal LAN (the 10.0.0.0/24 network, and not on a dedicated DMZ), try this: remove ETH00 from the NAT-enabled interfaces, and in SYSTEM, Setup, Scripts/Cron, NAT and Virtual Servers, add this line and then enable the script:
iptables -t nat -I POSTROUTING -o ETH00 -s 10.0.0.0/24 -d 10.0.0.0/24 -j MASQUERADE
This will do NAT only for packets coming from the LAN and destined to the LAN as well (when you try to reach one of your servers via FQDN from a PC which is in the same LAN)…
If it works (and it should), then you can play with a ‘fine tuning’ of your rules…
Regards
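The mechanism behind this thread can be checked offline: redfive's diagnosis (the blanket MASQUERADE on ETH00 rewrites every packet leaving towards the LAN, including those arriving from Site B over VPN01, so the server sees 10.0.0.1) and the narrow hairpin rule proposed as the fix. The following is an added example, not ZeroShell code and not anything posted in the thread: a small Python model of Site A's routing decision and POSTROUTING chain, with the rules transcribed from the listing DarknessBBB posted. The public address on ETH01 (203.0.113.10), the tunnel address on VPN01 (10.0.3.1), and the sample client/server hosts are assumptions made for the example.

```python
"""Model of Site A's POSTROUTING nat chain, as posted above, and of redfive's fix.

Simplified iptables semantics: the routing decision picks the outgoing
interface, then the first matching POSTROUTING rule wins, and MASQUERADE
replaces the packet's source with the address of that outgoing interface.
Only the first packet of a connection traverses the nat table; conntrack
applies the same translation to the rest of the flow (not modelled here).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")
LAN_A = IPv4Network("10.0.0.0/24")
LAN_B = IPv4Network("10.0.2.0/24")

# Site A interface addresses. 10.0.0.1 on ETH00 is from the thread; the public
# address on ETH01 and the tunnel address on VPN01 are assumed for the example.
IFACE_ADDR = {
    "ETH00": IPv4Address("10.0.0.1"),
    "ETH01": IPv4Address("203.0.113.10"),
    "VPN01": IPv4Address("10.0.3.1"),
}

# Site A routing table as (prefix, outgoing interface); longest prefix wins.
ROUTES = [
    (LAN_A, "ETH00"),   # local LAN
    (LAN_B, "VPN01"),   # Site B, reached through the LAN-to-LAN VPN
    (ANY, "ETH01"),     # default route towards the Internet
]


@dataclass(frozen=True)
class MasqRule:
    """One MASQUERADE entry of the POSTROUTING chain ('*' out-interface = None)."""
    out_iface: Optional[str]
    src: IPv4Network = ANY
    dst: IPv4Network = ANY

    def matches(self, out_iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        return ((self.out_iface is None or self.out_iface == out_iface)
                and src in self.src and dst in self.dst)


# The posted Site A chain, reduced to entries that can match in this model.
# SNATVS and OpenVPN are empty user chains in the listing, so they return
# without translating; VPN01 (the LAN-to-LAN tunnel) has no entry at all.
POSTED_RULES = [
    MasqRule(out_iface="ETH00"),   # the entry redfive points at
    MasqRule(out_iface="ETH01"),
]

# redfive's fix: take ETH00 out of the NAT-enabled interfaces and add
#   iptables -t nat -I POSTROUTING -o ETH00 -s 10.0.0.0/24 -d 10.0.0.0/24 -j MASQUERADE
FIXED_RULES = [MasqRule(out_iface="ETH00", src=LAN_A, dst=LAN_A)] + [
    r for r in POSTED_RULES if r.out_iface != "ETH00"
]


def out_interface(dst) -> str:
    """Longest-prefix-match routing decision on Site A for a destination address."""
    dst = IPv4Address(dst)
    _, iface = max(((p, i) for p, i in ROUTES if dst in p),
                   key=lambda route: route[0].prefixlen)
    return iface


def observed_source(src: str, dst: str, rules: List[MasqRule]) -> str:
    """Source address the destination host sees after POSTROUTING.

    src/dst are the addresses after PREROUTING, so for a connection to a
    forwarded public port dst is already the DNAT target. (The posted DNAT
    entries match only packets entering ETH01/ETH02; whether a LAN-originated
    connection to the public address is DNATed at all is outside this model.)
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    iface = out_interface(d)
    for rule in rules:
        if rule.matches(iface, s, d):
            return str(IFACE_ADDR[iface])
    return src   # chain policy ACCEPT: source left untouched


# Sample flows (constructed for the example): (source, destination after PREROUTING).
FLOWS = {
    "Site B client to the LAN server": ("10.0.2.100", "10.0.0.2"),
    "LAN client to the LAN server via a forwarded port (hairpin)": ("10.0.0.50", "10.0.0.2"),
    "LAN client to the Internet": ("10.0.0.50", "198.51.100.7"),
    "LAN client to a Site B host": ("10.0.0.50", "10.0.2.3"),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Source seen by the destination under the posted chain and after the fix."""
    return {name: (observed_source(s, d, POSTED_RULES), observed_source(s, d, FIXED_RULES))
            for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name}: posted chain -> {before}, after fix -> {after}")
```

Running it shows the Site B client reaching the server as 10.0.0.1 under the posted chain and as 10.0.2.100 after the fix, while the hairpin flow is still translated to 10.0.0.1 (so the server's reply returns through the router that holds the DNAT state) and Internet-bound traffic is still masqueraded on ETH01. The same model applies to Site B, whose own blanket ETH00 entry rewrites Site A sources to 10.0.2.1 in the opposite direction.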