Routing to public IPs behind firewall with VPN

firewallroutingvpn

I have two sites. Site 1 has a router with a public IP A.B.C.D as well as a private range 192.168.13.0/24. The router also occupies the private IP 192.168.13.1. Site 2 is a single host with a public IP X.Y.Z.W.

The problem is that site 2 is behind a firewall not under my control. As a result, site 2 can access site 1 at A.B.C.D but site 1 cannot access site 2 directly.

To work around the limitation, I configured site 2 to connect to site 1's router over an OpenVPN tunnel, and using iproute2 source policy routing to redirect traffic from the private range (except the router itself) to X.Y.Z.W to go through the tunnel. For example, I have to use the following command on the router at site 1

ip rule add from 192.168.13.32/27 to X.Y.Z.W lookup vpn

to redirect traffic from the block 192.168.13.32/27 to X.Y.Z.W to consult the routing table vpn in which the default gate is the OpenVPN endpoint. I have to use source policy routing to exclude the router (which is at 192.168.13.1), otherwise the VPN traffic would not be routed back to X.Y.Z.W correctly.

So far everything is working fine, but I'm not very happy with the source policy routing because it requires me to change the ip rule every time private range 192.168.13.0/24 is changed, or more sub-blocks is added.

I'm wondering if there is any easier way to make X.Y.Z.W available to site 1's private range without using source policy routing?

Best Answer

After Site 2 opens the VPN tunnel it should be assigned an IP, e.g. 10.10.10.2, and a route should appear on the router (acting as VPN Server) pointing to this IP.

You can use Destination NAT instead of policy routing, by matching all traffic whose destination is the public IP X.Y.Z.W, and that are incoming only from the router LAN Interface, and NATTing the destination to 10.10.10.2.

This will route all traffic going to Site 2 through the VPN tunnel automatically, and it will hit the public host.

Related Solutions

Vlan – Site to Site VPN with no access to second vlan

The problem you are seeing is normal behavior. When you use object groups to define the tunnel traffic, the ACL gets expanded to a regular ACL with multiple entries. For example, this ACL

access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

becomes

access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.50.0 255.255.255.0

Each line in the ACL creates a Securty Association (SA) for the VPN.

Because you are using dynamic VPNs, the SA doesn’t get created until the remote router sees traffic that matches the ACL entry. You apparently have devices on the 192.168.0.0 network that are talking to the 192.168.11.0 network, and this creates the SA for that entry.

But you don’t have any devices on the 192.168.50.0 network talking to 192.168.11.0, so the SA never gets built. With no SA, you can’t send traffic from 192.168.11.0 to 192.168.50 0. Once you ping from 192.168.50.0 to 192.168.11.0, the SA is created and you can send traffic in either direction.

To make this work the way you want, you have three choices:

Go back to static VPNs. The SAs are always up.
Find some way to generate traffic on the 192.168.50.0 network. Anything will do.
Readdress your networks so that you have one ACL entry that covers both networks at the remote end. You will have only one SA, which will be created as soon as traffic flows.

VPN Tunnel Issues from Remote Location via ISP (PPTP) – Fixes

Why it works from our side when I use 1.1.1.10 and I get error using 1.1.1.9 in NAT table?

You have a problem with the 1.1.1.9 configuration as an external NAT IP on the Mikrotik. The outside interface of the Mikrotik is a /30; you're using 1.1.1.9/30 as the default gateway and an outside NAT IP on the Mikrotik. If you're going to use 1.1.1.9/30 on the Mikrotik, you need 1.1.1.10 as a default-gateway.

As it stands, you're currently using 1.1.1.9 as both default-gateway and external NAT IP.

Current Routing table:

Dst. address   | Gateway      | Distance | Pref. source   |
0.0.0.0/0      | 1.1.1.9      | 2        | -              |

Current NAT table:

Action     | Chain  | Source Addr    | Dst Address   | Proto    | Dst Port | Out Intf   |
masquerade | srcnat | -              | -             | -        | -        | ether1     |
dstnat     | dstnat | -              | 1.1.1.9       | 6 (TCP)  | 1723     | -          |
dstnat     | dstnat | -              | 1.1.1.9       | 47 (GRE) | -        | -          |
dstnat     | dstnat | -              | 1.1.1.9       | 6 (TCP)  | 5006     | -          |
masquerade | srcnat | 192.168.1.0/24 | 192.168.1.230 | -        | -        | -          |

What's a little confusing is the diagram, which says the ISP-A's router is in transparent "modem state". Please be sure that the IP addressing scheme you're using on the Mikrotik is consistent with ISP-A's expectations. If the router is transparent, I'm not entirely sure you should have an IP address on it.

Best Answer

Related Solutions

Vlan – Site to Site VPN with no access to second vlan

VPN Tunnel Issues from Remote Location via ISP (PPTP) – Fixes

Related Topic