• Cannot access webservers through vpn that are on a different gateway

    0 Votes
    19 Posts
    771 Views
    S
    @viragomann said in Cannot access webservers through vpn that are on a different gateway: @silvered-dragon said in Cannot access webservers through vpn that are on a different gateway: if I masquerade the remote networks on the central mikrotik behind the lan interface, things work. So the only two reasons for failing without that I can think of are: the route doesn't work; the destination server itself blocks the access. Blocking access from outside its own subnet is the default behavior of system firewalls, however, a webserver should be configured to accept access from anywhere. I assume, the server is accessible from the internet. @silvered-dragon said in Cannot access webservers through vpn that are on a different gateway: But honestly I'm not sure that masquerading the remote lan is a good practice. The only one drawback is that you cannot identify the real source address on the destination device, as long as you do the masquerading only for the remote lan. I'm 100% sure that there is no issue related to the server side, because I created new vms with basic configuration, and I cannot access anything in tcp, even a simple debian+ssh
  • Internet traffic on open vpn

    0 Votes
    3 Posts
    366 Views
    robert321
    @viragomann super helpful thank you!
  • Meaning of the Globe Icon

    0 Votes
    3 Posts
    895 Views
    robert321
    @Rico said in Meaning of the Globe Icon: The Icon shows your default Gateway. -Rico Oh I didn't know this either. Thank you!
  • Intranet is affected by Internet, cannot figure out why...

    0 Votes
    3 Posts
    164 Views
    robert321
    Omg I had the same issue, and struggled to find a solution. I just saw your post (it would have been more helpful if I would have had this information while struggling haha) but very helpful! This worked for me too
  • Routing for Cogent

    0 Votes
    6 Posts
    724 Views
    robert321
    @netblues thank you this was very helpful!
  • Multi WAN Monitoring routes not working / Failover not working 2.4.5-p1

    0 Votes
    1 Posts
    97 Views
    No one has replied
  • Can't reach Wireguard Peer but VPN Server [Solved]

    0 Votes
    1 Posts
    94 Views
    No one has replied
  • "Gathering data" status for gateway that has monitoring disabled

    0 Votes
    1 Posts
    120 Views
    No one has replied
  • CenturyLink BRAS LAN Subnetting w/ Static IP

    0 Votes
    6 Posts
    994 Views
    T
    @techsalot Didn't work
  • Odd SSH behavior when pfSense is in the mix

    0 Votes
    1 Posts
    74 Views
    No one has replied
  • Multi firewall static route failover.

    0 Votes
    4 Posts
    472 Views
    N
    @Peter-Nunn Well, this is a high level description. You need to understand how multiwan works and adapt it to your specific needs. Questions are welcome
  • 0 Votes
    1 Posts
    152 Views
    No one has replied
  • 0 Votes
    3 Posts
    682 Views
    Z
    @serbus Yeah, I thought about something involving different src IPs. I wouldn't even need something with RDP, could just set up a proxy and bounce the traffic off of that... but that's still a work-around. It's a better work-around than fiddling with the firewall rules though, and I already have a Raspberry Pi running my Unifi controller that would be perfectly fine to run nginx as a reverse proxy in front of one of the modems. IMO, this should be something that's possible on a competent router/firewall, without involving any other equipment.
  • PPPoE Multi-WAN Loadbalance

    0 Votes
    1 Posts
    239 Views
    No one has replied
  • Subnets can't communicate

    0 Votes
    29 Posts
    4k Views
    johnpoz
    Utter waste of time, the 2nd pfsense is pointless... It provides you nothing but causing your vm host to run resources for nothing and complexes up the setup..
  • Static routes use MAC address as gateway

    0 Votes
    2 Posts
    1k Views
    M
    As the new gateway is now at its final destination and doesn't need this kind of hack anymore, I guess I can close this post.
  • 0 Votes
    11 Posts
    2k Views
    N
    @pfuzer pfsense with pfblockergng-dev and suricata
  • Blocked From Personal Hosted Site On LAN

    0 Votes
    2 Posts
    164 Views
    johnpoz
    If you're trying to get forwarded back in from your wan IP, you would have to set up nat reflection for that to function. But if the server is local, why would you not locally resolve the fqdn to the local IP and just access it without going through the nat reflection nonsense.
  • Multi WAN Routing

    routing multi wan
    0 Votes
    2 Posts
    582 Views
    H
    Well, the part with 2 LANs and 2 WANs is quite easy. You configure the transit network interface as defined by your second ISP. You configure e.g. 129.x.?.1/24 as a static IP on your "Public LAN". You either set the NAT mode to "Manual Outbound NAT rule generation." and set all NAT rules manually, or you set it to "Hybrid Outbound NAT rule generation" and manually add a "Do not NAT" rule for the traffic between your new LAN and WAN. This should already create the appropriate routing table entries so that incoming traffic finds your 129.x.?.1/24. What's missing is to tell the outgoing traffic which gateway to use. This can e.g. be done by specifying the gateway of the second WAN interface in the "allow to any" (or whatever firewall rule you use to allow internet access) firewall rule on your "Public LAN" interface. Regarding the public IPs for your 192.168.x.1/22: From my perspective, the clean solution would be to give them a second network interface (e.g. using VLANs) in the "Public LAN" network. This also makes it easier to separate the administrative from the public traffic, e.g. only enable SSH on the interface in 192.168.x.0/22 network.
  • Multiple WANs for multiple public IPV4 addresses

    0 Votes
    2 Posts
    197 Views
    E
    I finally got this sorted out. Here's how I have done it, in case anybody in that situation happens to find this thread. This method does not require creating NAT outbound rules. Assign the WAN2 interface with DHCP or static. This is the WAN of my additional public IP. Create a VLAN and assign it (I'll call it LAN2 for clarity). VMs using the additional IP will be connected to this VLAN. Go to LAN firewall rules, edit the default IPv4 allow rule, and set the gateway to your WAN gateway. Go to LAN2 firewall rules, edit the default IPv4 allow rule, and set the gateway to your WAN2 gateway.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.