Bring Public IP from CHR VPS to Home

Hi there,

Currently from my ISP, I have a public IP (180.x.x.3) that is going away soon and I’ll be back behind CGNAT.
I’m using an RB5009 running ROS 7 as the home router and have a number of port forwards set up to multiple VMs.

I set up CHR on a VPS that has a couple of public IPs:
67.y.y.4/23 (primary IP, gateway 67.y.y.1)
67.x.x.7/32

How can I “bring” the 67.x.x.7 over to the RB5009?
Making it like 67.x.x.7 is actually on the RB5009, so I can forward 67.x.x.7:80 → 192.168.4.100:80, for example.

I already have a couple of things set up.
CHR:

/ip arp
add address=67.x.x.7 interface=ether1 published=yes
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/ppp secret
add local-address=10.0.0.1 name=rb5009 remote-address=67.x.x.7

RB5009:

/interface l2tp-client
add connect-to=67.y.y.4 disabled=no keepalive-timeout=30 name=l2tp-out1 use-ipsec=yes user=rb5009
/routing table
add disabled=no fib name=via-chr
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=67.x.x.7 in-interface=l2tp-out1 new-connection-mark=chr-conn passthrough=no
add action=mark-connection chain=prerouting new-connection-mark=chr-conn passthrough=yes src-address=67.x.x.7
add action=mark-routing chain=prerouting connection-mark=chr-conn new-routing-mark=via-chr passthrough=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-table=via-chr suppress-hw-offload=no

L2TP is connected and the RB5009 got 67.x.x.7. However, 67.x.x.7 still cannot be pinged from the world.
Checking with the packet sniffer showed the following:

Interface  Direction  Src.Addr   Dst.Addr
l2tp-out1  rx         165.x.x.x  67.x.x.7
l2tp-out1  tx         165.x.x.x  67.x.x.7
l2tp-out1  rx         165.x.x.x  67.x.x.7
l2tp-out1  tx         165.x.x.x  67.x.x.7

If the “/ip firewall mangle action=mark-routing” rule is disabled, the packet is not returned via l2tp-out1:

Interface   Direction  Src.Addr   Dst.Addr
l2tp-out1   rx         165.x.x.x  67.x.x.7
ether1-wan  tx         67.x.x.7   165.x.x.x
l2tp-out1   rx         165.x.x.x  67.x.x.7
ether1-wan  tx         67.x.x.7   165.x.x.x

What am I doing wrong?
Is it actually possible to do this or am I approaching this from a wrong direction?

Thank you very much for any help!

Note: I have been struggling with this for the past week, have read around the forum, and tried different configs, tunnels, and ideas.
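The first sniffer capture above (an incoming packet for 67.x.x.7 being transmitted straight back out l2tp-out1) is consistent with the prerouting mark-routing rule also hitting packets that arrive from the tunnel, which the via-chr default route then sends back out instead of delivering locally. The RB5009 mangle set below is an added example, not the poster's config or a confirmed fix from this thread; it assumes the poster's names (l2tp-out1, via-chr, chr-conn), that 67.x.x.7 is not also configured under /ip address on the CHR, and that replies generated by the router itself (such as the echo reply to a ping) need the mark applied in the output chain, which prerouting never sees.

```routeros
# Added example for the RB5009 side (assumption, not from the thread).
# Goal: packets arriving from the tunnel stay in the main table (delivered locally
# or forwarded to the LAN); only the replies leaving via the tunnel get via-chr.
/ip firewall mangle
# Inbound from the CHR: mark the connection only, do not set a routing mark here.
add chain=prerouting in-interface=l2tp-out1 dst-address=67.x.x.7 connection-mark=no-mark action=mark-connection new-connection-mark=chr-conn passthrough=yes comment="inbound via CHR: connection mark only"
# Replies from LAN hosts (forwarded traffic): mark routing only for packets that did NOT come in from the tunnel.
add chain=prerouting in-interface=!l2tp-out1 connection-mark=chr-conn action=mark-routing new-routing-mark=via-chr passthrough=no comment="LAN replies back via CHR"
# Replies generated by the router itself (e.g. ICMP echo reply to a ping of 67.x.x.7) only traverse output, so mark them there.
add chain=output connection-mark=chr-conn action=mark-routing new-routing-mark=via-chr passthrough=no comment="router's own replies back via CHR"
# Example port forward matching the question (67.x.x.7:80 -> 192.168.4.100:80); the reply from the VM is then caught by the second mangle rule.
/ip firewall nat
add chain=dstnat dst-address=67.x.x.7 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.4.100 to-ports=80 comment="example forward of 67.x.x.7:80"
```

The route `dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-table=via-chr` from the original post stays unchanged; /tool sniffer on l2tp-out1 should then show rx 165.x.x.x→67.x.x.7 followed by tx 67.x.x.7→165.x.x.x rather than the same packet echoed back.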

So 67.x.x.7 is supposed to be your RB5009?
Then why does your RB5009 connect to itself?

Hey, thanks for your reply.
Oops, just a typo. The RB5009 is connecting to 67.y.y.4, and the L2TP tunnel is running.