Client accessing Internet through remote VPN link

Hello,
I have the need to implement a solution where there is a client device on location A which needs to access the Internet as if it were physically on location B - that is, use location B's Internet gateway.
There are ISP routers on both locations A and B. The requirement is that there is no configuration on either ISP router (like port forwards), and the assumption is that both of those routers have unrestricted outbound traffic. So this is how I think this could be solved:

  • put one Mikrotik (M1) router on location B, connect it to the ISP router on location B; the Mikrotik (M1) router is a DHCP client of the ISP router
  • Mikrotik (M1) on location B has a VPN tunnel configured to connect to a midpoint, cloud-based Mikrotik (M3, CHR)
  • put another Mikrotik (M2) router on location A, connect it to the ISP router on location A as a DHCP client
  • similarly to M1, it has a VPN tunnel configured to connect to the midpoint (M3)
  • connect the client device to M2
  • the client device at location A connects to the Internet through both VPN tunnels and exits to the Internet from location B

To all the experts out there, please comment on this solution, is there anything missing, how would you do it?

Regards,
Drazen

Caveat: valid only for wireguard, as this is what I know.
Well, you need a reachable endpoint. It certainly can be a friend's house with a public IP, or a CHR in a cloud server situation, etc.
So yes, two routers can be linked as clients to the same server router and both routers can reach the internet at the cloud location.
Also the two LAN subnets or more behind the two mikrotiks can reach each other.
Also the two LAN subnets or more behind the two mikrotiks can reach the subnets of the other ISP's subnets (wireguard needs to be source-natted).

That was the long answer. The quick answer is no: using a single wireguard interface, in this case, the best you can do is use the internet of the intermediary connection for www.
If you create two wireguard interfaces on the CHR see the next post.

After more thought, you may be able to accomplish the goal if you use two wireguard interfaces on the CHR, one for each Router.
That is because on one wireguard interface there can only be one peer with 0.0.0.0/0, and it has to be last in the order, otherwise all traffic will go to this peer.
So, the allowed IPs for each router peer, aka on separate wireguard interfaces on the CHR, should be 0.0.0.0/0, and then you set up the access to the client router's Internet from the other router. Be advised you will need to ensure the firewall rules, especially on the CHR, are carefully set up (forward chain).
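The two-interface hub described in the reply above, written out as an added example configuration; it is not from any post in this thread and not MikroTik's own documentation. It assumes RouterOS v7, constructed addresses (CHR public IP 203.0.113.10, tunnels 10.255.1.0/30 and 10.255.2.0/30, client LAN 192.168.10.0/24 behind M2), placeholder keys in angle brackets, and that ether1 is each router's ISP-facing DHCP-client port and bridge-lan is M2's client-side bridge.

```routeros
# === M3 (CHR hub, public IP 203.0.113.10 - constructed placeholder) ===
/interface wireguard
add name=wg-siteA listen-port=13231 private-key="<CHR_PRIVATE_KEY_A>"
add name=wg-siteB listen-port=13232 private-key="<CHR_PRIVATE_KEY_B>"
# One peer per interface, each with 0.0.0.0/0, as the reply above requires;
# no endpoint is set because M1 and M2 sit behind ISP NAT and dial in.
/interface wireguard peers
add interface=wg-siteA public-key="<M2_PUBLIC_KEY>" allowed-address=0.0.0.0/0 comment="M2 at site A"
add interface=wg-siteB public-key="<M1_PUBLIC_KEY>" allowed-address=0.0.0.0/0 comment="M1 at site B"
/ip address
add address=10.255.1.1/30 interface=wg-siteA
add address=10.255.2.1/30 interface=wg-siteB
# Separate routing table so only traffic arriving from site A is steered to site B;
# the CHR's own traffic keeps using the main table and its cloud uplink.
/routing table
add name=via-siteB fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.255.2.2 routing-table=via-siteB
/ip firewall mangle
add chain=prerouting in-interface=wg-siteA dst-address-type=!local \
    action=mark-routing new-routing-mark=via-siteB passthrough=no
# Hide site A behind the CHR's tunnel address, so M1 only needs a /32 for the CHR.
/ip firewall nat
add chain=srcnat out-interface=wg-siteB action=masquerade
# Place these above any existing drop rules in the input/forward chains.
/ip firewall filter
add chain=input protocol=udp dst-port=13231,13232 action=accept comment="WireGuard handshakes"
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=wg-siteA out-interface=wg-siteB action=accept comment="site A -> site B exit"
# Everything else between tunnels, or from a tunnel to the CHR's own uplink, is dropped;
# this is what stops site A leaking out through the cloud uplink if wg-siteB is down.
add chain=forward action=drop

# === M2 (site A, client side; ether1 = DHCP client to ISP A, bridge-lan = client LAN) ===
/interface wireguard
add name=wg-chr listen-port=13231 private-key="<M2_PRIVATE_KEY>"
/interface wireguard peers
add interface=wg-chr public-key="<CHR_PUBLIC_KEY_A>" endpoint-address=203.0.113.10 \
    endpoint-port=13231 allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip address
add address=10.255.1.2/30 interface=wg-chr
add address=192.168.10.1/24 interface=bridge-lan
# LAN traffic is policy-routed into the tunnel; the router's own WireGuard packets to
# 203.0.113.10 still follow the DHCP default route via ISP A, so there is no routing loop.
/routing table
add name=via-tunnel fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.255.1.1 routing-table=via-tunnel
/ip firewall mangle
add chain=prerouting src-address=192.168.10.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=via-tunnel passthrough=no
# Source-NAT the LAN behind the tunnel address (the "wireguard needs to be sourcenatted" point).
/ip firewall nat
add chain=srcnat out-interface=wg-chr action=masquerade
/ip firewall filter
add chain=forward in-interface=bridge-lan out-interface=wg-chr action=accept

# === M1 (site B, Internet exit; ether1 = DHCP client to ISP B) ===
/interface wireguard
add name=wg-chr listen-port=13231 private-key="<M1_PRIVATE_KEY>"
# Only the CHR's tunnel address is allowed here: the CHR already masquerades site A behind it.
/interface wireguard peers
add interface=wg-chr public-key="<CHR_PUBLIC_KEY_B>" endpoint-address=203.0.113.10 \
    endpoint-port=13232 allowed-address=10.255.2.1/32 persistent-keepalive=25s
/ip address
add address=10.255.2.2/30 interface=wg-chr
# Tunnel traffic leaves through ISP B with M1's DHCP-assigned address, which is the goal:
# the client at site A appears on the Internet as site B.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall filter
add chain=forward in-interface=wg-chr out-interface=ether1 action=accept
```

The keepalives on M1 and M2 matter because both sit behind ISP NAT and the CHR has no static endpoint for them; the CHR only learns where to send packets after each router's handshake. The final drop in the CHR's forward chain is the "carefully set up" part of the reply: without it, a failed wg-siteB tunnel would let site A's traffic fall back to the main table and exit through the CHR's own cloud uplink.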