How do I enable remote management of my MikroTik devices, preferably over WireGuard/VPN?

I’m attempting to set up a multi-site network, and I want to be able to manage/configure my devices remotely without exposing them to attacks from the entire Internet. The specific models I’m wanting to access are:

  • RB4011 - Current home office router
  • RB5009-PoE - Will be the new main home office router; the 4011 will be used elsewhere
  • L009 - Gateway router at Mom’s house
  • RB3011 - At my church (I’m the volunteer “IT guru”).
  • Licensed CHR on a Digital Ocean droplet (with static IP)

I can Winbox into the CHR from the Internet, but I haven’t been able to configure the firewalls on the others to allow remote management. To tell the truth, I’ve been extra cautious; I’d rather suffer some inconvenience than expose the network unnecessarily. But I’m sure there’s a way to accomplish this…I just haven’t found it, yet.

Thanks In Advance for any help.


In the documentation there is a great explanation about site-2-site:

For any input on your situation, please add your configuration (/export, don't forget to remove serial and any other private info).

My first suggestion would be to draw a map of your entire network setup, with IP addresses etc.

That way it will be much easier to set up all these sites and their configurations.
Can be done with paper and pen, and also with some sites or an app.
https://excalidraw.com
https://asciiflow.com
And if you are a programmer you could use some code to write it
https://www.nomnoml.com/
It is also said that a picture says more than 1000 words. :slight_smile:

Working on it. Since The Internet Is Forever, I want to sanitize specific details. I know that it won’t do much more than slow down the various script kiddies out there…but it might slow them down. Give me a little time.

If you don't need to join the L2 segments of all of them, Back To Home is probably what you are looking for.


The question I have is whether or not your home gets a public IP or the ISP modem/router gets a public IP and you can forward ports on it. This is the best situation. If not then BTH is your best next option.
Third is the CHR. I say this because it was brought to my attention that VPS or CHRs in the cloud are a potential security nightmare as they are vulnerable to hacking and not recommended.
There is a way to use the CHR as a conduit between two sites such as church to your home and mom to your home which will suit your needs and bypass using the CHR as the wireguard server. We still need the CHR to act as a conduit but the way this is set up, there is no chance to intercept your traffic if the CHR is hacked. So, if interested, two recommendations.
a. create a BTH instance so you always have a way to get to your Home router regardless.
b. set up a CHR conduit (not as wireguard server) to connect securely the two other sites with the home router.


Okay, that sounds like good advice. I’m not familiar with Back To Home; I’ve never used the feature before. And, yes, I know that the “cloud” is only as secure as whomever controls the hypervisor password…whom you don’t know and can’t possibly vet or control. So I want to keep the CHR (and its public, static IP) as my ingress/egress router for mail and such…but I want to keep the sensitive information on my own hardware on my own premises. And so I’d welcome advice along those lines.

I’m having the new fiber Internet installed next week. It’s AT&T, and I asked for “business class” service, but I’m not paying the extortionate charge which they want for static IPs again. I’m hoping to install HAProxy on a container, either in the CHR or else in the 4011 or 5009, to direct traffic as appropriate. But that’s another learning curve; while I know how HAProxy is supposed to work, I’ve never successfully configured it…yet.

A non-public IP provided by the ISP device is no problem if they allow you to at least forward ports to your router…

You're going to have to think about this and create the diagram. I'm going to try to give you some ideas about how this is usually done.

The whole point of having a cloud instance is that it's always on, has a static IP, and affords you some level of anonymity by indirection. (Just be aware that many websites and providers wholesale block the IP ranges of some VPS providers, which include DO. Actually, DO in particular.)

What you usually do here is connect all of the "local" routers to your DO droplet with Wireguard. Here it doesn't really matter if the local routers have a public address or not, because they always initiate the connection.

Then, if you want remote access to any of the local networks, or you want to manage them, you securely connect to the droplet and then access all the other networks via their respective spoke wireguard links. This "securely connect" can be via wireguard, but another protocol (openvpn, etc.) can also be used.

To restrict access to the individual local networks and to the management interfaces of local routers, you will have to devise a system of firewall rules. This access can be granted/removed per user.

What I described here is the "normal" way things work. You should also have a backup way of connecting to the local routers for if/when this hub/spoke topology is somehow down. For this, back-to-home is actually quite nice, but there are other possibilities. BTH is easy to configure and secure, and tolerates not having a public IP, so it's possibly the most straightforward.

EDIT: Correct typo describing DO as a VPN provider. Slip of the keyboard.

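The hub-and-spoke layout described in the post above, written out as an added RouterOS v7 CLI example (not from any poster in this thread): the CHR is the always-on hub, the home router dials out to it, and management ports are reachable only over the tunnel and only from addresses on an "admins" list. All IPs, subnets, interface names and keys are constructed placeholders, and the spoke is assumed to still carry the RouterOS default firewall.

```routeros
# ---- Hub: the CHR on the droplet (203.0.113.10 is a placeholder public IP) ----
# RouterOS generates the key pair when no private-key is given;
# read each side's public key with /interface/wireguard print.
/interface/wireguard add name=wg-hub listen-port=13231 comment="hub for all sites"
/ip/address add address=10.255.0.1/24 interface=wg-hub
# One peer per site: allowed-address is the spoke's tunnel IP plus the LAN behind it.
# Keys are placeholders; paste each device's real public key.
/interface/wireguard/peers add interface=wg-hub comment="home RB5009" \
    public-key="HOME_PUBLIC_KEY" allowed-address=10.255.0.2/32,192.168.10.0/24
/interface/wireguard/peers add interface=wg-hub comment="admin laptop" \
    public-key="LAPTOP_PUBLIC_KEY" allowed-address=10.255.0.100/32
/ip/route add dst-address=192.168.10.0/24 gateway=wg-hub
# Membership in this list is the per-user grant/revoke of management access.
/ip/firewall/address-list add list=admins address=10.255.0.100 comment="laptop tunnel IP"
# Input: handshakes from anywhere, management only from admins inside the tunnel.
# Commit from a Safe Mode session: the last rule ends Winbox from the open Internet.
/ip/firewall/filter add chain=input action=accept connection-state=established,related
/ip/firewall/filter add chain=input action=accept protocol=udp dst-port=13231 \
    comment="wireguard handshakes"
/ip/firewall/filter add chain=input action=accept in-interface=wg-hub protocol=tcp \
    dst-port=22,8291 src-address-list=admins comment="ssh/winbox from admins"
/ip/firewall/filter add chain=input action=drop comment="everything else, incl. spokes"
# Forward: admins reach every spoke; spokes cannot reach each other through the hub
# (open selectively if two sites must talk to each other).
/ip/firewall/filter add chain=forward action=accept connection-state=established,related
/ip/firewall/filter add chain=forward action=accept in-interface=wg-hub \
    out-interface=wg-hub src-address-list=admins comment="admin -> sites"
/ip/firewall/filter add chain=forward action=drop in-interface=wg-hub \
    out-interface=wg-hub comment="no site-to-site via hub"

# ---- Spoke: the RB5009 at home (NATed or dynamic WAN IP is fine, it dials out) ----
/interface/wireguard add name=wg-spoke listen-port=13231 comment="to CHR hub"
/ip/address add address=10.255.0.2/24 interface=wg-spoke
# allowed-address covers the whole tunnel subnet so packets the hub relays from the
# admin laptop are accepted; the keepalive holds the NAT mapping open.
/interface/wireguard/peers add interface=wg-spoke comment="CHR hub" \
    public-key="HUB_PUBLIC_KEY" endpoint-address=203.0.113.10 endpoint-port=13231 \
    allowed-address=10.255.0.0/24 persistent-keepalive=25s
# Management is reachable only over the tunnel and only from the admin address.
# Put these above the default "drop all not coming from LAN" input rule; replies to
# the spoke-initiated handshake match the default established,related rule, so no
# UDP port is opened toward the Internet.
/ip/firewall/filter add chain=input action=accept in-interface=wg-spoke protocol=tcp \
    dst-port=22,8291 src-address=10.255.0.100 comment="ssh/winbox via tunnel"
/ip/firewall/filter add chain=input action=drop in-interface=wg-spoke \
    comment="nothing else from the tunnel reaches this router"
```

Each additional site gets one more peer on the hub and the same spoke block with its own tunnel IP and LAN; check that `/interface/wireguard/peers print` on the spoke shows a recent last-handshake before relying on it.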

Don't know what the DO is you're talking about, but what is simple for admin control of his home router is BTH. In fact he can create a BTH at each device (if all ARM, I think), and thus has a way to access all devices securely. For site-to-site traffic he can use the cloud CHR as a conduit without making the traffic visible if anyone managed to hack the VPS. It's a tad complex but works well. Not the case if you make the cloud CHR a server for handshake.

Sorry for that. Everyone abbreviates the provider DO.

(And "droplet" is their fancy way of saying VM paid for by the hour/month.)

@lurker888 : Yes, that’s exactly what I’m wanting to do. I’ve been very busy with getting ready for the fiber install and with Mom, not counting my full-time day job, but I want to get that diagram up this weekend.

I likely will need to find some kind of a “mail reflector” service, though, because of the DO IP blacklisting. The problem is that most of the ones I’ve searched for charge by the domain or even by the email address. My total volume is low, but I have multiple domains and quite a few addresses. I’d rather pay a flat fee for a certain number of emails per month, with no (practical) limit on the number of domains. Any suggestions?

Well... I've had my morning coffee, and I've actually done many of the things you have set out to do. So I'm going to write down some things I've learned along the way.

What you're actually describing is called self-hosted email. This is well off topic for this forum, but I'm going to (very briefly) run you through what you'll probably want to do. These are all just suggestions, so take them as you will. This will also answer your question of where you'll find these "mail reflector" services.

The sort-of standard for self-hosting e-mail is mailcow. This is a collection of other open source programs that are configured to work together. It includes:

  • hosting mailboxes for your users
  • giving them access to them via POP3/IMAP
  • provides an authenticated SMTP endpoint for sending e-mail
  • a webmail interface, which is actually pretty good
  • accepting mail on their behalf
  • spam filtering for the above
  • sending mail on their behalf (more on this later)

I think actually DO has a pretty good tutorial about installing it. In their installation instructions, mailcow includes some minimal system requirements. There's no reason to take those seriously; 4 GB of RAM and a swap file is perfectly adequate to get you started, though of course you may need more resources later on.

The last of my bullet points is the kicker; all the others will work out of the box. The problem with sending e-mail is that other mail servers may not trust you enough to receive mail from you. A part of this is IP reputation. But note that everything else should be taken care of by your server; it's only sending mail that's the problem. (*)

This is where SMTP relays (the name for your "mail reflectors") come in. Your mailcow instance, after preparing everything there is to do around sending the email, submits the email to them (via authenticated SMTP) and they send it from their own servers. Issues such as IP reputation are thus bypassed.

Some more reputable services are smtp2go and postmarkapp. Both of them offer a given number of e-mails per month for free, I think 1000. After that, as you said, you have to pay for some sort of package. (A few years ago these free tiers included 10 000 e-mails, and this was perfectly fine for a lot of uses. The providers have sort of collectively decided that this was too good of a deal.)

Both of these companies are well regarded, and they will allow you to live in their free allowance without asking for your credit card.

If one's talking about SMTP relays, one must mention AWS SES, which is probably the most useful amongst them. They are strictly pay-as-you-go, at roughly USD 0.1 / 1000 e-mails. Setting it up is not the most user friendly, but they're probably the most no-fuss "just get out of your way" service to deal with. Whether setting things up on AWS is something you're up for is for you to decide, but consider yourself forewarned.

(*) This sentiment is all over the Internet: you must be crazy to even think about sending mail from your own server; you'll tear your hair out, etc. This is grossly exaggerated.

Interesting discussion, thanks! Now is it preferred to set this up and not to use gmail or one's own ISP provider?? Or perhaps for incoming keep gmail and forward to your cow address??

To be clear, my post was about mailcow: dockerized, that you can use to host e-mail on your own (rented) server. (There are many platforms that will host an instance for you for payment. I'm sure they're fine, but this is not about these.)

If you host your own mail system, the hosted e-mail addresses will reside on your own domain, or a domain you control. In OP's case, many domains.

It is not possible to send e-mail originating from a domain you don't control (to be a bit more exact: from one that is not co-operating and explicitly allowing you to do so.)

So, if I understand your question correctly, there are two cases:

(A) You have a free anav (at) gmail.com address. If you want to receive mail on this address, then yes, forwarding it is your only option. You won't be able to send from this address with your mailcow (not without much effort, anyway).

(B) You have your e-mail on your own domain as anav (at) anavworld.com, which you used gmail to host for you. In this case, mailcow replaces this service transparently. Again, receiving mail is straightforward, it's only sending that requires some attention.

I think your unspoken question is sort of: is it worth it? For personal use, no. For a small company, no.

Basically there are only a few situations where self-hosting makes sense. One is that you want to conduct some business that the usual providers don't support (and there are many of them). Another one is that you despise big tech and want ultimate independence (i.e. out of principle.) Yet another one is where you want to host mailboxes for many people on the cheap (*) (all the usual commercial suspects charge you per-person.)

(*) Okay, "on the cheap" is a bad way to describe it. All the commercial providers seem to insist that you pay them at least USD 10 per person. In lots of situations this can add up really quickly. Let's assume you're a publicly funded school that wants to give each of their students an e-mail address. Assuming you're not in a wealthy part of the world, it's really unclear whether you want to bundle up that money and send it to a usual provider.


Back To Home just pings Mikrotik with your IP so they can update their DNS record to point to your IP or act as a connection relay if your public IP is behind NAT. They don't intercept any traffic, they just give your client VPN endpoint the directions to get there. Once you are there, you will transfer information between your client and your ROS instance.

Hi Eric

The Network Berg did an outstanding job in detailing a Site to Site Wireguard configuration that you could apply to your circumstances.

Ultimate MikroTik Wireguard Site-to-Site Guide

https://youtu.be/P6f8Qc4EItc

You will need to be patient and document each router's configuration to make sure that no conflicts exist (fix) and if you follow the Berg's directions you will succeed … the way to approach this is to get 2 sites working, add each additional site one at a time, TEST and proceed to the next site until all works to your satisfaction.

Best wishes Eric …

Good day Sir, good to see you partaking in providing support!!

Hi Anav

I’m getting better but miss my wife – it's been 2 years … The Berg did a great job on that link I provided Eric … Many can learn from it … plus your critical contribution, especially the Firewalls, can help Eric as well … he is a very good student …
