ipsec behind nat setup... I want to know if this is a bad idea

So I’m setting up a site-to-site VPN for someone. I previously had them on a Hex S as their VPN box AND main router, but now their main router is a Unifi Dream Machine Pro (which has been dumbed down so much that for the life of me I can’t figure out how to set up the VPN on it, but I digress).

Anyway. I want to set up the MikroTik behind his router, neuter the firewall, have it connect to the VPN and NAT out the other subnet.

So just one ethernet cable to the MikroTik, which will connect to the VPN and act as a gateway to the other subnet on the same cable, with a static route set up on the UDMP to send over all pertinent traffic.

I’ve never done this but it seems like it should be possible or am I crazy?

There are two points which make this more complicated than the usual setup where the VPN gateway is colocated with the edge router:

  • At least the native VPN client of Windows doesn’t like NAT at the responder (server) side. To overcome this, you can either change settings in the registry on every single client PC, or you can put the public IP on the Mikrotik as a /32 and dst-nat the incoming connections to it (so the UDMP dst-nats them to the Mikrotik’s private WAN address and the Mikrotik “reverts” this change). This will hide the existence of NAT at the responder side from the initiator. But unless the UDMP can be configured to forward ESP as well, the clients will be unable to send/receive any data if they are not NATed themselves. See this for more details.
  • If the default gateway for the LAN devices is the UDMP, they will need a dedicated route to the subnet used for the remote clients with the Mikrotik as a gateway. See this similar topic for details on possible ways to configure these exceptional routes.
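The RouterOS side of the two points above, written out as an added example rather than configuration posted in this thread. All addresses are assumptions chosen for illustration: 192.0.2.10 is the public IP the ISP gives the UDMP, 192.168.1.0/24 is the LAN behind the UDMP (the UDMP is 192.168.1.1, the MikroTik's single interface ether1 is 192.168.1.2), and 10.99.0.0/24 is the pool handed to remote VPN clients. The IKEv2 peer, identity and policy template for the clients are not shown; only the addressing, the dst-nat that undoes the UDMP's port forward before IKE sees the packet, and the firewall rules are. On the UDMP you still need the port forward of UDP 500 and 4500 to 192.168.1.2, the static route for 10.99.0.0/24 via 192.168.1.2, and, if the device allows it, a forward of IP protocol 50 (ESP); its syntax is not covered here.

```routeros
# Added example, not from the thread. Assumed addressing:
#   public IP on the UDMP's WAN ............ 192.0.2.10
#   LAN behind the UDMP (UDMP is .1) ....... 192.168.1.0/24
#   MikroTik's only interface, ether1 ...... 192.168.1.2
#   pool handed to remote VPN clients ...... 10.99.0.0/24

# 1. Addressing on the single cable: a private address for talking to the
#    UDMP, plus the public IP as a /32 so the IKE responder identifies
#    itself with the same address the clients connect to (NAT-D payloads
#    then match and the client does not think the server is behind NAT).
/ip address
add address=192.168.1.2/24 interface=ether1 comment="private side towards UDMP"
add address=192.0.2.10/32 interface=ether1 comment="public IP, mirrors the UDMP WAN address"

# 2. Default route through the UDMP so IKE replies and ESP can leave.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

# 3. Revert the UDMP's port forward: packets arrive with dst 192.168.1.2,
#    rewrite them back to the public IP before IKE processes them.
#    dst-nat is stateful, so the replies are automatically rewritten back
#    to 192.168.1.2 on the way out; no explicit src-nat rule is needed.
/ip firewall nat
add chain=dstnat dst-address=192.168.1.2 protocol=udp dst-port=500,4500 \
    action=dst-nat to-addresses=192.0.2.10 comment="IKE and NAT-T"
# Only matters if the UDMP can actually forward protocol 50 to us;
# without that, clients that are not NATed themselves will have no data path.
add chain=dstnat dst-address=192.168.1.2 protocol=ipsec-esp \
    action=dst-nat to-addresses=192.0.2.10 comment="plain ESP when no NAT-T"

# 4. Input chain: only IKE, NAT-T, ESP and management from the LAN.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
add chain=input protocol=ipsec-esp action=accept
add chain=input src-address=192.168.1.0/24 action=accept comment="management from LAN"
add chain=input action=drop

# 5. Forward chain: decrypted client traffic towards the LAN, and LAN replies
#    back into the tunnel. LAN hosts send replies to the UDMP first (their
#    default gateway); the UDMP's static route for 10.99.0.0/24 brings them
#    back here, so both directions pass this box.
add chain=forward ipsec-policy=in,ipsec action=accept comment="from VPN clients"
add chain=forward ipsec-policy=out,ipsec action=accept comment="to VPN clients"
add chain=forward connection-state=established,related action=accept
add chain=forward action=drop

# Checks after a client connects: the peer should show up with the public
# address as the local side, and SAs should be installed in both directions.
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

If the UDMP cannot forward ESP, drop the `protocol=ipsec-esp` rules and accept that only clients sitting behind their own NAT (which forces them onto UDP 4500) will carry traffic; the IKE handshake will still succeed for everyone, which makes the failure easy to misread as a firewall problem on the MikroTik.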