New option

Hello,

I would like to know whether it would be possible to see, one day, a feature like VPN Matcher from Draytek on RouterOS.

Draytek VPN Matcher
Some ISPs assign only private IP addresses to ordinary users because public IP addresses are in short supply, which creates a demand for VPN tunnels under such circumstances. Besides this case, most 4G providers also hand out private IPs, and one may want a VPN tunnel at a place that only has a 4G connection because a wired network cannot be deployed. To overcome these limitations, both VPN gateways behind NAT register with the VPN Matcher server. The VPN Matcher server exchanges the connection information, such as IP addresses and port numbers, between the VPN gateways. After the VPN gateways obtain the connection information from the server, a VPN tunnel can be established between them.

https://www.draytek.com/support/knowledge-base/6124

Regards
Domodial

That’s not a “feature” or an “option”, that’s a service - the vendor must run these servers somewhere, which generates some expenses.

But there is a way you can use instantly: when IPsec is using IKEv2 mode and at least one NAT is present in the path between the peers, a single bi-directional UDP flow between the peers is used to carry all the traffic, the control session as well as the transport packets. As UDP has no notion of an initial session negotiation (like TCP has), firewalls and NATs cannot check the traffic too deeply, and thus they can be tricked into letting the connection through if both endpoints act in accord. The idea relies on the usual behaviour of most contemporary NATs, which do not change the source port unless they have to because a connection from that source port to the same remote IP and port already exists; if one of the NATs on the path between your devices behaves differently, this solution won’t work.

So what you need to do is the following:

  • activate some kind of Dynamic DNS service at both machines. The service must store the public IP from which the update requests are coming even if they are coming from a device behind a NAT. Mikrotik’s “ip cloud” is one example of such a service, with an fqdn generated from the unit’s serial number. To find the serial number, use
    :put [/system routerboard get serial-number]
  • on each router, add an address list item with the other router’s fqdn as the address item. RouterOS will keep resolving the fqdn to the current address based on the record lifetime reported by the DNS system:
    /ip firewall address-list add list=remote-peer address=serial-number-of-the-remote-machine.sn.mynetname.net
    Check that the address list shows also a dynamically created item with the current public IP of the remote device as address.
  • randomly choose two numbers between 16384 and 65534, to be used as local port numbers at each of the two peers. The thing is that normally, both peers use local port 4500, so there is a small chance that someone else is running an IPsec connection through the same two NAT devices; by using randomly chosen ports instead, you reduce the chance that you collide with someone else doing the same. I’ll use LLLLL for the port on the local machine and RRRRR for the port on the remote machine (you create two symmetric configurations, so the LLLLL value in one of them is used as the RRRRR value in the other one).
  • as in RouterOS you cannot change the local port which the IPsec stack uses, you have to use both src-nat and dst-nat rules to translate 4500 to the chosen local port at the uplink interface:
    /ip firewall nat
    add chain=srcnat out-interface=your-wan dst-address-list=remote-peer protocol=udp src-port=4500 dst-port=RRRRR action=masquerade to-ports=LLLLL
    add chain=dstnat in-interface=your-wan src-address-list=remote-peer protocol=udp src-port=RRRRR dst-port=LLLLL action=dst-nat to-ports=4500
  • create a site-to-site IPsec VPN with exchange-mode=ike2. The /ip ipsec peer row at each machine must be configured with passive=no, address=serial-number-of-the-remote-machine.sn.mynetname.net, and port=RRRRR
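The whole procedure above put together for one of the two peers, as an added example that is not part of the original post. Site A is shown; site B runs the same script with the serial numbers, the two port numbers and the two LAN subnets swapped. All concrete values are assumptions: the serial numbers AAAAAAAAAAAA/BBBBBBBBBBBB, LLLLL=23456, RRRRR=41234, the LAN subnets 192.168.1.0/24 and 192.168.2.0/24, the pre-shared key, the uplink interface ether1, and the cipher settings in the profile and proposal (the post only says to keep the defaults; stronger explicit values are used here).

```routeros
# Site A.  Assumed values (replace with your own):
#   local serial number  AAAAAAAAAAAA -> this router's name aaaaaaaaaaaa.sn.mynetname.net
#   remote serial number BBBBBBBBBBBB -> peer's name      bbbbbbbbbbbb.sn.mynetname.net
#   LLLLL = 23456 (this site's external port), RRRRR = 41234 (the other site's)
#   LAN behind site A: 192.168.1.0/24, LAN behind site B: 192.168.2.0/24
#   uplink interface: ether1
# Site B uses the same script with every A/B, 23456/41234 and subnet pair swapped.

# 1. Dynamic DNS: publish this router's post-NAT public IP under its serial-number name
/ip cloud set ddns-enabled=yes

# 2. Keep the remote peer's FQDN resolved into a dynamic address-list entry
/ip firewall address-list
add list=remote-peer address=bbbbbbbbbbbb.sn.mynetname.net comment="site B"

# 3. Translate the fixed NAT-T port 4500 to the randomly chosen port on the uplink
#    (outgoing: our 4500 -> 23456 towards the peer's 41234;
#     incoming: peer's 41234 -> our 23456 is handed to the IPsec stack on 4500)
/ip firewall nat
add chain=srcnat out-interface=ether1 dst-address-list=remote-peer protocol=udp \
    src-port=4500 dst-port=41234 action=masquerade to-ports=23456
add chain=dstnat in-interface=ether1 src-address-list=remote-peer protocol=udp \
    src-port=41234 dst-port=23456 action=dst-nat to-ports=4500
# Do not masquerade the LAN-to-LAN traffic that the IPsec policy will tunnel
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    action=accept place-before=0

# 4. Let the translated IKE / ESP-in-UDP packets from the peer reach the IPsec stack
#    (the filter sees the port after dst-nat, hence 4500, not 23456)
/ip firewall filter
add chain=input in-interface=ether1 src-address-list=remote-peer protocol=udp \
    dst-port=4500 action=accept place-before=0

# 5. IKEv2 site-to-site; passive=no on BOTH sides, so each peer opens the
#    pinhole in its own NAT from the private side
/ip ipsec profile
add name=nat-punch hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal
add name=nat-punch auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer
add name=site-b address=bbbbbbbbbbbb.sn.mynetname.net port=41234 \
    exchange-mode=ike2 passive=no profile=nat-punch
/ip ipsec identity
add peer=site-b auth-method=pre-shared-key secret="replace-with-a-long-random-psk"
/ip ipsec policy
add peer=site-b tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    proposal=nat-punch

# Checks, a minute or two after both sides are configured:
#   /ip cloud print                 -> dns-name and public-address are filled in
#   /ip firewall address-list print -> a dynamic entry with site B's current public IP
#   /ip ipsec active-peers print    -> site-b in state established
#   /ip ipsec installed-sa print    -> one SA per direction
```

The two NAT rules only matter for the first packet in each direction; once one side’s outgoing packet has created a connection-tracking entry, replies are de-translated by that entry. That is also why, when testing changes, the poster advises disabling the peers on both sides for a few minutes: the old tracking entries (and with them the stale pinholes) must time out before the new port pair is exercised.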

Thank you for this long and detailed answer!
Some points are obscure to me and/or may not work. I just need to explain my need more precisely, and then you can tell me whether your explanation can still be used.

I have one Mikrotik router on WAN1 and a second, Huawei LTE router, which is on ether3.
Here is the schematic: ether1 - WAN, ether2 - LAN, ether3 - LTE

If my main ISP goes out, the LTE modem (which is in DMZ on Mikrotik) switches over to provide me with Internet. But this is only valid for my home.

When I was away from home this summer my ISP modem was down, but I could not reach the LTE modem because the SIM card IP is not private.
It is shared with hundreds of users and works on the CGNAT principle. All my services, and especially the video surveillance, were not reachable.

So I got interested in the subject and that’s when I understood that the ip of my SIM card was not a private ip.

I have read about solutions that consist of setting up a remote VPS and a local Raspberry Pi with reverse SSH to access the LTE modem from the outside.
However it is heavy in configuration for me. My knowledge is quite basic.

Can you confirm to me that your solution still works for me?
I admit that I don’t understand anything about IPsec and that the little I have read scares me :)

PS: I will add to this that I want to reach the LTE modem from an Android smartphone to check that everything is OK in the house.

Thank you

The description I gave doesn’t depend on what particular kind of WAN connection you use at home. In your particular setup, the primary WAN seems to have a public IP, so you may want the Dynamic DNS to be updated only with the public IP of the LTE path; this makes sense if the primary WAN connection flaps between up and down for extended periods of time, as the VPN would otherwise keep re-establishing all the time. This can be achieved by means of mangle rules on the Mikrotik, making it access Mikrotik’s cloud servers via the LTE WAN. Only one fqdn per serial number is available on Mikrotik cloud; other dynamic DNS providers have different options.

Other than that, both peers need to be Mikrotiks or other routers with a similar depth of configuration available to the administrator (such as OpenWRT-based devices); there is no way the embedded VPN client of a mobile phone or of a laptop computer for a non-IT user could be used directly. On Windows, you can activate Hyper-V and run a virtual Mikrotik; I carry around a mAP as it is the smallest-footprint device with two Ethernet connectors and a wide choice of powering options, from a barrel jack through USB to both passive and standard PoE. There is also the mAP lite, which is even smaller, but for my purposes the single Ethernet port is too limiting.

Regarding IPsec - yes, whatever is flexible is inevitably complex to set up, and whatever is complex to set up is scary at first sight. But in order for the principle of “beating the NAT” to work, both peers need to actively initiate the connection, because both must open the pinholes in the NAT(s) at their end from the private side of the NAT. To date, this is only possible with IPsec and Wireguard, and Wireguard is only available in RouterOS 7, which is still beta at the time of writing. On the other hand, so far Wireguard supports only a single application mode, a site-to-site tunnel, hence it is extremely simple to set up. Another advantage is that it can accommodate a change of the public IP and port of one of the peers at a time with a loss of just a few packets; its disadvantage is that the current Mikrotik implementation doesn’t support configuration using an fqdn, so you’d have to use some scripting to overcome this.

The good news for you is that you can implement all that step by step on your table, first the plain IPsec connection using the LAN of your home router using IP numbers as peers’ address items; once you grasp that, you can add the port translation rules, and if it still works (you have to disable the peers at both devices after adding these rules for more than 3 minutes so that the pinholes in Mikrotik’s own firewall could expire), you can try the full setup with DNS names using your mobile phone’s connection sharing for the mAP (so that you would get to the home router via WAN).

This application example should be clear enough; just change the exchange-mode to ike2, you can stick with auth-method=pre-shared-key. If you use the default profiles and proposals at both machines, you will not drown in those flexibility settings.

If you get stuck, you can always post the existing configurations of both machines for a review here.

One more point: the description of the Draytek service doesn’t reveal whether it acts as a packet forwarder (so both VPN peers send the packets to the Draytek server and it delivers them to the other peer) or whether it just informs each peer about the IP address and port the other one uses, but either variant requires a proprietary extension of the standard VPN protocols that allows the information to be delivered to each peer. So a direct connection from an Android phone requires an application, and a short search on Google Play reveals that Draytek does provide one.

So you can ask Mikrotik to provide a similar solution, or buy a Draytek device (which can be placed behind or instead of your current Mikrotik), or buy a Mikrotik device to implement my suggestion above (which in your application scenario requires one mobile phone as the provider of the LTE connection to the Mikrotik and another one connected to the WiFi provided by that Mikrotik to actually watch your home’s data, or an LTE-capable Mikrotik with its own SIM). Or you can agree with a friend anywhere in the world who has a public IP to run the packet forwarding service for you: your Mikrotik would create a VPN tunnel to that friend’s device, and the friend’s device would port-forward VPN packets arriving from outside at a particular port on his public IP into the tunnel, so you’d have a VPN in a VPN. It also works. With this solution, you could use the embedded L2TP VPN client of your Android mobile phone.
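The mangle trick mentioned earlier in this reply (sending the router’s own /ip cloud updates out through the LTE path, so the sn.mynetname.net name always carries the LTE address), as an added example that is not part of the original post. Assumptions: the LTE router sits on ether3 with gateway 192.168.8.1 (a common Huawei default, not stated in the thread), the primary WAN is ether1, and cloud.mikrotik.com is the name the cloud client talks to (assumed; check your RouterOS version’s documentation). The routing-mark and list names are mine.

```routeros
# Added example: policy-route this router's own cloud DDNS updates via LTE.
# Assumptions: LTE gateway 192.168.8.1 reachable on ether3; primary WAN on ether1;
# cloud.mikrotik.com is the server the /ip cloud client contacts.

# Resolve the cloud server name into a dynamic address-list entry
/ip firewall address-list
add list=mikrotik-cloud address=cloud.mikrotik.com comment="assumed cloud server name"

# Router-originated packets traverse the output chain; a routing mark there
# makes them use the via-lte table instead of the main one
/ip firewall mangle
add chain=output dst-address-list=mikrotik-cloud action=mark-routing \
    new-routing-mark=via-lte passthrough=no comment="cloud DDNS via LTE"

# Default route for the marked packets, pointing at the LTE router
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-mark=via-lte \
    check-gateway=ping comment="LTE path for marked traffic"

# The updates must leave with the LTE router's address, so ether3 needs the
# usual masquerade (a failover setup already has one):
/ip firewall nat
add chain=srcnat out-interface=ether3 action=masquerade

# Check: the address shown here should be the LTE (CGNAT) address, not the
# primary WAN's public address:
#   /ip cloud print
```

Keep in mind that the IPsec packets themselves still follow the main routing table, so for the tunnel to come up on the LTE path the NAT rules of the port-translation procedure have to reference ether3 as the uplink, and the IKE packets need the same routing mark (add a second output-chain rule matching protocol=udp dst-address-list=remote-peer); otherwise the peer will be told the LTE address while the pinhole is opened on the primary WAN.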

Hello,

I admit that I did not understand which Mikrotik device to buy in addition to my router.
I will reread your suggestion.
I had thought of buying a Draytek device because the configuration is simple to implement, but if I could have a solution without buying it I would gladly do without, knowing that it is still one more device.

Only I find it difficult to understand in practice what you are explaining.
I am a basic user who sets up configurations from tutorials.
For the moment I have never managed to make SNMP work with The Dude, whether SNMPv1 or v2.
But I have advanced on a lot of configuration to replace my Ubiquiti router.

The only real blocker is the connection from the outside via my LTE connection.
I’ll read your post again, but I would have liked a YouTube tutorial; nobody ever thought of it, maybe nobody ever needed it :)

I hadn’t read the whole thing yesterday, so now I understand your suggestion better. I also had not read the link you indicated. I must have been tired. Now I’m going to tackle ike2 and see if I get through it without too much trauma :D

but what I don’t understand is that I don’t have 2 routers, but 1 router and 1 smartphone.

That’s the key point I’ve missed initially. I haven’t installed the Draytek application to check all the possible settings, but I assume that since they took both the effort to create an Android application and the effort to create the rendez-vous server for VPN peers behind a NAT, they’ve also made these two pieces work together, which makes it a perfect offer for the home user like you, with no public IP address, which currently has no equivalent in the Mikrotik offer.

So as said already, you can wait until Mikrotik comes up with a similar offer, which may take forever (even if Mikrotik liked the idea and started implementing it, it would take months at best before it could be put into a stable release), or you can buy a Draytek box and have the solution up and running tomorrow. And chances are good that the Draytek box may just be added to, and not necessarily replace, your current home router. All the other solutions available right now would be more complicated.

Regarding videos, that’s a cultural, or probably rather an age, difference - for me, a written manual is always better than any video, as I can use text search, and even when reading it sequentially it takes me much less time to receive the same amount of information than when watching a video. Another problem I personally have with YouTube videos related to IT is that too often they are posted by people who don’t understand things deeply enough, so they recommend things like “disable the firewall so that what you need works”, etc. So then there are those other people who first follow these videos and then shout at the vendor that their product is crap and has been infected by malware.