Public IP over a tunnel (SOLVED)

Hello everybody! I have got a Mikrotik CHR with 2 public IP addresses. I would like to assign one of the IP addresses to my server.
My server is at home, so I would need a tunnel that is capable of this. So is there any solution for this?

Thank you very much for any help!

There are different ways, it depends on exact details what’s best for you.

One example, let's say you got x.x.x.10/24 and x.x.x.11/24, with x.x.x.1 being ISP's gateway (i.e. ISP expects both addresses connected to their network, not routed somewhere else). You want to route .11 to your server. Simple example:

/ppp secret
add local-address=<some random address not used anywhere else> name=<username> password=<password> remote-address=x.x.x.11
/interface l2tp-server server
set ipsec-secret=<secret> use-ipsec=yes

From home server, connect using VPN to x.x.x.10 and let it use VPN as default gateway. This is enough for home server to get public address and use it as default. To make it visible for ISP where router is connected, use proxy ARP:

/ip arp
add address=x.x.x.11 interface=<WAN> published=yes

Then adjust firewall to allow traffic to/from this address and that’s all.

Or you can make a tunnel between CHR and home router, instead of directly to server. It would require a little bit advanced config, but nothing too complicated either.

I would rather make a tunnel between them, and I would like to assign the IP to the server statically.
Maybe an EoIP tunnel would be good for this?

If your server is at home, and you really want to use a public IP configured at the CHR, then I suggest an EoIP or GRE tunnel between your CHR and a home router; if not, then the L2TP VPN may work with private addressing, and then you'll need to do some dst-nat / src-nat rules at the CHR.

It’s possible too, same principle, make a tunnel, route the IP to server and make it visible on CHR’s side with proxy ARP.

Only difference for tunnel terminated on home router will be traffic from server to internet, you'll need to make sure that it goes back via tunnel and won't use home router's default gateway. It can be done e.g. like this:

/ip route
add dst-address=0.0.0.0/0 gateway=<IP on CHR's end of tunnel> routing-mark=vpn
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn src-address=<server's public IP>

Thank you very much for the help, I will give it a try :)

I made a GRE tunnel between the 951G and CHR. The tunnel is working. I added the routing mark too.
I added the public IP to my server statically. But it does not work. I cannot find the proxy ARP feature in the GRE interface.

You don’t need it there, only on CHR, on interface connected to ISP. Try to describe in more detail what you did.

I made an encrypted GRE tunnel with the IPsec secret feature. 172.16.1.0/30 is the GRE tunnel IP range.
On CHR I added a 10.10.100.0/24 route, this is behind the 951G. That's it.

Check again my first reply. Do you get addresses from ISP as described? If so, then do not assign the other address (the one you want for server) to CHR. Add the route and arp entry and the address should be routed towards your server via tunnel. You can check with Tools->Torch on tunnel interface. If it doesn’t go there, check firewall on CHR. If it does, check on home RB that packets arrive, pass through router and go to server. Then check what happens with replies, if server sends anything and if it goes back correctly via tunnel.

So I have got a GRE tunnel that is working fine between the CHR and home Mikrotik.
On the CHR there is only one ether1 interface with 2 public IP addresses: 217.144.X.X/24, of course they are from the same range.
I added only 217.144.X.119/24 to ether1.
Mikrotik GRE interface IP address: 172.16.1.1/30
CHR GRE interface IP address: 172.16.1.2/30

You mentioned one thing, proxy ARP on CHR side. I set up the ether1 interface to proxy-arp.
I added the public IP statically on the target server but I cannot ping anything.
The static IP configuration on server side:
IP address: 217.144.X.108/24
GW: 217.144.X.254
DNS: 8.8.8.8,8.8.4.4

I am not an expert btw, so please be patient :)

You have different options.

One way is pretty straightforward, make server really part of CHR’s network, by bridging CHR’s WAN with tunnel and on home side tunnel with interface dedicated for server. Then everything would behave as if the server was connected in same place as CHR. But you’d also get all unneeded broadcasts and stuff, so you probably don’t want that.

What I meant was a slightly "lighter" approach, only route a single address to your server. You don't need to enable proxy ARP on CHR's WAN interface, just the manual entry in /ip arp with published=yes is enough. And then on server side, don't configure /24, only use /32 address. You can either route it from home router to server's LAN address, assign it to some loopback interface on server and specifically tell network services to use it. Or you can use it as point-to-point address and then it will be used as default.

I can’t test it right now and I don’t want to forget anything, so I’ll give you exact config later.

Ok, I tested it and this works:

CHR:

/interface ipip
add allow-fast-path=no ipsec-secret=<secret> local-address=217.144.x.119 name=ipip-tunnel remote-address=<home router>
/ip address
add address=217.144.x.119/24 interface=<WAN>
add address=172.16.1.2/30 interface=ipip-tunnel
/ip arp
add address=217.144.x.108 interface=<WAN> published=yes
/ip route
add dst-address=217.144.x.108/32 gateway=172.16.1.1

Home router:

/interface ipip
add allow-fast-path=no ipsec-secret=<secret> local-address=<home router> name=ipip-tunnel remote-address=217.144.x.119
/ip address
add address=172.16.1.1/30 interface=ipip-tunnel
add address=192.168.x.x/32 interface=<LAN> network=217.144.x.108
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=217.144.x.108 in-interface=ipip-tunnel new-connection-mark=server-public passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=server-public passthrough=yes src-address=217.144.x.108
add action=mark-routing chain=prerouting connection-mark=server-public in-interface=<LAN> new-routing-mark=to-chr passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.2 routing-mark=to-chr

Server config:
IP address: 217.144.X.108/32 (mask 255.255.255.255)
GW: 192.168.x.x

The 192.168.x.x can be either same address as assigned to router’s LAN interface (if server is connected there), or some other address, it doesn’t really matter (only that the same address is used on router and as gateway on server).

Server configuration depends on used OS. In Windows, it would be as written above. For Linux it depends on used distribution (they all seem to have different ways of configuring network), but manual config can be done using:

ip addr add 217.144.x.108 peer 192.168.x.x dev <interface>
ip route add default via 192.168.x.x
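
To see why the three mangle rules on the home router are needed, here is a small Python model of that router's policy routing. It is an added illustration, not RouterOS code and not part of the original post: it reproduces the effect of the two mark-connection rules, the mark-routing rule and the two routing tables, so you can feed it packets and watch which gateway each one takes, with and without the mangle rules. All addresses are constructed (the thread masks them as 217.144.x.x / 192.168.x.x): the server's public IP is 217.144.0.108, the tunnel ends are 172.16.1.1 (home) and 172.16.1.2 (CHR), the home LAN is 192.168.88.0/24 and the home router's own ISP gateway is 192.168.1.1; the interface names "LAN" and "ipip-tunnel" are placeholders too.

```python
"""Toy model of the home router's policy routing for a public IP routed over
an IPIP tunnel. Constructed addresses, not the thread's real ones."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SERVER_PUBLIC = ip_address("217.144.0.108")  # public IP assigned to the server
TUNNEL_REMOTE = ip_address("172.16.1.2")     # CHR's end of the tunnel
HOME_ISP_GW = ip_address("192.168.1.1")      # home router's own default gateway

# Routing tables as (prefix, gateway); gateway None means directly connected.
ROUTING_TABLES = {
    "main": [
        (ip_network("0.0.0.0/0"), HOME_ISP_GW),
        (ip_network("192.168.88.0/24"), None),   # home LAN
        (ip_network("172.16.1.0/30"), None),     # tunnel transfer net
        (ip_network("217.144.0.108/32"), None),  # /32 on LAN (the network= trick)
    ],
    "to-chr": [(ip_network("0.0.0.0/0"), TUNNEL_REMOTE)],
}


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str
    conn_id: str  # identifies the flow, standing in for connection tracking


@dataclass
class Router:
    mangle_enabled: bool = True
    conn_marks: dict = field(default_factory=dict)  # conn_id -> connection mark

    def mangle_prerouting(self, pkt):
        """The three mangle rules from the thread, evaluated in order.
        Returns the routing mark to use, or None for the main table."""
        if not self.mangle_enabled:
            return None
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        conn_mark = self.conn_marks.get(pkt.conn_id)  # None == no-mark
        # Rule 1: new connection arriving from the tunnel for the server's public IP
        if conn_mark is None and dst == SERVER_PUBLIC and pkt.in_interface == "ipip-tunnel":
            self.conn_marks[pkt.conn_id] = "server-public"
            return None  # passthrough=no: stop here, route via main
        # Rule 2: new connection originated by the server from its public IP
        if conn_mark is None and src == SERVER_PUBLIC:
            self.conn_marks[pkt.conn_id] = "server-public"
            conn_mark = "server-public"  # passthrough=yes: keep going
        # Rule 3: any packet of a server-public connection entering from the LAN
        if conn_mark == "server-public" and pkt.in_interface == "LAN":
            return "to-chr"
        return None

    def route(self, pkt):
        """Next hop for the packet: a gateway address or 'connected'."""
        table = self.mangle_prerouting(pkt) or "main"
        dst = ip_address(pkt.dst)
        best = max((r for r in ROUTING_TABLES[table] if dst in r[0]),
                   key=lambda r: r[0].prefixlen)  # longest prefix wins
        return str(best[1]) if best[1] is not None else "connected"


if __name__ == "__main__":
    for label, router in (("with mangle", Router()), ("without mangle", Router(mangle_enabled=False))):
        print(label)
        # Constructed flow: a client on the internet connects to the server.
        print("  inbound SYN  ->", router.route(Packet("198.51.100.7", "217.144.0.108", "ipip-tunnel", "c1")))
        print("  server reply ->", router.route(Packet("217.144.0.108", "198.51.100.7", "LAN", "c1")))
        print("  LAN host     ->", router.route(Packet("192.168.88.20", "8.8.8.8", "LAN", "c2")))
```

Without the mangle rules the server's reply, carrying 217.144.0.108 as source, is sent to the home ISP gateway, which is exactly the leak the thread warns about; with them it goes back into the tunnel towards the CHR, while ordinary LAN hosts still use the home default gateway.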

It should work with GRE too?

Yes.

I tried with an IPIP tunnel, working very well. Thank you very much for your help and your patience :) This is really helpful and valuable for me.

One more question. I have got a PPPoE connection with dynamic IP. I tried the tunnel with this connection. The speed was around 2-3 Mbit/sec. The ping is perfect and I do not have packet loss.
Maybe I have got an MTU issue, and I would need to change it with the mangle. I have got another connection with static IP, that is working perfectly.

Both IPIP and GRE tunnels have MTU option and “Clamp TCP MSS” enabled by default. If you lower MTU on both ends, it should work even without manual mangle rules.

My PPPoE connection shows now 1480 MTU and MRU. I set this value on both sides in the IPIP configuration. But the problem is the same.

I don't know exact sizes off the top of my head, but I've seen some online calculators, or you can start lower and use trial & error. If main connection has 1480, the tunnel will need a little less.
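
As an added worked example (mine, not a MikroTik tool and not from anyone in the thread), the calculator below does the arithmetic that "a little less" hides: it takes the 1480-byte PPPoE MTU from the thread and finds the largest inner packet that still fits an IPIP or GRE tunnel, with or without the IPsec that ipsec-secret enables, and the matching TCP MSS that "Clamp TCP MSS" would enforce. Assumptions: IPv4 outer header (20 bytes), a GRE header without the optional checksum/key/sequence fields (4 bytes), and for IPsec an ESP transport-mode SA with a 16-byte IV and 16-byte block cipher (AES-CBC) and a 12-byte ICV (HMAC-SHA1-96), plus optional 8-byte UDP NAT-T encapsulation. The cipher and hash your routers actually negotiate may differ, so check them with /ip ipsec policy print and /ip ipsec installed-sa print and adjust the parameters.

```python
"""Tunnel MTU / TCP MSS calculator for IPIP and GRE over IPv4, optionally
protected by ESP in transport mode. Added example with stated assumptions."""

OUTER_IPV4 = 20                        # outer IPv4 header, no options
TUNNEL_HEADER = {"ipip": 0, "gre": 4}  # bytes between outer IP and inner packet
TCP_IPV4_HEADERS = 40                  # 20 IP + 20 TCP, so MSS = MTU - 40


def esp_size(plaintext_len, iv_len=16, block=16, icv_len=12):
    """On-the-wire size of an ESP transport-mode packet protecting
    `plaintext_len` bytes: SPI(4) + seq(4) + IV + payload + padding +
    pad-length(1) + next-header(1) + ICV. Padding brings payload + the two
    trailer bytes to a multiple of the cipher block size (assumed AES-CBC)."""
    pad = (block - (plaintext_len + 2) % block) % block
    return 8 + iv_len + plaintext_len + pad + 2 + icv_len


def encapsulated_size(inner_len, tunnel, ipsec=False, nat_t=False, **esp):
    """Total size of the outer packet carrying an inner IP packet of inner_len bytes."""
    payload = TUNNEL_HEADER[tunnel] + inner_len
    if ipsec:
        payload = esp_size(payload, **esp)
        if nat_t:
            payload += 8  # UDP header added by NAT traversal (UDP/4500)
    return OUTER_IPV4 + payload


def tunnel_mtu(link_mtu, tunnel, ipsec=False, nat_t=False, **esp):
    """Largest inner packet that fits the underlying link without fragmentation.
    Found by searching downwards so ESP padding is accounted for exactly."""
    for inner in range(link_mtu, 0, -1):
        if encapsulated_size(inner, tunnel, ipsec, nat_t, **esp) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for this encapsulation")


def tcp_mss(mtu):
    """MSS to clamp to for IPv4 TCP over a path with this MTU."""
    return mtu - TCP_IPV4_HEADERS


def report(link_mtu):
    """MTU and MSS for every combination, keyed by a short label."""
    out = {}
    for tunnel in ("ipip", "gre"):
        for ipsec in (False, True):
            for nat_t in ((False, True) if ipsec else (False,)):
                label = tunnel + ("+esp" if ipsec else "") + ("+nat-t" if nat_t else "")
                mtu = tunnel_mtu(link_mtu, tunnel, ipsec, nat_t)
                out[label] = (mtu, tcp_mss(mtu))
    return out


if __name__ == "__main__":
    # 1480 is the PPPoE MTU reported in the thread.
    for label, (mtu, mss) in report(1480).items():
        print(f"{label:14s} MTU {mtu:5d}  TCP MSS {mss:5d}")
```

Set the tunnel interface MTU on both ends to the value for your combination (or a little below it), and keep in mind that the inner packet still has to fit whatever the path beyond the CHR allows.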