I am new to RouterOS and MikroTik. But like the features it offers…
I have a static public IP with Linode /Amazon Linux server.
Now I have IP camera setup using Mikrotik (DHCP enabled) / inside the lab LAN behind the Firewall. . Mikrotik get internet from LAB Ethernet which has strong Pf sense firewall and static IP from ISP. Pls see attached picure
.
3.The question is : how to tunnel the traffic from amazon public IP to IP camera Mikrotik. What kind of tunnel to use with out do ANY configuration firewall. Lab manager do not want to expose much to internet..for security reason.
So, many static IP can access the IP cameras inside lab . Essentially, it is port forwarding but because of strong firewall i can not use P.forwarding… but try some innovative tunneling method.. . Will Mikrotik as L2TP client will work… ?? What software to install on Linode/Amazon machine ?
Any suggestion welcome… Thanks… It is urgent.. wasted lot of time already
Step 1 - get tunnel to establish. You’ll need a protocol like l2tp/pptp (as mentioned by others) so that the CRS can initiate the connection from behind the firewall. Once established and you’ve verified that the server can reach the CRS internally across the tunnel…
Step 2 - create static routes across the tunnel for your private IP range. The Linux server needs to have a route to the lab’s IP range via the tunnel, and the CRS should have one of two configurations: policy-based routing that forces next hop across the tunnel for the IP camera’s traffic, or else tunnel the entire LAN by having a static /32 route to the Linux box’s public IP via the normal default GW (firewall), and then a default GW pointing across the VPN.
Step 3 - configure NAT at both ends. CRS should perform no NAT translation for traffic going out the VPN tunnel, and the Linux box needs to masquerade the lab lan’s IP range when forwarding to the Internet. Finally, a dstnat rule at the Linux box forwarding whatever TCP/UDP ports the camera needs.
Of course, a tunnel to an outside host is more or less a breach of the firewall’s ability to control/secure traffic on the lab network, so there’s that to consider…
You wouldn’t need to talk to the firewall admin at all - if the Linux server creates an IP route to the lab’s IP range via the tunnel, then any host on the lab will be reachable via the tunnel.
All the firewall will ever see in each packet is:
IP:src=Linux Server
IP:dst=Mikrotik
Payload=
{{encrypted jibberish}}
EDIT: It’s unclear from your drawing whether the CRS is acting as a purely layer-2-only switch, or whether it’s also routing IP for the devices “behind” it. If the default GW IP on the lab network is the IP of the firewall itself, you can get around that by setting the default GW on the camera to be the CRS’s IP address.
I think default GW / Firewall is IP is same. For example, if query “What is my public ip” inside the lab (wired / wireless) it will always point firewall public STATIC IP. Am i missing anything ? Guess, i understand the question correctly. .
Another doubt: how using IPv6 solve this issue.
Thanks a lot.
The Gateway is what’s important there - if this IP is the Firewall’s IP, then the firewall must know about routes through the VPN in order for the VPN to get used. If it’s the IP of the CRS, then the CRS can choose to route traffic through the VPN, or out through the firewall. Try setting the default GW address to be the CRS’s address in the configuration of the IP camera.
I can see the CRS IP address only (as seen on the attached pic). I have another interesting question to ask on the VPN service. Let say, instead of Amazon/ Linode server, I buy a VPN service (ovpn.se) which they offer static IPv4 with VPN service. What configuration i need to set on CRS. Using the VPN service, i ask the VPN service provider to change the geo location of IP and still getting the traffic to lab. We designing a honeypot for IP camera.
My 3 steps posted earlier apply to pretty much any VPN solution where you use it to provide a public IP address other than your on-site public IP address.
Essentially, the idea is this: any connections using this ‘virtual’ public IP address must be forced through the tunnel by whatever is behind the tunnel.
The easiest way to do this is full tunnel (as opposed to split tunnel)
/32 route to the vpn server’s “outside” IP address
0.0.0.0/0 routes across the tunnel
These routes are necessary on whatever the local VPN endpoint device is (host, router, etc).
Any device “behind” the VPN endpoint can just forward all traffic to the VPN device, and the VPN device’s policy will take care of the rest.
The rules of routing still apply, though - if you forward a LAN’s traffic through the tunnel, then the remote VPN device needs to know that this LAN is reached via the tunnel.
(LAN)----(Router) {0.0.0.0/0}----> ]========== tunnel ===========[ <------{LAN}---- (VPN Server) ------{0.0.0.0/0}-------> INTERNET
If the VPN Server doesn’t have the {LAN} route pointed to the tunnel, then it will not properly forward traffic for that destination.
If the VPN server won’t route your LAN via the tunnel, then you can masquerade the LAN at the (Router) host so that the VPN just sees the (Router)'s IP for all traffic - basically, multi-layer NAT. The LAN route is by far the preferred solution here.
. Will Mikrotik as L2TP client will work… ?? What software to install on Linode/Amazon machine ?
. Not sure, it will solve the problem since my lab camera and other device in IPv4 address.
