Hi, how can I deal with this:
I have 3 routers in different locations; only one of them (main router 192.168.2.1) has a public IP and I'm using it as the OVPN server. I've created an extra bridge on each router for this small network; the other routers are connected to the server and everyone can ping everyone. Now I want .2.3 (one of the two with a private WAN) to be able to use .2.2 (the other private-WAN router) as its gateway. How can I do that?
Considering they are connected now by a tunnel, I don't want to add an extra tunnel; instead I would manage it with the IP protocol if possible.
Now 192.168.2.3, which is connected by OVPN to 192.168.2.1 (the main one with the public IP), gets the whole 0.0.0.0/0 from it (.2.1) because it sends at layer 2 directly to .2.1, and .2.1 has its own exit to the internet, so it serves the queue and gives access. In my case I would like .2.1 to somehow redirect the packets to .2.2 and access the internet from there. Any ideas without a tunnel? Thank you.
I've created a filter on .2.1: forward source .2.3 to the OVPN interface of .2.2, and vice versa all packets with source .2.2 to the OVPN of .2.3, but it's not working. For both I've added an exception that the rule should be ignored if the destination is .2.1 (so the OVPN tunnel can run keepalives).
Not quite sure what you mean.
But I think, let's say, using WireGuard.
Connect routers B and C to main router A via WireGuard (as router A has a public IP).
Via WireGuard and normal firewall rules I can achieve any subnet-to-subnet traffic between all routers, and can use router A's internet for users on routers B and C.
What you describe is too complex for me to understand.
Hi, thanks for the reply! I can't use WireGuard because the main router is on 6.49 and I can't upgrade.
I'm using OVPN; the main one has .2.1, it gives .2.2 to one and .2.3 to the other. I want .2.3 to use .2.2 as gateway, because it's in another country and I need that IP. I hope it's clear :)
Both 2.2 and 2.3 use 2.1 as default gateway, presumably via the “add-default-route=yes” parameter of /ip/ovpn-client. Now you want 2.3 to use 2.2 as a default gateway instead.
All routers have their own access to the internet; through that they access the internet and provide it to all their clients.
I'm using the internet to connect them by OVPN.
My goal is to give a specific LAN client on router .2.3 an internet connection using the connection of .2.2. I can do it easily with .2.1: I just mark packets with mangle and then NAT them (except UDP; DNS I send to the normal connection) into the tunnel.
Now how can I manage these packets on .2.1? I've tried to create a filter, forward source address .2.3 to the OVPN interface of .2.2 and vice versa to ensure the answer, but .2.1 still uses its gateway.
2.3 needs to select packets of the client (/32 source address) and send them via the 2.1 gateway
2.1 needs to select packets of the client (/32 source address) and send them via the 2.2 gateway
2.2, presumably, needs to NAT the packets and send them out via default gateway
Routing tables of 2.1 and 2.2 need to be updated so the reply can be routed back from 2.2 to the client:
2.2 needs to be aware that the route to the client (/32 destination address) is over 2.1
2.1 needs to be aware that the route to the client (/32 destination address) is over 2.3
I suggest to employ a sniffer (RouterOS’s built-in will do) and implement the config step by step: 2.3 → 2.1, 2.1 → 2.2, 2.2 → NAT → WAN, 2.2 → 2.1, 2.1 → 2.3
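A worked configuration for the five hops listed above, added here as an example in RouterOS v6 syntax (the main router runs 6.49); it is not taken from the thread or from MikroTik's documentation. Everything named below is an assumption: the client is 192.168.10.50 on R3's LAN 192.168.10.0/24, R1 = 192.168.2.1 has static OVPN server bindings `ovpn-r2` and `ovpn-r3`, R2 and R3 use the default client interface `ovpn-out1`, and R2's WAN is `ether1`. Source selection is done with `/ip route rule` rather than mangle; route rules match only addresses, so a per-protocol exception such as the DNS one mentioned earlier in the thread would need a mangle mark instead.

```routeros
# Added example, RouterOS v6 syntax. Hypothetical names and addresses:
#   R1 = 192.168.2.1 (OVPN server, public IP)   R2 = 192.168.2.2   R3 = 192.168.2.3
#   client behind R3 that must exit via R2's WAN: 192.168.10.50/32 (R3 LAN 192.168.10.0/24)
#   R1 server-side bindings: ovpn-r2, ovpn-r3   R2/R3 client interface: ovpn-out1   R2 WAN: ether1

# ===== R3 (192.168.2.3): send only the client's packets over the tunnel to R1 =====
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=via-r1 comment="client exit via R1"
/ip route rule
# source-based lookup, no mangle needed; keep the local LAN (and R3 itself) in the main table
add src-address=192.168.10.50/32 dst-address=!192.168.10.0/24 action=lookup table=via-r1

# ===== R1 (192.168.2.1): forward the client's packets to R2, and know the way back to R3 =====
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-mark=via-r2 comment="client exit via R2"
add dst-address=192.168.10.50/32 gateway=192.168.2.3 comment="return path to the client behind R3"
/ip route rule
# exclude the tunnel subnet so pings/keepalives to R1 and the other routers still use main
add src-address=192.168.10.50/32 dst-address=!192.168.2.0/24 action=lookup table=via-r2
/ip firewall filter
# place these above any drop rule in the forward chain
add chain=forward in-interface=ovpn-r3 out-interface=ovpn-r2 src-address=192.168.10.50/32 action=accept
add chain=forward in-interface=ovpn-r2 out-interface=ovpn-r3 dst-address=192.168.10.50/32 action=accept

# ===== R2 (192.168.2.2): route the replies back through R1, NAT only on the WAN side =====
/ip route
add dst-address=192.168.10.50/32 gateway=192.168.2.1 comment="client lives behind R1/R3"
/ip firewall nat
# existing masquerade rules are usually limited to the local LAN, hence an explicit one
add chain=srcnat src-address=192.168.10.50/32 out-interface=ether1 action=masquerade
/ip firewall filter
add chain=forward in-interface=ovpn-out1 out-interface=ether1 src-address=192.168.10.50/32 action=accept
# strict reverse-path filtering would drop 192.168.10.50 arriving on the tunnel; keep it off
/ip settings
set rp-filter=no

# ===== verify hop by hop with the built-in sniffer, as suggested above =====
/tool sniffer quick interface=ovpn-r3 ip-address=192.168.10.50      # R1: request arriving from R3
/tool sniffer quick interface=ovpn-r2 ip-address=192.168.10.50      # R1: same request leaving towards R2
/tool sniffer quick interface=ovpn-out1 ip-address=192.168.10.50    # R2: request in, reply out (pre-NAT)
/ip firewall connection print where src-address~"192.168.10.50"     # R2: translated connections
```

Work through the hops in the order given above and stop at the first sniffer that shows nothing: a request seen on R1's `ovpn-r3` but not on `ovpn-r2` points at the rule or forward filter on R1, a request seen on R2's `ovpn-out1` with no reply points at R2's NAT or return route.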
The problem here is layer 2: on Ethernet there is ARP, so I can tell .2.3 to use .2.2 as gateway and it can address its packets to it, but with OVPN this is not possible.
What you say is not possible to implement; it needs source NAT, but after that it won't work. I'm looking for a solution; the gateway is something of layer 2, not of the IP protocol.
The obvious solution is to create a tunnel between .2.3 and .2.2, but it would be a tunnel inside a tunnel, with a lot of overhead and packet fragmentation.
I don't know if it's possible to create a tunnel by a redirect, with .2.1 keeping the tunnel between the 2 hosts without interrupting it.
I got an idea: create a new subnet on .2.2 and declare the static route on the other routers, then .2.3 will use that IP as gateway; maybe it will work.
I did it: on .2.1 I marked in prerouting the packets coming from .2.3, then I created a default route to .2.2 for marked packets, that's all.
I'm not really satisfied with the result, because it's slow; probably I have fragmentation to overcome.
I think I was pretty clear that with OpenVPN you have to go through the server. There is no way around it as you’re essentially dealing with two separate links, as you have noticed.
I suggested doing this by modifying routing tables on 2.1 and 2.2 so that the packet from 2.3's client can be forwarded appropriately. With the current problem statement you only need to do NAT when the packet leaves 2.2's WAN interface.
I think the only way is to use mangle on .2.1: mark packets and force them to route via a second (lower-weight) default route to .2.2; in this way the packet is output on the .2.2 OVPN link. On .2.3 the same: mark & route to .2.2; here also src NAT to .2.3 is necessary. On .2.2 nothing is necessary.
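The mangle-based variant described in this last post, written out as an added RouterOS v6 example; it is not the poster's actual configuration. Assumed names: the client is 192.168.10.50 on R3's LAN 192.168.10.0/24, R1 = 192.168.2.1 has a static server binding `ovpn-r3` for R3, and R3's client interface is `ovpn-out1`. Because R3 src-nats the client to its own tunnel address, R1 and R2 only ever see 192.168.2.3, which they can already reach (everyone can ping everyone), so R2 needs no return route. An MSS clamp on the tunnel is added on top of what the post describes, since the slowness reported earlier in the thread looks like fragmentation.

```routeros
# Added example, RouterOS v6 syntax. Hypothetical names and addresses:
#   R1 = 192.168.2.1 (OVPN server)   R2 = 192.168.2.2   R3 = 192.168.2.3
#   client behind R3: 192.168.10.50/32 on LAN 192.168.10.0/24
#   R1 server-side binding for R3: ovpn-r3   R3 client interface: ovpn-out1

# ===== R3 (192.168.2.3): mark the client's traffic, route it into the tunnel, hide it behind .2.3 =====
/ip firewall mangle
# DNS stays on R3's own WAN (the exception mentioned earlier in the thread); accept ends mangle processing
add chain=prerouting src-address=192.168.10.50/32 protocol=udp dst-port=53 action=accept
add chain=prerouting src-address=192.168.10.50/32 dst-address=!192.168.10.0/24 \
    action=mark-routing new-routing-mark=via-r2 passthrough=no
# clamp TCP MSS to the tunnel path MTU so large segments are not fragmented inside OVPN
add chain=forward protocol=tcp tcp-flags=syn out-interface=ovpn-out1 \
    action=change-mss new-mss=clamp-to-pmtu
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=via-r2 comment="client exit via R1 -> R2"
/ip firewall nat
# src-nat to the tunnel address: R1 and R2 then need no route to 192.168.10.50
add chain=srcnat src-address=192.168.10.50/32 out-interface=ovpn-out1 \
    action=src-nat to-addresses=192.168.2.3

# ===== R1 (192.168.2.1): divert what arrives from R3 as 192.168.2.3 to R2 instead of R1's own WAN =====
/ip firewall mangle
# exclude the tunnel subnet so keepalives and pings to R1 still use the main table
add chain=prerouting in-interface=ovpn-r3 src-address=192.168.2.3 dst-address=!192.168.2.0/24 \
    action=mark-routing new-routing-mark=via-r2 passthrough=no
/ip route
# second default route, consulted only for marked packets; R1's own default route stays untouched
add dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-mark=via-r2
# R1 already has the tunnel route back to 192.168.2.3, so replies coming from R2 need nothing extra

# ===== R2 (192.168.2.2): nothing, provided its WAN masquerade rule covers source 192.168.2.3 =====
/ip firewall nat
print where chain=srcnat
# only if the existing rule is restricted to R2's LAN (assumed WAN interface ether1):
# add chain=srcnat src-address=192.168.2.3 out-interface=ether1 action=masquerade
```

Check the result from the client with any "what is my IP" service: the answer should be R2's public address, while a DNS lookup from the same client still leaves through R3's own WAN.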