Hi Everyone.
I'm trying to set up something that's somewhat over my head. I'm not sure what I'm trying to accomplish is even possible. Maybe my current approach is also just impractical or wrong.
I would appreciate it if somebody with more knowledge in networking could help me out or point me in the right direction or just tell me to forget it if it's not possible to do... :)
This is what I started out with:
I have a MikroTik HEX S Router which I use to connect to my work-vpn (IPSec). The network at work is 192.168.0.0/24 and the LAN network on my router is 10.0.1.0/24.
I did set up an IPSec policy and can reach every host in the 192.168.0.0/24 network from computers in my 10.0.1.0/24 network.
So far this works great and this was the initial reason for getting the router.
This is what I'd like to do:
However, often I have to take devices from work to my home to work on them. All these devices use static IPs and at the moment I always configure them to use a 10.0.1.0/24 address when I have to work on them from home and change it back to their original IP when I bring them back to work.
This is somewhat annoying and I would like to achieve the following things:
- Be able to connect the devices directly to my router and reach them from the computers in my 10.0.1.0/24 LAN.
- The devices should be able to reach relevant remote 192.168.0.0/24 devices that are only reachable via the IPSec link. That's what I'm struggling with.
Here is my current approach:
I got the first part working by dedicating the ether5 interface on my router to connecting work devices and assigning the IP 192.168.0.3/24 to it. I also changed my IPSec policy, so only a set of chosen addresses will be routed via IPSec. Everything else for the 192.168.0.0/24 network will be routed via ether5. The addresses that are routed via IPSec are: 192.168.0.2 (our NAS) and 192.168.0.25 (my development server). I'm doing this by adding a connection-mark using a prerouting mangle rule to connections to these addresses.
Using this setup, I can now reach the devices from my LAN. And (because 192.168.0.3/24 is also the gateway we use at work) the devices themselves are even connected to the internet through my router. I can also still reach the remote NAS and my Dev-Server from the LAN, so that works as well.
Here's the problem with that approach:
The second part of my requirements doesn't work. The devices connected to ether5 can't reach the remote IPSec'd addresses (e.g. my Dev-Server) because they are in the same network so they don't even think about contacting the gateway...
This is what I tried to get around the problem and where I'm stuck:
I tried adding the 192.168.0.2 and 192.168.0.25 addresses to the ether5 interface. Now at least packets for these addresses reach the router. But I'm stuck here. Can I somehow tell the router that stuff it receives via either of these addresses is not really an input for the router but rather should be sent through the IPSec tunnel?
Following the packet-flow diagram, I realize that the packets to e.g. 192.168.0.25 reach the PREROUTING step in the ROUTING block. At this point, the mangle rule also marks the connection as vpn-traffic, which is visible in the firewall connections. However, I think that in the ROUTING DECISION the packets are considered as INPUT because 192.168.0.25 is a local address of the router?
Thanks for reading through. I would really appreciate any help or ideas.
Thanks,
Sebastian
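For readers who want to reproduce the setup described in the post on a RouterOS device, here is the current approach written out as RouterOS commands. This is an added illustration, not Sebastian's actual configuration export: the bridge name, the address-list and mark names, the use of an address list instead of two separate mangle rules, and the IPsec peer addresses (WAN_IP, WORK_GW) are assumptions or placeholders, and the policy syntax is the RouterOS v6 form (v7 additionally requires a peer= reference).

```routeros
# Added illustration of the setup described in the post (not the poster's own export).
# Assumptions: home LAN sits on "bridge"; WAN_IP and WORK_GW are placeholders.

# Home LAN and the ether5 segment for work devices, using the work gateway's address
/ip address add address=10.0.1.1/24 interface=bridge
/ip address add address=192.168.0.3/24 interface=ether5

# Only the two remote hosts are selected for the tunnel; the rest of
# 192.168.0.0/24 stays on ether5 via the connected route
/ip firewall address-list add list=vpn-hosts address=192.168.0.2 comment="NAS"
/ip firewall address-list add list=vpn-hosts address=192.168.0.25 comment="Dev server"

# Connection mark from the post, set in prerouting so it shows up in the
# connection tracking table
/ip firewall mangle add chain=prerouting dst-address-list=vpn-hosts \
    action=mark-connection new-connection-mark=vpn-traffic passthrough=yes

# IPsec policies restricted to the two hosts (v6 syntax; v7 needs peer=)
/ip ipsec policy add src-address=10.0.1.0/24 dst-address=192.168.0.2/32 \
    tunnel=yes action=encrypt proposal=default \
    sa-src-address=WAN_IP sa-dst-address=WORK_GW
/ip ipsec policy add src-address=10.0.1.0/24 dst-address=192.168.0.25/32 \
    tunnel=yes action=encrypt proposal=default \
    sa-src-address=WAN_IP sa-dst-address=WORK_GW

# Checks: is the mark applied, are the SAs up, and does traffic from a device
# on ether5 reach the router at all (or is it ARPing for 192.168.0.25 directly)?
/ip firewall connection print where connection-mark=vpn-traffic
/ip ipsec policy print
/ip ipsec installed-sa print
/tool sniffer quick interface=ether5 ip-address=192.168.0.25
```

One caveat to keep in mind when checking against this illustration: the policy selectors here only cover sources in 10.0.1.0/24, which matches the part the post says works (LAN to NAS and dev server). Traffic originating on ether5 carries a 192.168.0.x source address, so even once such packets reach the router they would not match these selectors unless a policy for that source range exists.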