Spike101
just joined
Topic Author
Posts: 5
Joined: Sat Aug 15, 2020 6:10 pm

Using the same network locally and via VPN?

Tue Sep 22, 2020 11:22 am

Hi Everyone.

I'm trying to set up something that's somewhat over my head. I'm not sure what I'm trying to accomplish is even possible. Maybe my current approach is also just impractical or wrong.
I would appreciate it if somebody with more knowledge in networking could help me out or point me in the right direction, or just tell me to forget it if it's not possible to do... :)

This is what I started out with:

I have a MikroTik hEX S router which I use to connect to my work VPN (IPsec). The network at work is 192.168.0.0/24 and the LAN network on my router is 10.0.1.0/24.
I set up an IPsec policy and can reach every host in the 192.168.0.0/24 network from computers in my 10.0.1.0/24 network.

So far this works great, and this was the initial reason for getting the router.

This is what I'd like to do:

However, often I have to take devices from work to my home to work on them. All these devices use static IPs and at the moment I always configure them to use a 10.0.1.0/24 address when I have to work on them from home and change it back to their original IP when I bring them back to work.

This is somewhat annoying and I would like to achieve the following things:
- Be able to connect the devices directly to my router and reach them from the computers in my 10.0.1.0/24 LAN.
- The devices should be able to reach the relevant remote 192.168.0.0/24 devices that are only reachable via the IPsec link. That's what I'm struggling with.

Here is my current approach:

I got the first part working by dedicating the ether5 interface on my router to connecting work devices and assigning the IP 192.168.0.3/24 to it. I also changed my IPsec policy so that only a set of chosen addresses will be routed via IPsec. Everything else for the 192.168.0.0/24 network will be routed via ether5. The addresses that are routed via IPsec are: 192.168.0.2 (our NAS) and 192.168.0.25 (my development server). I'm doing this by adding a connection-mark using a prerouting mangle rule for connections to these addresses.

Using this setup, I can now reach the devices from my LAN. And (because 192.168.0.3/24 is also the gateway we use at work) the devices themselves are even connected to the internet through my router. I can also still reach the remote NAS and my dev server from the LAN, so that works as well.

Here's the problem with that approach:

The second part of my requirements doesn't work. The devices connected to ether5 can't reach the remote IPsec'd addresses (e.g. my dev server) because they are in the same network, so they don't even think about contacting the gateway...

This is what I tried to get around the problem, and where I'm stuck:

I tried adding the 192.168.0.2 and 192.168.0.25 addresses to the ether5 interface. Now at least packets for these addresses reach the router. But I'm stuck here. Can I somehow tell the router that stuff it receives via either of these addresses is not really an input for the router but rather should be sent through the IPsec tunnel?

Following the packet-flow diagram, I realize that the packets to e.g. 192.168.0.25 reach the PREROUTING step in the ROUTING block. At this point, the mangle rule also marks the connection as vpn-traffic, which is visible in the firewall connections. However, I think that in the ROUTING DECISION the packets are considered as INPUT because 192.168.0.25 is a local address of the router?

Thanks for reading through. I would really appreciate any help or ideas.

Thanks,

Sebastian
 
techlord
Frequent Visitor
Posts: 58
Joined: Mon Nov 18, 2019 4:33 pm

Re: Using the same network locally and via VPN?

Thu Sep 24, 2020 11:17 pm

Hi!

You are breaking some networking rules:
1. The computer you take home wants to connect to a work computer that is in the same subnet, so it will ask for the destination MAC address. It's irrelevant what you did on the router; no one will answer the server's ARP request for the MAC... the communication does not reach the routing level.
2. IPsec works with encryption domains (in MikroTik's case), which is a fancy name for subnets, meaning you have to declare what subnets will be on both ends of the tunnel and they cannot overlap. If you declared a /24 on the work end, the IPsec will never encrypt a packet coming from your home end but with a work-end IP...

What you need is a layer 2 tunnel service like VPLS. That way you will extend your work's network into your home router, so any computer you take home will think it's in the same LAN as work. But VPLS is not encrypted... on Cisco you could do VPLS over GRE over IPsec, not sure about MikroTik; that's some heavy stuff. If the work router is also a MikroTik, you can try EoIP/IPsec.

You could also try to make your MikroTik an L2TP/IPsec client for the firewall at work, but it will take some engineering.
 
Amm0
Forum Guru
Posts: 3423
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Using the same network locally and via VPN?

Fri Sep 25, 2020 3:35 am

Don't know how much control you have over your IP space in the "work" 192.168.0.0/24 subnet.

One idea is you could "cheat" by having your devices live in a smaller block of addresses, say a /29-sized block, of the 192.168.0.0/24 network, like 192.168.0.208/29 (192.168.0.209-214). Routing prefers a smaller subnet range over a bigger one, so when you're at home, the /29 goes to your devices, not the VPN. You'd still have to NAT that /29 range on the home MikroTik so they'd use the VPN address assigned to the MT going out/in. Since the L2 ARP stops at the VPN interface, you'd need to NAT them since they aren't part of the 192.168.0.0 broadcast scope living on the port in your house without a VPN.

This is of course assuming these devices don't need L2/MAC stuff and only communicate at L3/IP. Another approach would be to get a small MikroTik router for your office that used EoIP to connect the two networks, as that would solve the "roaming device problem" nicely, assuming company policy, available public IP, etc. aligned.
 
johnt107
just joined
Posts: 22
Joined: Sat Jun 20, 2020 3:28 pm

Re: Using the same network locally and via VPN?

Fri Sep 25, 2020 7:53 am

I've not much network skill, but I suggest you investigate the use of proxy ARP. When I was setting up my L2TP/IPsec VPN my research was leading me down two paths: using proxy ARP to use the same subnet on both sides, and using different subnets to force use of the router (which I ended up using).
From https://wiki.mikrotik.com/wiki/Manual:IP/ARP
"A router with properly configured proxy ARP feature acts like a transparent ARP proxy between directly connected networks.
This behaviour can be useful, for example, if you want to assign dial-in (ppp, pppoe, pptp) clients IP addresses from the same address space as used on the connected LAN."

and from https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
"At this point (when L2TP client is successfully connected) if you will try to ping any workstation from the laptop, ping will time out, because Laptop is unable to get ARPs from workstations. Solution is to set up proxy-arp on local interface...After proxy-arp is enabled client can now successfully reach all workstations in local network behind the router."
 
Spike101
just joined
Topic Author
Posts: 5
Joined: Sat Aug 15, 2020 6:10 pm

Re: Using the same network locally and via VPN?

Fri Sep 25, 2020 9:58 am

Thanks for all your remarks and ideas.

The addresses and network structure at work are fixed, but I may be able to convince them to get a MikroTik router for the VPN access if I can't get it working solely from my side. Right now it's on a Linux machine with StrongSwan.

But for now, thanks to you, I have some new keywords and technologies that I can look up.
I'll let you know if I can manage to get something to work using your ideas.
 
Spike101
just joined
Topic Author
Posts: 5
Joined: Sat Aug 15, 2020 6:10 pm

Re: Using the same network locally and via VPN?

Wed Sep 30, 2020 10:02 am

I finally had some time to experiment with this again.

johnt107 wrote:
> I've not much network skill, but I suggest you investigate the use of proxy-ARP. When I was setting up my L2TP/IPSEC vpn my research was leading me down two paths - using proxy-ARP to use the same subnet on both sides and using different subnets to force use of the router (which I ended up using).

Thank you very much for the suggestion!
I am using local-proxy-arp on ether5 now, and it works perfectly. The router replies to all ARP requests for 192.168.0.0/24 addresses on the ether5 interface and does the necessary routing to get the packets to the actual destination. No need to set up anything beyond that and the default source NAT to the IPsec IP.

I tried using proxy-arp (instead of local-proxy-arp), but that did not work. I guess that only works if the router is connected directly to the remote hosts, but in the case of IPsec it did not work for me. With local-proxy-arp, the router replies to all ARP requests for the 192.168.0.0/24 subnet on the ether5 interface, not just for addresses it knows on other interfaces. I guess this may be a problem if multiple devices in the 192.168.0.0/24 network connected to ether5 via a switch need to communicate among each other, but in my case that's not required, so it's OK (and I did not try it, so maybe it works anyhow).
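
The setup Spike101 ends up with, written out as a RouterOS CLI example. This is an added example, not Spike101's exported configuration; only the addresses come from the thread (home LAN 10.0.1.0/24, work LAN 192.168.0.0/24, work gateway 192.168.0.3 on ether5, remote hosts 192.168.0.2 and 192.168.0.25 behind IPsec). The peer address 203.0.113.10, the pre-shared key, the IKEv2/AES/SHA-256 proposal, ether1 as the WAN port, "bridge" as the LAN interface and 10.0.1.1 as the router's LAN address are all placeholders chosen for the example.

```routeros
# Added example, not the original poster's config. Placeholders (assumptions):
# peer 203.0.113.10, PSK "CHANGE-ME", ether1 = WAN, bridge = home LAN, 10.0.1.1 = router LAN IP.

# 1. Home LAN as in the thread, plus the work gateway address on the port for work devices.
#    Devices keep their static work IP and default gateway 192.168.0.3.
/ip address add address=10.0.1.1/24 interface=bridge comment="home LAN"
/ip address add address=192.168.0.3/24 interface=ether5 comment="work devices at home"

# 2. local-proxy-arp: the router answers ARP for *every* 192.168.0.0/24 address asked on ether5,
#    so a device resolving 192.168.0.25 gets the router's MAC and the packet reaches routing.
#    Plain proxy-arp only answers for addresses reachable on another interface; the two
#    IPsec-only hosts are not, which is why it did not work for the original poster.
/interface ethernet set [ find default-name=ether5 ] arp=local-proxy-arp

# 3. Policy-based IPsec to the work StrongSwan host (IKEv2 with a PSK assumed).
/ip ipsec profile add name=work enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal add name=work enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec peer add name=work address=203.0.113.10/32 exchange-mode=ike2 profile=work
/ip ipsec identity add peer=work auth-method=pre-shared-key secret="CHANGE-ME"
#    Only the two remote hosts are selected for the tunnel. The rest of 192.168.0.0/24
#    is left to the connected route on ether5, i.e. to the devices at home.
/ip ipsec policy add peer=work tunnel=yes proposal=work src-address=10.0.1.0/24 dst-address=192.168.0.2/32
/ip ipsec policy add peer=work tunnel=yes proposal=work src-address=10.0.1.0/24 dst-address=192.168.0.25/32

# 4. NAT. In the RouterOS packet flow srcnat runs before the IPsec policy lookup, so traffic
#    from ether5 devices (src 192.168.0.x) is rewritten to an address the policy covers before
#    it is encrypted. Internet traffic is masqueraded, but never packets an IPsec policy
#    already claims (ipsec-policy=out,none), or the tunnel breaks.
/ip firewall nat add chain=srcnat in-interface=ether5 dst-address=192.168.0.2 action=src-nat to-addresses=10.0.1.1
/ip firewall nat add chain=srcnat in-interface=ether5 dst-address=192.168.0.25 action=src-nat to-addresses=10.0.1.1
/ip firewall nat add chain=srcnat out-interface=ether1 ipsec-policy=out,none action=masquerade

# 5. Optional: the home LAN may open connections to the work devices, but not the reverse.
/ip firewall filter add chain=forward in-interface=ether5 dst-address=10.0.1.0/24 \
    connection-state=new action=drop comment="work devices may not reach the home LAN"

# 6. Checks: tunnel up, SAs installed, the router answering ARP on ether5, traffic to the dev server.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip arp print where interface=ether5
/tool sniffer quick interface=ether5 ip-address=192.168.0.25
```

Two practical notes. Because local-proxy-arp makes the router answer for every address on ether5, two work devices plugged into ether5 through a switch will also exchange traffic through the router rather than directly, which is the limitation Spike101 mentions. And the src-nat rules hide the work devices behind 10.0.1.1, so the work side sees the same source it already allows for the home LAN; the policy's src-address must match whatever address the work StrongSwan peer has in its traffic selector.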
 
vishant
just joined
Posts: 2
Joined: Sat Nov 05, 2016 9:11 am

Re: Using the same network locally and via VPN?

Fri Jun 04, 2021 8:16 pm

Spike101

Can you please provide some script or step-by-step guide to achieve the same? I'm very new to MikroTik and would like to use it to get the same outcome.

Thanks
