The backstory: I'm using a Mikrotik Router Cloud Switch to connect to a cable modem (not router) in which Mikrotik picks up the public IP.
The current topology thus far is:
ether-WAN: 71.X.X.X (picked up by DHCP)
gre-tunnel: 10.x.x.71 (Provider's side: gateway: 10.x.x.70; Public IP: 103.x.x.2)
So far, I have port forwarding and masquerading working like a charm: packets inside can traverse the NAT and get outside, and vice versa, on 71.x.x.x. Then, after a few days, I started to get hit by a DNS amplification DDoS attack. I forced a DHCP update by changing the MAC on ether-WAN -- the IP changes class C and I'm good for a few days. Then again, I'm hit.
After 8 attacks over 2 weeks, I decided to purchase DDoS protection for the network, which uses a GRE or IPIP tunnel (hiding the real public IP, or not using it at all, and tx/rx-ing traffic over the new public IP from the provider, which can take an 800Gbps attack and filter it before it hits my router).
I got the GRE tunnel terminated on the Mikrotik router -- I can see packets going in and out. The problem is, how does one go about having the NAT (or portions thereof) use it?
My provider has assigned me a 10.x.x.x/30 network, which means I can assign a single IP to the GRE tunnel interface.
Here is what I've tried:
Marked routing -- I set up a mangle rule to mark the route for source IPs (web server and such) and set the routing mark on the GRE gateway in the IP > Routes table.
/ip firewall mangle add action=mark-routing chain=prerouting comment="Filtered Mangle Routing" disabled=no \ new-routing-mark=Filtered passthrough=no src-address-list=FilteredIPs
This did not work; even though I could see more traffic, I think this method was trying to extend my 192.168.0.0/16 network into my provider's NAT. In this scenario, I could ping the 10.x gateway, but not the router's assigned 10.x IP on the GRE interface.
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.x.x.70 routing-mark=Filtered scope=30 target-scope=10
Specified src-nat rules -- I set up a src-nat rule to direct the web server 192.168.0.2 to 10.x.x.71 (the IP assigned to the GRE interface) and a rule under that to direct 192.168.0.0/16 to 71.x.x.x (the ISP's interface).
/ip firewall nat add chain=srcnat src-address-list=FilteredIPs action=src-nat to-addresses=10.x.x.71
This did not work; in fact, when I tried this method, all incoming traffic over GRE stopped. I could see my packets leaving, but my provider never saw the packets. In this scenario, I could ping both the 10.x gateway and the 10.x IP on the GRE interface.
/ip firewall nat add chain=srcnat src-address=192.168.0.0/16 action=src-nat to-addresses=71.x.x.x
Does anyone happen to know what I may be doing wrong here, or if I'm missing something? During all of this, every other computer on the NAT works perfectly; just getting traffic to route over the GRE interface from the NAT based on a single (or multiple) LAN IPs seems to be virtually impossible. But then again, tunneling is something entirely new to me. I can do VLANs, meshes, etc., but toss in a tunnel condition and I'm absolutely lost.
Here is my optimistic setup (what I currently have combined with what we need):
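Added example, not the poster's configuration and not anything from the DDoS provider: a RouterOS v6 configuration for the topology described in the post, in which the hosts on the FilteredIPs list reach the internet through the GRE tunnel and everything else keeps using ether-WAN. The interface names ether-WAN and gre-tunnel, the address list FilteredIPs, the routing mark Filtered and the 10.x.x.70/10.x.x.71 tunnel addresses are taken from the post; the connection mark viaGRE, the web server ports 80/443 and the MSS clamp are assumptions. Addresses keep the post's x placeholders and must be filled in before use.

```routeros
# Added example (RouterOS v6 syntax, as used in the post). Names marked
# "assumed" are not from the original post.

/ip firewall address-list
add list=FilteredIPs address=192.168.0.2 comment="web server, exits via GRE"

/ip firewall mangle
# 1. Connections that ARRIVE over the tunnel must also reply over it.
#    Mark the connection on entry, then route-mark the LAN side's replies.
#    (connection mark "viaGRE" is assumed)
add chain=prerouting in-interface=gre-tunnel connection-state=new \
    action=mark-connection new-connection-mark=viaGRE passthrough=yes
add chain=prerouting connection-mark=viaGRE in-interface=!gre-tunnel \
    action=mark-routing new-routing-mark=Filtered passthrough=no
# 2. Traffic ORIGINATED by the filtered hosts takes the tunnel, except
#    LAN-to-LAN traffic, which must stay on the main table.
add chain=prerouting src-address-list=FilteredIPs \
    dst-address=!192.168.0.0/16 \
    action=mark-routing new-routing-mark=Filtered passthrough=no
# 3. GRE adds header overhead; clamp TCP MSS so large segments survive
#    the tunnel (assumed, but a common requirement for GRE).
add chain=forward out-interface=gre-tunnel protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

/ip route
# 4. Default route for the "Filtered" table via the provider's tunnel
#    gateway; check-gateway pulls the route if the tunnel goes down.
add dst-address=0.0.0.0/0 gateway=10.x.x.70 routing-mark=Filtered \
    distance=1 check-gateway=ping

/ip firewall nat
# 5. Pick the source address by the interface the packet actually leaves
#    on, not by the host it came from. The tunnel rule sits before the
#    generic WAN masquerade so it is matched first.
add chain=srcnat out-interface=gre-tunnel action=src-nat \
    to-addresses=10.x.x.71
add chain=srcnat out-interface=ether-WAN action=masquerade
# 6. Port-forward web traffic arriving over the tunnel to the web server
#    (ports assumed).
add chain=dstnat in-interface=gre-tunnel protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.0.2
```

Rule order within each chain matters: the reply-path rule (1) runs before the origin rule (2) so inbound connections from the provider are never re-evaluated against the source list, and the tunnel src-nat is listed before the masquerade. Keying src-nat on out-interface rather than on the LAN host means the translated address always matches the exit interface, so a packet that ends up on ether-WAN is never stamped with the tunnel address. On RouterOS v7 the routing mark must exist first (`/routing table add name=Filtered fib`) and the route uses `routing-table=Filtered` instead of `routing-mark=`. To check it is working, confirm the marked route is active with `/ip route print where routing-mark=Filtered`, then watch `/ip firewall connection print where connection-mark=viaGRE` while connecting to the web server through the provider's public IP.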