jduthler
just joined
Topic Author
Posts: 6
Joined: Mon Nov 26, 2018 3:28 pm

Public NAT to the far side of a WireGuard tunnel

Sun Aug 07, 2022 12:55 am

Two routers with a perfectly functioning WireGuard tunnel between them. Router1 inside systems can reach Router2 inside systems and vice versa without difficulty. The internet service (Starlink) at Router 2 does not accept inbound connections, so I am attempting to public NAT at Router1 and leverage the already in place FW and routing rules for the functioning WG tunnel.

Looking for approach recommendations.

Running ver 7.4 on both.

What I have tried:
1) Direct NAT at Router 1 to a private address at Router 2. The issue with this is that the source address in the packet captures at Router2 is the public device initiating the connection. The return route does not use the WG tunnel.

2) NAT to an unused bridge address at router 1 and forwarding via a static route to the target address at router 2 and the inverse of this. I see the NAT in the log and packet capture. I don't see my translated traffic entering the wireguard interface.
[Attachment: SL to KC WG.jpg]
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Public NAT to the far side of a WireGuard tunnel  [SOLVED]

Sun Aug 07, 2022 8:52 am

Can't you just work with some routing-mark solution?
Basically mangle/mark ANY traffic that arrives through the "wg0" interface at Router2 and make sure return traffic is routed out through the same wg0 and not "Starlink Internet" (even if the destination IP is a public IP).

Is that "Starlink Internet" at Router2 only used for WireGuard tunnel traffic then? Or is there local traffic behind Router2 that should use that local breakout?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Public NAT to the far side of a WireGuard tunnel

Sun Aug 07, 2022 2:59 pm

Don't understand the issue.
You have a public IP at router 1 which allows the device to act as a server for the initial handshake.
You have Starlink at router 2 that does not, but who cares, this will act as a client for the initial handshake.

What's the problem?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Public NAT to the far side of a WireGuard tunnel

Sun Aug 07, 2022 3:08 pm

As far as I can understand, some form of "inbound connections" (DNAT) is required to hit some server behind Router2.
Starlink does not support this, hence the construction to have the DNAT take place at Router1, then route it across WG towards Router2, let it hit the server and make sure the return packets arrive back at Router1 ;-)

An alternative would be to have the DNAT done at Router1, and ALSO SOURCE-NAT (with some 10.1.2.0/24 IP), then push it down the WG tunnel; the return packet will then automatically come back to Router1 for further processing?
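The DNAT-plus-SRCNAT variant described in this post, written out as an added RouterOS 7 CLI example (not the thread's config and not MikroTik's own documentation). It assumes Router1's WAN is ether1, the WireGuard interface on both routers is named wg0 with Router1 at 10.1.2.1/24 and Router2 at 10.1.2.2/24, the server behind Router2 is 192.168.2.50 listening on TCP 443, and the published public port is also 443; all of these values are placeholders. Only Router1 is touched; Router2 keeps its Starlink default route.

```routeros
# Router1 (public side). Added example, not the thread's config; all values are placeholders.
# Assumed: WAN = ether1, WireGuard interface = wg0 (10.1.2.1/24 here, 10.1.2.2/24 at Router2),
# target server behind Router2 = 192.168.2.50, published service = TCP 443.

# 1. The peer entry for Router2 must list the remote LAN in allowed-address, otherwise wg0
#    refuses to send the forwarded packets to that peer (cryptokey routing check).
/interface wireguard peers
add interface=wg0 public-key="<Router2-public-key placeholder>" \
    allowed-address=10.1.2.2/32,192.168.2.0/24 comment="Router2 behind Starlink"

# 2. Router1 needs a route to the remote LAN through the tunnel.
/ip route
add dst-address=192.168.2.0/24 gateway=wg0 comment="LAN behind Router2"

/ip firewall nat
# 3. DNAT: public TCP/443 arriving on the WAN interface goes to the server behind Router2.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=443 \
    to-addresses=192.168.2.50 to-ports=443 comment="publish server behind Router2"
# 4. SRCNAT the same connections to Router1's tunnel address. The srcnat chain runs after
#    dstnat, so dst-address already holds the translated address. Router2 then sees 10.1.2.1
#    as the client and replies into wg0 over its existing route for 10.1.2.0/24, with no
#    policy routing, at the cost of hiding the real client address from the server.
add chain=srcnat action=src-nat out-interface=wg0 dst-address=192.168.2.50 protocol=tcp \
    dst-port=443 to-addresses=10.1.2.1 comment="hide public clients behind tunnel address"

/ip firewall filter
# 5. Admit only the port-forwarded connections from the WAN into the tunnel. This rule must
#    sit above the usual "drop everything else from WAN" rule in the forward chain; replies
#    are covered by the normal established,related accept rule.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 out-interface=wg0 protocol=tcp dst-port=443 \
    comment="allow published service into wg0"
```

The server's access logs will show 10.1.2.1 for every outside client, which is the drawback sindy raises; if the server needs the real client address, the SRCNAT rule has to go and Router2 must route the replies back into the tunnel itself.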
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Public NAT to the far side of a WireGuard tunnel

Sun Aug 07, 2022 3:55 pm

> Alternative would be to have a DNAT done at Router1, and ALSO SOURCE-NAT (with some 10.1.2.0/24 IP) , then push it down the WG-tunnel and the return packet will automatically come back to Router1 for further processing?
Correct, but that would hide the actual addresses of the clients from the server, which is sometimes not what you want. Your initial suggestion with connection marking doesn't have this drawback, but yes, it is a bit more complex to configure.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: Public NAT to the far side of a WireGuard tunnel

Mon Aug 08, 2022 1:51 am

I allow an IP scope that I assigned to Wireguard, rather than interface.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Public NAT to the far side of a WireGuard tunnel

Mon Aug 08, 2022 2:20 am

@not OP,
Sorry, but I don't care to speculate on what may be the case and what may be the OP's thinking.
It's up to the OP to state the requirements clearly and to answer the questions posed; then one can formulate constructive and within-context answers.

@OP The diagram is helpful; a full /export of both configs is missing and should be provided by the OP, less any public IP information of course.
Finally, in terms of user requirements:
what are the users/devices on the networks,
what do they need to do and what should they not be able to do (including the admin).

With such info, the design of the current config can be better understood in terms of how it's meeting or not meeting the requirements.
Telling us what you have tried config-wise is mildly helpful in comparison to the above.
 
jduthler
just joined
Topic Author
Posts: 6
Joined: Mon Nov 26, 2018 3:28 pm

Re: Public NAT to the far side of a WireGuard tunnel

Mon Aug 08, 2022 4:12 am

Thanks for the feedback, a couple of recommendations which I will fiddle with this week.

1) Implement policy-based routing (mangle route) for the specific device on Router2 which outside traffic is forwarded to. On initial review this seems to be the best solution to my default gateway problem at Router2. Most traffic will go to Starlink, and a very small amount will traverse the WG tunnel and use Router1's default gateway and dstnat.

2) Also perform srcnat on inbound packets to put the packets into a directly connected network.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Public NAT to the far side of a WireGuard tunnel

Mon Aug 08, 2022 8:57 am

What's the end goal of this? You want to access some service that sits on some system behind router2 via the public IP of router1? If so, you seem to overcomplicate things.
Also provide an anonymized config of both routers.
 
jduthler
just joined
Topic Author
Posts: 6
Joined: Mon Nov 26, 2018 3:28 pm

Re: Public NAT to the far side of a WireGuard tunnel

Wed Aug 10, 2022 2:40 am

As an update, a simple mangle route on Router2 for the return traffic of the inbound NAT'd connection on Router1 did the trick. Thank you for all the recommendations.

A new problem has surfaced: regardless of the sniffer interface or filter settings on Router2, when I stop the sniffer the return traffic up the WG tunnel stops. Start the sniffer and the traffic is passed.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Public NAT to the far side of a WireGuard tunnel

Wed Aug 10, 2022 7:53 am

You seriously overcomplicated that setup.
> [...] a simple mangle-route on Router2 for the return traffic for the inbound nat'd connection on Router1 did the trick[...]
What. For a fricking DST-NAT TO WORK?
I have a similar setup with, wait for it, NO MANGLE RULES!!
Also, mangle and fasttrack aren't friends.
Disable fasttrack if you want to keep the current overcomplicated config.
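The connection-mark approach jvanhambelgium suggested and the OP ended up using, together with the fasttrack interaction Znevna points out here, as an added RouterOS 7 example (not the thread's config and not MikroTik's own documentation). Assumed placeholders: Router2's LAN is bridge1 with the server at 192.168.2.50 on TCP 443, the tunnel interface is wg0, and Router1 is reachable at 203.0.113.10:13231. In this variant Router1 only needs its dst-nat rule and no src-nat, so the server sees the real client address; Router2 does the work of sending the replies back into the tunnel instead of out via Starlink. Rather than disabling fasttrack altogether, the example keeps it for everything except the marked connections.

```routeros
# Router2 (behind Starlink). Added example, not the thread's config; all values are placeholders.
# Assumed: LAN = bridge1, server = 192.168.2.50 (TCP 443), tunnel = wg0,
# Router1 endpoint = 203.0.113.10:13231. Router1 only carries the dst-nat rule.

# 1. Requests arrive from, and replies go to, arbitrary public addresses through the tunnel.
#    WireGuard checks both directions against allowed-address, so the Router1 peer needs
#    0.0.0.0/0. This does not add any route; routing is decided by the tables below.
/interface wireguard peers
add interface=wg0 public-key="<Router1-public-key placeholder>" endpoint-address=203.0.113.10 \
    endpoint-port=13231 allowed-address=0.0.0.0/0 persistent-keepalive=25s comment="Router1"

# 2. A second routing table whose only route points back into the tunnel.
/routing table
add name=via-wg fib
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=via-wg \
    comment="return path for connections that came in via wg0"

/ip firewall mangle
# 3. Tag every new connection that reaches the published server through the tunnel.
add chain=prerouting action=mark-connection connection-state=new in-interface=wg0 \
    dst-address=192.168.2.50 protocol=tcp dst-port=443 new-connection-mark=from-wg \
    passthrough=yes comment="connection came in via wg0"
# 4. The server's replies enter on the LAN carrying that connection mark; send them to the
#    via-wg table instead of the Starlink default route in main.
add chain=prerouting action=mark-routing in-interface=bridge1 connection-mark=from-wg \
    new-routing-mark=via-wg passthrough=no comment="route replies back into wg0"

/ip firewall filter
# 5. Fasttracked packets bypass mangle, so rule 4 would never see the replies once the
#    connection is fasttracked (this is why the OP's traffic only flowed while the sniffer,
#    which suspends fasttrack, was running). Fasttrack only unmarked connections.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark comment="fasttrack everything except tunnel-published connections"
add chain=forward action=accept connection-state=established,related
# 6. Admit the published connection from the tunnel to the server; the usual drop rules
#    for other new forward traffic follow below this point.
add chain=forward action=accept connection-state=new in-interface=wg0 \
    dst-address=192.168.2.50 protocol=tcp dst-port=443 comment="published service from Router1"
```

To verify the return path, `/ip firewall connection print where connection-mark=from-wg` should list the published connections with the public client as src-address, and the counters on the mark-routing rule should advance while a client is connected; if they stay at zero, the connection is being fasttracked before mangle sees it.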
 
jduthler
just joined
Topic Author
Posts: 6
Joined: Mon Nov 26, 2018 3:28 pm

Re: Public NAT to the far side of a WireGuard tunnel

Wed Aug 10, 2022 6:15 pm

Seems quite simple to me, a DSTNAT and a mangle; what would you propose? Thanks for the fasttrack hint. I figured out after my note last night that the sniffer is likely turning off fasttrack so the CPU is exposed to all of the traffic. Disabling fasttrack eliminated the need to run the sniffer.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Public NAT to the far side of a WireGuard tunnel

Wed Aug 10, 2022 6:20 pm

Seems like you don't need any assistance. Good luck!
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Public NAT to the far side of a WireGuard tunnel

Wed Aug 10, 2022 6:40 pm

You don't need to mangle anything if everything else is done right.
Only one dst-nat rule is enough.
 
jduthler
just joined
Topic Author
Posts: 6
Joined: Mon Nov 26, 2018 3:28 pm

Re: Public NAT to the far side of a WireGuard tunnel

Wed Aug 10, 2022 9:54 pm

> Seems like you dont need any assistance. Good luck!
Thank you for your assistance ;)
