Is this possible to do or will I need another static IP address?
I've made a mock network in GNS3 to simulate this.
London (Hub) and Berlin (Spoke), which has a static IP address.
Rome (Spoke) and Paris (Spoke) are NATed behind the Internet-Nat router.
Rome sits behind 100.100.100.200 and Paris behind 200.200.200.200.
London Configuration
London > export
# may/22/2023 14:26:33 by RouterOS 6.49.7
# software id =
#
#
#
# London is the hub. Berlin (static public address 2.2.2.1) terminates on
# Peer-Berlin; Rome and Paris, both behind NAT, share the address-less passive
# peer Peer-NAT and are told apart by the certificate each one presents
# (see /ip ipsec identity below).
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Phase-1 profiles. Profile-London turns NAT traversal off for the static
# Berlin peer; Profile-London-Nat leaves nat-traversal at its default so the
# NATed spokes can still negotiate UDP encapsulation.
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Profile-London nat-traversal=no
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Profile-London-Nat
# Peer-Berlin is pinned to 2.2.2.1. Peer-NAT carries no address and is
# passive: the hub only answers IKE from the NATed spokes, whose public
# addresses are not known in advance.
/ip ipsec peer
add address=2.2.2.1/32 exchange-mode=ike2 local-address=1.1.1.1 name=Peer-Berlin profile=Profile-London send-initial-contact=no
add exchange-mode=ike2 local-address=1.1.1.1 name=Peer-NAT passive=yes profile=Profile-London-Nat send-initial-contact=no
# Default proposal disabled; every phase-2 SA uses AES-256-GCM, SHA-512 and
# ECP-521 PFS.
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm name=Proposal-London pfs-group=ecp521
/ip address
add address=1.1.1.1/24 interface=ether1 network=1.1.1.0
add address=192.168.1.254/24 interface=ether2 network=192.168.1.0
# The accept rule must stay above the masquerade rule: it exempts
# site-to-site traffic from NAT so it still matches the IPsec policies below.
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
# Certificate authentication. Each spoke is matched on the exact certificate
# it presents (match-by=certificate), which is what allows two spokes to share
# Peer-NAT.
# NOTE(review): on every identity certificate= (what London presents) and
# remote-certificate= (what the spoke must present) are the same file, which
# implies the same key pair is installed on both ends of each tunnel. Normally
# the hub presents its own certificate and keeps only the spokes' public
# certificates for remote-certificate= - confirm this is intended for the lab.
/ip ipsec identity
add auth-method=digital-signature certificate=Berlin.crt match-by=certificate peer=Peer-Berlin remote-certificate=Berlin.crt
add auth-method=digital-signature certificate=Rome.crt match-by=certificate peer=Peer-NAT remote-certificate=Rome.crt
add auth-method=digital-signature certificate=Paris.crt match-by=certificate peer=Peer-NAT remote-certificate=Paris.crt
# One policy per LAN pair, so spoke-to-spoke traffic (e.g. 192.168.2.0/24 <->
# 192.168.3.0/24) is relayed through the hub. level=unique gives each policy
# its own SA. The Peer-NAT policies cover both Rome (192.168.3.0/24) and
# Paris (192.168.4.0/24).
/ip ipsec policy
add dst-address=192.168.2.0/24 level=unique peer=Peer-Berlin proposal=Proposal-London src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=Peer-Berlin proposal=Proposal-London src-address=192.168.3.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=Peer-Berlin proposal=Proposal-London src-address=192.168.4.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.4.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.3.0/24 tunnel=yes
/ip route
add distance=1 gateway=1.1.1.2
/system identity
set name=London
Berlin Configuration
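Berlin > export
# may/22/2023 14:36:51 by RouterOS 6.49.7
# software id =
#
#
#
# Berlin is the spoke with a static public address (2.2.2.1). It initiates
# IKEv2 directly to the hub at 1.1.1.1; NAT traversal is disabled on both
# ends of that tunnel.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Phase-1 profile; nat-traversal=no mirrors Profile-London on the hub.
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Profile-Berlin nat-traversal=no
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 local-address=2.2.2.1 name=Peer-London profile=Profile-Berlin
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=4h name=Proposal-Berlin pfs-group=ecp521
/ip address
add address=2.2.2.1/24 interface=ether1 network=2.2.2.0
add address=192.168.2.254/24 interface=ether2 network=192.168.2.0
# NOTE(review): a DHCP client on ether1 next to the static 2.2.2.1/24 looks
# like a leftover from the default configuration; if a lease were ever
# offered it could install a second default route - confirm it should stay.
/ip dhcp-client
add disabled=no interface=ether1
# The accept rule exempts site-to-site traffic from masquerade so it still
# matches the IPsec policies; it must stay above the masquerade rule. The
# original export listed this pair twice; the second copy was redundant and
# has been dropped.
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
# NOTE(review): certificate= and remote-certificate= name the same file, so
# the hub would need Berlin's private key too - normally each router presents
# its own certificate; confirm this is intended.
/ip ipsec identity
add auth-method=digital-signature certificate=Berlin.crt match-by=certificate peer=Peer-London remote-certificate=Berlin.crt
# One policy per remote LAN. Traffic for Rome (192.168.3.0/24) and Paris
# (192.168.4.0/24) is also sent to the hub, which relays it.
/ip ipsec policy
add dst-address=192.168.1.0/24 level=unique peer=Peer-London proposal=Proposal-Berlin src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique peer=Peer-London proposal=Proposal-Berlin src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=Peer-London proposal=Proposal-Berlin src-address=192.168.2.0/24 tunnel=yes
/ip route
add distance=1 gateway=2.2.2.2
/system identity
set name=Berlin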
Rome Configuration
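Rome > export
# may/22/2023 14:37:06 by RouterOS 6.49.7
# software id =
#
#
#
# Rome is a NATed spoke: its WAN address 3.3.3.1 is masqueraded by
# Internet-Nat behind 100.100.100.200, so it initiates IKEv2 to the hub and
# the hub answers on its passive Peer-NAT. NAT traversal is left at its
# default here and on the hub's Profile-London-Nat.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Profile-Rome
# No local-address: the source address is chosen by routing and is rewritten
# by Internet-Nat anyway.
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 name=Peer-London profile=Profile-Rome send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=4h name=Proposal-Rome pfs-group=ecp521
# LAN is 192.168.3.0/24: that is the src-address every Rome policy uses and
# the prefix the hub and the other spokes route to Rome. The original export
# had 192.168.2.254/24 here, which duplicated Berlin's LAN and matched none of
# the policies.
/ip address
add address=3.3.3.1/24 interface=ether1 network=3.3.3.0
add address=192.168.3.254/24 interface=ether2 network=192.168.3.0
# NOTE(review): DHCP client on ether1 next to the static 3.3.3.1/24 looks like
# a default-configuration leftover - confirm it should stay.
/ip dhcp-client
add disabled=no interface=ether1
# Accept rule exempts site-to-site traffic from masquerade; keep it above the
# masquerade rule.
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
# NOTE(review): certificate= and remote-certificate= name the same file;
# normally each router presents its own certificate - confirm this is intended.
/ip ipsec identity
add auth-method=digital-signature certificate=Rome.crt match-by=certificate peer=Peer-London remote-certificate=Rome.crt
# One policy per remote LAN, all via the hub.
/ip ipsec policy
add dst-address=192.168.1.0/24 level=unique peer=Peer-London proposal=Proposal-Rome src-address=192.168.3.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=Peer-London proposal=Proposal-Rome src-address=192.168.3.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=Peer-London proposal=Proposal-Rome src-address=192.168.3.0/24 tunnel=yes
/ip route
add distance=1 gateway=3.3.3.2
/system identity
set name=Rome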
Paris Configuration
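Paris > export
# may/22/2023 14:37:32 by RouterOS 6.49.7
# software id =
#
#
#
# Paris is the second NATed spoke: its WAN address 4.4.4.1 is masqueraded by
# Internet-Nat behind 200.200.200.200, so the hub sees it from a different
# public address than Rome and both can share the hub's passive Peer-NAT.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Profile-Paris
# No local-address: the source address is chosen by routing and is rewritten
# by Internet-Nat anyway.
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 name=Peer-London profile=Profile-Paris send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=4h name=Proposal-Paris pfs-group=ecp521
# LAN is 192.168.4.0/24: that is the src-address every Paris policy uses and
# the prefix the hub and the other spokes route to Paris. The original export
# had 192.168.3.254/24 here, which is Rome's LAN and matched none of the
# policies.
/ip address
add address=4.4.4.1/24 interface=ether1 network=4.4.4.0
add address=192.168.4.254/24 interface=ether2 network=192.168.4.0
# NOTE(review): DHCP client on ether1 next to the static 4.4.4.1/24 looks like
# a default-configuration leftover - confirm it should stay.
/ip dhcp-client
add disabled=no interface=ether1
# Accept rule exempts site-to-site traffic from masquerade; keep it above the
# masquerade rule.
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
# NOTE(review): certificate= and remote-certificate= name the same file;
# normally each router presents its own certificate - confirm this is intended.
/ip ipsec identity
add auth-method=digital-signature certificate=Paris.crt match-by=certificate peer=Peer-London remote-certificate=Paris.crt
# One policy per remote LAN, all via the hub.
/ip ipsec policy
add dst-address=192.168.1.0/24 level=unique peer=Peer-London proposal=Proposal-Paris src-address=192.168.4.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=Peer-London proposal=Proposal-Paris src-address=192.168.4.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique peer=Peer-London proposal=Proposal-Paris src-address=192.168.4.0/24 tunnel=yes
/ip route
add distance=1 gateway=4.4.4.2
/system identity
set name=Paris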
Internet Configuration
Internet > export
# may/22/2023 14:31:22 by RouterOS 6.49.7
# software id =
#
#
#
# "Internet" is the transit router between the hub (1.1.1.0/24 on ether1),
# Berlin (2.2.2.0/24 on ether2) and the two Internet-Nat uplinks
# (100.100.100.0/24 on ether8, 200.200.200.0/24 on ether7). All four networks
# are directly connected, so no static routes appear.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=1.1.1.2/24 interface=ether1 network=1.1.1.0
add address=2.2.2.2/24 interface=ether2 network=2.2.2.0
add address=100.100.100.100/24 interface=ether8 network=100.100.100.0
add address=200.200.200.100/24 interface=ether7 network=200.200.200.0
# NOTE(review): the DHCP client on ether1 (the link to London) looks like a
# default-configuration leftover - confirm it should stay.
/ip dhcp-client
add disabled=no interface=ether1
/system identity
set name=Internet
Internet-Nat Configuration
Internet-Nat > export
# may/22/2023 14:30:43 by RouterOS 6.49.7
# software id =
#
#
#
# Internet-Nat does source NAT for Rome (3.3.3.1 on ether3) and Paris
# (4.4.4.1 on ether4). Each spoke leaves through a different uplink so the hub
# sees them from two distinct public addresses: Rome from 100.100.100.200
# (ether8), Paris from 200.200.200.200 (ether7).
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=3.3.3.2/24 interface=ether3 network=3.3.3.0
add address=4.4.4.2/24 interface=ether4 network=4.4.4.0
add address=100.100.100.200/24 interface=ether8 network=100.100.100.0
add address=200.200.200.200/24 interface=ether7 network=200.200.200.0
# NOTE(review): ether1 carries no address in this export; the DHCP client on
# it looks like a default-configuration leftover - confirm it should stay.
/ip dhcp-client
add disabled=no interface=ether1
# Masquerade on both uplinks; which one a packet takes is decided by the
# routes below.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8
add action=masquerade chain=srcnat out-interface=ether7
# Default route via 100.100.100.100 (ether8) is used by Rome. The route
# rule below sends anything sourced from Paris's WAN address (4.4.4.1) to the
# Phoebe-Routes table, whose only route exits via 200.200.200.100 (ether7),
# so Paris is NATed behind 200.200.200.200 instead.
/ip route
add distance=100 gateway=200.200.200.100 routing-mark=Phoebe-Routes
add distance=1 gateway=100.100.100.100
/ip route rule
add action=lookup-only-in-table src-address=4.4.4.1/32 table=Phoebe-Routes
/system identity
set name=Internet-Nat
Thanks in advance.