ehbowen
Frequent Visitor
Topic Author
Posts: 94
Joined: Tue Sep 05, 2017 6:13 am
Location: Houston, Texas

Using a CHR as a Multisite Ingress Router?

Mon Jan 20, 2025 9:16 am

Okay. After more effort than a competent geek should have ever needed, I finally got this setup working. Pretty much. Now, I want to improve upon it.

I'd like to make the licensed CHR in the Digital Ocean droplet my master ingress point for any WAN traffic not directly related to an outgoing request. Mainly incoming email for the mail servers. I'll need to have some kind of a proxy server set up to direct the data traffic, either nginx or (preferred) HAProxy. Looking for ideas as to where and how to do so; I haven't had much success so far (although I've got limited functionality with an nginx-based proxy server built into one of my NAS boxes at the home office). Here's a diagram showing what I'd like to get to:
[Attachment: WireguardNet-2.drawio.png]
Briefly, classes of traffic include email, WebDAV/CalDAV, http/https, surveillance video, DNS (I use ClouDNS as my offsite server, but I'm wanting to keep a local hidden primary), PleX media streaming, and of course WinBox. There may be others, but it's one in the morning here and it's been a rather frantic month so far (Dad's funeral was Wednesday. Yes, we were very close.). I also have some now-obsolete hardware for working with now-obsolete video standards (NTSC/PAL VHS) which cannot be upgraded; anything Vista or later will break the drivers. Right now those are air-gapped, but I'd like to have some limited networking functionality, at the very least LAN intranet.

I'd like to make the CHR my master ingress point, as stated above, and distribute traffic to the various local subnets over the WireGuard links. I'd prefer to co-locate the proxy server and the email server in a Raspberry Pi 5 (8 GB RAM) located in my home office networking cabinet, but the advantages of paying for a second DO droplet and hosting it there might be preferable. Or perhaps I should look into doing both, for reliability. I'll also want suggestions as to where to place intranet DNS servers and how to configure them. Using the script I saw elsewhere here to dynamically update local DNS is a possibility; it would be a real advantage to be able to remotely update Mom's computer and/or the computers at the church using Ansible or similar.

I'm wanting to drop the /29 static subnet from the church and make it a fiber Dynamic IP; that will save a fair amount of the monthly cost. I plan to keep the /32 static IPs at my home office and possibly at Mom's house. The data link between my home office and her house is still down, eight months later... thanks, T-Mobile. I'd have no connectivity there at all without the WireGuard links and the droplet in New York City. So, three thousand miles round trip instead of five miles one-way... again, thanks T-Mobile.

Anyhow, I ask your indulgence for my venting and want to solicit advice from those who have done a similar setup. Right now I'm using an offsite email provider for my domains (four of them), but I very much want to get back to self-hosting that on my own hardware as I'm not happy with Titan's free service and I can't afford to buy their premium service for all of the domains/addresses. Thanks in advance for your advice and help.