GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

router behind firewall, use vpn only to manage it

Fri Oct 08, 2021 9:47 pm

Hi, I want to install a 3G/4G router in my second house, far away on the seaside; this will allow me to reach a video camera and an ESP8266 that sends alarms from local sensors via Telegram. I would also like access to the router, and to the ESP for uploading new firmware. I have a MikroTik router located at a client with a public IP, so I can create a VPN between them, but this should not be used for all traffic, just for Winbox, the ESP web server and the camera web server. The main traffic/internet usage of all connected clients (including me over WiFi when I'm living there) should use the default route to the internet. How can I do it?
I'm thinking about it: the VPN may have a static IP, maybe one from the local network of the second router (the one with the public IP), and with the firewall I can source-NAT that IP to the local address? For example:
192.168.88.1 is the local mikrotik
192.168.88.2 is videocamera
192.168.88.3 is ESP
192.168.1.1 is the second router with public IP
192.168.1.254 is the VPN address of the local MikroTik.
I may open from the local network of the second router (and from the internet as well, with dst-nat) 192.168.1.254:8291 for the local router, 192.168.1.254:80 for the camera web page, 192.168.1.254:81 for the ESP. Does all this make sense? If yes, I'll buy it ))

EDIT: reading the documentation on creating a tunnel, it's suggested to use a /30 subnet with different IP addresses; maybe this can help to avoid forwarding the local layer 3 broadcasts, but may this be a problem for NATting?
Let's say I'm using, as in the example, 172.16.1.1/30 for the tunnel. I'll add a route on both routers to reach .88.x and .1.x from both sides, fine, but now I want to reach the local router from the internet through the second one.. on the second one there should be a source NAT (if not, the local device will reply to the public address using its gateway) but also a destination NAT.. as usual, how to combine them?

Another question: the 3G network isn't unlimited, so how much data do the keepalive packets of the tunnel send, and how often? Is it relevant over a month?
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: router behind firewall, use vpn only to manage it

Fri Oct 08, 2021 10:34 pm

Hi GG,

If you can set up a WireGuard tunnel between your location and the remote location, this will be the easiest approach, I believe. As long as you have an MT device at either end (not necessarily as a router) it can work.
The only issue is it's only available on beta firmware, but they are up to v7.1rc4, so perhaps it's fine for general use as you are doing.
 
GiovanniG
Member
Topic Author
Posts: 350
Joined: Sun Nov 15, 2015 4:12 pm

Re: router behind firewall, use vpn only to manage it

Fri Oct 08, 2021 11:02 pm

Thanks for the reply. I have to consider another thing, which was not present in the example: the second router is reachable on the internet due to its public IP, but the local one isn't; the providers always give a 10.x class A private address, so it should initiate the connection and the second one should listen for it. Does WireGuard do that?
From your words I suppose on 6.48.3 there isn't any other way..
Thanks
 
holvoetn
Forum Guru
Posts: 5474
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: router behind firewall, use vpn only to manage it

Fri Oct 08, 2021 11:05 pm

Got a setup like that with an SXT LTE in France using WireGuard.
Works perfectly.
For the subnet, you can use a complete /24 in a private range if you want.
Just make sure one end of the tunnel has a fixed IP.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: router behind firewall, use vpn only to manage it

Sat Oct 09, 2021 1:32 am

Just to give you an example.
My WireGuard server is an RB450Gx4, sitting on a network as a router but behind the main MT router, a CCR1009.
My WireGuard peer consists of an RB4011 behind an ISP fiber modem/router; the only thing we can do on this ISP device is forward ports.

Now there really isn't a server/peer in the strict sense, just in the use-case sense of what you intend to do.
In other words, one does have to define a listening port on the server side, so to speak.
If that server side is behind the ISP's router, then you have to forward the listening port to the WAN IP of the device acting as another router behind the ISP router.
In my case I forward a port on the CCR1009 to the LAN IP of the RB450Gx4 (also the fixed WAN IP of the RB450Gx4).
At the client location the same thing occurs.............

In each case the WireGuard device is not on a public IP.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: router behind firewall, use vpn only to manage it

Sat Oct 09, 2021 1:49 am

The second router is reachable on the internet due to its public IP, but the local one isn't; the providers always give a 10.x class A private address, so it should initiate the connection and the second one should listen for it. Does WireGuard do that?
From your words I suppose on 6.48.3 there isn't any other way..
First, there is no WireGuard on 6.48.3, nor on any other 6.x; WireGuard is a 7.x thing in RouterOS, and 7.x is in the Release Candidate phase.

Second, yes, WireGuard, L2TP/IPsec or bare IPsec, as well as SSTP, are all capable of acting as initiators running on a private IP behind a NAT, connecting to a responder on a public IP.

The volume of keepalive traffic is not negligible:
  • SSTP exchanges a total of 731 bytes in 6 packets every minute, i.e. 32 MByte per month
  • bare IPsec exchanges a total of 973 bytes in 10 packets every minute, i.e. 42 MByte per month
  • L2TP/IPsec will send more than bare IPsec, as there are the PPP keepalives in addition to the IPsec ones
  • WireGuard sends 74-byte keepalive packets as frequently as you ask it to, in one direction only, and every two to three minutes there's an additional two-packet exchange of 224 bytes, so it's by far the least verbose one.
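A RouterOS v7 configuration sketch for the setup discussed in this thread, added here as an example and not taken from any poster: a WireGuard tunnel initiated from the 3G router (behind carrier NAT) towards the router with the public IP, carrying only Winbox, the camera and the ESP web servers while both sides keep their own default route, and showing how GiovanniG's dst-nat and src-nat combine on the public router. It reuses the thread's addresses (192.168.88.x, 192.168.1.x, 172.16.1.0/30); the key placeholders, UDP port 13231, the hub address 203.0.113.10 and the assumption that the ESP web server listens on port 80 are assumptions of this example.

```routeros
# --- Hub: router with the public IP (LAN 192.168.1.0/24, tunnel address 172.16.1.1) ---
/interface wireguard add name=wg-mgmt listen-port=13231 private-key="HUB_PRIVATE_KEY_PLACEHOLDER"
/ip address add address=172.16.1.1/30 interface=wg-mgmt
# Peer = the 3G router. No endpoint here: it sits behind carrier NAT and must initiate.
/interface wireguard peers add interface=wg-mgmt public-key="SPOKE_PUBLIC_KEY_PLACEHOLDER" \
    allowed-address=172.16.1.2/32,192.168.88.0/24
/ip route add dst-address=192.168.88.0/24 gateway=wg-mgmt
# Only the WireGuard UDP port is exposed on the public side.
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept \
    comment="WireGuard handshake/keepalive from the 3G router"
# Publish the three services on the hub's address (thread plan: 8291, 80, 81; ESP assumed on port 80).
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8291 action=dst-nat to-addresses=192.168.88.1
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.2
/ip firewall nat add chain=dstnat protocol=tcp dst-port=81 action=dst-nat to-addresses=192.168.88.3 to-ports=80
# dst-nat and src-nat combine by living in their own chains. Without this masquerade the camera
# would answer the internet source address via its 3G default route instead of via the tunnel.
/ip firewall nat add chain=srcnat out-interface=wg-mgmt action=masquerade

# --- Spoke: 3G router (LAN 192.168.88.0/24, tunnel address 172.16.1.2) ---
/interface wireguard add name=wg-mgmt listen-port=13231 private-key="SPOKE_PRIVATE_KEY_PLACEHOLDER"
/ip address add address=172.16.1.2/30 interface=wg-mgmt
# Initiator: endpoint is the hub's public IP (203.0.113.10 is a documentation placeholder).
# persistent-keepalive keeps the carrier NAT mapping open; 25 s = one 74-byte packet every 25 s.
/interface wireguard peers add interface=wg-mgmt public-key="HUB_PUBLIC_KEY_PLACEHOLDER" \
    endpoint-address=203.0.113.10 endpoint-port=13231 \
    allowed-address=172.16.1.0/30,192.168.1.0/24 persistent-keepalive=25s
# Only the hub's LAN is routed through the tunnel; the default route stays on the 3G uplink.
/ip route add dst-address=192.168.1.0/24 gateway=wg-mgmt
# Allow just the three management services in from the tunnel, then drop the rest. Insert these
# before any generic drop rules of the default firewall (use place-before=), or they never match.
/ip firewall filter add chain=input in-interface=wg-mgmt protocol=tcp dst-port=8291 action=accept
/ip firewall filter add chain=forward in-interface=wg-mgmt protocol=tcp dst-address=192.168.88.2 dst-port=80 action=accept
/ip firewall filter add chain=forward in-interface=wg-mgmt protocol=tcp dst-address=192.168.88.3 dst-port=80 action=accept
/ip firewall filter add chain=input in-interface=wg-mgmt action=drop
/ip firewall filter add chain=forward in-interface=wg-mgmt action=drop
```

With persistent-keepalive=25s the spoke sends one 74-byte packet every 25 s, which on sindy's figures is about 7.7 MByte per month plus the periodic 224-byte exchanges; lengthen the interval only as far as the carrier's NAT timeout allows.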
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: router behind firewall, use vpn only to manage it

Sat Oct 09, 2021 4:52 pm

That is amazing information, Sindy; good pickup on the user's 3G limitations.
In terms of SSTP, this site provides a free service, with the hope you will pay for more, but it's easy and good enough for most non-critical situations.
https://www.remotewinbox.com/auth/blog/ ... he%20world.

(not affiliated with them in any way)
 
holvoetn
Forum Guru
Posts: 5474
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: router behind firewall, use vpn only to manage it

Sat Oct 09, 2021 5:03 pm

That is amazing information, Sindy; good pickup on the user's 3G limitations.
Indeed, very well spotted!
It's the reason why I changed from L2TP/IPsec to SSTP and ultimately to WireGuard for my SXT setup.
