stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

forward public ip via wireguard to homeserver

Tue Feb 01, 2022 10:28 am

Hi!
I try to forward the second public IP from my online server to my home server. In fact I think I'm only missing little things. Maybe someone could route me the right way ;)

Here is a sketch of what i have in mind:
Image

The online server runs Ubuntu 21.04 as WireGuard server. WireGuard runs perfectly. I could access every device in my home via VPN.

I ordered a second IP for my server but did not attach it to it. I route it over WireGuard to my MikroTik router at home:
ip route add 8.3.2.1/32 via 10.1.1.2 dev wg0main
The home server got the public IP (8.3.2.1/32) as second IP on eth0.

Now the additional MikroTik configuration, where I think I made a mistake:
/routing table
add fib name=""
add disabled=no fib name=vpn
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    new-connection-mark=vpn-conn passthrough=no src-address=10.1.1.1
add action=mark-routing chain=prerouting connection-mark=vpn-lima-conn \
    new-routing-mark=vpn passthrough=yes
add action=mark-routing chain=output connection-mark=vpn-conn \
    new-routing-mark=vpn passthrough=yes
    
/ip route
add disabled=no distance=1 dst-address=8.3.2.1/32 gateway=192.168.123.10 \
    pref-src=0.0.0.0 routing-table=vpn scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0main pref-src=\
    0.0.0.0 routing-table=vpn scope=30 suppress-hw-offload=no \
    target-scope=10
For testing I disabled the default firewall rules. I hope I wrote down everything you need.
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: forward public ip via wireguard to homeserver

Tue Feb 01, 2022 11:03 am

The online server runs Ubuntu 21.04 as WireGuard server. WireGuard runs perfectly. I could access every device in my home via VPN.

I ordered a second IP for my server but did not attach it to it. I route it over WireGuard to my MikroTik router at home:
ip route add 8.3.2.1/32 via 10.1.1.2 dev wg0main
The home server got the public IP (8.3.2.1/32) as second IP on eth0.
I actually don't think that is going to work the way you described.
IMHO you need to attach the second IP to your online server, then in your MT router use this as a default gateway for clients, if need be.
In your MT create a routing mark/table and set the default GW via the existing wg-link to your online-server and force all desired clients / destination addresses via that marked default route.
 
stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

Re: forward public ip via wireguard to homeserver

Tue Feb 01, 2022 11:26 am

I think I forgot to tell that I can connect to my MT by using the online IP. And I could see the ping on MT as incoming packets with the vpn-conn mark. But at this point I don't know how to debug and solve the rest.
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: forward public ip via wireguard to homeserver

Tue Feb 01, 2022 11:58 am

...well, OK...but then you DID attach the IP to the online server ... the provider of that server will not allow/route that IP to a location outside of the infrastructure segment the online server sits in.
Maybe I misinterpreted the way you described it.

Seems like you are missing the route back to your online server (which physically holds the new IP).
I am still not convinced that your home MT should be allocated with that public IP.

This is the way I am using a similar setup (my online server is a MT CHR, but the basics still apply)

Home-MT (LAN 192.168.0.1 / wg0 10.255.1.2) - local ISP (public IP Y.Y.Y.Y) - online CHR (public IP X.X.X.X / local 192.168.255.254/32, wg0 10.255.1.1)

In Home-MT I have a simple route to the internal IP of the CHR: route add 192.168.255.254/32 gw 10.255.1.1 -> reachable via wg0
In CHR I have a default route to its public IP (I only have one public IP, but you could use a dedicated, second route to the second IP)
On the Home MT I force all clients in a dedicated address list that are not communicating internally in LANs to use the CHR IP as gateway:

/ip/firewall/mangle: chain=prerouting action=route passthrough=yes route-dst=192.168.255.254 src-address-list=IPsviaCHR dst-address-list=!VLANs

...works like a charm
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: forward public ip via wireguard to homeserver

Tue Feb 01, 2022 2:45 pm

It seems too complicated, you can use static config:
/routing table
add name=vpn fib
/ip route
add dst-address=8.3.2.1/32 gateway=192.168.123.10
add dst-address=0.0.0.0/0 gateway=wg0main routing-table=vpn
/routing rule
add src-address=8.3.2.1/32 action=lookup-only-in-table table=vpn
 
stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

Re: forward public ip via wireguard to homeserver

Tue Feb 01, 2022 7:05 pm

Thx man! That solved my problem. Do you have some firewall rules to secure my LAN but let everything through to the home server?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 12:02 am

You can get some ideas here:

viewtopic.php?t=180838

Basically allow established & related & untracked, drop invalid, allow everything else that should work, unconditionally block the rest. Simple, clean, manageable. In case you don't want RB touching server's traffic at all (if you have good firewall there), you can use raw table and mark all traffic to and from 8.3.2.1 as untracked.
 
stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 8:53 am

Okay... I made a mistake yesterday when testing and did not test from outside. The error happened logically: the DNS returned the public IP and it was routed directly internally to the server. Are you sure that the public IP has to be attached to the interface on the public server? Because when I ping or traceroute on that server it stays on itself.
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 10:00 am

Are you sure that the public IP has to be attached to the interface on the public server?
Yes, I am sure. IPs are not a floating element that you can take with you across the globe. The IP is managed by the hosting provider of your online server and only allocated, as a single IP, to you/your online server, but it is part of a network segment which is routed exclusively to that provider (because it is registered with that provider).
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 11:46 am

In case you want some response from me, try different wording, because I'm not sure if I understood the question. If it's about where 8.3.2.1 should be, then the answer is only on your internal server. The public one (from where you forward it) must not have it assigned, but it must know about it, if it wasn't routed to you but you got it as another address that you're supposed to assign to that server. If that's the case, you need to use proxy ARP, so that to the ISP it appears reachable.
 
stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 12:08 pm

...well, OK...but then you DID attach the IP to the online server ... the provider of that server will not allow/route that IP to a location outside of the infrastructure segment the online server sits in.
Maybe I misinterpreted the way you described it.

Seems like you are missing the route back to your online server (which physically holds the new IP).
I am still not convinced that your home MT should be allocated with that public IP.

This is the way I am using a similar setup (my online server is a MT CHR, but the basics still apply)

Home-MT (LAN 192.168.0.1 / wg0 10.255.1.2) - local ISP (public IP Y.Y.Y.Y) - online CHR (public IP X.X.X.X / local 192.168.255.254/32, wg0 10.255.1.1)

In Home-MT I have a simple route to the internal IP of the CHR: route add 192.168.255.254/32 gw 10.255.1.1 -> reachable via wg0
In CHR I have a default route to its public IP (I only have one public IP, but you could use a dedicated, second route to the second IP)
On the Home MT I force all clients in a dedicated address list that are not communicating internally in LANs to use the CHR IP as gateway:

/ip/firewall/mangle: chain=prerouting action=route passthrough=yes route-dst=192.168.255.254 src-address-list=IPsviaCHR dst-address-list=!VLANs

...works like a charm
Okay, I try this method. For my understanding:

You have one static route from the second external IP via WG to your MT
- in MT a static route with SrcIP (local IP from OnlineServer) to LocalServer
- define an address list with all internal addresses from your LAN
- set the mangle (this I do not really understand, because route-dst and src-address-list are the same server?)
- on OnlineServer route from internal IP to second external IP

Do I understand you right? Thanks for your help!
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 4:59 pm

Do I understand you right? Thanks for your help!
...here is a picture of how my setup looks:

Image

...basically,
I do have my home-MT (RB4011) and my Cloud-MT (CHR) connected via wireguard link (actually I have dual link/dual WAN with switchover between cable and LTE, but I deleted that part for simplicity in my pic)
The cloud-CHR has a public IP and a non-public IP.
I enabled a route from my home MT to the non-public IP of the CHR.
Now, when I use this non-public IP (192.168.255.254) as gateway, the CHR will choose its own public IP (via its own local default route) to reach out to the internet.
With a mangle rule, I force traffic with destination NOT-equal-to-internal networks to use the CHR-non-public-IP as gateway.
The reason I exclude internal destination-IPs in the mangle rule is, of course that my local communications need to stay local.
In the same rule I limit the src-ip to the IP of my local VOIP server (but it can be a list of clients-IPs/networks).
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 10:14 pm

Hominidae, that's awesome. The part I don't get, besides all the explanation after the picture, is the cloud and CHR?
Do you mean that you have rented server space in the cloud and put CHR on it?? The mechanics of this escape me, and does it have a public IP??
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 10:58 pm

I don't see how it routes the second public address to the internal server, as OP wanted; it looks just like NAT.
 
stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 11:07 pm

Hi Hominidae, thanks for the graphic! Like Sob, unfortunately I do not see how the IP gets to the home server.

Or is the solution not good in terms of performance? Is NAT transferring all traffic from online to offline in your solution?
 
stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 11:14 pm

In case you want some response from me, try different wording, because I'm not sure if I understood the question. If it's about where 8.3.2.1 should be, then answer is only on your internal server. The public one (from where you forward it) must not have it assigned, but it must know about it, if it wasn't routed to you, but you got at as another address that you're supposed to assign to that server. If that's the case, you need to use proxy ARP, so that to ISP it appears reachable.
Oh sorry, I read over your reply. Okay, if I understand correctly I have to use proxy ARP then. Because the server provider from which I get the IP gave me the instruction to create the IP on the server to use it with the server.


Maybe you can tell me which solution is best.

I thought until now it was the best solution to have the IP on my HomeServer directly. But in principle, I just want to direct all the traffic that arrives on the 8.3.2.1 to my HomeServer. If you know a better solution, I will gladly accept it.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: forward public ip via wireguard to homeserver

Wed Feb 02, 2022 11:37 pm

It depends. If you want it for something like a webserver, then it shouldn't matter, both will make incoming connections work, you can see original source addresses of clients, no problem at all. If you want to play with something like IPSec, which sees the difference, then the forwarded address may be better. As for configuration, the difference between the two is minimal.

On local router, common for both (in addition to WG tunnel):
/routing table
add name=vpn fib
/ip route
add dst-address=0.0.0.0/0 gateway=wg0main routing-table=vpn
/routing rule
add dst-address=192.168.123.0/24 action=lookup-only-in-table table=main
a) for forwarded address:
/ip route
add dst-address=8.3.2.1/32 gateway=192.168.123.10
/routing rule
add src-address=8.3.2.1/32 action=lookup-only-in-table table=vpn
b) for dstnat:
/routing rule
add src-address=192.168.123.10/32 action=lookup-only-in-table table=vpn
And on the remote server (as RouterOS commands, but Linux can do it too, only I don't remember it off the top of my head):

a) for forwarded address:
/ip arp
add interface=<WAN> address=8.3.2.1 published=yes
/ip route
add dst-address=8.3.2.1 gateway=10.1.1.X # whatever is at local router
b) for dstnat:
/ip address
add interface=<WAN> address=8.3.2.1
/ip firewall nat
add chain=dstnat dst-address=8.3.2.1 action=dst-nat to-addresses=192.168.123.10
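The Linux equivalent of the two remote-server variants above, as an added example that is not code from the thread or from either poster: it assumes the thread's values (WireGuard interface wg0main, home router tunnel address 10.1.1.2, forwarded address 8.3.2.1, home server 192.168.123.10) and a placeholder WAN interface name eth0.

```shell
#!/bin/sh
# Linux counterpart of the two RouterOS variants for the remote (VPN) server.
# Added illustration, not commands from the thread. Assumed values from the
# thread: wg0main, peer 10.1.1.2, forwarded address 8.3.2.1, home server
# 192.168.123.10; the WAN interface name is a placeholder. DRY_RUN=1 prints
# the commands instead of running them (the real run needs root).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# a) forwarded address: the server does NOT own 8.3.2.1. It answers ARP for it
#    on the WAN side (proxy ARP entry) and routes it into the tunnel. The peer
#    entry for the home router must also list 8.3.2.1/32 in AllowedIPs, or
#    WireGuard silently discards packets for that address.
forwarded_address_setup() {
    wan="$1"; wg_if="$2"; wg_peer="$3"; pub_ip="$4"
    run sysctl -w net.ipv4.ip_forward=1
    # iproute2 form of the net-tools "arp -Ds ADDR DEV pub" used in the thread
    run ip neigh add proxy "$pub_ip" dev "$wan"
    run ip route replace "$pub_ip/32" via "$wg_peer" dev "$wg_if"
}

# b) dst-nat: the server DOES own 8.3.2.1 and rewrites inbound destinations to
#    the home server; conntrack undoes the rewrite on replies returning through
#    the tunnel, so the server still needs its route to 192.168.123.0/24 via wg0main.
dstnat_setup() {
    wan="$1"; pub_ip="$2"; home_srv="$3"
    run sysctl -w net.ipv4.ip_forward=1
    run ip addr add "$pub_ip/32" dev "$wan"
    run iptables -t nat -A PREROUTING -d "$pub_ip" -j DNAT --to-destination "$home_srv"
    # FORWARD must let the rewritten traffic through (policy ACCEPT in the
    # thread, but an explicit rule survives a later tightening of the policy)
    run iptables -A FORWARD -d "$home_srv" -j ACCEPT
}

# Check that a peer's AllowedIPs cover the forwarded address. Pass the output
# of "wg show wg0main allowed-ips" as the second argument.
allowed_ips_cover() {
    pub_ip="$1"; allowed_text="$2"
    printf '%s\n' "$allowed_text" | grep -qFw "$pub_ip/32"
}
```

Pick one variant only; with both applied at once the server owns the address and also routes it away, which is exactly the conflict the thread describes.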
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: forward public ip via wireguard to homeserver

Thu Feb 03, 2022 12:52 am

Do you mean that you have rented server space on the cloud and put CHR on it?? The mechanics of this escape me and does it have a public IP??
Yes, I have a CHR on a VPS server....of course it has a public IP space.
My use-case is a bit different than that of the OP.
Both my local WANs have a dynamic IP, the IP space on the CHR is fixed.
I am forcing my voip-server to use the CHR as internet gateway, hence keeping the connection to my voip-provider with a fixed IP, regardless of which local WAN (and dynamic IP) is active.
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: forward public ip via wireguard to homeserver

Thu Feb 03, 2022 12:56 am

I don't see how it routes the second public address to the internal server, as OP wanted; it looks just like NAT.
Yes, basically that's true in my case. However, OP stated that the inbound route had been solved but the outbound path was still missing.
Maybe I misunderstood the term of forwarding a public IP in that sense?
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: forward public ip via wireguard to homeserver

Thu Feb 03, 2022 1:10 am

Hi Hominidae, thanks for the graphic! Like Sob, unfortunately I do not see how the IP gets to the home server.

Or is the solution not good in terms of performance? Is NAT transferring all traffic from online to offline in your solution?
...don't understand what you mean by online/offline.
The forwarding part from CHR to home-server is not in the pic, as you stated earlier that this is already done/working. I'd gathered that the route back wasn't working for you.
You could easily forward all inbound traffic arriving at the CHR public IP to your local server with a dst-nat rule (in my example to my voip server 192.168.50.5)
But as @sob also stated, this way the public IP used will stay / originate from the CHR which is maybe not good enough in your use case?
 
stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

Re: forward public ip via wireguard to homeserver

Fri Feb 04, 2022 12:23 am

Hey Guys!
I chose the way to forward the address.
...don't understand what you mean by online/offline.
Sorry for that confusing wording. With online the VPN server was meant and with offline the home server, only as a short clarification.

I think most is now on the right track, but I think something is wrong and I want to understand what the problem is.
And on remote server (as RouterOS commands, but Linux can do it too, only I don't remember it from top of my head):

a) for forwarded address:

/ip arp
add interface=<WAN> address=8.3.2.1 published=yes
/ip route
add dst-address=8.3.2.1 gateway=10.1.1.X # whatever is at local router
For proxy ARP and the route I use the following Linux commands:
arp -i eth0 -sD 8.3.2.1 eth0 pub
ip route add 8.3.2.1/32 via 10.1.1.2 dev wg0main

To check the proxy ARP I run the following command:
sudo tcpdump -n -i eth0 -e arp
As answer I got the same MAC address for both public IPs. The second IP is only assigned to the home server.

So what's going on, in my opinion:
If I ping from my VPN server my domain that is attached to 8.3.2.1, or that IP directly, I get an answer.
If I do the same on my LAN I get an answer.
But if I do this from the public internet I get no answer and I do not see the ping or request on my router.
But if I traceroute the public IP from a public place the last hop is the first IP of my VPN server. So I think the way is right but my VPN does not route the request over WireGuard.

So I rechecked if the IP route from 8.3.2.1 to wg0main is there, and it is... have you any ideas how I can troubleshoot this?

Thank you for helping me!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: forward public ip via wireguard to homeserver

Fri Feb 04, 2022 1:27 pm

Step by step, you know how packets should pass through server, router, etc, so watch how far they get and you'll find where the problem is. Packet sniffer is your friend. Does the VPN server have forwarding enabled?
cat /proc/sys/net/ipv4/conf/all/forwarding
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: forward public ip via wireguard to homeserver

Fri Feb 04, 2022 1:33 pm

I could access every device via vpn in my home.
But if I traceroute the public IP from a public place the last hop is the first IP of my VPN server. So I think the way is right but my VPN does not route the request over WireGuard.

So I rechecked if the IP route from 8.3.2.1 to wg0main is there, and it is... have you any ideas how I can troubleshoot this?
So if your first statement is true, my first guess is that your access-list (Allowed Address) on the wg-interfaces is to blame?
 
stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

Re: forward public ip via wireguard to homeserver

Tue Feb 08, 2022 12:08 am

Step by step, you know how packets should pass through server, router, etc, so watch how far they get and you'll find where the problem is. Packet sniffer is your friend. Does the VPN server have forwarding enabled?
cat /proc/sys/net/ipv4/conf/all/forwarding
I got 1 back, so it is enabled.

So if your first statement is true, my first guess is that your access-list (Allowed Address) on the wg-interfaces is to blame?
On the VPN server under access-list is the home subnet (192.168.123.0/24) and the public IP (8.3.2.1/32). That is enough, I think?

I tested a few things and everything seems to work from the VPN server. But from a public IP the route seems to end at the first public IP of the VPN server.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: forward public ip via wireguard to homeserver

Tue Feb 08, 2022 1:34 am

Another thing is the firewall on the server; check "iptables -L" and chain FORWARD.
 
stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

Re: forward public ip via wireguard to homeserver

Tue Feb 08, 2022 9:12 am

I do the firewall last, so that can't be a source of error. Until then, I turn off the VPN as long as I am not testing.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: forward public ip via wireguard to homeserver

Tue Feb 08, 2022 1:44 pm

Probably unlikely (you'd know if you added something), but NAT could also affect it (iptables -t nat -L). Otherwise you've already shown that you know tcpdump, so try that again, keep e.g. ping running and watch for its icmp packets, first on WAN, then on WG interface. If they come and don't leave, something on the router must be eating them, and there aren't too many things that can do that.
 
stikkx
just joined
Topic Author
Posts: 15
Joined: Wed Mar 11, 2020 9:40 am

Re: forward public ip via wireguard to homeserver

Wed Feb 09, 2022 11:15 am

Thanks a lot to both of you for the effort to help me. I will configure it again from scratch and try to debug.
