Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Public IP over a tunnel ( SOLVED )

Tue May 08, 2018 1:57 pm

Hello everybody! I have got a Mikrotik CHR with 2 public IP addresses. I would like to assign one of the IP addresses to my server.
My server is at home, so I would need a tunnel that is capable of this thing. So is there any solution for this?

Thank you very much for any help!
Last edited by Trackboy on Wed May 16, 2018 1:32 pm, edited 2 times in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel

Wed May 09, 2018 1:03 am

There are different ways, it depends on exact details what's best for you.

One example, let's say you got x.x.x.10/24 and x.x.x.11/24, with x.x.x.1 being ISP's gateway (i.e. ISP expects both addresses connected to their network, not routed somewhere else). You want to route .11 to your server. Simple example:
/ppp secret
add local-address=<some random address not used anywhere else> name=<username> password=<password> remote-address=x.x.x.11
/interface l2tp-server server
set ipsec-secret=<secret> use-ipsec=yes
From home server, connect using VPN to x.x.x.10 and let it use VPN as default gateway. This is enough for home server to get public address and use it as default. To make it visible for ISP where router is connected, use proxy ARP:
/ip arp
add address=x.x.x.11 interface=<WAN> published=yes
Then adjust firewall to allow traffic to/from this address and that's all.

Or you can make a tunnel between CHR and home router, instead of directly to server. It would require a little bit advanced config, but nothing too complicated either.
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel

Wed May 09, 2018 7:46 am

I would rather make a tunnel between them, and I would like to assign the IP to the server statically.
Maybe an EoIP tunnel would be good for this?
 
sri2007
Member Candidate
Posts: 205
Joined: Wed May 20, 2015 10:14 pm
Location: Lake Grove, NY

Re: Public IP over a tunnel

Wed May 09, 2018 5:50 pm

If your server is at home, and you really want to use a public IP configured at the CHR, then I suggest an EoIP or GRE tunnel between your CHR and a home router. If not, then the L2TP VPN may work with private addressing, and then you'll need to do some dst-nat / src-nat rules at the CHR.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel

Wed May 09, 2018 6:06 pm

It's possible too, same principle, make a tunnel, route the IP to server and make it visible on CHR's side with proxy ARP.

Only difference for tunnel terminated on home router will be traffic from server to internet, you'll need to make sure that it goes back via tunnel and won't use home router's default gateway. It can be done e.g. like this:
/ip route
add dst-address=0.0.0.0/0 gateway=<IP on CHR's end of tunnel> routing-mark=vpn
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn src-address=<server's public IP>
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel

Thu May 10, 2018 10:20 am

Thank you very much for the help, I will give it a try : )
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel

Sun May 13, 2018 2:30 pm

I made a GRE tunnel between the 951G and CHR. The tunnel is working. I added the routing mark too.
I added the public IP to my server statically. But it does not work. I cannot find the proxy ARP feature in the GRE interface.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel

Sun May 13, 2018 4:27 pm

You don't need it there, only on CHR, on interface connected to ISP. Try to describe in more detail what you did.
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel

Sun May 13, 2018 8:28 pm

I made an encrypted GRE tunnel with the IPsec secret feature. 172.16.1.0/30 is the GRE tunnel IP range.
On the CHR I added a 10.10.100.0/24 route, this is behind the 951G. That's it.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel

Sun May 13, 2018 9:32 pm

Check again my first reply. Do you get addresses from ISP as described? If so, then do not assign the other address (the one you want for server) to CHR. Add the route and arp entry and the address should be routed towards your server via tunnel. You can check with Tools->Torch on tunnel interface. If it doesn't go there, check firewall on CHR. If it does, check on home RB that packets arrive, pass through router and go to server. Then check what happens with replies, if server sends anything and if it goes back correctly via tunnel.
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel

Mon May 14, 2018 11:50 am

So I have got a GRE tunnel that is working fine between the CHR and home Mikrotik.
On the CHR there is only one ether1 interface with 2 public IP addresses: 217.144.X.X/24, of course they are from the same range.
I added only 217.144.X.119/24 to ether1.
Mikrotik GRE interface IP address: 172.16.1.1/30
CHR GRE interface IP address: 172.16.1.2/30

You mentioned one thing, proxy ARP on the CHR side. I set up the ether1 interface to proxy-arp.
I added the public IP statically on the target server but I cannot ping anything.
The static IP configuration on server side:
IP address: 217.144.X.108/24
GW: 217.144.X.254
DNS: 8.8.8.8,8.8.4.4

I am not an expert btw, so please be patient : )
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel

Mon May 14, 2018 3:34 pm

You have different options.

One way is pretty straightforward, make server really part of CHR's network, by bridging CHR's WAN with tunnel and on home side tunnel with interface dedicated for server. Then everything would behave as if the server was connected in same place as CHR. But you'd also get all unneeded broadcasts and stuff, so you probably don't want that.

What I meant was slightly "lighter" approach, only route a single address to your server. You don't need to enable proxy ARP on CHR's WAN interface, just the manual entry in /ip arp with published=yes is enough. And then on server side, don't configure /24, only use /32 address. You can either route it from home router to server's LAN address, assign it to some loopback interface on server and specifically tell network services to use it. Or you can use it as point-to-point address and then it will be used as default.

I can't test it right now and I don't want to forget anything, so I'll give you exact config later.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel

Mon May 14, 2018 5:52 pm

Ok, I tested it and this works:

CHR:
/interface ipip
add allow-fast-path=no ipsec-secret=<secret> local-address=217.144.x.119 name=ipip-tunnel remote-address=<home router>
/ip address
add address=217.144.x.119/24 interface=<WAN>
add address=172.16.1.2/30 interface=ipip-tunnel
/ip arp
add address=217.144.x.108 interface=<WAN> published=yes
/ip route
add dst-address=217.144.x.108/32 gateway=172.16.1.1
Home router:
/interface ipip
add allow-fast-path=no ipsec-secret=<secret> local-address=<home router> name=ipip-tunnel remote-address=217.144.x.119
/ip address
add address=172.16.1.1/30 interface=ipip-tunnel
add address=192.168.x.x/32 interface=<LAN> network=217.144.x.108
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=217.144.x.108 in-interface=ipip-tunnel new-connection-mark=server-public passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=server-public passthrough=yes src-address=217.144.x.108
add action=mark-routing chain=prerouting connection-mark=server-public in-interface=<LAN> new-routing-mark=to-chr passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.2 routing-mark=to-chr
Server config:
IP address: 217.144.X.108/32 (mask 255.255.255.255)
GW: 192.168.x.x

The 192.168.x.x can be either same address as assigned to router's LAN interface (if server is connected there), or some other address, it doesn't really matter (only that the same address is used on router and as gateway on server).

Server configuration depends on used OS. In Windows, it would be as written above. For Linux it depends on used distribution (they all seem to have different ways how to configure network), but manual config can be done using:
ip addr add 217.144.x.108 peer 192.168.x.x dev <interface>
ip route add default via 192.168.x.x
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel

Tue May 15, 2018 9:36 pm

It should work with GRE too?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel

Tue May 15, 2018 10:30 pm

Yes.
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel

Wed May 16, 2018 12:20 pm

I tried with an IPIP tunnel, it is working very well. Thank you very much for your help and your patience : ) This is really helpful and valuable for me.
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel ( SOLVED )

Fri May 18, 2018 10:42 pm

One more question. I have got a PPPoE connection with dynamic IP. I tried the tunnel with this connection. The speed was around 2-3 Mbit/sec. The ping is perfect and I do not have packet loss.
Maybe I have got an MTU issue, and I would need to change it with the mangle. I have got another connection with static IP, that is working perfectly.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel ( SOLVED )

Mon May 21, 2018 2:01 am

Both IPIP and GRE tunnels have MTU option and "Clamp TCP MSS" enabled by default. If you lower MTU on both ends, it should work even without manual mangle rules.
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel ( SOLVED )

Mon May 21, 2018 1:43 pm

My PPPoE connection now shows 1480 MTU and MRU. I set this value on both sides in the IPIP configuration. But the problem is the same.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel ( SOLVED )

Mon May 21, 2018 3:39 pm

I don't know exact sizes from top of my head, but I've seen some online calculators, or you can start lower and use trial & error. If main connection has 1480, the tunnel will need a little less.
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel ( SOLVED )

Thu May 24, 2018 7:57 am

I tried several MTUs so far, but the problem is the same. If I want to ping a host that is working fine, there is no packet loss. On speedtest.net I get 100/100 Mbit/sec.
So the web browsing is very slow.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Public IP over a tunnel ( SOLVED )

Tue Jun 05, 2018 8:58 am

If you search my old posts you'll find some in-depth ones on MTU with screenshot examples of packet captures.

TLDR; if your PPPoE connection is 1480 then you'll want your tunnel MTU to be 1480 - the tunnel's overhead. The protocol (IPIP, GRE, IPSec transport vs tunnel) will determine exactly how much smaller. It's a safe bet to set it to 1280, the minimum MTU of IPv6, and test. There are calculators to help with calculating the ideal MTU, but you'll find when crypto is added it becomes more difficult to determine a specific MTU because of the additional variables you need to account for.

Also, TCP MSS clamping is and should be unnecessary if MTU is set correctly and the necessary ICMP v4 and v6 messages are allowed. If you rely on it, know it's only doctoring TCP packets and no other protocol.
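
Added example, not part of any post in this thread: the "link MTU minus tunnel overhead" arithmetic described above, carried through in Python for the 1480-byte PPPoE link. It assumes ESP in transport mode around the IPIP or GRE packet; the cipher suites listed are illustrative assumptions, to be replaced with whatever the two routers actually negotiate, and the function names are hypothetical.

```python
"""Tunnel MTU arithmetic for IPIP/GRE, optionally protected by ESP (transport mode)."""
from dataclasses import dataclass

IPV4_HEADER = 20  # outer IPv4 header, no options
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad-length (1) + next-header (1), encrypted with the payload
NAT_T_UDP = 8     # extra UDP header when ESP is carried in UDP (NAT traversal)

# Bytes the tunnel protocol adds between the outer IP header and the inner packet.
ENCAP_HEADER = {"ipip": 0, "gre": 4}


@dataclass(frozen=True)
class EspSuite:
    iv: int     # per-packet IV sent in the clear
    align: int  # payload + trailer is padded to a multiple of this
    icv: int    # integrity check value appended to the packet


# Illustrative suites (assumptions, not taken from the thread).
SUITES = {
    "aes-cbc/sha1": EspSuite(iv=16, align=16, icv=12),
    "aes-cbc/sha256": EspSuite(iv=16, align=16, icv=16),
    "aes-gcm": EspSuite(iv=8, align=4, icv=16),
}


def tunnel_mtu(link_mtu, encap, suite=None, nat_t=False):
    """Largest inner IPv4 packet that fits in one unfragmented outer packet."""
    room = link_mtu - IPV4_HEADER
    if suite is not None:
        esp = SUITES[suite]
        if nat_t:
            room -= NAT_T_UDP
        room -= ESP_HEADER + esp.iv + esp.icv
        room -= room % esp.align  # ciphertext is a whole number of blocks
        room -= ESP_TRAILER
    return room - ENCAP_HEADER[encap]


def outer_size(inner_len, encap, suite=None, nat_t=False):
    """Size on the wire of the outer packet carrying inner_len bytes."""
    payload = ENCAP_HEADER[encap] + inner_len
    if suite is None:
        return IPV4_HEADER + payload
    esp = SUITES[suite]
    padded = -(-(payload + ESP_TRAILER) // esp.align) * esp.align  # round up
    udp = NAT_T_UDP if nat_t else 0
    return IPV4_HEADER + udp + ESP_HEADER + esp.iv + padded + esp.icv


def tcp_mss(mtu):
    """MSS for IPv4 TCP without options: MTU minus IP (20) and TCP (20) headers."""
    return mtu - 40


if __name__ == "__main__":
    LINK = 1480  # PPPoE MTU reported in the thread
    for encap in ("ipip", "gre"):
        for suite in (None, *SUITES):
            for nat_t in ((False,) if suite is None else (False, True)):
                mtu = tunnel_mtu(LINK, encap, suite, nat_t)
                # One byte more than the computed MTU must overflow the link.
                assert outer_size(mtu, encap, suite, nat_t) <= LINK
                assert outer_size(mtu + 1, encap, suite, nat_t) > LINK
                print(f"{encap:4} {suite or 'no ipsec':14} nat-t={nat_t!s:5} "
                      f"mtu={mtu} mss={tcp_mss(mtu)}")
```

Because of block padding, one extra inner byte can grow the outer packet by a whole cipher block, which is why a value only slightly too high already fragments. Every result for a 1480-byte link is above the 1280 suggested as a safe starting point.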
 
Trackboy
Member Candidate
Topic Author
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Public IP over a tunnel ( SOLVED )

Mon Jul 02, 2018 11:06 am

I tried a lot of MTUs, but I could not find the proper value. I tried the L2TP/IPSec solution and that is working fine and assigns the public IP.
 
majestic
Frequent Visitor
Posts: 90
Joined: Mon Dec 05, 2016 11:19 am

Re: Public IP over a tunnel ( SOLVED )

Sat Sep 15, 2018 1:29 pm

Hi Guys,

Just wanted to chime in here, this works absolutely awesome and thank you so much @Sob for taking the time to share your solution.

I am using a Hetzner Cloud VPS and I've found using a single vCPU, you can get around 400MBits, which ain't bad at all. Adding an additional CPU produces around 800MBits. It seems to be CPU limited due to encryption so I'm looking at tweaking it a bit and see if can get a bit more out of it. All in all tho, really amazing thank you.

Here's my config for Hetzner if anyone's interested, it's slightly different (very very slight) due to Hetzner's routing/dhcp stuff.

KEY
94.xxx.xxx.150 - Local IP address of Hetzner Cloud VPS (local being what they provide you)
46.xxx.xxx.162 - IP address of endpoint (where you want the IP's to work on)
172.30.4.1/32 - My local/LAN IP of my gateway on the network you want to use this on.

.. rest can be changed to what you like, I just used what he suggested to keep it simple for testing.

CHR Gateway (The side you buy/have the IP's you want to use, Hetzner Cloud VPS in my case)
/interface ipip
add allow-fast-path=no ipsec-secret=*********** local-address=94.xxx.xxx.150 name=ipip-tunnel remote-address=46.xxx.xxx.162
/ip address
add address=172.16.1.2/30 interface=ipip-tunnel
/ip arp
add address=195.xxx.xxx.6 interface=ether1-gateway published=yes
/ip route
add dst-address=195.xxx.xxx.6/32 gateway=172.16.1.1
Destination Side (The side you want to use the IP's)
/interface ipip
add allow-fast-path=no ipsec-secret=************ local-address=46.xxx.xxx.162 name=ipip-tunnel remote-address=94.xxx.xxx.150
/ip address
add address=172.16.1.1/30 interface=ipip-tunnel
add address=172.30.4.1/32 interface=ether2-master network=195.xxx.xxx.6
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=195.xxx.xxx.6  in-interface=ipip-tunnel new-connection-mark=server-public passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=server-public passthrough=yes src-address=195.xxx.xxx.6
add action=mark-routing chain=prerouting connection-mark=server-public in-interface=ether2-master new-routing-mark=to-chr passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.2 routing-mark=to-chr
On the server that I wanted the IP on which is on the destination network, I just used the following: (Assumes debian here):
# /etc/network/interfaces

iface eth0 inet static
  address 195.xxx.xxx.6
  netmask 255.255.255.255
  gateway 172.30.4.1
Hope this can help anyone trying to achieve the same result using Hetzner.

Regards,

Majestic
 
majestic
Frequent Visitor
Posts: 90
Joined: Mon Dec 05, 2016 11:19 am

Re: Public IP over a tunnel ( SOLVED )

Sat Sep 15, 2018 2:10 pm

Hi @Sob,

On an additional note, you don't by any chance have a working IPv6 version of this?

This would need to be IPv6 over IPv4 i.e. for sites which don't have native IPv6 yet.

If you have anything which you wouldn't mind sharing it would really be appreciated.

Thank you.

Kind Regards,

Majestic
 
majestic
Frequent Visitor
Posts: 90
Joined: Mon Dec 05, 2016 11:19 am

Re: Public IP over a tunnel

Sat Sep 15, 2018 2:44 pm

Hi Sob,

One thing I have noticed is, the outgoing packets seem to have the wrong source address. If you say do a curl ifconfig.io you will see the public IP of the end point which you used the IP's from. I've tried to add an SNAT rule but it didn't help, I expect it's because of the interface/way I tried so if you can offer any suggestions would love to hear, thanks.

Update
Found the solution, adding the following code on the CHR (Router you get the IP's from) fixes this.
/ip firewall nat
add action=src-nat chain=srcnat comment="Hetzner SNAT -- 195.xxx.xxx.6 via ether1-gateway (used with ipip tunnel)" out-interface=ether1-gateway src-address=195.xxx.xxx.6 to-addresses=195.xxx.xxx.6
Kind Regards,

Majestic
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel ( SOLVED )

Sat Sep 15, 2018 7:09 pm

Wrong source address, if I understand correctly that it's 94.xxx.xxx.150, it must be caused by another srcnat/masquerade rule. Instead of adding another srcnat, it's better to use accept rule, to exclude 195.xxx.xxx.6 from srcnat completely. It doesn't need any, it already has correct address.

IPv6 depends on how you get it. If a subnet would be routed to CHR, then you can just route part of it further over appropriate tunnel type, nice and clean. If not and it would be a subnet on WAN side of CHR, where you can only connect other hosts, then currently the only way would be to bridge everything all the way from CHR WAN to server. It should also be possible using some ND proxy, but RouterOS doesn't have that.
 
Joni
Member Candidate
Posts: 156
Joined: Fri Mar 20, 2015 2:46 pm

Re: Public IP over a tunnel ( SOLVED )

Sat Sep 15, 2018 9:14 pm

majestic wrote:
> I am using a Hetzner Cloud VPS and I've found using a single vCPU, you can get around 400MBits, which ain't bad at all. Adding an additional CPU produces around 800MBits. It seems to be CPU limited due to encryption so I'm looking at tweaking it a bit and see if can get a bit more out of it.

Does Hetzner give public (IPv4) subnets on VPS? (Dedicated, yes)
Which VPS series are you running? CX series surely didn't use to have even additional IPs and now there are only "floating ips".

https://wiki.hetzner.de/index.php/IP-Adressen/en
https://wiki.hetzner.de/index.php/Cloud ... sistent/en
Last edited by Joni on Sat Sep 15, 2018 9:24 pm, edited 2 times in total.
 
majestic
Frequent Visitor
Posts: 90
Joined: Mon Dec 05, 2016 11:19 am

Re: Public IP over a tunnel ( SOLVED )

Sat Sep 15, 2018 9:22 pm

Sob wrote:
> Wrong source address, if I understand correctly that it's 94.xxx.xxx.150, it must be caused by another srcnat/masquerade rule. Instead of adding another srcnat, it's better to use accept rule, to exclude 195.xxx.xxx.6 from srcnat completely. It doesn't need any, it already has correct address.
>
> IPv6 depends on how you get it. If a subnet would be routed to CHR, then you can just route part of it further over appropriate tunnel type, nice and clean. If not and it would be a subnet on WAN side of CHR, where you can only connect other hosts, then currently the only way would be to bridge everything all the way from CHR WAN to server. It should also be possible using some ND proxy, but RouterOS doesn't have that.

Thanks, spot on, I had a srcnat rule on the 150 address, now all sorted, thank you.

With regards to IPv6 will have a play around now that I have an idea from what you have said, thank you.

Regards,

Majestic
 
majestic
Frequent Visitor
Posts: 90
Joined: Mon Dec 05, 2016 11:19 am

Re: Public IP over a tunnel ( SOLVED )

Sat Sep 15, 2018 9:24 pm

Joni wrote:
> majestic wrote:
>> I am using a Hetzner Cloud VPS and I've found using a single vCPU, you can get around 400MBits, which ain't bad at all. Adding an additional CPU produces around 800MBits. It seems to be CPU limited due to encryption so I'm looking at tweaking it a bit and see if can get a bit more out of it.
>
> Does Hetzner give public subnets on VPS? (Dedicated, yes)
> Which VPS series are you running? CX series surely doesn't have even additional IPs.

Hi @Joni,

Hetzner has a fairly recent new addition, not just their dedicated servers but also VPS's (https://www.hetzner.com/cloud) and my CHR is on here currently. Using their "failover/extra IP" is working by routing it through to other network fine and yes these are the CX series. Whether the IPv6 will work, needs more investigations and will grab a range soon to test.
 
ravix
just joined
Posts: 2
Joined: Mon Sep 17, 2018 9:51 pm

Re: Public IP over a tunnel ( SOLVED )

Mon Sep 17, 2018 10:16 pm

Hello Guys,

I have a similar scenario where I am trying to address my server with public IP addresses remotely via VPN tunnel. I have tried the method Sob showed with the ipip tunnel and it works well for one server. I have a /28 I want to use to address multiple servers. Can you assist with a sample config? CHR end 52.x.x.0/28. Need to address 12 servers so it doesn't matter to me if I have to bridge it. I tried bridging it but I cannot seem to ping the ISP gateway 52.x.x.1 but I can ping the CHR interface.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public IP over a tunnel ( SOLVED )

Wed Sep 19, 2018 6:22 pm

One address or twelve, there's not much difference, you can use the same method, it will work.
 
majestic
Frequent Visitor
Posts: 90
Joined: Mon Dec 05, 2016 11:19 am

Re: Public IP over a tunnel ( SOLVED )

Wed Sep 19, 2018 6:51 pm

Sob wrote:
> One address or twelve, there's not much difference, you can use the same method, it will work.

Aye, confirmed myself with multiple addresses, works like a dream, thank you.
 
ravix
just joined
Posts: 2
Joined: Mon Sep 17, 2018 9:51 pm

Re: Public IP over a tunnel ( SOLVED )

Thu Sep 20, 2018 8:30 pm

Thanks Guys.
 
jeremiedigre
just joined
Posts: 4
Joined: Thu Feb 21, 2019 9:33 am

Re: Public IP over a tunnel ( SOLVED )

Fri Mar 01, 2019 4:53 pm

Hello everyone. Please, I have a preoccupation, the same problem. I'm a beginner with Mikrotik.
I have set a PPTP VPN between two sites A (192.168.2.0) and B (192.168.1.0) which works very well,
but I want to go through the internet to reach a machine from my local site, i.e. network B, as ip public: port -> pptp vpn --> local network machine.
For example 156.202.X.X:8963 -> pptp vpn --> 192.168.1.32:80
I tried many indications without success. Thanks for the help.
My routers are RB2011UiAS-2HnD
 
ynblpb
just joined
Posts: 2
Joined: Tue Feb 14, 2023 11:04 pm

Re: Public IP over a tunnel ( SOLVED )

Sat Feb 18, 2023 11:45 pm

RouterOS 7.7 tested:

extending majestic's https://forum.mikrotik.com/viewtopic.p ... 80#p686408 post

CHR Gateway

/interface ipip
add allow-fast-path=no ipsec-secret=*********** local-address=94.xxx.xxx.150 name=ipip-tunnel remote-address=46.xxx.xxx.162
/ip address
add address=172.16.1.2/30 interface=ipip-tunnel
/ip arp
add address=195.xxx.xxx.6 interface=ether1-gateway published=yes
/ip route
add dst-address=195.xxx.xxx.6/32 gateway=172.16.1.1

Destination Side

/interface ipip
add allow-fast-path=no ipsec-secret=************ local-address=46.xxx.xxx.162 name=ipip-tunnel remote-address=94.xxx.xxx.150
/ip address
add address=172.16.1.1/30 interface=ipip-tunnel
add address=172.30.4.1/32 interface=ether2-master network=195.xxx.xxx.6

+++ /routing table
add disabled=no fib name=to-chr

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=195.xxx.xxx.6  in-interface=ipip-tunnel new-connection-mark=server-public passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=server-public passthrough=yes src-address=195.xxx.xxx.6
add action=mark-routing chain=prerouting connection-mark=server-public in-interface=ether2-master new-routing-mark=to-chr passthrough=no

--- /ip route add dst-address=0.0.0.0/0 gateway=172.16.1.2 routing-mark=to-chr
+++ /ip route add dst-address=0.0.0.0/0 gateway=%ipip-tunnel routing-table=to-chr

--- removed lines
+++ added lines
