GiovanniG
Member
Topic Author
Posts: 342
Joined: Sun Nov 15, 2015 4:12 pm

Create a tunnel between a Public WAN router and a private WAN one

Sun Sep 18, 2022 11:36 pm

Hi, I need to remotely control a MikroTik (Winbox), but not only that: there are also IoT devices with a light web interface that should be reachable. As the MikroTik router is connected to the internet by an LTE USB modem that gives it a private address (10.x.x.x), I thought I would establish a tunnel between them. Briefly, I describe what I guess I need.

Let's call X the router with LTE on a private network and Y the router connected to the internet with a public IP.
1) X sends requests to Y (every 1-2 seconds) to establish a connection until it creates it; if lost, it will ask again forever.
2) Y has a TCP port listening for connections, preferably customizable so I can choose something far from the default one.
3) The Y and X tunnel interfaces will have a static IP assigned from a /30.
4) X is able to dst-nat from its tunnel IP:desired port to the local IP of its LAN; in this way, from the LAN of router Y I can always reach the web interfaces of devices present on its local LAN. All local LAN devices are able to access the internet via the LTE gateway (not the tunnel).

Shortly:
On router X the main LAN is 192.168.1.1/24, the tunnel will be 192.168.2.1/30. From here I can open 192.168.2.2 (the other side of the tunnel, router Y) where all the IoT devices' control web pages are dst-natted.
On router Y the main LAN is 192.168.88.1/24, the tunnel will be 192.168.2.2/30.

To create it I've followed two different guides, one with IPsec, another with PPP; with both of them I can't see any connection requests from Y to X:

Can you please help me to create a tunnel with such characteristics? Thank you.
Last edited by GiovanniG on Mon Sep 19, 2022 11:20 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Create a tunnel between a Public WAN router and a private WAN one

Mon Sep 19, 2022 2:12 am

Your requirement #4 has to be explained much better to be understood; for the other ones one can get the idea.

Why do users on router Y need access to router X's web interfaces?

What are web interfaces? Do you mean devices/servers on the LAN subnet of router X?

Do you simply mean that users on router Y need to go out to the internet via router X??
 
GiovanniG
Member
Topic Author
Posts: 342
Joined: Sun Nov 15, 2015 4:12 pm

Re: Create a tunnel between a Public WAN router and a private WAN one

Mon Sep 19, 2022 11:22 am

Hi! Thank you for your kind reply; I've edited the first message and added some info to answer your questions.
The tunnel is useful only to access, from a known internet IP, the web pages (only) of the IoT devices and the Winbox of the MikroTik. As router Y is under the operator's private network and I can't access it directly, I need a tunnel to another MikroTik that stays on the internet with a static public IP.
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Create a tunnel between a Public WAN router and a private WAN one

Mon Sep 19, 2022 9:09 pm

Yeah, anytime user requirements are explained using config speak, one gets a mess.
I have no clue what you are saying.

What is easy to understand:
X needs to initiate the connection because it has a private IP (and one cannot port forward from any existing edge router to router X).
Y has a public IP and can be the receiver of VPN connections.
Traffic flow is mostly from Y to X.

Describe the traffic flow properly.
A single user at router Y (admin - you?) needs to access a LAN device through the LAN IP of the device at router X.
There are multiple such devices?

So to be clear, users on router Y need access to the LAN subnet of router X, and NOT the internet access of router X??
Can we confirm that please!
(The terminology of "web interfaces" leads me to believe that the users from Y need to access the internet to access the IoT device.) I really don't care if the IoT device talks to the internet or not, or is web facing or not; you want to connect to it on the LAN, right?

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Easily accomplished with a simple WireGuard tunnel. I don't see any requirement for special source NAT or /30 networks etc.
Why not provide yourself direct access to the subnet on X and, while you're at it, secure config access to router X as well?
I will break it down first with the WireGuard settings and then with the appropriate rest of the router settings.

WIREGUARD SETTINGS

Router Y (receiver)
/interface wireguard
add listen-port=15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2/32,192.168.1.0/24 interface=wireguard-home public-key="---"
/ip address
add address=192.168.50.1/24 interface=wireguard-home
/ip firewall filter { input chain }
add chain=input action=accept dst-port=15551 protocol=udp in-interface-list=WAN \
comment="allow initial connection"

...

Router X (initiator)
/interface wireguard
add listen-port=15551 mtu=1420 name=wireguard-client  { listen-port is not used here, X only initiates }
/interface wireguard peers
add allowed-address=192.168.50.0/24,192.168.88.0/24 endpoint-address=mynetnameRouterY endpoint-port=15551 interface=wireguard-client public-key="..." \
persistent-keepalive=35s
/ip address
add address=192.168.50.2/24 interface=wireguard-client
...

ROUTER SETTINGS

Router Y
/ip firewall filter { forward chain }
add action=accept chain=forward src-address=192.168.88.0/24 dst-address=192.168.1.0/24 out-interface=wireguard-home \
comment="allow local subnet to enter tunnel"
/ip route
add dst-address=192.168.1.0/24 gateway=wireguard-home routing-table=main \
comment="provide route into tunnel"
...

Router X
/ip firewall filter
{ input chain }
add action=accept chain=input in-interface=wireguard-client src-address=192.168.88.X \
comment="Admin access"  *****
{ forward chain }
add action=accept chain=forward in-interface=wireguard-client src-address=192.168.88.0/24 dst-address=192.168.1.0/24 \
comment="allow subnet access"
/ip route
add dst-address=192.168.88.0/24 gateway=wireguard-client routing-table=main \
comment="provide route back through tunnel"
...
***** If you have multiple admin IPs, create a firewall address list called Admin, for example:
/ip firewall address-list
add address=192.168.88.x list=Admin  ( desktop )
add address=192.168.88.y list=Admin  ( laptop )
add address=192.168.88.z list=Admin  ( ipad ) etc.....

/ip firewall filter
add action=accept chain=input in-interface=wireguard-client src-address-list=Admin

++++++++++++++++++++

Now let's go one step further: let's say you have also added your smartphone or laptop as WireGuard clients that can connect to router Y when away from home,
say for the purpose of being able to configure router Y remotely. Then we simply add the clients, and we can also set it up so that you can access router X to configure it as well.

wireguard ip address=192.168.50.3/32 smartphone
wireguard ip address=192.168.50.4/32 laptop

Router Y Additions:
....
/interface wireguard peers
add allowed-address=192.168.50.2/32,192.168.1.0/24 interface=wireguard-home public-key="---"  { router x }
add allowed-address=192.168.50.3/32 interface=wireguard-home public-key="vvvvv"  { smartphone }
add allowed-address=192.168.50.4/32 interface=wireguard-home public-key="ddd"  { laptop }
/ip firewall address-list
add address=192.168.50.3 list=REMOTE
add address=192.168.50.4 list=REMOTE
/ip firewall filter
{ input chain }
add action=accept chain=input in-interface=wireguard-home src-address-list=REMOTE
{ forward chain }
add action=accept chain=forward in-interface=wireguard-home src-address=192.168.50.0/24 \
comment="allow remote users to exit the tunnel at router Y"
add action=accept chain=forward src-address=192.168.50.0/24 out-interface=wireguard-home \
comment="allow remote users to enter the tunnel at router Y"
...

Note: The two forward chain rules may appear confusing, but since these are peer-to-peer links, the remote users first have to go from their remote location to the router via WireGuard. They are then no longer in the tunnel but sitting parallel to the LAN. We then have to give them permission to re-enter the tunnel to get to their destination (router X).

Router X Additions:
...
/ip firewall filter { input chain }
add action=accept chain=input in-interface=wireguard-client src-address-list=Admin
/ip firewall address-list
add address=192.168.88.x list=Admin  ( desktop on router Y lan )
add address=192.168.88.y list=Admin  ( laptop on router Y lan )
add address=192.168.88.z list=Admin  ( ipad on router Y lan )
add address=192.168.50.3 list=Admin  ( remote smartphone )
add address=192.168.50.4 list=Admin  ( remote laptop )
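The allowed-address entries in the post above do two jobs at once, and that is the part that usually trips people up: on the way out they decide which peer a destination is encrypted to, and on the way in they are the only thing that stops a peer from injecting packets with a forged source address. The following Python is an added illustration, not RouterOS code and not anav's; it models those two WireGuard checks and applies them to the peer tables above (peer names such as "router-x" and "smartphone" are labels chosen here for illustration). It also shows why router X lists the whole 192.168.50.0/24 for its single peer: with only 192.168.50.1/32, a smartphone hairpinned through router Y would be dropped by WireGuard on X before any firewall rule runs.

```python
"""Model of WireGuard allowed-address ("cryptokey routing") semantics.

Added example for the thread above; it is not RouterOS code.  It reproduces
the two checks WireGuard performs so the effect of each allowed-address entry
in anav's configuration can be seen:

  * outbound: a packet is handed to the peer whose allowed-address contains
    the destination (longest prefix wins); no match means WireGuard drops it.
  * inbound:  a decrypted packet is accepted only if its source address lies
    inside the allowed-address list of the peer whose key decrypted it.

Peer names and the helper functions are assumptions made for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


class WireGuardInterface:
    """One WireGuard interface: a peer name -> allowed-address prefixes table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.peers: Dict[str, List] = {}

    def add_peer(self, peer: str, allowed_address: str) -> None:
        nets = [ip_network(a.strip(), strict=False) for a in allowed_address.split(",")]
        # A prefix can belong to exactly one peer.  Configuring the same prefix
        # on a second peer moves it away from the first, which is what WireGuard
        # itself does and a common source of "it worked until I added a peer".
        for other in self.peers.values():
            for n in nets:
                if n in other:
                    other.remove(n)
        self.peers[peer] = nets

    def peer_for_destination(self, dst: str) -> Optional[str]:
        """Outbound check: longest-prefix match over every peer's allowed-address.

        Returns the peer name, or None when no peer claims the destination
        (WireGuard drops such a packet rather than sending it anywhere).
        """
        addr = ip_address(dst)
        best, best_len = None, -1
        for peer, nets in self.peers.items():
            for n in nets:
                if addr in n and n.prefixlen > best_len:
                    best, best_len = peer, n.prefixlen
        return best

    def accept_inbound(self, from_peer: str, src: str) -> bool:
        """Inbound check: src must lie in the decrypting peer's allowed-address."""
        addr = ip_address(src)
        return any(addr in n for n in self.peers.get(from_peer, []))


def build_router_y() -> WireGuardInterface:
    """wireguard-home on router Y, with the three peers from the post."""
    wg = WireGuardInterface("wireguard-home")
    wg.add_peer("router-x", "192.168.50.2/32,192.168.1.0/24")
    wg.add_peer("smartphone", "192.168.50.3/32")
    wg.add_peer("laptop", "192.168.50.4/32")
    return wg


def build_router_x() -> WireGuardInterface:
    """wireguard-client on router X: one peer (router Y) carrying both subnets."""
    wg = WireGuardInterface("wireguard-client")
    wg.add_peer("router-y", "192.168.50.0/24,192.168.88.0/24")
    return wg


if __name__ == "__main__":
    y, x = build_router_y(), build_router_x()
    print(y.peer_for_destination("192.168.1.20"))          # router-x
    print(y.peer_for_destination("192.168.50.3"))          # smartphone
    print(y.peer_for_destination("8.8.8.8"))               # None: not claimed by any peer
    print(y.accept_inbound("smartphone", "192.168.1.20"))  # False: forged source is dropped
    print(x.accept_inbound("router-y", "192.168.50.3"))    # True: the /24 covers the phone
```

The inbound check is why the `src-address-list=Admin` input rules on router X are trustworthy: a peer cannot claim an address outside its own allowed-address, so the firewall only ever sees source addresses WireGuard has already bound to a key.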
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Create a tunnel between a Public WAN router and a private WAN one

Mon Sep 19, 2022 9:12 pm

Oops, you wanted a TCP tunnel; WireGuard is UDP, which is actually better in the sense that it gets through more easily than TCP packets.
 
GiovanniG
Member
Topic Author
Posts: 342
Joined: Sun Nov 15, 2015 4:12 pm

Re: Create a tunnel between a Public WAN router and a private WAN one

Thu Sep 22, 2022 12:50 am

Hi! Thanks for your kind support, and please excuse me for the delay.
I'll try to explain in other words:
both X and Y have their own gateway to the internet, both serve their LANs with those gateways; they don't need each other at all, they are independent, and it should stay that way with the tunnel too.

Y is lucky, it has a public IP; once I want to manage a LAN device I simply dst-nat the connection.

X is connected by an LTE modem, which gives it a random private IP address; the devices on its LAN don't support any cloud connection for management, so I need a tunnel to a host (Y) which has a known IP. Y may eventually NAT to the internet those management ports of devices on X's LAN. So I can manage the devices connected to router X from anywhere in the world, through Y.
Also, X is not lucky because it does not have unlimited data; I have a subscription for some gigabytes, so I need to reduce unwanted traffic (for example LAN broadcasts).

The idea is to have a stable connection (meaning that if it is lost, the devices will be able to detect that and re-establish the tunnel as soon as possible, I would say every 1-2 seconds to avoid floods and waste of data; this is also a parameter/technology I should be careful to choose).
X is the host which initiates the connection, Y has to be in listen mode.
I would use a /30 subnet between them to reduce broadcasts; if I assign the tunnel an IP from Y's LAN I'll waste a lot of data on LTE, and I don't need that. If a device on Y's LAN wants to access the management TCP port (for example the web interface) of a device on X's LAN, it simply uses the X-side tunnel IP address (192.168.2.2) + port: Y will route the packet to X, and X will dst-nat it to the desired LAN device.
I'm sure you understood the purpose; do the commands you posted suit that?
I need TCP because I need to not lose packets, and I want a connection-oriented, stable connection.
I've tried PPP and IPsec from the examples above, but X is not transmitting any packet to Y; these solutions seem to work only for a destination IP present in the same broadcast domain as the source.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Create a tunnel between a Public WAN router and a private WAN one

Thu Sep 22, 2022 1:13 am

If you need TCP (I don't think you really do, but let's go with it), then you're looking for SSTP or OpenVPN:

https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN

It's a simple client connecting to a server. The only slightly annoying part is the need for certificates; it's nothing too difficult, but not as simple as just passwords. At least when it's only between your routers, you can use a self-signed one.
 
GiovanniG
Member
Topic Author
Posts: 342
Joined: Sun Nov 15, 2015 4:12 pm

Re: Create a tunnel between a Public WAN router and a private WAN one

Sat Oct 29, 2022 8:25 pm

Thanks, I've found a better guide about OVPN and I've managed to establish the connection; with that I can, from anywhere, remotely Winbox the MikroTik and open the camera web page, as well as the IoT devices.

I've noticed unfortunately that the sustained traffic to keep the tunnel working is not small, it's about 1.5 KB/sec, which in one month is about 3.8 GB; considering I have about 10 GB in my subscription, I don't like it. Is there any way to reduce this traffic?
Also, I've torched the link and noticed some DNS entries, probably coming from the main gateway router with the static IP, and that's strange because the default route 0.0.0.0 is present on both. I've tried to filter out all output UDP with destination port 53 on the tunnel interface, from both sides, and placed the rule on top... but they are still there. Why? How can I get rid of the undesired DNS on the tunnel? Thanks
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Create a tunnel between a Public WAN router and a private WAN one

Sat Oct 29, 2022 9:48 pm

I'm pretty sure that you don't need 1.5 kB/s just to keep the connection alive. One small ping every minute or so should be more than enough.

As for DNS, there's not enough info to tell what it might be.
 
GiovanniG
Member
Topic Author
Posts: 342
Joined: Sun Nov 15, 2015 4:12 pm

Re: Create a tunnel between a Public WAN router and a private WAN one

Sun Oct 30, 2022 2:57 pm

Thank you for your kind help.
If it can be useful to someone, here is the guide I've used: https://systemzone.net/mikrotik-openvpn ... indows-os/
And here is something to create the client on MikroTik, but it's not really complete; you may guess what is missing after you've created the server, it should mirror it somehow: https://voxlink.ru/kb/voip-devices-conf ... tmikrotik/
I've sniffed for about 30 seconds and I've noticed only DNS requests; the 2.1 (the OVPN server router with the public IP) gets from the provider the IP address with those DNS servers, so it's the one sending them. I don't know for what reason it sends them into the tunnel.
I've not tested whether the tunnel becomes the priority way to send DNS, because eventually the client is able to forward the replies back... even if I haven't seen them. Probably MikroTik loves to spread DNS everywhere looking for answers.
How can I fix it? A filter rule on the firewall hasn't affected it.
 
GiovanniG
Member
Topic Author
Posts: 342
Joined: Sun Nov 15, 2015 4:12 pm

Re: Create a tunnel between a Public WAN router and a private WAN one

Sun Oct 30, 2022 3:48 pm

Maybe the problem is here, look at the log.
For some time the tunnel was not available; I saw it on the PPP server but couldn't ping the client, something was wrong in the handshaking between them.
I've tried to change some parameters, but not influential ones, and after a disable/re-enable it appears back. The interesting thing is that the log reported a detect WAN and later (when it worked) a detect INTERNET, why?
And why on the server are there references to WAN? To it, it should be a simple private connection. Maybe the client may be interested in WAN... but not the server.

Maybe because of this the server sends DNS requests to the client?
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Create a tunnel between a Public WAN router and a private WAN one

Sun Oct 30, 2022 6:38 pm

Phuck OVPN, are you a masochist? Please let me bang your head against the wall, for free even!!!

Use wireguard.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Create a tunnel between a Public WAN router and a private WAN one

Sun Oct 30, 2022 7:02 pm

viewtopic.php?t=187814

In short, you probably want:
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
 
GiovanniG
Member
Topic Author
Posts: 342
Joined: Sun Nov 15, 2015 4:12 pm

Re: Create a tunnel between a Public WAN router and a private WAN one

Sun Oct 30, 2022 11:33 pm

> viewtopic.php?t=187814
>
> In short, you probably want:
> /interface detect-internet
> set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none

Solved, fantastic! "detect interface list" was set to all on the server side.
