Rox169
Member
Topic Author
Posts: 434
Joined: Sat Sep 04, 2021 1:47 am

Public IP - advantage, disadvantage

Fri Jan 20, 2023 10:58 am

Hi,
I have three locations without a public IP address. I am successfully using Zerotier between them. I do not really need a public IP address. But at one location I have a NAS server with Plex, and at this location I can get a public IP for a good price.

I like to play with Mikrotik and I would try Wireguard etc. with a public IP.

What are the advantages and disadvantages of a public IP?

I'm just a bit afraid of attacks from the internet on this public IP. Will my processor usage increase a lot defending against those attacks?

Will I have a full log of information about those attacks?

Another question is about Wireguard.
Location A with public IP and WG server.
Location B connected to WG server in location A, no public IP
Location C connected to WG server in location A, no public IP

If I download data from location B to location C, will that data go through location A, where the WG server is?

Thank you
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: Public IP - advantage, disadvantage

Fri Jan 20, 2023 11:10 am

A public IP can help with LetsEncrypt cert generation and renewal, though opening port 80 to the Internet is scary.
 
holvoetn
Forum Guru
Posts: 5474
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Public IP - advantage, disadvantage

Fri Jan 20, 2023 12:40 pm

My view:
- don't open any incoming ports except for ...
- use a VPN solution like Wireguard (or ZT, then you will not have to open an incoming port)
- You do not NEED a static public IP for Wireguard. Things can get a little bit trickier with dynamic DNS but still pretty workable (my home ISP gives me theoretically a dynamic IP, in practice I have not seen it change in more than a year but my setup takes into account it could change).
- in your WG setup, of course info will go from B to A and then from A to C. But shouldn't Zerotier also be possible? Still the same B to D and D to C approach, except I would think ZT channels have a better bandwidth than what you have towards A. My thinking. If you trust ZT enough. (I don't, so I use WG)
- proper firewall rules can be sufficient to fight abusers with little processor impact (RAW rules and dynamically constructed address lists are your friend here).
- Don't bother too much logging what gets dropped (obviously if that address somehow gets added to the dynamic block list). Wasted effort and resources.
- Don't make the mistake of thinking you will never have problems. If such guys want to come in or take down your network, given time and effort they WILL do so. You just have to make it as hard as possible so they lose interest.
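
One way to lay out the RAW rule plus dynamically built address list mentioned in the reply above, as an added example that is not part of the original posts. It assumes an interface list named WAN, WireGuard listening on UDP port 13231, and a hypothetical address list name wan_probers.

```routeros
# Added example, not from the thread. Assumptions: interface list "WAN" exists,
# WireGuard listens on UDP 13231, "wan_probers" is a hypothetical list name.

/ip firewall raw
# Drop listed sources before connection tracking, so each unwanted packet
# costs only an address-list lookup. No log=yes: dropped noise is not logged.
add chain=prerouting action=drop in-interface-list=WAN \
    src-address-list=wan_probers comment="drop known probers early"

/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="replies to traffic the router started"
add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="WireGuard, the only open incoming port"
# New TCP connections from WAN to management ports (SSH, Telnet, Winbox):
# remember the source for one day. The timeout lets entries age out, so the
# list stays small and a wrongly listed address is not blocked forever.
add chain=input action=add-src-to-address-list protocol=tcp \
    dst-port=22,23,8291 connection-state=new in-interface-list=WAN \
    address-list=wan_probers address-list-timeout=1d \
    comment="build the dynamic block list"
add chain=input action=drop in-interface-list=WAN \
    comment="drop everything else arriving from WAN"
```

Rule order in the filter table matters: the WireGuard accept must sit above the final drop, and the list-building rule must sit above it as well, otherwise it never sees a packet.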
 
Rox169
Member
Topic Author
Posts: 434
Joined: Sat Sep 04, 2021 1:47 am

Re: Public IP - advantage, disadvantage

Fri Jan 20, 2023 1:51 pm

Hello holvoetn,

thank you for helping.

I do not even have a dynamic public IP.

I think all locations are directly connected to Zerotier and when I download from location B to location C it is without any traffic from location A.

Ok, info will go through location A but what about traffic? Will all traffic go from B to A and then to B? Or will only some information go through A and traffic will go directly from B to C?

Thank you
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Public IP - advantage, disadvantage

Fri Jan 20, 2023 3:32 pm

If you have a device that permits containers (arm?) then you can set up a zero trust tunnel and not expose the public IP when having servers.

I have asked Mikrotik to WAKE THE EFF UP, and provide a zero trust tunnel as part of core ROS or at least a package so that ALL users can access a safer way of providing servers and without the
a. complexity of having to learn and set up containers and
b. the extra risks of setting up containers that MT warns about...
