@anav asked:
"I'd be interested in your only one side needs public IP teaser. Please elaborate!!!"
and I tried but got:
"You have to be more clear than that sir,
I have no idea what you mean by this .....
But still need use the CGNAT'ed remote address on the "static IP" side
Take as many sentences as you need so the layperson (me) understands what you mean."
So this post is in response to his prompting. Essentially it's trying to answer the question:
How to use EoIP+IPSec when one side is behind something like a CGNAT?
To be clear, ONE side likely needs a fixed/static IP. And this approach obviously only works between two Mikrotik routers, since EoIP is not a standard. Also, let's assume the firewall is close to the default on most home routers. I tested this on an RB1100AHx4 with a normal public IP to a wAPacR with an AT&T LTE connection, so it worked in one case at least. To provide an example, let's assume two generic routers:
"HUB" with an unrestricted public IP of 203.0.113.1
"REMOTE" with an LTE connection that's providing a private/CGNAT address of 10.1.2.3
EoIP+IPSec Setup:
Let's assume you're using winbox/webfig. The following steps should be done on EACH router ("HUB" and "REMOTE"; the steps are the same regardless of WAN type):
1. Check "DDNS Enabled" in the IP > Cloud dialog. We'll use the DNS name later, so do this on both routers now.
2. Create (+) a new EoIP interface in the Interface > EoIP tab. In the EoIP settings that appear, set the following (and leave others like "MTU" or "Local Address" blank/defaults):
a. Set the name as desired (e.g. "eoip-romon").
b. For "Remote Address", use the IP Cloud DDNS name from the OTHER router (e.g. on the HUB router, use REMOTE's DDNS name & vice versa).
c. Set "Tunnel ID" to match on both routers (say "5" since RoMON has five letters – but both sides just need to match).
d. Importantly, set "IPSec Secret" to something complex/long; again both sides need to match exactly.
e. Uncheck "Allow Fast Path".
f. Hit OK.
3. Go to IP > Firewall > Address Lists
a. Hit (+) to add a new address list entry
b. Set "Address" to the OTHER router's DDNS name (i.e. the same one used as Remote Address in the EoIP settings)
c. Choose a name (say "allowed-eoip-remotes") and set that as the "List"
d. Hit OK
4. Go to IP > Firewall > Filter
a. Hit (+) to add a new rule, and on the first tab set:
b. Set "Chain" to "input"
c. Set "Src. Address List" to the same list as in step 3.c above (e.g. "allowed-eoip-remotes")
d. Set "Protocol" to GRE
e. Check the Action tab to make sure it's "accept"
f. Hit OK
(NOTE: This rule has to sit above the default "drop all not coming from LAN" rule, otherwise GRE from the WAN never reaches it – the Example Config below shows the order)
5. Go to IP > Addresses, to add an IP address for the EoIP interface
a. Hit (+) to add a new IP address
b. For "Address", use a unique subnet (say 172.19.5.1/24 for HUB and 172.19.5.2/24 for REMOTE – both sides just need to be in the SAME subnet; which one you use does not matter)
c. For "Interface", use the name of the EoIP interface created in STEP 2
d. Hit OK
(NOTE: An IP address is technically OPTIONAL if EoIP is only used for RoMON)
6. Go to Interface > Interface List to add the EoIP interface to LAN, to allow winbox through the firewall
a. Hit (+) to add a new list member
b. In the dialog, set "Interface" to the EoIP interface name ("eoip-romon")
c. Select "LAN" as the "List"
d. Hit OK
(NOTE: This is also technically OPTIONAL if EoIP is only used for RoMON)
7. Enable the EoIP interface (if not already). Once STEPS 1-5 have been done on BOTH routers, check that "running" is marked with an "R" next to the EoIP interface in the Interfaces > EoIP list. You should also be able to ping the OTHER router's IP set in STEP 5.
8. Enable RoMON in Tools > RoMON. You can set a "Secret" if you'd like; it just has to match on both sides. Also in "Ports", you can set the default "all" to "Forbid" and add a new port with just the EoIP interface to allow, if you want. Although one of the benefits of RoMON is that it can do path discovery BEYOND just the EoIP interface.
9. In a new winbox login window, enter the HUB router's IP/user/password, then click "Connect to RoMON"; you should see the remote router (winbox protocol to the first router, then internally the RoMON protocol is used over the EoIP+IPSec tunnel to the far end).
Background on EoIP + IPSec
EoIP enables an Ethernet-like Layer 2 point-to-point connection using the GRE protocol. BUT... one feature of EoIP is that it can be made secure using IPSec, simply by setting the "IPSec Secret" on both ends of an EoIP tunnel. Internally, Mikrotik adds the needed dynamic config to /ip/ipsec to make this happen, and you can look there to see the actual tunnel connections.
Importantly, the Layer 2 traffic is wrapped in GRE, then IPSec... so you've got two tunnels going on from a firewall/security POV.
There are a lot of VPN choices on Mikrotik, and most are probably better than EoIP+IPSec for "normal" traffic. But for enabling a "secure, wide-area RoMON" network, this approach has some value. Probably other use cases too. But for efficient and high-performance needs you might look elsewhere. So it's more for the "what if the main VPN failed" kind of case.
IPIP (and GRE) using IPSec Secret Should Work Same
@anav also asked:
"Also any reason why I should not be able to do same in IPIP which in my mind is superior having less overhead !!"
IPIP won't work for RoMON as it's IP-only / Layer 3. And you kinda need some very specific case for it to be useful over WG or anything. But all the steps above should be identical, since both EoIP and IPIP are just a layer above GRE. And all of them support setting an "IPSec Secret", which is what deals with the restricted NAT.
Example Config
I've left out some parts, but all the firewall stuff is shown as-is:
/interface eoip
add allow-fast-path=no mac-address=02:4C:00:A7:00:01 name=eoip-tunnel1 remote-address=b111111111111111.sn.mynetname.net tunnel-id=19
/interface list member
add interface=eoip-tunnel1 list=LAN
/ip address
add address=172.20.19.2/24 disabled=yes interface=eoip-tunnel1 network=172.20.19.0
/ip cloud
set ddns-enabled=yes
/ip firewall address-list
add address=a000000000000.sn.mynetname.net list=eoip-romon-hub
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="accept GRE for EoIP" protocol=gre src-address-list=eoip-romon-hub
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/tool romon
set enabled=yes
/tool romon port
set [ find default=yes ] forbid=yes
add disabled=no interface=eoip-tunnel1
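To check what those input rules actually let in from the WAN (the GRE rule from step 4 and the EoIP-in-LAN list member from step 6), here is a small Python simulation I've added; it is not part of the post or of RouterOS, and it assumes the HUB's DDNS name resolves to 203.0.113.1 and that the LTE WAN interface is called lte1.

```python
# Added example (not from the post): simulate the chain=input rules from the Example
# Config to see what the WAN side of either router actually lets in.
from collections import namedtuple

# Constructed sample data: what the DDNS name and the interface lists resolve to.
ADDRESS_LISTS = {"eoip-romon-hub": {"203.0.113.1"}}                 # HUB's public IP
IFACE_LISTS = {"WAN": {"lte1"}, "LAN": {"bridge", "eoip-tunnel1"}}  # step 6 puts EoIP in LAN

Packet = namedtuple("Packet", "proto src in_iface dst_port conn_state",
                    defaults=("lte1", 0, "new"))  # assumed LTE WAN interface name

# The input chain as exported above, in order (loopback and l2tp rules left out).
INPUT_CHAIN = [
    dict(action="accept", conn_state={"established", "related", "untracked"}),
    dict(action="accept", proto="udp", dst_port=4500),       # IPsec NAT-T
    dict(action="accept", proto="udp", dst_port=500),        # IKE
    dict(action="drop", conn_state={"invalid"}),
    dict(action="accept", proto="icmp"),
    dict(action="accept", proto="gre", src_list="eoip-romon-hub"),
    dict(action="drop", not_in_list="LAN"),                  # drop all not coming from LAN
]

def matches(rule, pkt):
    return not (
        ("conn_state" in rule and pkt.conn_state not in rule["conn_state"])
        or ("proto" in rule and pkt.proto != rule["proto"])
        or ("dst_port" in rule and pkt.dst_port != rule["dst_port"])
        or ("src_list" in rule and pkt.src not in ADDRESS_LISTS[rule["src_list"]])
        or ("not_in_list" in rule and pkt.in_iface in IFACE_LISTS[rule["not_in_list"]])
    )

def input_verdict(pkt, chain=INPUT_CHAIN):
    """First matching rule decides; RouterOS accepts if nothing matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def demo():
    # Same chain, but with the src-address-list condition removed from the GRE rule.
    loose = [{k: v for k, v in r.items() if k != "src_list"} for r in INPUT_CHAIN]
    return {
        "gre_from_hub": input_verdict(Packet("gre", "203.0.113.1")),
        "gre_from_stranger": input_verdict(Packet("gre", "198.51.100.7")),
        "gre_from_stranger_no_list": input_verdict(Packet("gre", "198.51.100.7"), loose),
        "ike_from_anyone": input_verdict(Packet("udp", "198.51.100.7", dst_port=500)),
        "winbox_from_wan": input_verdict(Packet("tcp", "198.51.100.7", dst_port=8291)),
        "winbox_over_eoip": input_verdict(Packet("tcp", "172.20.19.1", "eoip-tunnel1", 8291)),
    }
```

The difference between gre_from_stranger and gre_from_stranger_no_list is the whole point of the address list: without it the GRE accept rule would take tunnel packets from any source on the internet, while winbox only gets through because the EoIP interface is a LAN list member.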