Hello everybody! I have got a Mikrotik CHR with 2 public IP addresses. I would like to assign one of the IP address to my server.
My server is at home, so i would need a tunnel that capable of this thing. So is there any solution for this ?
Thank you very much for any help!
Public IP over a tunnel ( SOLVED )
Last edited by Trackboy on Wed May 16, 2018 1:32 pm, edited 2 times in total.
Re: Public IP over a tunnel
There are different ways, it depends on exact details what's best for you.
One example, lets say you got x.x.x.10/24 and x.x.x.11/24, with x.x.x.1 being ISP's gateway (i.e. ISP expects both addresses connected to their network, not routed somewhere else). You want to route .11 to your server. Simple example:
From home server, connect using VPN to x.x.x.10 and let it use VPN as default gateway. This is enough for home server to get public address and use it as default. To make it visible for ISP where router is connected, use proxy ARP:
Then adjust firewall to allow traffic to/from this address and that's all.
Or you can make a tunnel between CHR and home router, instead of directly to server. It would require a little bit advanced config, but nothing too complicated either.
One example, lets say you got x.x.x.10/24 and x.x.x.11/24, with x.x.x.1 being ISP's gateway (i.e. ISP expects both addresses connected to their network, not routed somewhere else). You want to route .11 to your server. Simple example:
Code: Select all
/ppp secret
add local-address=<some random address not used anywhere else> name=<username> password=<password> remote-address=x.x.x.11
/interface l2tp-server server
set ipsec-secret=<secret> use-ipsec=yesCode: Select all
/ip arp
add address=x.x.x.11 interface=<WAN> published=yesOr you can make a tunnel between CHR and home router, instead of directly to server. It would require a little bit advanced config, but nothing too complicated either.
Re: Public IP over a tunnel
I would rather make a tunnel between them, and i would like to assign the IP to the server statically.
Maybe EoIP tunnel would be good for this ?
Maybe EoIP tunnel would be good for this ?
Re: Public IP over a tunnel
If your server is at home, and you really want to use a public IP configured at the CHR, then I suggest an EoIP or GRE tunnel between your CHR and a home router, if not, then the L2TP VPN may works with private addressing, and then you'll need to do some dst-nat / src-nat rules at the CHR.
Re: Public IP over a tunnel
It's possible too, same principle, make a tunnel, route the IP to server and make it visible on CHR's side with proxy ARP.
Only difference for tunnel terminated on home router will be traffic from server to internet, you'll need to make sure that it goes back via tunnnel and won't use home router's default gateway. It can be done e.g. like this:
Only difference for tunnel terminated on home router will be traffic from server to internet, you'll need to make sure that it goes back via tunnnel and won't use home router's default gateway. It can be done e.g. like this:
Code: Select all
/ip route
add dst-address=0.0.0.0/0 gateway=<IP on CHR's end of tunnel> routing-mark=vpn
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn src-address=<server's public IP>Re: Public IP over a tunnel
Thank you very much for the help, i will give it a try : )
Re: Public IP over a tunnel
I made a GRE tunnel between the 951G and CHR. The tunnel is working. I added routing mark too.
I added public IP to my server statically. But does not work. I can not find proxy arp feature in the GRE interface.
I added public IP to my server statically. But does not work. I can not find proxy arp feature in the GRE interface.
Re: Public IP over a tunnel
You don't need it there, only on CHR, on interface connected to ISP. Try to describe in more detail what you did.
Re: Public IP over a tunnel
I made an encrypted GRE tunnel with the IPsec secret feature. 172.16.1.0/30 is the GRE tunnel ip range.
On CHR added 10.10.100.0/24 route, this is behind the 951G. That's it.
On CHR added 10.10.100.0/24 route, this is behind the 951G. That's it.
Re: Public IP over a tunnel
Check again my first reply. Do you get addresses from ISP as described? If so, then do not assign the other address (the one you want for server) to CHR. Add the route and arp entry and the address should be routed towards your server via tunnel. You can check with Tools->Torch on tunnel interface. If it doesn't go there, check firewall on CHR. If it does, check on home RB that packets arrive, pass through router and go to server. Then check what happens with replies, if server sends anything and if it goes back correctly via tunnel.
Re: Public IP over a tunnel
So i have got a GRE tunnel that is working fine between the CHR and home Mikrotik.
On the CHR there is only one ether1 interface with 2 public IP addresses: 217.144.X.X/24, of course they are from the same range.
I added only 217.144.X.119/24 to ether1.
Mikrotik GRE interface IP address: 172.16.1.1/30
CHR GRE interface IP address: 172.16.1.2/30
You mentioned one thing, proxy ARP on CHR side. I set up ether1 interface to proxy-arp.
I added statically public IP on the target server but i can not ping anything.
The static IP configuration on server side:
IP address: 217.144.X.108/24
GW: 217.144.X.254
DNS: 8.8.8.8,8.8.4.4
I am not an expert btw, so please be patient : )
On the CHR there is only one ether1 interface with 2 public IP addresses: 217.144.X.X/24, of course they are from the same range.
I added only 217.144.X.119/24 to ether1.
Mikrotik GRE interface IP address: 172.16.1.1/30
CHR GRE interface IP address: 172.16.1.2/30
You mentioned one thing, proxy ARP on CHR side. I set up ether1 interface to proxy-arp.
I added statically public IP on the target server but i can not ping anything.
The static IP configuration on server side:
IP address: 217.144.X.108/24
GW: 217.144.X.254
DNS: 8.8.8.8,8.8.4.4
I am not an expert btw, so please be patient : )
Re: Public IP over a tunnel
You have different options.
One way is pretty straightforward, make server really part of CHR's network, by bridging CHR's WAN with tunnel and on home side tunnel with interface dedicated for server. Then everything would behave as if the server was connected in same place as CHR. But you'd also get all unneeded broadcasts and stuff, so you probably don't want that.
What I meant was slighly "lighter" approach, only route a single address to your server. You don't need to enable proxy ARP on CHR's WAN interface, just the manual entry in /ip arp with published=yes is enough. And then on server side, don't configure /24, only use /32 address. You can either route it from home router to server's LAN address, assign it to some loopback interface on server and specifically tell network services to use it. Or you can use it as point-to-point address and then it will be used as default.
I can't test it right now and I don't want to forget anything, so I'll give you exact config later.
One way is pretty straightforward, make server really part of CHR's network, by bridging CHR's WAN with tunnel and on home side tunnel with interface dedicated for server. Then everything would behave as if the server was connected in same place as CHR. But you'd also get all unneeded broadcasts and stuff, so you probably don't want that.
What I meant was slighly "lighter" approach, only route a single address to your server. You don't need to enable proxy ARP on CHR's WAN interface, just the manual entry in /ip arp with published=yes is enough. And then on server side, don't configure /24, only use /32 address. You can either route it from home router to server's LAN address, assign it to some loopback interface on server and specifically tell network services to use it. Or you can use it as point-to-point address and then it will be used as default.
I can't test it right now and I don't want to forget anything, so I'll give you exact config later.
Re: Public IP over a tunnel
Ok, I tested it and this works:
CHR:
Home router:
Server config:
IP address: 217.144.X.108/32 (mask 255.255.255.255)
GW: 192.168.x.x
The 192.168.x.x can be either same address as assigned to router's LAN interface (if server is connected there), or some other address, it doesn't really matter (only that the same address is used on router and as gateway on server).
Server configuration depends on used OS. In Windows, it would be as written above. For Linux it depends on used distribution (they all seem to have different ways how to configure network), but manual config can be done using:
CHR:
Code: Select all
/interface ipip
add allow-fast-path=no ipsec-secret=<secret> local-address=217.144.x.119 name=ipip-tunnel remote-address=<home router>
/ip address
add address=217.144.x.119/24 interface=<WAN>
add address=172.16.1.2/30 interface=ipip-tunnel
/ip arp
add address=217.144.x.108 interface=<WAN> published=yes
/ip route
add dst-address=217.144.x.108/32 gateway=172.16.1.1Code: Select all
/interface ipip
add allow-fast-path=no ipsec-secret=<secret> local-address=<home router> name=ipip-tunnel remote-address=217.144.x.119
/ip address
add address=172.16.1.1/30 interface=ipip-tunnel
add address=192.168.x.x/32 interface=<LAN> network=217.144.x.108
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=217.144.x.108 in-interface=ipip-tunnel new-connection-mark=server-public passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=server-public passthrough=yes src-address=217.144.x.108
add action=mark-routing chain=prerouting connection-mark=server-public in-interface=<LAN> new-routing-mark=to-chr passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.2 routing-mark=to-chrIP address: 217.144.X.108/32 (mask 255.255.255.255)
GW: 192.168.x.x
The 192.168.x.x can be either same address as assigned to router's LAN interface (if server is connected there), or some other address, it doesn't really matter (only that the same address is used on router and as gateway on server).
Server configuration depends on used OS. In Windows, it would be as written above. For Linux it depends on used distribution (they all seem to have different ways how to configure network), but manual config can be done using:
Code: Select all
ip addr add 217.144.x.108 peer 192.168.x.x dev <interface>
ip route add default via 192.168.x.xRe: Public IP over a tunnel
It should work with GRE too ?
Re: Public IP over a tunnel
I tried with IPIP tunnel, working very well. Thank you very much for your help and your patient : ) This is really helpful and valuable for me.
Re: Public IP over a tunnel ( SOLVED )
One more question. I have got a PPPoE connection with dynamic IP. I tried the tunnel with this connection. The speed was around 2-3 Mbit/sec. The ping is perfect and i do not have packet loss.
Maybe i have got MTU issue, and i would need to change with the mangle. I have got another connection with static IP, that is working perfectly.
Maybe i have got MTU issue, and i would need to change with the mangle. I have got another connection with static IP, that is working perfectly.
Re: Public IP over a tunnel ( SOLVED )
Both IPIP and GRE tunnels have MTU option and "Clamp TCP MSS" enabled by default. If you lower MTU on both ends, it should work even without manual mangle rules.
Re: Public IP over a tunnel ( SOLVED )
My PPPoE connection shows now 1480 MTU and MRU. I set this value on the both side in the IPIP configuration. But the problem is the same.
Re: Public IP over a tunnel ( SOLVED )
I don't know exact sizes from top of my head, but I've seen some online calculators, or you can start lower and use trial & error. If main connection has 1480, the tunnel will need a little less.
Re: Public IP over a tunnel ( SOLVED )
I tried several MTU-s so far, but the problem is the same. If i want to ping a host that is working fine, there is not packet loss. On the speedtest.net i get 100/100 Mbit/sec.
So the web browsing is very slow.
So the web browsing is very slow.
Re: Public IP over a tunnel ( SOLVED )
If you search my old posts you'll find some in-depth ones on MTU with screenshot examples of packet captures.
TLDR; if your PPPoE connection is 1480 then you'll want your tunnel MTU to be 1480 - the tunnels overhead. Depending on the protocol (IPIP, GRE, IPSec transport vs tunnel) will determine exactly how much smaller. It's a safe bet to set it to 1280 the minimum MTU of IPv6 and test. Their are calculators to help with calculating the ideal MTU bit you'll find when crypto is added it becomes more difficult to determine a specific MTU because of the additional variables you need to account for.
Also, TCP MSS clamping is and should be unnecessary if MTU is set correctly and the necessary ICMP v4 and v6 messages are allowed. If you rely on it know it's only doctoring TCP packets and no other protocol.
TLDR; if your PPPoE connection is 1480 then you'll want your tunnel MTU to be 1480 - the tunnels overhead. Depending on the protocol (IPIP, GRE, IPSec transport vs tunnel) will determine exactly how much smaller. It's a safe bet to set it to 1280 the minimum MTU of IPv6 and test. Their are calculators to help with calculating the ideal MTU bit you'll find when crypto is added it becomes more difficult to determine a specific MTU because of the additional variables you need to account for.
Also, TCP MSS clamping is and should be unnecessary if MTU is set correctly and the necessary ICMP v4 and v6 messages are allowed. If you rely on it know it's only doctoring TCP packets and no other protocol.
Re: Public IP over a tunnel ( SOLVED )
I tried lot of MTU, but i could not find the proper value. I tried L2TP/IPSec solution and that is working fine and assign public IP.
Re: Public IP over a tunnel ( SOLVED )
Hi Guys,
Just wanted to chime in here, this works abosulty awesome and thank you so much @Sob for taking the time to share your solution.
I am using a Hetzner Cloud VPS and ive found using a single vCPU, you can get around 400MBits, which ant bad at all. Adding an additional CPU produces around 800Mits. It seems to be CPU limited due to encryption so im looking at tweaking it a bit and see if can get a bit more out of it. All in all tho, really amazing thank you.
Here's my config for Hetzner if anyones intrested, its slightly different (very very slight) due to hetzners routing/dhcp stuff.
KEY
94.xxx.xxx.150 - Local IP address of Hetzner Cloud VPS (local being what they provide you)
46.xxx.xxx.162 - IP address of endpoint (where you want the IP's to work on)
172.30.4.1/32 - My local/LAN IP of my gateway on the network you want to use this on.
.. rest can be changed to what you like, I just used what he suggested to keep it simple for testing.
CHR Gateway (The side you buy/have the IP's you want to use, Hetzner Cloud VPS in my case)
Destination Side (The side you want to use the IP's)
On the server that I wanted the IP on which is on the destination network, I just used the following: (Assumes debian here):
Hope this can help anyone trying to achieve the same result using Hetzner.
Regards,
Majestic
Just wanted to chime in here, this works abosulty awesome and thank you so much @Sob for taking the time to share your solution.
I am using a Hetzner Cloud VPS and ive found using a single vCPU, you can get around 400MBits, which ant bad at all. Adding an additional CPU produces around 800Mits. It seems to be CPU limited due to encryption so im looking at tweaking it a bit and see if can get a bit more out of it. All in all tho, really amazing thank you.
Here's my config for Hetzner if anyones intrested, its slightly different (very very slight) due to hetzners routing/dhcp stuff.
KEY
94.xxx.xxx.150 - Local IP address of Hetzner Cloud VPS (local being what they provide you)
46.xxx.xxx.162 - IP address of endpoint (where you want the IP's to work on)
172.30.4.1/32 - My local/LAN IP of my gateway on the network you want to use this on.
.. rest can be changed to what you like, I just used what he suggested to keep it simple for testing.
CHR Gateway (The side you buy/have the IP's you want to use, Hetzner Cloud VPS in my case)
Code: Select all
/interface ipip
add allow-fast-path=no ipsec-secret=*********** local-address=94.xxx.xxx.150 name=ipip-tunnel remote-address=46.xxx.xxx.162
/ip address
add address=172.16.1.2/30 interface=ipip-tunnel
/ip arp
add address=195.xxx.xxx.6 interface=ether1-gateway published=yes
/ip route
add dst-address=195.xxx.xxx.6/32 gateway=172.16.1.1
Code: Select all
/interface ipip
add allow-fast-path=no ipsec-secret=************ local-address=46.xxx.xxx.162 name=ipip-tunnel remote-address=94.xxx.xxx.150
/ip address
add address=172.16.1.1/30 interface=ipip-tunnel
add address=172.30.4.1/32 interface=ether2-master network=195.xxx.xxx.6
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=195.xxx.xxx.6 in-interface=ipip-tunnel new-connection-mark=server-public passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=server-public passthrough=yes src-address=195.xxx.xxx.6
add action=mark-routing chain=prerouting connection-mark=server-public in-interface=ether2-master new-routing-mark=to-chr passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.2 routing-mark=to-chrCode: Select all
# /etc/network/interces
interface eth0 inet static
address 195.xxx.xxx.6
netmask 255.255.255.255
gateway 172.30.4.1Regards,
Majestic
Re: Public IP over a tunnel ( SOLVED )
Hi @Sob,
On an additional note, you don't by any chance have a working IPv6 version of this?
This would need to be IPv6 over IPv4 i.e. for sites which don't have native IPv6 yet.
If you have anything which you wouldn't mind sharing I would really be apresahted.
Thank you.
Kind Regards,
Majestic
On an additional note, you don't by any chance have a working IPv6 version of this?
This would need to be IPv6 over IPv4 i.e. for sites which don't have native IPv6 yet.
If you have anything which you wouldn't mind sharing I would really be apresahted.
Thank you.
Kind Regards,
Majestic
Re: Public IP over a tunnel
Hi Sob,
One thing I have noticed is, the outgoing packets seems to have the wrong source address. If you say do a curl ifconfig.io you will see the public IP of the end point which you used the IP's from. Iv'e tried to add an SNAT rule but didn't help, I expect its because of the interface/way I tried so if you can offer any suggesions would love to hear, thanks.
Update
Found the solution, adding the following code on the CHR (Router you get the IP's from) fixes this.
Kind Regards,
Majestic
One thing I have noticed is, the outgoing packets seems to have the wrong source address. If you say do a curl ifconfig.io you will see the public IP of the end point which you used the IP's from. Iv'e tried to add an SNAT rule but didn't help, I expect its because of the interface/way I tried so if you can offer any suggesions would love to hear, thanks.
Update
Found the solution, adding the following code on the CHR (Router you get the IP's from) fixes this.
Code: Select all
/ip firewall nat
add action=src-nat chain=srcnat comment="Hetzner SNAT -- 195.xxx.xxx.6 via ether1-gateway (used with ipip tunnel)" out-interface=ether1-gateway src-address=195.xxx.xxx.6 to-addresses=195.xxx.xxx.6
Majestic
Ok, I tested it and this works:
CHR:Home router:Code: Select all/interface ipip add allow-fast-path=no ipsec-secret=<secret> local-address=217.144.x.119 name=ipip-tunnel remote-address=<home router> /ip address add address=217.144.x.119/24 interface=<WAN> add address=172.16.1.2/30 interface=ipip-tunnel /ip arp add address=217.144.x.108 interface=<WAN> published=yes /ip route add dst-address=217.144.x.108/32 gateway=172.16.1.1Server config:Code: Select all/interface ipip add allow-fast-path=no ipsec-secret=<secret> local-address=<home router> name=ipip-tunnel remote-address=217.144.x.119 /ip address add address=172.16.1.1/30 interface=ipip-tunnel add address=192.168.x.x/32 interface=<LAN> network=217.144.x.108 /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=217.144.x.108 in-interface=ipip-tunnel new-connection-mark=server-public passthrough=no add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=server-public passthrough=yes src-address=217.144.x.108 add action=mark-routing chain=prerouting connection-mark=server-public in-interface=<LAN> new-routing-mark=to-chr passthrough=no /ip route add dst-address=0.0.0.0/0 gateway=172.16.1.2 routing-mark=to-chr
IP address: 217.144.X.108/32 (mask 255.255.255.255)
GW: 192.168.x.x
The 192.168.x.x can be either same address as assigned to router's LAN interface (if server is connected there), or some other address, it doesn't really matter (only that the same address is used on router and as gateway on server).
Server configuration depends on used OS. In Windows, it would be as written above. For Linux it depends on used distribution (they all seem to have different ways how to configure network), but manual config can be done using:Code: Select allip addr add 217.144.x.108 peer 192.168.x.x dev <interface> ip route add default via 192.168.x.x
Re: Public IP over a tunnel ( SOLVED )
Wrong source address, if I understand correctly that it's 94.xxx.xxx.150, it must be caused by another srcnat/masquerade rule. Instead of adding another srcnat, it's better to use accept rule, to exclude 195.xxx.xxx.6 from srcnat completely. It doesn't need any, it already has correct address.
IPv6 depends on how you get it. If a subnet would be routed to CHR, then you can just route part of it further over appropriate tunnel type, nice and clean. If not and it would be a subnet on WAN side of CHR, where you can only connect other hosts, then currently the only way would be to bridge everything all the way from CHR WAN to server. It should also be possible using some ND proxy, but RouterOS doesn't have that.
IPv6 depends on how you get it. If a subnet would be routed to CHR, then you can just route part of it further over appropriate tunnel type, nice and clean. If not and it would be a subnet on WAN side of CHR, where you can only connect other hosts, then currently the only way would be to bridge everything all the way from CHR WAN to server. It should also be possible using some ND proxy, but RouterOS doesn't have that.
Re: Public IP over a tunnel ( SOLVED )
Does Hetzner give public (IPv4) subnets on VPS? (Dedicated, yes)I am using a Hetzner Cloud VPS and ive found using a single vCPU, you can get around 400MBits, which ant bad at all. Adding an additional CPU produces around 800Mits. It seems to be CPU limited due to encryption so im looking at tweaking it a bit and see if can get a bit more out of it.
Which VPS series are you running? CX series surely didn't use to have even additional IPs and now there are only "floating ips".
https://wiki.hetzner.de/index.php/IP-Adressen/en
https://wiki.hetzner.de/index.php/Cloud ... sistent/en
Last edited by Joni on Sat Sep 15, 2018 9:24 pm, edited 2 times in total.
Re: Public IP over a tunnel ( SOLVED )
Thanks, spot on, I had a srcnat rule on the 150 address, now all sorted, thank you.Wrong source address, if I understand correctly that it's 94.xxx.xxx.150, it must be caused by another srcnat/masquerade rule. Instead of adding another srcnat, it's better to use accept rule, to exclude 195.xxx.xxx.6 from srcnat completely. It doesn't need any, it already has correct address.
IPv6 depends on how you get it. If a subnet would be routed to CHR, then you can just route part of it further over appropriate tunnel type, nice and clean. If not and it would be a subnet on WAN side of CHR, where you can only connect other hosts, then currently the only way would be to bridge everything all the way from CHR WAN to server. It should also be possible using some ND proxy, but RouterOS doesn't have that.
With regards to IPv6 will have a play around now that I have an idea from what you have said, thank you.
Regards,
Majestic
Re: Public IP over a tunnel ( SOLVED )
Hi @Joni,Does Hetzner give public subnets on VPS? (Dedicated, yes)I am using a Hetzner Cloud VPS and ive found using a single vCPU, you can get around 400MBits, which ant bad at all. Adding an additional CPU produces around 800Mits. It seems to be CPU limited due to encryption so im looking at tweaking it a bit and see if can get a bit more out of it.
Which VPS series are you running? CX series surely doesn't have even additional IPs.
Hetzner has a failry recent new addition, not just their dedciated servers but also VPS's (https://www.hetzner.com/cloud) and my CHR is on here currently. Using their "failover/extra IP" is working by routing it though to other network fine and yes these are the CX series. Whether the IPv6 will work, needs more investigations and will grab a range soon to test.
Re: Public IP over a tunnel ( SOLVED )
Hello Guys,
I have a similar scenario where I am trying to address my server with public ip addresses remotely via vpn tunnel. I have try the method Sob showed with the ipip tunnel and it works well for one server. I have a /28 I want to use to address multiple servers Can you assist with a sample config. CHR end 52.x.x.0/28. Need to address 12 servers so it doesn't matter to me if I have to bridge it. I tried bridging it but I cannot seem to ping the isp gateway 52.x.x.1 but I can ping the CHR interface.
I have a similar scenario where I am trying to address my server with public ip addresses remotely via vpn tunnel. I have try the method Sob showed with the ipip tunnel and it works well for one server. I have a /28 I want to use to address multiple servers Can you assist with a sample config. CHR end 52.x.x.0/28. Need to address 12 servers so it doesn't matter to me if I have to bridge it. I tried bridging it but I cannot seem to ping the isp gateway 52.x.x.1 but I can ping the CHR interface.
Re: Public IP over a tunnel ( SOLVED )
One address or twelve, there's not much difference, you can use the same method, it will work.
Re: Public IP over a tunnel ( SOLVED )
Aye, confirmed myself with multiple addresses, works like a dream, thank you.One address or twelve, there's not much difference, you can use the same method, it will work.
-
-
jeremiedigre
just joined
- Posts: 4
- Joined:
Re: Public IP over a tunnel ( SOLVED )
Hello everyone. please, I have a preocupation, the same problem. i'm a beginner with Mikrotik.
I have set a pptp vpn between two sites A (192.168.2.0) and B (192.168.1.0) which works very well,
but I want to go through the internet to reach a machine from my local site, ie network B, as ip public: port -> pptp vpn --> local network machine.
for example 156.202.X.X:8963 -> pptp vpn --> 192.168.1.32:80
I tried many indications without success. thanks for the help.
My routers are RB2011UiAS-2HnD
I have set a pptp vpn between two sites A (192.168.2.0) and B (192.168.1.0) which works very well,
but I want to go through the internet to reach a machine from my local site, ie network B, as ip public: port -> pptp vpn --> local network machine.
for example 156.202.X.X:8963 -> pptp vpn --> 192.168.1.32:80
I tried many indications without success. thanks for the help.
My routers are RB2011UiAS-2HnD
Re: Public IP over a tunnel ( SOLVED )
RouterOS 7.7 tested:
extending majestic's https://forum.mikrotik.com/viewtopic.p ... 80#p686408 post
CHR Gateway
Destination Side
--- removed lines
+++ added lines
extending majestic's https://forum.mikrotik.com/viewtopic.p ... 80#p686408 post
CHR Gateway
Code: Select all
/interface ipip
add allow-fast-path=no ipsec-secret=*********** local-address=94.xxx.xxx.150 name=ipip-tunnel remote-address=46.xxx.xxx.162
/ip address
add address=172.16.1.2/30 interface=ipip-tunnel
/ip arp
add address=195.xxx.xxx.6 interface=ether1-gateway published=yes
/ip route
add dst-address=195.xxx.xxx.6/32 gateway=172.16.1.1
Destination Side
Code: Select all
/interface ipip
add allow-fast-path=no ipsec-secret=************ local-address=46.xxx.xxx.162 name=ipip-tunnel remote-address=94.xxx.xxx.150
/ip address
add address=172.16.1.1/30 interface=ipip-tunnel
add address=172.30.4.1/32 interface=ether2-master network=195.xxx.xxx.6
+++ /routing table
add disabled=no fib name=to-chr
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=195.xxx.xxx.6 in-interface=ipip-tunnel new-connection-mark=server-public passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=server-public passthrough=yes src-address=195.xxx.xxx.6
add action=mark-routing chain=prerouting connection-mark=server-public in-interface=ether2-master new-routing-mark=to-chr passthrough=no
--- /ip route add dst-address=0.0.0.0/0 gateway=172.16.1.2 routing-mark=to-chr
+++ /ip route add dst-address=0.0.0.0/0 gateway=%ipip-tunnel routing-table=to-chr
--- removed lines
+++ added lines
Who is online
Users browsing this forum: Boertjes and 11 guests