Hi, could someone please give more detail on the "dirty trick" mentioned above.
May it be myself? I thought I had described it in enough detail, but obviously I haven't...
The overall architecture is as follows:
```
               other router/modem                    Mikrotik
  _            ,--------------,                  ,---------------,
   )   etherE  |   dst-nat    | etherI   etherW  |    dst-nat    |
   )-----------O e.e.e.e      O------------------O i.i.i.i       |
   )   e.e.e.e |   -> i.i.i.i |          i.i.i.i |    -> e.e.e.e |
  _)           '--------------'                  |               |
                                                 | O br-aux      |
                                                 |   e.e.e.e/32  |
                                                 '---------------'
```
The other modem has a public (external) address e.e.e.e from the ISP. By default it src-nats whatever comes from its LAN (i.e. via etherI) to this address, and you manually configure a dst-nat on it towards the private (internal) address of the Mikrotik on the LAN, i.i.i.i. The dst-nat works either selectively for UDP port 500, UDP port 4500 and ESP, or as a DMZ (De-Militarized Zone, i.e. regardless of protocols and ports). Except for the ESP, it is the same setup you would use without any dirty trick on the Mikrotik side.
The dirty trick is that you create an /interface bridge name=br-aux, assign no member ports to it, and assign to it the public address the external router has got from the ISP, e.e.e.e/32. In fact you can attach e.e.e.e/32 even directly to the WAN interface (etherW) as a secondary address, but the use of br-aux makes it look less confusing. Next, you set up an "inverse" dst-nat rule, restoring the destination address i.i.i.i of packets received from the external router back to e.e.e.e. If you expect the Mikrotik to ever act as an initiator, or you expect the external initiators to be on public IPs without NAT on their side, you also have to add src-nat rules to the Mikrotik so that packets sent with e.e.e.e as source address are src-nated to i.i.i.i before leaving through etherW, so that the external router doesn't reject them.
And finally, you tell the IPsec peer on the Mikrotik to use e.e.e.e by setting it as the peer's local-address parameter and by setting it as the pref-src of the default route.
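The steps above written out as a RouterOS configuration, as an added example that is not part of the post above (it is not the poster's own export). All addresses and names are assumptions for illustration: 203.0.113.10 stands for the ISP-assigned public address e.e.e.e, 192.168.1.2 for the Mikrotik's LAN address i.i.i.i, 192.168.1.1 for the external router's LAN address, 198.51.100.20 for the remote IPsec peer, and ether1 for etherW.

```routeros
# Added example (RouterOS 6.45+ syntax); all addresses/names are assumed placeholders.
# e.e.e.e = 203.0.113.10   i.i.i.i = 192.168.1.2   external router LAN = 192.168.1.1
# etherW = ether1           remote IPsec peer = 198.51.100.20

# 1. Port-less bridge carrying the public address the external router got from the ISP.
/interface bridge
add name=br-aux comment="holds e.e.e.e so the Mikrotik believes it owns the public IP"
/ip address
add address=192.168.1.2/24 interface=ether1 comment="i.i.i.i on etherW"
add address=203.0.113.10/32 interface=br-aux comment="e.e.e.e/32, no member ports"

# 2. "Inverse" dst-nat: IKE (UDP 500/4500) and ESP arriving from the external router
#    are addressed to i.i.i.i; restore e.e.e.e so the IPsec stack sees the public IP.
#    Place these before any other dstnat rules so nothing else claims the packets first.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=192.168.1.2 protocol=udp \
    dst-port=500,4500 action=dst-nat to-addresses=203.0.113.10 \
    comment="IKE: i.i.i.i -> e.e.e.e"
add chain=dstnat in-interface=ether1 dst-address=192.168.1.2 protocol=ipsec-esp \
    action=dst-nat to-addresses=203.0.113.10 \
    comment="ESP: i.i.i.i -> e.e.e.e (only works if the external router forwards ESP)"

# 3. src-nat for locally originated packets (Mikrotik as initiator, or replies to
#    initiators that are not behind NAT): e.e.e.e would be rejected by the external
#    router, so rewrite it to i.i.i.i on the way out through etherW.
add chain=srcnat out-interface=ether1 src-address=203.0.113.10 \
    action=src-nat to-addresses=192.168.1.2 comment="e.e.e.e -> i.i.i.i outbound"

# 4. Default route with pref-src=e.e.e.e so locally generated traffic prefers it.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src=203.0.113.10

# 5. IPsec peer bound to e.e.e.e via local-address.
/ip ipsec profile
add name=prof-aux enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec peer
add name=peer-aux address=198.51.100.20/32 local-address=203.0.113.10 \
    exchange-mode=ike2 profile=prof-aux
/ip ipsec identity
add peer=peer-aux auth-method=pre-shared-key secret="replace-with-a-long-random-psk"

# Checks a practitioner would run afterwards:
#   /ip route print detail where dst-address=0.0.0.0/0      -> pref-src must show 203.0.113.10
#   /ip firewall nat print stats                           -> dstnat counters rise during IKE
#   /ip ipsec active-peers print                           -> local-address 203.0.113.10, state established
#   /ip ipsec installed-sa print                           -> SAs between 203.0.113.10 and 198.51.100.20
```

One caveat worth knowing before relying on the DMZ-less variant: once both ends see 203.0.113.10 in the IKE exchange, the NAT-detection payloads no longer indicate a NAT in front of the Mikrotik, so the peers may negotiate plain ESP instead of UDP-encapsulated ESP (NAT-T). That is exactly why the external router must forward ESP as well, not only UDP 500 and 4500, and why the second dstnat rule above matches protocol=ipsec-esp.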