VPN to connect home network to cottage

hahnhell · Sun Oct 10, 2021 5:54 pm

Good morning everyone,

I'm looking at getting some help in the design and setup of extending my home network to my cottage so that I have access to all my services from both locations. I will post my current setup when I get back home but I wanted to first know what device I should get for the cottage location.

I currently have a RB4011iGS+5HacQ2HnD-IN with wifi (my kids call it the little alien). I also have a Cap AC (2.4&5GHz) to extend my WiFi around the house. I will probably need some Cap AC for the cottage as well, but that can be done once I have the initial connection.

At the cottage, I have had my Starlink working flawlessly and using only that. But now I would like to be able to start working from the cottage, have access to my home network (NAS, home server, Plex server, home automation server extension) to make it feel like I'm still at home. I continue to want WiFi in the cottage, be able to use my streaming services, add the cottage printer to the network.

So my first question is: What would be the recommended device to enable this connectivity? Should I just buy another 4011? Or is there something else that would work better?

Once I know the device, I'm hoping that is half the battle. My home network has a couple vlans, for the home automation stuff, the server stuff, and an admin one.

Thank you in advance for all the help. I'll post my config either later today or tonight.

Cheers,

ConnyMercier · Sun Oct 10, 2021 6:09 pm

Question 1:
What kind of Speed's are available via Starlink in your location ?
Something like ~ 70 Mbps (Download) and ~ 20 Mbps (Upload) ?

Question 2:
What kind of Speed's are available at Home ?

Question 3:
Do you have a Public IP at Home?

hahnhell · Sun Oct 10, 2021 11:05 pm

I am getting on averate 125 Mbps download and 20 Mbps upload
I have 500/500 FTTH service
If you mean do I have a static IP the answer would be no, but I do have my RB4011 which has DDNS enabled so I have at least that DNS that is reachable from anywhere.

I've attached my current home network config. @anav was nice enough to help me get this working. I'm sure there are still some things in there that should be cleaned out from me testing and tinkering here and there. TBH, I don't even know if my minecraft port forward works. haha. I haven't used it outside my network in a long time.

Thanks for the help!

ConnyMercier · Mon Oct 11, 2021 1:50 am

1. Router-Config
Just in case your "Virgin Mobile" ist still active,
You may want to remove some User-Information
under -> service-name="Virgin Mobile PPPoE" user=...........

2. Hardware for Cottage
If money isn't a issue, another RB4011 isn't a bad choice
It as a lot of features , like WLAN, 10 Ether-Ports, etc...
Performace of the Router can provide good IPsec-Tunnel with your ISP-Speeds.

If money or space is an issue, a cAP ac can be used.
It still as WLAN for the Cottage and 2 Ether-Port (1x for Starlink and 1x for PC or printer)
IPsec throughput isn't bad, but will be the limiting factor (bottleneck) of the system.

ConnyMercier · Mon Oct 11, 2021 2:21 am

Small addition to my last Post...
I assumed a "small" Cottage, but if you are already planning on multiple AP's
then I need to think bigger

Alternatively to the RB4011...
You could use the very powerfull RB5009UG+S+IN
in conjunction with one or more AP's like the cAP ac.

hahnhell · Mon Oct 11, 2021 5:22 am

Yep, missed that Virgin part. It's an old cancelled service, not a huge issue.

I was figuring it would be best to just get another 4011. It will help with the expansion in the cottage (not so small, probably more like a retirement home). I do think that the 5009 is a bit overkill for what I need. Had to look it up, what a nice piece of kit!

What would the next steps be in getting this setup?

hahnhell · Mon Oct 11, 2021 4:48 pm

Ordered the RB4011 (wifi version). I'll pick it up tomorrow and be able to install it on the weekend.

Then I can work on learning how to extend my current network out to the cottage.

I figure there will be 2 types of devices at the 'cottage:' Home_Devices and IoT. So I will need to figure out how to extend both VLAN15 and VLAN50 out to the cottage.

Thanks for the help so far! I really appreciate it.

ConnyMercier · Wed Oct 13, 2021 2:11 am

A little "Food for Thought" until your new RB4011 arrives,

RouterOS supports many VPN and Tunneling Solutions.
But which one is the right one ? :D

The Main Question right now is,
Do you want or need Layer2 connectivity between your Main-Network and the Cottage?

anav · Wed Oct 13, 2021 2:26 am

Wireguard is the right solution, WHEN its out of beta, so you really mean in the interim ??

rextended · Wed Oct 13, 2021 2:40 am

ConnyMercier · Wed Oct 13, 2021 2:41 am

Yes, of course !!!!!
I hope we will get a Stable Ver.7 as a early Christmas present from Mikrotik

rextended · Wed Oct 13, 2021 2:41 am

@hahnhell
The export is really Sympatic oh...
you forgot to Hide Something while Export...

hahnhell · Wed Oct 13, 2021 3:01 am

@hahnhell
The export is really Sympatic oh...
you forgot to Hide Something while Export...

Yep, we mentioned that above. I went ahead and removed the PPPoE info from my defunct Virgin Mobile services. They've been deactivated for some time now. I went back to B[H]ell Fibe, got a plan for less money and upped my speed by 5x (and now it's symmetric).

Wireguard huh? That looks neat. I'll have to think about what I want to do exactly with the VPN. I honestly think right now it's just going to be an extension of my VLAN50 and VLAN15. I want to be able to access my Plex server as a local device on my googletv, will probably add a network printer at the cottage. That is probably it for now, until I start doing some work-from-home at the cottage, then my needs will change somewhat.

Good to see you @anav!

rextended · Wed Oct 13, 2021 3:13 am

Sympatico HSE is Virgin?

hahnhell · Wed Oct 13, 2021 3:21 am

Not sure where you're finding anything about Sympatico in that file

I haven't used/heard of that service since the 90's when I was living at my parents. I would have removed any public facing IPs if there were any in there... the only other item I see with a 76 in there is one of the MAC for the wireless interface.
Are we looking at the same file?

rextended · Wed Oct 13, 2021 3:24 am

[removed for not provide hint...]

hahnhell · Wed Oct 13, 2021 3:35 am

Ah you're right! Man there is a lot of simple things I keep forgetting about with this. Not that anything is accessible through that outside facing address.

Thanks for the insight. I'll do the changes above.

hahnhell · Wed Oct 13, 2021 3:37 am

And sympatico is Bell.. and Virgin is a sub of Bell, so yeah it probably was similar before when I was with Virgin.

Thanks for the lesson! I don't look for these things anymore. Maybe I should take some refresher courses.

ConnyMercier · Wed Oct 13, 2021 3:40 am

Thanks for the lesson!

No Problem, as a Thank you just send us a nice bowl of Poutine !

anav · Wed Oct 13, 2021 3:41 am

hahaha I hope rextended didnt also take your virginity at the same time..................

rextended · Wed Oct 13, 2021 3:43 am

ma.....

rextended · Wed Oct 13, 2021 3:44 am

@hahnhell
The export is really Sympatic oh...
you forgot to Hide Something while Export...

Now you understand the first "hint" ???

hahnhell · Wed Oct 13, 2021 4:04 am

Yep, I understand it fully now. It made a bit of sense because I remember Bell used to sell there services as Sympatico. but yeah, I forgot that SN+the rest gave you the routers facing page.

Is there a way to actually disable that, but continue to have the connectivity to services by using the mikrotik dns?

ConnyMercier · Wed Oct 13, 2021 4:30 am

Sadly no....

hahnhell · Wed Oct 13, 2021 8:27 pm

Alright, RB4011 in hand. Is there a way that I can configure the new one while being here at home and then just do minor tweaks when I arrive at the cottage this weekend?

Thanks!

ConnyMercier · Wed Oct 13, 2021 8:49 pm

Just use your Cellphone as a HotSpot!

Configure your Mikrotik-Device with the help of the "Interface-List" Funktion.
And simply use the 2.4Ghz wifi (wlan1) as the "WAN" until you are at the cottage

For Exemple:

/interface list
add name=WAN
/interface list member
add interface=wlan1 list=WAN
add interface=ether1 list=WAN

hahnhell · Thu Oct 14, 2021 11:50 pm

Man I wish I would have more time to do things like this.

I have internet connectivity on my laptop that is connected to the cottage rb4011. It is getting that internet via wifi hotspot on wlan2 (2.4GHz).

I've gone ahead and created my wifi interfaces the way I want them at my cottage.

Now I need to know how to get my cottage IP range to have:

VLAN15 (from home network) on cottage ethernet and wifi.
If that isn't clear because I'm not super detailed sometimes, I would like to plug a PC into the cottage rb4011 (2-10) and over JBHLMH_Cottage_WiFi_(2or5)GHz and have an IP from the VLAN15 range (Home).
VLAN50 (from home network) on cottage wifi
Same thing, if I connect a device to IoT_WiFi it will get an IP from the VLAN50 range (Home).
Starlink_WAN ethernet port will be where my internet is coming from the actual StarLink.

So what do I need to do on my Home device to enable a L2PT VPN (using the built in DNS I'm hoping??) and also what needs to be done on the Cottage device to connect? I've provided the config of the Cottage RB4011 here. Firewall, etc is using default config as the device arrived.

hahnhell · Sat Oct 16, 2021 6:37 pm

I really can't complain about Starlink. It has made working from the cottage a real thing! And now I can even have the whole family kicking around and able to do stuff on a rainy/snowy day.

All the more reason to get some better connectivity with the house now.

ConnyMercier · Tue Oct 19, 2021 7:17 pm

200/200 Mbit/s isn't bad at all !!
I will go now and cry about my miserable 50/10 Mbit/s :(

Where you able to setup a VPN-Connection ?
or do you still need help ?

hahnhell · Tue Oct 19, 2021 9:00 pm

I honestly haven't looked. I watched a couple YT videos on how to enable the L2TP VPN, but I am not sure about the IPs required. Will I need to create a second IP range within both VLAN50 and VLAN15 that will be the ones the cottage will use? That seems to me the most logical thing... But I'm not great with networking.

anav · Tue Oct 19, 2021 10:05 pm

Ahh brother, I am with you and would be at the same exact spot.
What I can tell you is that wireguard is as easy as vanilla bean icecream melting off hot apple pie!!!
Three choices.
a. config routers to vers 7.1beta RC4 adn take your chances............. should be fine in my view for most easy configs
b. wait
c. go out and buy two hex routers one for either end to colocate with the existing Main Routers and use these as routers but just for wireguard .

ConnyMercier · Tue Oct 19, 2021 10:08 pm

ahhhh ahhhhh !!!

C

hahnhell · Tue Oct 19, 2021 11:31 pm

C'mon folks, that's not fair! I just went and spent money on a nice new RB4011 which I find to be a super slick and powerful device.

What you're telling me is that VPN over VLAN is complicated and I ought to wait until wireguard is out?

ConnyMercier · Tue Oct 19, 2021 11:34 pm

lol =)

I have some time tomorrow
I will do some Test in the LAB for L2TP/IPsec

and post a Step-by-Step Guide

anav · Wed Oct 20, 2021 12:18 am

Yes, dont you want to save yourself hours of frustration!!
You can always load up ver7.1b RC4 on both routers and go for it LOL

Read through this thread to see if there are any gotchas for a basic setup..........
viewtopic.php?t=178704

Yeah I had a read through I would wait until rc5 comes out too many notes of RB4011s crashing.

hahnhell · Wed Oct 20, 2021 2:20 am

Thanks for the quick review @anav. Wireguard looks promising! I'm sure I'll eventually be able to migrate to that. For now, 2 VLANS need to get shoved through a VPN to my cottage somehow.

Will it take more than 1 VPN? perhaps 1 VPN per VLAN? I'm just trying to conceptualise this.

anav · Wed Oct 20, 2021 2:28 am

I would hope that only one IPSEC tunnel is needed.

felixka · Wed Oct 20, 2021 5:30 am

For now, 2 VLANS need to get shoved through a VPN to my cottage somehow.

Will it take more than 1 VPN? perhaps 1 VPN per VLAN? I'm just trying to conceptualise this.

VLANs are Layer2, IPsec is Layer 3. You can route all your home traffic through one tunnel and then separate it into VLANs again in the cottage's router.
If you need to extend the Layer2 aspect of your VLANs then you'd need something like EoIP. But beware the MTU issues with Layer2 encapsulation.

ConnyMercier · Thu Oct 21, 2021 9:40 pm

@hahnhell, can you post please POST you latest Config-Files for both Home and Cottage routers?

In return i will post a IPSEC/EOIP Config

ConnyMercier · Fri Oct 22, 2021 12:19 am

IPSec-Configuration Server (Home-Router)
Based on your Config (10.10.2021)

Step 0: Backup
Just in case something goes wrong =)

----------------------------------------------------------------------------
Step 1: Generate and Sign CA-Certificate

/certificate
add common-name=IPSEC-CA name=IPSEC-CA days-valid=3650

/certificate
sign IPSEC-CA

----------------------------------------------------------------------------
Step 2: Generate and Sign IPSec-Server

--- Warning ----
Replace both xxxxxxxxxx.sn.mynetname.net with own DNS-Name

/certificate
add common-name=xxxxxxxxxx.sn.mynetname.net subject-alt-name=DNS:xxxxxxxxxx.sn.mynetname.net days-valid=3650 key-usage=tls-server name=IPSec-Server

/certificate
sign IPSec-Server ca=IPSEC-CA

----------------------------------------------------------------------------
Step 3: Generate and Sign IPSec-Client

/certificate
add common-name=IPSec-Client1 name=IPSec-Client1 days-valid=3650 key-usage=tls-client


/certificate
sign IPSec-Client1 ca=IPSEC-CA

----------------------------------------------------------------------------
Step 4: Export CA-Certificate

/certificate
export-certificate IPSEC-CA type=pem file-name=IPSEC-CA

----------------------------------------------------------------------------
Step 5: Export

--- Warning ----
Replace xxxxxxxxxx with own Passphrase

/certificate
export-certificate IPSec-Client1 export-passphrase=xxxxxxxxxx type=pkcs12 file-name=IPSec-Client1

----------------------------------------------------------------------------
Step 6: Download
Select both Files in Winbox, and download to your computer.

IPSEC-CA.crt
IPSec-Client1.p12

----------------------------------------------------------------------------
Step 7: Create IPSec-Server

/ip ipsec mode-config
add address=192.168.77.100 address-prefix-length=32 name=IPSec-ModeConfig system-dns=no

/ip ipsec policy group
add name=IPSec-Policies

/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128 name=IPSec-Profile

/ip ipsec peer
add exchange-mode=ike2 name=IPSec-Peer1 passive=yes profile=IPSec-Profile

/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 name=IPSec-Proposal pfs-group=none

/ip ipsec identity
add auth-method=digital-signature certificate=IPSec-Server generate-policy=port-strict mode-config=IPSec-ModeConfig peer=IPSec-Peer1 policy-template-group=IPSec-Policies remote-certificate=IPSec-Client1

/ip ipsec policy
add disabled=no dst-address=192.168.77.0/24 group=IPSec-Policies proposal=IPSec-Proposal src-address=0.0.0.0/0 template=yes

----------------------------------------------------------------------------
Step 8: Create IP-Counterpart

--- Warning ----
This Step may be .. let say "Suboptimal"

/interface bridge
add name=IPSec-Counterpart

/ip address
add address=192.168.77.200 interface=IPSec-Counterpart network=192.168.77.200

----------------------------------------------------------------------------
Step 9: Input-Firewall

--- Warning ----
Very Basic Firewall, you may need to add or modify depending on your needs.

/ip firewall filter
add action=accept chain=input comment="Accept: IPSec UDP  (Internet -> Router)" connection-state=established,related,new dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage --> Router)" dst-address=192.168.77.200 in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.77.100

----------------------------------------------------------------------------
Step 10: Create EOIP-Tunnels

/interface eoip
add comment="EOIP iD111 Home-Network" local-address=192.168.77.200 name=eoip-tunnel1 remote-address=192.168.77.100 tunnel-id=111
add comment="EOIP iD222 IOT-Network" local-address=192.168.77.200 name=eoip-tunnel2 remote-address=192.168.77.100 tunnel-id=222

----------------------------------------------------------------------------
Step 11: Assign Bridge to EOIP-Tunnels

/interface bridge port
add bridge=Home_Bridge interface=eoip-tunnel1 pvid=15
add bridge=Home_Bridge interface=eoip-tunnel2 pvid=50

----------------------------------------------------------------------------
Step 12: Configure VLAN-Filtering on EOIP-Tunnels

/interface bridge vlan
add bridge=Home_Bridge tagged=Home_Bridge,10-cAP_AC untagged="Home_WiFi_2GHz,3-Server,7-Synology,4-Work_PC,8-Printer,Home_WiFi_5GHz,5-Upstairs,eoip-tunnel1" vlan-ids=15
add bridge=Home_Bridge tagged=Home_Bridge,10-cAP_AC untagged="IoT_WiFi,eoip-tunnel2" vlan-ids=50

ConnyMercier · Fri Oct 22, 2021 12:28 am

IPSec-Configuration Client (Cottage-Router)
Based on your Config (10.10.2021)

Step 0: Backup
Just in case something goes wrong =)

----------------------------------------------------------------------------
Step 1: Upload
Upload both Files in Winbox

IPSEC-CA.crt
IPSec-Client1.p12

----------------------------------------------------------------------------
Step 2: Import Certificates

--- Warning ----
Replace xxxxxxxxxx with own Passphrase
IPSEC-CA.crt doesn't have a passphrase, leave empty

/certificate import file-name=IPSEC-CA.crt passphrase=""

/certificate import file-name=IPSec-Client1.p12  passphrase=xxxxxxxxxx

----------------------------------------------------------------------------
Step 3: Create IPSec-Client

--- Warning ----
Replace xxxxxxxxxx.sn.mynetname.net with own DNS-Name

/ip ipsec mode-config
add connection-mark=IPSec name=IPSec-ModeConfig responder=no use-responder-dns=no
/ip ipsec policy group
add name=IPSec-Group
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128 name=IPSec-Profile
/ip ipsec peer
add address=xxxxxxxxxx.sn.mynetname.net exchange-mode=ike2 name=IPSec-Peer1 profile=IPSec-Profile
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 name=IPSec-Proposal pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=IPSec-Client1 generate-policy=port-strict mode-config=IPSec-ModeConfig peer=IPSec-Peer1 policy-template-group=IPSec-Group
/ip ipsec policy
add disabled=no dst-address=0.0.0.0/0 group=IPSec-Group proposal=IPSec-Proposal src-address=0.0.0.0/0 template=yes
add group=IPSec-Group proposal=IPSec-Proposal template=yes

----------------------------------------------------------------------------
Step 4: Create Mangle Rule

--- Warning ----
This Step may be .. let say "Suboptimal"

/ip firewall mangle
add action=mark-connection chain=output dst-address=192.168.77.0/24 new-connection-mark=IPSec passthrough=yes

----------------------------------------------------------------------------
Step 5: Input-Firewall

--- Warning ----
Very Basic Firewall, you may need to add or modify depending on your needs

/ip firewall filter
add action=accept chain=input comment="Accept: IPSec-Traffic (Home --> Router)" dst-address=192.168.77.200 in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.77.100

----------------------------------------------------------------------------
Step 6: Create EOIP-Tunnels

/interface eoip
add comment="EOIP iD111 Home-Network" local-address=192.168.77.100 name=eoip-tunnel1 remote-address=192.168.77.200 tunnel-id=111
add comment="EOIP iD222 IOT-Network" local-address=192.168.77.100 name=eoip-tunnel2 remote-address=192.168.77.200 tunnel-id=222

----------------------------------------------------------------------------
Step 7: Assign Bridge to EOIP-Tunnels

--- Warning ----
In your config, VLAN-Filtering isn't active...
To avoid any L2-Loop you will need to edit your config.
Option A: Activate VLAN-Filtering
Option B: Have two seperate Bridges

/interface bridge port
add bridge=bridge2 interface=eoip-tunnel1
add bridge=bridge3 interface=eoip-tunnel2

hahnhell · Sat Oct 23, 2021 2:28 pm

Ok, so I've managed to input all of this on both devices.

I'm not sure what I'm supposed to see :/ I don't feel like it is working as we haven't reached any sort of difference in the IP range of the cottage devices. I tried enabling VLAN filtering on the Cottage however it just kicks me out right away and I can't get anything to work.

Question about the firewall rules: Where exactly should those be? see the attached and let me know if I've slid them into the right hierarchy.

When I'm connecting, I'm just getting a default 88 IP address. How do I enable the connection to home from the cottage?

ConnyMercier · Sat Oct 23, 2021 3:12 pm

To quickly understand if the IPsec-Tunnel and EoIP works,
simply create a DHCP-Client on bridge1 and bridge2

/ip dhcp-client
add disabled=no interface=bridge1
add disabled=no interface=bridge2

You can check if the Bridge receives an IP-Address from the Home-Router.

/ip dhcp-client print

hahnhell · Sat Oct 23, 2021 3:23 pm

Nadda, just says searching. :/ I'm not good enough at this to even know where to start. you used ipsec vice l2pt, which I don't know anything about both other than I understood the part about the shared key so I don't have to put in a password every time they go to connect...

hahnhell · Sat Oct 23, 2021 3:29 pm

When you wrote

Replace xxxxxxxxxx.sn.mynetname.net with own DNS-Name

I'm assuming you meant my HOME device.

ConnyMercier · Sat Oct 23, 2021 3:33 pm

When you wrote
Replace xxxxxxxxxx.sn.mynetname.net with own DNS-Name
I'm assuming you meant my HOME device.

Yes , use your home-Router xxxxxxxxxx.sn.mynetname.net
For both Home-config (Step 2) and Cottage-Config (Step3)

ConnyMercier · Sat Oct 23, 2021 3:46 pm

Found a mistake on your Home-Router

The Firewall-Rules for IPSec
-> add action=accept chain=input comment="Accept: IPSec UDP (Internet -> Router)" ......
-> add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage -> Router)" .....

Need to be BEFORE
-> add action=drop chain=input comment="Drop All Else"

**You can use Winbox to "Drag&Drop"

anav · Sat Oct 23, 2021 3:55 pm

Found a mistake on your Home-Router

The Firewall-Rules for IPSec
-> add action=accept chain=input comment="Accept: IPSec UDP (Internet -> Router)" ......
-> add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage -> Router)" .....

Need to be BEFORE
-> add action=drop chain=input comment="Drop All Else"

**You can use Winbox to "Drag&Drop"

Thats not a mistake in the config, thats lack of understanding of the fact that order in rules is critical.
In that the router starts at the first rule of the input chain and attempts to match packets to rules which then are actioned and dont see any more of the rules.
In this case all the ipsec packets hit the rule, drop everything else and then are dropped so the next rules are never seen.

Better to learn about the config instead of copying blindly

ConnyMercier · Sat Oct 23, 2021 3:59 pm

Found the same Firewall "Mistake" on the Cottage-Router

-> add action=accept chain=input comment="Accept: IPSec-Traffic (Home -> Router)" ......

Needs to be before
-> add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

ConnyMercier · Sat Oct 23, 2021 4:02 pm

After correcting the small mistakes
Restart the Cottage-Router and recheck DHCP-Client

/ip dhcp-client print

hahnhell · Sat Oct 23, 2021 4:24 pm

Good morning Anav!

Thanks ConnyMercier.

I've moved the rules up in both devices. restarted - No joy.

What exactly are the 2 ipsec policies added but not enabled? Neither are doing anything, and the cottage one has 0.0.0.0 for dest and src.

I'm just trying to find things that we added that may be out of place..

ConnyMercier · Sat Oct 23, 2021 4:27 pm

My mistake, please enable them !
I will correct the Step-by-Step Guide

hahnhell · Sat Oct 23, 2021 4:42 pm

I still seem to have nothing.

How exactly does this IPSec-Counterpart Bridge come into play?

hahnhell · Sat Oct 23, 2021 5:02 pm

by the way, not sure where in the line of all of this it happened, but it has killed my ability to ssh correctly. I was having trouble getting git to work along with VSCode with remote-SSH. Just reverted to see and it is working again. Seems to be something with my remote-host service though because it didn't do it for everything, just that particular host.

ConnyMercier · Sat Oct 23, 2021 5:32 pm

I am very sorry @hahnhell, but i found a small error in my Step-by-Step Guide...
I already corrected it in the Step-by-Step Guide...

You will have to execute following on your Home-Router :

/certificate remove IPSec-Server

And then redo the now corrected Step 2: Generate and Sign IPSec-Server

AND Forgot the pvid for the Bridge-Ports on the Home-Router

/interface bridge port
add bridge=Home_Bridge interface=eoip-tunnel1 pvid=15
add bridge=Home_Bridge interface=eoip-tunnel2 pvid=50

anav · Sat Oct 23, 2021 6:25 pm

Ahh, I cant wait for wireguard to go mainstream, watching this torture is no fun....

hahnhell · Sat Oct 23, 2021 8:24 pm

I went through the steps again, this is what I'm at now.

Still no luck.

Is there anything on the Cottage side we have to do with UDP? Just wondering since we didn't do anything on that part compared to 'home'.

anav · Sat Oct 23, 2021 8:39 pm

In the meantime, try downloading winbox remote for your main router and also for the cottage router.
You will need to use two different email addresses as you only get one free tunnel per location.
The free version costs nothing............

You can have a tunnel up and running in 5- 10 minutes.
Just tell me if you want to try and I can give you assistance.........

OR maybe you already have connection as you are configuring your cottage router remotely??

ConnyMercier · Sat Oct 23, 2021 8:44 pm

Still an Error in the Firewall (Home-Config)
Both Firewall-Rules are still at the bottom and need go go up !

hahnhell · Sat Oct 23, 2021 8:46 pm

The rules are up above in winbox. I don't know what else I'm supposed to do. I dragged them up there!

hahnhell · Sat Oct 23, 2021 8:48 pm

@anav,

I just have both devices sitting here on my workbench. cottage is connected to my cellphone(using moblie only, not wifi) the other is the main house router/device. I'm using a laptop to configure the cottage one (through port 2).

ConnyMercier · Sat Oct 23, 2021 8:51 pm

I rechecked your last Export (Home-Config)

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="VLAN Allow Admin to Router" in-interface=AdminPC_VLAN101 src-address=192.168.101.101
add action=accept chain=input comment="TCP for cAP AC" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="UDP for cAP AC" dst-port=53 in-interface-list=LAN protocol=udp
---------------------------------------------------------------------------------
Firewall Rules should be here
---------------------------------------------------------------------------------
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Admin Access" in-interface=AdminPC_VLAN101 out-interface-list=Admin src-address=192.168.101.101
add action=accept chain=forward comment="VLAN Internet Access" in-interface-list=Internet out-interface-list=WAN
add action=accept chain=forward comment="Server Access" in-interface=Home_Devices_VLAN15 out-interface=IoT_VLAN50 src-address=192.168.15.10
add action=accept chain=forward comment="VLAN IoT Access" dst-address=192.168.15.10 in-interface=IoT_VLAN50
add action=accept chain=forward comment="defconf: Allow Port Forward" connection-nat-state=dstnat connection-state=new in-interface-list=WAN

---------------------------------------------------------------------------------
Firewall Rules are here (Wrong place)

add action=accept chain=input comment="Accept: IPSec UDP (Internet->Router)" connection-state=established,related,new dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage->Router)" dst-address=192.168.77.200 in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.77.100
---------------------------------------------------------------------------------
add action=drop chain=forward comment="drop all else"

hahnhell · Sat Oct 23, 2021 9:03 pm

I'll have to see what's bugging out with my ssh when I do that firewall. :/

Will investigate later. I thank you both for your amazing help today! Super fast responses. I have the rest of the day with the family. I'll crack on with this a bit later.

THANKS!

hahnhell · Fri Oct 29, 2021 11:26 pm

Alright, I have refreshed everything and started from scratch. Followed the rules, moved the firewall rules on the 'home' device, and I don't seem to have got anywhere.

The thing that does happen is that when I enable the firewall rules on my home device, it kills my ability to SSH/SFTP to certain hosts. I'm don't understand why.

Please tell me I have my filters in the right place, but I still don't get a connection.

ConnyMercier · Sat Oct 30, 2021 12:17 pm

Config-Review of your Home-Network (29Oct21Home.rsc)

Error 1: Firewall Rules for IPSEC are disabled (see attachment)
Enable them to allow IPSEC-Communication between "Cottage" and "Home"

Error 2: Firewall "DROP" rules (SSH)
You have two Firewall Rules, that Drops all non previously specified Traffic.

The Rule (add action=drop chain=input comment="Drop All Else") will DROP SSH to the Router
if the Client-Computer isn't in the AdminPC_VLAN101 AND doens't have the IP 192.168.101.101

The Rule (add action=drop chain=forward comment="drop all else") will drop SSH to ANY device,
If the Client-Computer isn't in the same Network.

-----------------------------------------------------------------------------------------------
This is how i tested you Configuration, to make sure everything works.
Just in case someone is interrested.

1. Reset my RB4011 (no-defaults)

2. Imported your Config-File in my RB4011
Some exeptions to import
- Didn't import PPOE-Interfaces
- Didn't import Wireless
- Didn't import any IPSec-Config (/IP IPSEC)

3. Added DHCP-Client to ether1
4. Enabled SNTP-Client and added NTP-Servers
5. Added 2 Firewall-Rules to allow Winbox form interface-list "WAN"

6. Followed IPsec-Instructions
Post #40 (Steps 1 thru 7)
Link -> viewtopic.php?t=179311#p886910

7. Configured a temporary IPSec-Client
using a hAP ac² -> Internet via my Phones Hotspot

8. Tested ... IPsec didn't work

9. Enable the disabled Firewall-Rules

10. Tested.... IPsec works

hahnhell · Sat Oct 30, 2021 2:04 pm

So the SSH on 101 only is by design. It works fine up until I enable those IPSec rules. Once the IPSec Rules are enabled, SSH goes out nor do I get IPSec-Traffic to my Cottage RB4011.

that was why those rules are disabled. They were when I tested the connection. If it's not visible on the Cottage RB4011, I'm using my cell as a hotspot (wifi disabled) and I do get internet on the Cottage, but no other connectivity to Home.

ConnyMercier · Sat Oct 30, 2021 2:11 pm

What does the LOG on the HOME-Router say ?
Can you please make a Screenshot ?

hahnhell · Sat Oct 30, 2021 2:24 pm

I've named the files... One is Home the other is Cottage. I did a reboot on each and took as much of the last bits as I could.

Nothing seems to be happening on cottage. I know there are a lot less devices connecting etc. but nothing wrt IPSec is going on?

ConnyMercier · Sat Oct 30, 2021 2:35 pm

Log #82 and Log #83 is a good sign!
Can you see if something came after that ?

I would expect the eoip-interfaces to come online,
Like this :

30-10-_2021_13-33-16.jpg

hahnhell · Sat Oct 30, 2021 2:36 pm

Ok, one thing I am noticing is I cannot reach b*****.sn.mynetname.net from the laptop on Cottage. I get Connection timed out.

I can get to it locally...

hahnhell · Sat Oct 30, 2021 2:39 pm

So, i just got this...

ConnyMercier · Sat Oct 30, 2021 2:43 pm

Now check on the Cottage-Router under
Winbox: IP-->> Addresses
If bridge2 and bridge3 got an IP-Address !

or Terminal:

/ip address print

hahnhell · Sat Oct 30, 2021 2:48 pm

And the thing with SSH, it authenticates, but then just times out...

hahnhell · Sat Oct 30, 2021 2:54 pm

Lots of pretty pictures in this thread now! lol.

Thanks for being patient with me.

It looks like the IP range 77 is there... I didn't configure Static IP on my laptop. I suppose this is something I need to do right, since it is still on the 88 range?

ConnyMercier · Sat Oct 30, 2021 3:17 pm

Problem 1: SSH on Home-Router
Can you please add this Firewall Rule and reboot the Home-Router.
and then try again to connect via SSH

/ip firewall filter
add action=accept chain=input comment="Accept: SSH (!WAN --> Router)" dst-port=22 in-interface-list=!WAN protocol=tcp place-before=5

Problem 2: Network Cottage

Quick-Test / Temporary fix:
If, for exemple, you assign ether8 to "bridge1" insteed of "bridge"
and you connect your PC to ether8 you should receive an IP form the Home-Network

To solve this problem permanently, you will have to finish the Configuration on the Cottage-Router

hahnhell · Sat Oct 30, 2021 3:33 pm

The SSH issue persists, but it seems it is with a particular host. I'll have to contact them and see. I can ssh just fine into other hosts. We'll leave that one there.

Ref the Cottage IP range. Do I need to create a pool of IP anywhere? As soon as I assign bridge1 to a port and then connect to it, I have no IP/connectivity from laptop to cottage device.

ConnyMercier · Sat Oct 30, 2021 3:58 pm

Cottage-Network
To do the Quick-Test :

/interface bridge port set [find where interface=ether8] bridge=bridge1

hahnhell · Sat Oct 30, 2021 4:24 pm

Cottage-Network
To do the Quick-Test :
Code: Select all
/interface bridge port set [find where interface=ether8] bridge=bridge1

Yes, and as soon as I connect the laptop to ether8, I cannot connect to the cottageRB4011 nor get a valid IP (unidentified network).

ConnyMercier · Sat Oct 30, 2021 4:44 pm

There's your Problem !

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Solution A:
Change Firewall-Rule to

/ip firewall filter
add action=drop chain=input comment="Drop: Everything else (WAN --> Router)" in-interface-list=WAN

Solution B:
Assign Interfaces to interface-list "LAN"

hahnhell · Sat Oct 30, 2021 4:57 pm

Sorry, that's just a bit confusing.

Do you want me to remove the drop all not coming from LAN and replace it with Drop: Everything Else(same spot)? Or do you mean something else.

When I assigned the interface lists now I can connect to the Cottage from ether8, however no IP address yet, and no internet connectivity.

ConnyMercier · Sat Oct 30, 2021 5:01 pm

Do you want me to remove the drop all not coming from LAN and replace it with Drop: Everything Else(same spot)?

Yes please !

anav · Sat Oct 30, 2021 5:09 pm

HOME ROUTER

1. Add to interface list (add interface="1 - WAN" list=WAN) ?? is that the name.............??
add interface=OLD_VIRGIN_PPPOE list-WAN seems more accurate!

2. Remove this
add comment=defconf interface=Home_Bridge list=LAN
change the vlan list membership from internet to LAN.
and change forward filter rule for internet to in-interface-list=LAN

(in your case there is no difference between LAN users and VLAN users), no need to create internet here for rules etc........

3. ON this ruleset just want to confirm that you need traffic both ways. By that I mean allowing either side to Initiate traffic. For example if vlan15 is allowed access to the IOT vlan to get information, this rule will permit return traffic from IOT devices as repsponese are permitted. YOu do not need to allow iot access to vlan15 for those responses.
Typically one doenst let IOT traffic initiate connections to other vlans unless one has a valid reason.

add action=accept chain=forward comment="Server Access" in-interface=\
Home_Devices_VLAN15 out-interface=IoT_VLAN50 src-address=192.168.15.10
add action=accept chain=forward comment="VLAN IoT Access" dst-address=\
192.168.15.10 in-interface=IoT_VLAN50

3. these ipsec rules need to be places like after drop invalid traffic in the input chain and not at the bottom of the forward chain!!
add action=accept chain=input comment="Accept: IPSec UDP (Internet->Router)" \
connection-state=established,related,new dst-port=500,4500 \
in-interface-list=WAN protocol=udp
add action=accept chain=input comment=\
"Accept: IPSec-Traffic (Cottage->Router)" dst-address=192.168.77.200 \
in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.77.100

4. Why do you have upnp enabled??
Since this is a router service one would need to allow access for a user/device to the router for upnp as well by the way!!

anav · Sat Oct 30, 2021 5:18 pm

Hmm that might have been an old config.........
Okay try 29 October then. above comments still mostly apply!!!

1. add bridge=Home_Bridge interface=eoip-tunnel1 pvid=15
add bridge=Home_Bridge interface=eoip-tunnel2 pvid=50

I am not aware that one can put EOIP tunnels on a bridge???? Then again I dont know much about EOIP.

2. ipsec rules are disabled

3. Do recommend NOT enabling upnp

anav · Sat Oct 30, 2021 5:18 pm

COTTAGE 29 Oct

1. EOIP shit is weird but how can you have two separate eoip tunnels with the same address? 192.168.77.100

2. More EOIP , dont understand the use of dhcp clients for EOIP tunnels.

Oh well obviously dont have the knowledge to make constructive inputs...........

hahnhell · Sat Oct 30, 2021 5:36 pm

Hi @anav. Happy Halloween!

So I've done the filter rule change a @ConnyMercier asked. I still have no IP assignment when I connect to ether8. How does DHCP from Home get to Cottage through the tunnel? Is that a thing?

anav · Sat Oct 30, 2021 5:46 pm

Above my head.
It doesnt look right to me at all............

hahnhell · Sat Oct 30, 2021 5:47 pm

@anav, you always find these holes in my system.. Thank you! however I don't know how to disable UPnP on Home.

On Cottage it has the 'show dummy rule' checked and not on home..

Below is Home screenshot.

hahnhell · Sat Oct 30, 2021 5:52 pm

Above my head.
It doesnt look right to me at all............

I'm soon gonna call the folks at the NCR helpdesk, haha. Though they don't know squat about Mikrotik, maybe I can just do some DVPNI magic.

That is sort of what I want though, just like my work: login to my work laptop locally, dial up the vpn and connect to work, then everything on the local laptop is now on the work network. Just swap that out for local RB4011(cottage) dialing up to the host RB4011(home). We seem to be making a connection, but I have no dhcp at the cottage. not exactly sure how this works though.

hahnhell · Sat Oct 30, 2021 6:26 pm

Ok, so it's not just SSH that is mucked up. There are webpages(lots..) I can't get loaded either. what exactly in those 2 filters we added in the very beginning would do that?

/ip firewall filter
add action=accept chain=input comment="Accept: IPSec UDP  (Internet -> Router)" connection-state=established,related,new dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage --> Router)" dst-address=192.168.77.200 in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.77.100

anav · Sat Oct 30, 2021 7:16 pm

The first rule looks fine to me normal ipsec.
The second rule does not and would disable it for now.

sindy · Sun Oct 31, 2021 10:36 pm

@anav has asked me to have a look here. As the newest exports are from Friday and there have been several rounds of updates, I don't go investigating them, and instead just ask - the symptoms you describe (an SSH session authenticates but doesn't continue, some web pages do not load) sound like an MTU issue, which typically occurs when tunneling is involved and path MTU discovery fails for some reason (usually because someone has blocked icmp completely for "security"). So from the cottage, do you access that ssh server and those web pages directly via the cottage's WAN or does all the traffic from the cottage go via the tunnels and then via home's WAN to the internet because you've basically extended the home VLANs to the cottage using the EoIP tunnels and there is no direct routing between cottage LAN and the internet?

hahnhell · Mon Nov 01, 2021 10:29 pm

Hello @sindy,

I haven't even tried any traffic from Cottage at this point. I'm just speaking from my computer sitting within the ADMIN-VLAN at home. When I have enabled what is in the latest exports, I lose access to ssh and web on certain hosts from HOME.

I have some things hosted at mud.morchronium.com which I can no longer access via web or ssh/sftp with that config. However, I also have items hosted at www.thirdhosting.com in which ssh/sftp and web continue to function.

Thanks.

sindy · Mon Nov 01, 2021 11:20 pm

OK, still not willing to go through those configs as they got modified, but there's a catch that is not obvious and is likely related:

if you keep the mtu parameter of an EoIP interface on the default value auto, RouterOS finds the gateway interface for the EoIP transport packets, reduces the MTU of that interface by the size of the EoIP overhead, and makes that the MTU value for the EoIP interface
the MTU of a bridge interface automatically adjusts to the smallest one of the MTUs of member ports of that bridge (which is logical as there can only be a single MTU on an L3 interface, so it must be the smallest one).

So once you make that EoIP interface a member port of a bridge hosting your home LAN subnets (directly via VLANs attached to that bridge), the MTU of that bridge gets reduced to the EoIP's one.

So see what the MTU of the bridge is when the EoIP is made a member port and when it is not.

You can force the MTU of the EoIP to 1500 manually, which will inevitably cause IP fragmentation of EoIP transport packets carrying payload packets larger than the MTU calculated in the auto mode, but it will prevent those MTU-related issues from happening. It depends on the network path between your home and cottage whether the EoIP tunnels will be able to work with such settings, as some ISPs handle fragmented packets "suboptimally". If you are lucky, you are lucky. If you are not, you'll have to switch from EoIP (which can support multiple VLANs in the same tunnel with vlan-filtering set to yes on the bridge) to L2TP in BCP mode (which doesn't support VLAN-filtering so you'd need a dedicated bridge per each VLAN you want to forward between the house and the cottage). The advantage of L2TP is that it can split the payload packets into multiple transport packets not exceeding the MTU of the gateway interface, so the transport packets themselves are not fragmented.

hahnhell · Tue Nov 02, 2021 2:47 pm

Sindy,
Thank you for the awesome explanation! I did understand it, though I'm not savvy enough to do any modifications on my own.

WRT EoIP: I haven't a clue about this until it was suggested here. I'm honestly just going from the experience being given from this forum. Once it is setup, I will most likely never touch it again.

That being said, since VLAN over tunnels (be it EoIP, L2TP, Wireguard, or otherwise) I'm going to perhaps simplify things a bit until the services become a bit more widespread. If @anav is any indication, Wireguard ought to be able to do this in a more simplified manner, I just have to wait until that is in a stable release of RouterOS.

So, I prefer not to take the MTU modifying 'tweak' and rather that my network run as smoothly as I can without hiccups.

If I remove one of the VLANs from this equation, will that simplify things a whole lot more? The most important part of the network that I want to get pushed through the tunnel is VLAN15. If I can get all devices at Cottage to have full access to what my devices on VLAN15(home) do, I'd be happy with that until Wireguard is up and ready.

Thanks and please feel free to throw frying pans or wtv at me for changing my mind halfway through this process. I will post (in due time) my clean configs of both Home and Cottage with what I want to happen.

sindy · Tue Nov 02, 2021 6:15 pm

since VLAN over tunnels (be it EoIP, L2TP, Wireguard, or otherwise) I'm going to perhaps simplify things a bit until the services become a bit more widespread. If @anav is any indication, Wireguard ought to be able to do this in a more simplified manner, I just have to wait until that is in a stable release of RouterOS.

To extend a LAN from one site to another while the connected devices at both sites feel like being on the same switch, you do need an L2 tunneling protocol. On the current RouterOS version (6.x), you can choose only between EoIP and L2TP with BCP. What kind of encryption protocol you use to cipher the transport packets of the tunneling protocol (IPsec, Wireguard) is a separate decision. Again, in RouterOS 6.x, the only choice that makes sense is IPsec.

SSTP and OpenVPN stand a bit aside as both cover both the L2 tunneling task as well as the encryption one, but both use TCP as transport, which is an issue of its own as TCP payload over TCP transport causes trouble as soon as you get some packet loss. OpenVPN can use UDP as transport but, surprise surprise, not in RouterOS v6.x.

The real question here is whether you actually need that the devices at the cottage feel as if they were at home, or whether you can simply route between the sites, which makes things a bit simpler - L2 tunneling consumes more bandwidth than L3 tunneling plus you may bump into some timing issues. There is not much positive about L2 transparency between the site, except some discovery protocols need the devices to be on the same L2 segment.

So, I prefer not to take the MTU modifying 'tweak' and rather that my network run as smoothly as I can without hiccups.

The MTU issue needs to be addressed no matter whether you finally opt to use L2 tunneling or L3 tunneling. As you say you want to work from cottage the same way as if you were at home, it is not enough to prevent EoIP from breaking the SSH and HTTP(S) access from home, you need that there is no MTU trouble also when working from the cottage.

Since some ssh peers work and some don't, it is clear that there is some issue outside your home setup that prevents some of them to accept the notifications about smaller MTU sent by your router. As these issues are outside your own network, you cannot fix them, so the only remedy is to configure the tunnel in such a way that the MTU visible to the outside world is made the standard 1500 bytes, which either means fragmentation at IP level if you use EoIP (L2) or IPIP or GRE (L3) tunnel, or packet splitting at PPP level if you use L2TP. The latter way is better because it always performs the same no matter how the ISPs along the path treat packet fragments.

If I remove one of the VLANs from this equation, will that simplify things a whole lot more? The most important part of the network that I want to get pushed through the tunnel is VLAN15. If I can get all devices at Cottage to have full access to what my devices on VLAN15(home) do, I'd be happy with that until Wireguard is up and ready.

The real simplification would be to use an L3 (routed) VPN rather than an L2 (bridged) one. So repeating the question, what is the reason why VLAN 15 from home should be extended via an L2 tunnel to the cottage? Do you need that Apple devices can autodiscover each other, or something similar?

anav · Tue Nov 02, 2021 6:27 pm

The question being asked here is do you need to be "on the same LAN" with all its complexities and difficulties (EOIP tunnel and encryption) to access services from either end.

But now I would like to be able to start working from the cottage, have access to my home network (NAS, home server, Plex server, home automation server extension) to make it feel like I'm still at home.
I continue to want WiFi in the cottage, be able to use my streaming services, add the cottage printer to the network.

So, how would the above be accomplished by routing?
Cottage to Home ( NAS )
Cottage to Home ( Plex Server - watch a movie I presume )

So streaming services from home (assuming from home servers only)
Be able to print to the cottage printer while at home? That one puzzles me LOL.

What else that is missing ??
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Can routing and/or other methods accomplish the above with
a. less complexity
b. same or better throughput

hahnhell · Tue Nov 02, 2021 6:47 pm

Can I insert a nice rainbow here yet? "The more you know!"

Thanks to @anav for pulling together the ask. I want to be able to have access to my home network from the cottage to do the following tasks:

- Watch movies, play music through my Home Plex server;
- Access file storage on my Synology NAS (as a local device not through synology cloud access);
- Local network printer at Cottage (no anav, i don't need to print to cottage from home);

This gives me much more respect for how my work enables me to have access to all this crap at home!

sindy · Tue Nov 02, 2021 7:51 pm

- Watch movies, play music through my Home Plex server;

I could not find any "under the hood" info regarding what this means in terms of protocols, but since Plex allows sending the media over the internet, there is no reason why it should require L2 transparency, i.e. an L3 (routed) VPN should be sufficient.

- Access file storage on my Synology NAS (as a local device not through synology cloud access);

Also here, a Synology NAS can be accesses using L3 VPN, you manually configure the IP address of the NAS on the client device and that is enough to connect there directly, i.e. not via cloud.

- Local network printer at Cottage (no anav, i don't need to print to cottage from home);

A network printer can normally be accessed via L3 as well; some devices don't ask you for its IP address if it can be found using autodiscovery, which in turn requires L2 transparency between the printer and the device trying to auto-discover it. So if your software allows you to manually specify the address of the printer, you again don't need L2 tunneling.

On top of the above - if you need to access some service internet from the IP of your home (this is typically the case when the service is geographically restricted and you want to watch your Canadian programmes from a cottage in Mexico), you need to route traffic to that service via VPN from the cottage. And if the service uses multiple IP addresses at their end, it may turn out simpler to route all traffic from the cottage to internet via the VPN, but you may e.g. do so only for traffic from a particular device at the cottage (the smart TV) while the other devices use the local WAN.

Regarding wireless, you can use the same SSID(s) and passphrase(s) in the cottage like you use at home, linked to a different IP subnet, your wireless clients won't complain about getting an IP address from another subnet than at home. So again no need for L2 transparency.

anav · Tue Nov 02, 2021 8:17 pm

So how are you proposing to achieve the desired functionality without EOIP tunnels.
(standard ipsec VPN? and Ip routes)
(other?)

sindy · Tue Nov 02, 2021 8:26 pm

Given the path MTU discovery issue encountered, L2TP over IPsec, with max-mtu and max-mru set to something like 1400 (depending on the encryption/authentication algorithms used) and mrru set to 1504 would be my choice.

Even bare IPsec reduces MTU and therefore requires PMTUD to work, which is clearly not the case here for some servers. So you need a PPP-based protocol with MLPPP support, that can split large payload packets rather than fragment the transport ones; out of these, SSTP is not the way to go due to its use of TCP as transport, and PPTP is a little bit more complex to set up than L2TP regarding firewall rules.

And whether you encrypt the L2TP using IPsec or using Wireguard doesn't matter.

If not for the PMTUD issues, I'd choose bare IPsec or Wireguard.

hahnhell · Tue Nov 02, 2021 11:02 pm

I don't require to have all traffic from Cottage routed through Home. They are only a few hours down the road from each other. If I wanted to watch something geo-locked, I would probably just cast it from my cell or something.

There are a lot of big acronyms now being thrown around that have now went over my knowledge base.

If not for the PMTUD issues, I'd choose bare IPsec or Wireguard.

Soo.... what then?

sindy · Tue Nov 02, 2021 11:55 pm

There are a lot of big acronyms now being thrown around that have now went over my knowledge base.

PMTUD = Path MTU Discovery, a process using which the endpoints discover the smallest MTU on the path through the network between them (and subsequently adjust the size of packets they send to each other so that they wouldn't exceed that MTU).

Google will tell you the details, the problem is that when people who don't understand networking enough configure firewalls, they may break this from working, so you have to use some bandaid tools to overcome that, resulting in suboptimal settings.

If not for the PMTUD issues, I'd choose bare IPsec or Wireguard.
Soo.... what then?

As you've stated that you don't want to use experimental software (which is an approach I fully second for normal production purposes), it's IPsec to be used for encryption, as it is the only encryption protocol using UDP as transport that is available in ROS 6.x (since the encryption of bare L2TP without IPsec is not considered strong enough any more).

So I'd say post the current exports, and we shall suggest how to modify them to replace EoIP by L2TP in L3 mode and how to reconfigure the IP settings at the cottage machine.

hahnhell · Wed Nov 03, 2021 12:55 am

I am not opposed to experimental software, it just didn't sound like it even worked on my RB4011 from what @anav stated a few days ago.

Yeah I had a read through I would wait until rc5 comes out too many notes of RB4011s crashing.

hahnhell · Wed Nov 03, 2021 1:31 am

So maybe I'm a few days late on that previous comment. Seems that RC5 'is' out already. Would someone care to comment on if I should try it or not?

sindy · Wed Nov 03, 2021 3:49 pm

Read the corresponding thread regarding issues related to your hardware models. But normally the experimental software is used by people who want to actively test it and provide qualified feedback to the developers. In your case, the only reason would be to use wireguard, which I don't consider important enough for systems I use in production. But I'm not scared to death by IPsec configuration complexity like @anav, so your preferences may differ.

anav · Wed Nov 03, 2021 4:03 pm

Read the corresponding thread regarding issues related to your hardware models. But normally the experimental software is used by people who want to actively test it and provide qualified feedback to the developers. In your case, the only reason would be to use wireguard, which I don't consider important enough for systems I use in production. But I'm not scared to death by IPsec configuration complexity like @anav, so your preferences may differ.

Well not to death but certainly I like avoiding complications...........
I think that ipsec without EOIP at the same time will be far more palatable.

sindy · Wed Nov 03, 2021 6:03 pm

I think that ipsec without EOIP at the same time will be far more palatable.

Since the attempt with EoIP has highlighted the MTU issue, bare IPsec would not be sufficient. One way is to circumvent the failing PMTUD using mangle rules, which. would either affect all connections or be a never-ending iterative process of adding destinations to an address list, the other one is to use L2TP with MLPPP, which I prefer.

anav · Wed Nov 03, 2021 6:10 pm

At this point I would just take the NAS server with me to the cottage, or lots of books and forgo the movies