
Can there be a virtual external L2TP interface for inbound SSH?

Posted: Sun Jun 18, 2023 1:56 pm
by r0berts
I am trying to solve a seemingly simple problem.

Can I use an L2TP connection in parallel with my main ISP connection, so that only inbound SSH uses L2TP but traffic from the LAN goes its normal way as before? Let me explain. I have an ISP that has multiple NAT in front of me (CGNAT, I think).

At home I have a Debian server that I need to ssh into. My home LTE router (Mikrotik Chateau LTE) is behind this multiple NAT, as the external address determined by services like "whatismyip" is different from the external interface (lte1) address. This is confirmed by traceroute showing several private IPs after the router address (which itself is in the 10.0.0.0 range). Therefore a dynamic DNS solution + port forwarding will not work.

Apparently I could get an L2TP service from AA (https://www.aa.net.uk/broadband/l2tp-service/) and that should provide me with a static IP. I imagine this as an encrypted tunnel from AA to my router that would probably create a virtual interface in the router. I think I should then be able to ssh to that static IP address from AA, which would lead to my router through the L2TP tunnel. The router then should port forward the packets to my Debian server and so I should be able to ssh in.

But is this L2TP an all or nothing approach? Will then all my home LAN traffic have to go through that L2TP connection? I would rather that my home network continues as is and I use L2TP only to ssh into my home network (or some other connection type later on, if I find use for that). Reason: my connection is unlimited, but L2TP connection would be metered. And from the common sense viewpoint too I would rather that things are simple and understandable.

I have a picture of how I would want the setup to be. Normal traffic (N) keeps passing between LAN - MT router - Internet as before; only inbound SSH connections that I initiate when I am in the "internet" - from outside - go through the L2TP tunnel.

[Image: diagram of the intended setup]

Should this work? How should I proceed?

Many thanks!

Re: Can there be a virtual external L2TP interface for inbound SSH?

Posted: Sun Jun 18, 2023 3:27 pm
by drasked
I think ZeroTier might solve that problem;

https://help.mikrotik.com/docs/display/ROS/ZeroTier

Re: Can there be a virtual external L2TP interface for inbound SSH?

Posted: Sun Jun 18, 2023 5:16 pm
by wiseroute
hello r0berts,

i like your drawing - very artistic 👍🏻

btw, about your 3rd-party cloud-based l2tp vpn server for your cgnat pass-through.. i am afraid it won't work - because there would need to be other routing made on the server to connect your home and office net.

if they offer that auto paired routing on their server - that would be great 👍🏻

Re: Can there be a virtual external L2TP interface for inbound SSH?

Posted: Sun Jun 18, 2023 7:07 pm
by r0berts
Thanks @wiseroute,

I think I will better verify it for sure with them (AA). My understanding was that they would provide me with just an external IP address (static IP) and when I connect to that address, it would be tunnelled to my router and it would appear as if my router's l2tp-client-interface has that external IP. So I could port forward connections incoming to that interface. But I will make sure with their tech-support that it is in fact what they offer. I think that would be what you call 'auto-paired routing' (my knowledge of terms is quite limited at this stage).

I think I will also need to put some routes in in mikrotik chateau, to make sure traffic originating in my LAN goes through the standard external interface (lte1) and not through the l2tp client interface.

As regards routing to my LAN - my primitive understanding was that if there is an l2tp client on my router that is connected to their AA l2tp server, it is like a wire that is open. A bit like a virtual ethernet cable connecting me to the AA server, that is kept alive all the time. So that "wire" would be where I would connect to when I am out and about.

Re: Can there be a virtual external L2TP interface for inbound SSH?

Posted: Sun Jun 18, 2023 7:40 pm
by wiseroute
r0berts wrote: I think I will better verify it for sure with them (AA).
yup 👍🏻
r0berts wrote: My understanding was that they would provide me with just an external IP address (static IP) and when I connect to that address, it would be tunnelled to my router and it would appear as if my router's l2tp-client-interface has that external IP.
yes - there are two meanings of public ip in the public vpn server context, i.e. one that can be used for your office net to go out to the internet using an ip other than the isp-supplied one (i.e. private dhcp etc).
two, one that can be used to provide access to a natted (cgnat) network, such as connecting your home net to the office behind cgnat. this has to be made on their vpn server.

Re: Can there be a virtual external L2TP interface for inbound SSH?

Posted: Tue Jun 27, 2023 3:16 pm
by r0berts
Thanks @wiseroute, could you please have a look at the post viewtopic.php?t=197388

I have nearly got the setup working, but I have a problem with how the SSH server connects back to the SSH client. My default route is through the regular lte interface and I am coming up short on how to make replies from the SSH server go via the l2tp interface on the router.
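The reply-path problem in the last post, together with the earlier post's wish to keep LAN-originated traffic on lte1, is the standard policy-routing case on RouterOS: mark connections that arrive through the tunnel and send only their replies through a second routing table whose default route points into the tunnel. The following is an added example, not configuration from the thread, from AA, or from MikroTik's documentation. It assumes RouterOS v7 syntax, an L2TP client interface named l2tp-out1, a LAN bridge named bridge, a constructed Debian host address of 192.168.88.10, and that the main table's default route already points out of lte1.

```routeros
# Added example (not from the thread). Assumed names: l2tp-out1 (L2TP client
# interface), bridge (LAN bridge), 192.168.88.10 (constructed Debian host).

# 0. Do not let the tunnel install a default route: LAN traffic keeps using
#    the main table and lte1 exactly as before.
/interface l2tp-client set [find name=l2tp-out1] add-default-route=no

# 1. A second routing table whose only route is a default via the tunnel.
/routing table add name=via-l2tp fib
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-table=via-l2tp

# 2. Treat the tunnel as a WAN interface so the default firewall's input-chain
#    drops also protect the new public address.
/interface list member add list=WAN interface=l2tp-out1

# 3. Expose only TCP/22 on the tunnel address and hand it to the Debian host.
/ip firewall nat add chain=dstnat in-interface=l2tp-out1 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=22 comment="ssh via l2tp"

# 4. Remember which connections entered through the tunnel (first packet only).
/ip firewall mangle add chain=prerouting in-interface=l2tp-out1 connection-state=new \
    action=mark-connection new-connection-mark=from-l2tp passthrough=yes

# 5. Replies from the LAN that belong to such a connection get a routing mark,
#    so the route lookup uses via-l2tp and the packet leaves through the tunnel
#    instead of following the main table out of lte1.
/ip firewall mangle add chain=prerouting in-interface=bridge connection-mark=from-l2tp \
    action=mark-routing new-routing-mark=via-l2tp passthrough=no

# 6. Permit the forwarded session; this rule must sit before any forward-chain
#    drop rules in the existing ruleset.
/ip firewall filter add chain=forward in-interface=l2tp-out1 protocol=tcp dst-port=22 \
    dst-address=192.168.88.10 connection-state=new action=accept
```

Only packets whose connection was first seen arriving on l2tp-out1 ever get the via-l2tp routing mark, so the metered tunnel carries nothing but the SSH sessions and their replies; add-default-route=no is what keeps it from becoming the all-or-nothing path asked about in the first post. The dst-nat rule is deliberately limited to port 22 so that nothing else reaching the static address is forwarded into the LAN.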