Back to home supported router
Posted: Sun Dec 10, 2023 8:28 pm
by fallingrock
Folks:
New guy here.
I’ve got a RB750Gr3 and it’s working great for my work from home office. I’m primarily using it to keep my work and home networks isolated from each other.
The back to home vpn offering is very intriguing, but my current router doesn’t support it.
Can anyone recommend a router comparable to the RB750Gr3 that supports BTH?
Thanks,
David
Re: Back to home supported router
Posted: Sun Dec 10, 2023 9:45 pm
by holvoetn
What's wrong using wireguard in the normal way ?
In essence, bth is the same.
If you REALLY want to change devices, AX Lite is the lowest budget alternative.
But 1 port less.
Re: Back to home supported router
Posted: Sun Dec 10, 2023 9:47 pm
by anav
Sure the 750 supports wireguard what seems to be the issue?
Re: Back to home supported router
Posted: Sun Dec 10, 2023 10:02 pm
by Amm0
Sure the 750 supports wireguard what seems to be the issue?
Back to Home (BTH) is only on ARM, ARM64, and TILE. Just because a device supports WG, doesn't mean it supports BTH (e.g. all the MIPS things, like the '750).
Re: Back to home supported router
Posted: Sun Dec 10, 2023 10:54 pm
by anav
BTH is not the only way to apply wireguard parameters silly ammo!
Re: Back to home supported router
Posted: Mon Dec 11, 2023 2:40 am
by Amm0
BTH is not the only way to apply wireguard parameters silly ammo!
Well, true enough. Unless the router is behind CGNAT...
@fallingrock does your ISP provide you with public IP on the router?
Re: Back to home supported router
Posted: Mon Dec 11, 2023 5:34 am
by anav
Don't forget the other question,
a. do you have a public IP
b. IF NOT, can you forward a port from your ISP modem/router to your ROUTER.
Re: Back to home supported router
Posted: Mon Dec 11, 2023 6:34 am
by holvoetn
Well, true enough. Unless the router is behind CGNAT...
Why not ?
You only go out then towards a device with public IP (dynamic or static) but it will still work.
Same with Zerotier BTW when it's behind CGNAT.
Re: Back to home supported router
Posted: Mon Dec 11, 2023 11:22 am
by normis
BTH is nice if both devices are behind NAT.
Re: Back to home supported router
Posted: Mon Dec 11, 2023 2:12 pm
by holvoetn
True but what's the rationale to limit to arm/arm64/Tile only ?
Re: Back to home supported router
Posted: Mon Dec 11, 2023 2:38 pm
by anav
Dear Sir Holvoe, I have written many times of MT's unwritten agenda to move all users to newer ARM products, it's called the 'obsolescence - death by 1000 cuts product strategy'
Just so I can get this straight the difference then between BTH and normal wireguard, and the power/allure of BTH, is that Mikrotik is providing a FREE CHR in the cloud for this service??? I don't mean anything the user can see/touch but a virtual server in the cloud is used/provided by MT to connect two ends of a WG tunnel where neither has a public IP and neither can port forward from their upstream router/modem to their MT device? IPSO FACTOR cloudflare type of service? and thus reliance on a third party?
Re: Back to home supported router
Posted: Mon Dec 11, 2023 4:54 pm
by normis
You don't seem to get BTH idea at all, sorry about that.
- BTH is free of charge if you have one of the supported devices (all new / currently manufactured mikrotik devices)
- There is no middleman with access to your data, as opposed to traditional VPN providers
- Data goes directly between mobile device and home router, Relay only helps to establish connection (with holepunching method)
- Setting up BTH takes only a few steps in a mobile app, you do not have to open winbox or computer
- Giving friend or family access to your VPN service is a one click operation, no need to even see RouterOS
- If the ISP set up your device, or maybe you just use the default config and don't want to learn RouterOS, it sets up a modern and very secure VPN with 2-3 taps of your phone
- Of course, many other nice features are planned for the app
Re: Back to home supported router
Posted: Mon Dec 11, 2023 5:04 pm
by anav
Much thanks Normis, it's slowly getting clearer.
Basically the process is
a. at home or office router setup BTH.
b. then any user can connect to this VPN
c. if the BTH is using a public IP, no relay service is used
d. If the BTH is used behind a cgnat or non port forwarding capable ISP, then relay service is used.
It is not clear how this relay service works?
What is the throughput of this relay service?
Clearly the BTH goes out on a specific port from the home or office router and talks to something on a server somewhere.......
How transparent is this? Is it based on RouterID??
From the user APP perspective, how does the app differentiate between going directly to public IP or to Relay Server.
(assuming admin gives credentials/setup to user and that determines the above)
Re: Back to home supported router
Posted: Mon Dec 11, 2023 5:10 pm
by normis
There is all kinds of smart technology involved, I can't share details.
MikroTik knows nothing about the connections. Like I said, relay helps to establish hole-punched connections, but from then, the connection goes direct between users, not over relay.
About use cases, one example I like is this:
1) I go to my parents house, they have a mikrotik router. They need some help with it. I don't want to waste time there, so I open the BTH app on the phone, connect to the router with it, make a BTH tunnel. It takes 5 seconds to do this. Then I go home, when I have time, connect to my parents router, now I can even make another shared tunnel, and send pure wireguard config file to my computer and continue work there. So you can use it to make very quick management access for yourself.
2) of course all the basic stuff too. I can connect to my home device where my DNS is a PiHole. Now my phone no longer has ads. Or I can watch netflix via friends router, who is in another country etc.
Re: Back to home supported router
Posted: Mon Dec 11, 2023 5:35 pm
by optio
3) get arrested because someone who you give access to BTH VPN has done some illegal activities on the internet over your connection (this doesn't need to be directly by someone who you give access if client device is compromised)
Re: Back to home supported router
Posted: Mon Dec 11, 2023 5:42 pm
by normis
share responsibly
P.S: how is this specific aspect different from VPN options any router has had for 30 years?
Re: Back to home supported router
Posted: Mon Dec 11, 2023 5:55 pm
by optio
Usually it was not so easy to share a VPN connection for reckless/technically non-skilled people, who usually don't know how to set up a VPN manually
Re: Back to home supported router
Posted: Mon Dec 11, 2023 5:58 pm
by normis
I personally think this is more an imaginary problem, than reality. Maybe I just don't know as many digital criminals

Re: Back to home supported router
Posted: Mon Dec 11, 2023 6:01 pm
by optio
It's digital criminals' heaven when they can compromise someone's VPN connection
Re: Back to home supported router
Posted: Mon Dec 11, 2023 6:03 pm
by anav
Hi Normis,
1. As an admin or helper admin, I can go to the local site and quickly setup a vpn connection which I can use later when remote.
2. What about the opposite, I want to send my brother the ability to connect to my MT wireguard router
a. from his device directly (no mt router), be it windows laptop or android/Iphone
b. from his MT router, where he may not be config savvy........... (and assuming I don't have connectivity to it yet, but I suppose the quick answer is teamviewer or anydesk).
Re: Back to home supported router
Posted: Mon Dec 11, 2023 6:03 pm
by normis
There are easier ways to do illegal stuff, than to compromise a family member
Re: Back to home supported router
Posted: Mon Dec 11, 2023 6:04 pm
by normis
Hi Normis,
1. As an admin or helper admin, I can go to the local site and quickly setup a vpn connection which I can use later when remote.
2. What about the opposite, I want to send my brother the ability to connect to my MT wireguard router
a. from his device directly (no mt router), be it windows laptop or android/Iphone
b. from his MT router, where he may not be config savvy........... (and assuming I don't have connectivity to it yet, but I suppose the quick answer is teamviewer or anydesk).
BTH allows also that. You can open BTH and send your brother "Request for access". All he needs is to approve it.
Re: Back to home supported router
Posted: Mon Dec 11, 2023 6:07 pm
by optio
There are easier ways to do illegal stuff, than to compromise a family member
I agree, just with this feature you have social engineering vector more feasible due to its simplicity.
Re: Back to home supported router
Posted: Mon Dec 11, 2023 6:14 pm
by Amm0
Well, the OP's issue is RB750 doesn't run back to home (BTH). It does run WG, so a "manual" process may be possible if one side has a static IP. But @normis is right, being able to "convert" a RouterOS login into a WG client in a couple taps in an app is pretty handy.
But if you have static IP, it really should just be a multi-step process as described in docs or @anav's WG compendium post.
FWIW there was a recent discussion on the RB750 vs. hAPaxLite (latter of which does support BTH) here if the OP wanted to swap routers:
viewtopic.php?t=202248
Re: Back to home supported router
Posted: Mon Dec 11, 2023 6:46 pm
by gigabyte091
There are easier ways to do illegal stuff, than to compromise a family member
I agree, just with this feature you have social engineering vector more feasible due to its simplicity.
Well, in that case, we should all stop using the internet as there is always a possibility that someone gets hacked. Or use some of the VPN providers that "keeps your data safe".
Mikrotik provided a nice tool for all of us that don't have access to a public IP. And as always there will be some people that will exploit that feature.
Problem with a lot of people is that they want single button magic... They don't want to learn how something works, they want fancy UI, wizards etc.
Re: Back to home supported router
Posted: Mon Dec 11, 2023 6:56 pm
by optio
Problem with a lot of people is that they want single button magic... They don't want to learn how something works, they want fancy UI, wizards etc.
That was my point. To mitigate that, maybe some option can be added for BTH to turn on connection logging (VPN->WAN) for forensic investigations, or just a warning text in the app that if someone else is using your connection it can be used for illegal traffic on which you can have consequences.
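The VPN->WAN connection logging asked for above can be approximated with the firewall and logging facilities RouterOS already has. This is an added example, not part of the thread and not MikroTik's configuration; it assumes the BTH WireGuard interface is named `back-to-home-vpn`, that the default `WAN` interface list exists, and it uses 192.0.2.10 as a placeholder syslog collector.

```routeros
# Added example: one log line per NEW connection forwarded from the VPN to the internet.
# Assumptions (check on your own router before use):
#   - the BTH WireGuard interface is named "back-to-home-vpn"
#     (verify with: /interface wireguard print)
#   - the interface list "WAN" exists (verify with: /interface list print)
#   - 192.0.2.10 is a placeholder for a syslog collector on your LAN

# 1. Ship firewall log entries off the router, so they survive a reboot
#    and are not limited to the small in-memory log buffer.
/system logging action
add name=vpn-audit target=remote remote=192.0.2.10 remote-port=514
/system logging
add topics=firewall action=vpn-audit

# 2. Log only the first packet of each connection (connection-state=new).
#    Each flow then produces one entry with the VPN peer's source address,
#    the destination address and the port.
#    action=log neither accepts nor drops; the packet continues to later rules.
#    The rule must sit above any forward rule that already accepts this traffic,
#    otherwise it is never reached.
/ip firewall filter
add chain=forward action=log connection-state=new \
    in-interface=back-to-home-vpn out-interface-list=WAN \
    log-prefix="vpn-to-wan" comment="audit: VPN client traffic leaving via WAN"

# 3. Confirm the rule exists and its packet counter increases when a
#    VPN client opens a connection to the internet.
/ip firewall filter print stats where comment~"audit"
```

Because only new connections are matched, FastTrack on established traffic does not hide flows from this rule. For a manually configured WireGuard interface, substitute its name for `back-to-home-vpn`.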
Re: Back to home supported router
Posted: Mon Dec 11, 2023 7:33 pm
by gigabyte091
Yea, but both of us know what people will do with this disclaimer
That would be only good for Mikrotik, if some customer gets hacked or gets charged for illegal activities on the Internet and they try to involve Mikrotik, Mikrotik can simply say that they had a disclaimer.
Re: Back to home supported router
Posted: Mon Dec 11, 2023 7:47 pm
by Amm0
The security topic is bit overtime here. But I guess I'm not seeing how the threat profile changes much from using BTH. If you have the RouterOS password, lots of bad stuff is possible.
And, you cannot set it up WITHOUT a RouterOS login via the winbox protocol (even if the app hides this detail). So unless winbox is open to internet, you have to be on the LAN to setup (and need the router password).
Now whether RouterOS should have better logging, that seems like a good feature request report at help.mikrotik.com...
Re: Back to home supported router
Posted: Mon Dec 11, 2023 7:53 pm
by optio
My post for security (and legal) concern is related to sharing internet connection with others in such simple way for people who are not aware of potential consequences, not securing router or other devices in network from which you can access over LAN/VPN, that's another thing.
Re: Back to home supported router
Posted: Wed Dec 13, 2023 2:44 am
by fallingrock
@fallingrock does your ISP provide you with public IP on the router?
Yes, my Orbi router gets that. The Mikrotik router gets a private ip inside my home network.
Internet -> cable modem -> Orbi router -> Mikrotik router -> wfh network
I’m interested in bth because it can traverse through my home router (at least that's what I gathered from my reading).
David
Re: Back to home supported router
Posted: Wed Dec 13, 2023 2:50 am
by fallingrock
FWIW there was a recent discussion on the RB750 vs. hAPaxLite (latter of which does support BTH) here if the OP wanted to swap routers:
viewtopic.php?t=202248
Thanks, checking that out now.
Re: Back to home supported router
Posted: Wed Dec 13, 2023 7:48 pm
by fallingrock
Thanks for all the input folks.
I ordered a hap ax2 from Amazon that should arrive Friday. I’ll give it a try and see how it works for me.
David
Re: Back to home supported router
Posted: Wed Dec 13, 2023 9:11 pm
by Amm0
I ordered a hap ax2 from Amazon that should arrive Friday. I’ll give it a try and see how it works for me.
That be a nice upgrade. One note on ax2, all new Mikrotik come with a non-empty password – it's printed on the label on the bottom of unit.
Re: Back to home supported router
Posted: Sun Dec 31, 2023 9:20 am
by EFN
I ordered a hap ax2 from Amazon that should arrive Friday. I’ll give it a try and see how it works for me.
That be a nice upgrade. One note on ax2, all new Mikrotik come with a non-empty password – it's printed on the label on the bottom of unit.
Yes- the new complex password is printed in almost microscopic size in smeary ink and in some cases very difficult to make out even with magnification... i.e., can't tell the difference between 8, B, O, 0, 1, l, etc. PLEASE try to do better on this Mikrotik... as a tech who sets up many of these for clients, my eyes and what's left of my sanity will be most appreciative. Thanks
Re: Back to home supported router
Posted: Sun Dec 31, 2023 9:25 am
by EFN
You don't seem to get BTH idea at all, sorry about that.
- BTH is free of charge if you have one of the supported devices (all new / currently manufactured mikrotik devices)
- There is no middleman with access to your data, as opposed to traditional VPN providers
- Data goes directly between mobile device and home router, Relay only helps to establish connection (with holepunching method)
- Setting up BTH takes only a few steps in a mobile app, you do not have to open winbox or computer
- Giving friend or family access to your VPN service is a one click operation, no need to even see RouterOS
- If the ISP set up your device, or maybe you just use the default config and don't want to learn RouterOS, it sets up a modern and very secure VPN with 2-3 taps of your phone
- Of course, many other nice features are planned for the app
"BTH is free of charge if you have one of the supported devices (all new / currently manufactured mikrotik devices)"
So is there a list of what exactly is supported by BTH? Finding details has proven to be almost impossible... I see posts that ARM devices are the only ones supported, but not even all of those. But here you, official Mikrotik representative from what I can make out of your avatar, indicate "all new / currently manufactured mikrotik devices" -- does that now mean that 3011? 4011? All items in the HEX range, ie Hex Lite? Thanks.
Re: Back to home supported router
Posted: Sun Dec 31, 2023 6:34 pm
by jaclaz
"all new / currently manufactured mikrotik devices"
The tricky part is finding that list.
If it exists, it surely is
on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard' 
(together with a lot of other documentation).
Re: Back to home supported router
Posted: Sun Dec 31, 2023 7:18 pm
by Amm0
"all new / currently manufactured mikrotik devices"
The tricky part is finding that list.
If it exists, it surely is
on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard' 
(together with a lot of other documentation).
Or perhaps just their website... There is a sortable product matrix:
https://mikrotik.com/products/matrix
If you filter that by architecture, look for ARM, ARM64, or TILE there, which is what's required for BTH support.
Re: Back to home supported router
Posted: Sun Dec 31, 2023 7:56 pm
by jaclaz
Or perhaps just their website... There is a sortable product matrix:
https://mikrotik.com/products/matrix
If you filter that by architecture, look for ARM, ARM64, or TILE there, which is what's required for BTH support.
TILE?
Cannot find it on that page, probably it belongs to products that are not (anymore) "new / currently manufactured".