Channel: MikroTik

General • EoIP with one side behind 1-to-1 NAT: am I doing something wrong?

I have two networks, and I want them joined over the Internet using EoIP over IPsec. I prefer not to use WireGuard, OpenVPN or L2TP, because, in my (relatively little, so feel free to correct me) experience, it just complicates things unnecessarily and reduces speeds compared to plain EoIP over IPsec. I use a hAP ac2 on one side and a hEX on the other.

I have experience setting up a tunnel (i.e. clicking a few buttons, screwing up MTU on bridges and bringing down both networks for a few days and frantically trying to fix it all) with both sides having a real static IP address, assigned directly to the routers at opposite ends of the tunnel. The problem I am facing now is that I want to set up a similar thing, but one side is behind 1:1 NAT set up by my ISP.

Now, if you search for similar topics on this forum, you will find plenty. People are setting up all kinds of stuff (without bothering to post configs). But where this topic differs is... I actually kinda did set it up already, stumbling upon my solution by accident. The problem is, what I did is so dumb, so easy and feels so wrong, I'm not sure if it's the right way to do it.

Let's say side A has a real public IP, and side B is behind 1:1 NAT. Side A's real public IP is X.X.X.X. Side B's real public IP is Y.Y.Y.Y. Side B's fake NATted IP is Z.Z.Z.Z.

On side A I did:
Code:
/interface eoip
add allow-fast-path=no ipsec-secret=SECRET name=eoip-on-A remote-address=Y.Y.Y.Y tunnel-id=0
/interface bridge
set [find name=bridge] mtu=1500
/interface bridge port
add bridge=bridge interface=eoip-on-A
/ip firewall filter
add action=accept place-before=1 chain=input ipsec-policy=in,ipsec protocol=gre

On side B I did:
Code:
/interface eoip
add allow-fast-path=no ipsec-secret=SECRET name=eoip-on-B remote-address=X.X.X.X tunnel-id=0
/interface bridge
set [find name=bridge] mtu=1500
/interface bridge port
add bridge=bridge interface=eoip-on-B
/ip firewall filter
add action=accept place-before=1 chain=input ipsec-policy=in,ipsec protocol=gre

And it all just magically works. On side A, in IP > IPsec, I see an active peer, local address X.X.X.X, remote Y.Y.Y.Y. On side B, an active peer, local address Z.Z.Z.Z, remote X.X.X.X. On both sides, the RX/TX numbers in the active peers tab seem to be in line with my expectations for what they should be (I start downloading a large file through EoIP, the numbers go up quickly; I stop, the numbers stop).

My question is, is this okay to use? This feels wrong for some reason. Like disabling the "drop all not from LAN" rule, "one weird trick that fixes all network problems that sysadmins don't want you to know" that actually just opens up a huge security hole. Surely, if it was that easy, someone would have posted this already. But the only real pieces of information I could find on EoIP behind 1:1 NAT would have you either set up an L2TP connection or do IKE. Other topics don't lead anywhere and leave you with nothing.

I'm leaving this on for now, since everything seems encrypted, and at least relatively secure (only two IPs in the entire world are accepted by the two rules). But I want to hear your thoughts. Am I doing something wrong?

Statistics: Posted by Nullcaller — Tue Jan 30, 2024 10:43 pm
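The rule set below is an added example, not part of Nullcaller's post, showing how to make the "only two IPs in the entire world are accepted" property explicit and checkable on the router's own firewall. It reuses the placeholder addresses from the post (X.X.X.X for side A, Y.Y.Y.Y for side B's NAT-mapped public address) and assumes the WAN interface on both routers is named ether1, that the rules are placed above the default "drop all not from LAN" input rule, and that the dynamic IPsec created by ipsec-secret negotiates over UDP 500/4500 (with ESP carried inside UDP 4500 once the 1:1 NAT is detected). Interface and rule names are assumptions; adjust them.

```routeros
# Side A (real public address X.X.X.X). Added example, not from the original post.
# Assumed: WAN interface is ether1; peer B is seen from here as Y.Y.Y.Y.
/ip firewall filter
# IKE (UDP 500) and NAT-T / UDP-encapsulated ESP (UDP 4500) only from the expected peer.
add chain=input action=accept in-interface=ether1 protocol=udp src-address=Y.Y.Y.Y \
    dst-port=500,4500 comment="IKE/NAT-T from tunnel peer B"
# Plain ESP, for the case where no NAT is detected and ESP is not UDP-encapsulated.
# Behind 1:1 NAT the counter on this rule is expected to stay at zero.
add chain=input action=accept in-interface=ether1 protocol=ipsec-esp src-address=Y.Y.Y.Y \
    comment="ESP from tunnel peer B"
# GRE (EoIP) is accepted only when the packet was decrypted by an IPsec policy,
# i.e. it came out of the tunnel. A spoofed plaintext GRE packet does not match this.
add chain=input action=accept protocol=gre ipsec-policy=in,ipsec \
    comment="EoIP inside IPsec"
# Anything GRE that did not arrive through IPsec (spoofing, or IPsec down) is
# dropped and logged so a silent fallback to plaintext cannot go unnoticed.
add chain=input action=drop protocol=gre log=yes log-prefix="plain-GRE" \
    comment="refuse unencrypted EoIP"

# Side B (behind the 1:1 NAT): identical, with the peer address swapped.
/ip firewall filter
add chain=input action=accept in-interface=ether1 protocol=udp src-address=X.X.X.X \
    dst-port=500,4500 comment="IKE/NAT-T from tunnel peer A"
add chain=input action=accept in-interface=ether1 protocol=ipsec-esp src-address=X.X.X.X \
    comment="ESP from tunnel peer A"
add chain=input action=accept protocol=gre ipsec-policy=in,ipsec \
    comment="EoIP inside IPsec"
add chain=input action=drop protocol=gre log=yes log-prefix="plain-GRE" \
    comment="refuse unencrypted EoIP"

# Checks to run on either side once the tunnel is up:
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip firewall filter print stats where chain=input
```

The source-address matches on the IKE and ESP rules only narrow the exposed surface; the actual peer authentication is the IKE exchange with the shared secret, so a weak ipsec-secret is still a weak link regardless of the firewall. The "plain-GRE" drop rule is the part that answers the "is this okay" worry directly: if its counter or log ever moves, something is sending EoIP to the router outside the IPsec tunnel, which should never happen with this design.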


