Beginner Basics • Transparent bridge, mangle and prerouting

Hello,

I am trying to create a configuration that will have the following characteristics, but I am unsure if I am on the right track.

Server-side:
  • I have a CHR in KVM on a remote dedicated server.
  • The dedicated server hosts a web service of mine.
  • The dedicated server has an iptables firewall that allows traffic from the internet only to the Winbox and Wireguard ports and forwards it to the CHR.
Client-side:
  • A hEX Mikrotik router will be shipped to each of my clients.
  • The hEX Mikrotik router must be a transparent bridge (I guess?), due to lack of knowledge of my clients' networks. The only difference between clients is for DHCP/Static network. They will be provided with a pre-configured hEX router according to their network setup.
  • The hEX Mikrotik will have an IPIP-over-Wireguard tunnel with my CHR.
  • The hEX Mikrotik router will be placed between their ISP router and their switch, so all traffic passes through it.
  • Now for the tricky part, I need it to mark the connections/packets to my server (excluding the Winbox & Wireguard ports), so that when the router catches traffic to my server's IP address, it will route it through the IPIP tunnel.

The point is to allow my clients to use my web service (HOST MACHINE) strictly via the established tunnel (CHR), and any other traffic should be routed through their ISP router regardless of their network setup (DHCP / Static). A sort of "buy my router to use my free service" thing.

I've done some things so far with a kind of success, but as a noob on networking stuff and Mikrotik in general, I would like some help to complete it, because the only thing that works for now is the IPIP over Wireguard. My mangle rules are marking the packets correctly when I ping from within the Mikrotik itself (output), but they do not work at all when I connect my laptop with a cable and try to ping my server's public IP from my laptop (prerouting???).

*** The reason I'm trying IPIP over Wireguard is to test the stability of my connections. If I use only Wireguard, I get disconnections on each re-key and it does not comply with my short keepalive. It keeps disconnecting my client's web browser's websocket connection each time. ***

Below is my configuration for a DHCP setup (there might be some input/accept rules that don't matter for now; they're leftovers of some tests I'm doing).
Any help will be appreciated.

If anything is missing, I can provide it right away.
Code:
/interface bridge
add name=bridge1
/interface ipip
add local-address=10.10.10.2 name=ipip-tunnel-client remote-address=10.10.10.1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-client
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=SERVER_IP_ADDRESS_HERE endpoint-port=13231 interface=wireguard-client public-key=\
    "MY_PUBLIC_KEY_HERE"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip address
add address=10.10.10.2/24 interface=wireguard-client network=10.10.10.0
add address=10.10.11.2/24 interface=ipip-tunnel-client network=10.10.11.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip firewall filter
add action=accept chain=input in-interface=wireguard-client
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input protocol=icmp
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=SERVER_IP_ADDRESS_HERE dst-port=!5182,8291 new-connection-mark=conn_to_server_non_wg_wb passthrough=yes \
    protocol=tcp
add action=mark-connection chain=output dst-address=SERVER_IP_ADDRESS_HERE dst-port=!5182,8291 new-connection-mark=conn_to_server_non_wg_wb passthrough=yes \
    protocol=tcp
add action=mark-connection chain=output log=yes new-connection-mark=conn_to_server_non_wg_wb passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting log=yes new-connection-mark=conn_to_server_non_wg_wb passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting dst-address=SERVER_IP_ADDRESS_HERE dst-port=!5182,8291 new-connection-mark=conn_to_server_non_wg_wb passthrough=yes \
    protocol=udp
add action=mark-connection chain=output dst-address=SERVER_IP_ADDRESS_HERE dst-port=!5182,8291 new-connection-mark=conn_to_server_non_wg_wb passthrough=yes \
    protocol=udp
add action=mark-routing chain=prerouting new-routing-mark=TUNNEL-ROUTE passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.10.10.0/24 out-interface=wireguard-client src-address=10.10.10.0/24
add action=masquerade chain=srcnat dst-address=10.10.11.0/24 out-interface=ipip-tunnel-client src-address=10.10.11.0/24
add action=masquerade chain=srcnat connection-mark=conn_to_SERVER_IP_ADDRESS_HERE packet-mark=pkt_to_SERVER_IP_ADDRESS_HERE
/ip route
add disabled=no distance=1 dst-address=SERVER_IP_ADDRESS_HERE/32 gateway=ipip-tunnel-client pref-src="" routing-table=TUNNEL-ROUTE scope=30 suppress-hw-offload=\
    no target-scope=10
/routing table
add fib name=TUNNEL-ROUTE

Statistics: Posted by cdoc — Thu Feb 29, 2024 12:04 am
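The general pattern the post is reaching for, as an added example that is not the poster's configuration and not MikroTik documentation: classify a connection once in the prerouting chain, then policy-route every packet of that connection by its connection mark. It reuses the names from the post (bridge1, ipip-tunnel-client, TUNNEL-ROUTE, the placeholder SERVER_IP_ADDRESS_HERE and the excluded ports 5182 and 8291); the mark name to-server-via-tunnel is hypothetical. It assumes the hEX keeps use-ip-firewall=yes in the bridge settings, as in the posted config, so that frames crossing the bridge are seen by the IP firewall, and that the hEX itself holds an address in the client LAN on bridge1 (for instance from a DHCP client bound to bridge1 rather than a bridge port) so replies to LAN hosts are routable.

```routeros
# Added example (not the poster's config). Policy-route only client-LAN traffic
# for SERVER_IP_ADDRESS_HERE (except ports 5182 and 8291) into the IPIP tunnel;
# everything else keeps following the main routing table.
# Assumed names: bridge1, ipip-tunnel-client, TUNNEL-ROUTE (from the post);
# the connection mark "to-server-via-tunnel" is hypothetical.

/routing table
add fib name=TUNNEL-ROUTE

/ip route
# Only the server /32 lives in the tunnel table, so a routing mark can never
# drag unrelated destinations into the tunnel.
add dst-address=SERVER_IP_ADDRESS_HERE/32 gateway=ipip-tunnel-client routing-table=TUNNEL-ROUTE

/ip firewall mangle
# 1. Classify once per new connection. in-interface=bridge1 limits the match to
#    traffic arriving from the client side of the bridge (this needs
#    /interface bridge settings use-ip-firewall=yes). connection-mark=no-mark
#    stops already-marked connections from being evaluated again.
add chain=prerouting in-interface=bridge1 connection-mark=no-mark \
    dst-address=SERVER_IP_ADDRESS_HERE protocol=tcp dst-port=!5182,8291 \
    action=mark-connection new-connection-mark=to-server-via-tunnel passthrough=yes
add chain=prerouting in-interface=bridge1 connection-mark=no-mark \
    dst-address=SERVER_IP_ADDRESS_HERE protocol=udp dst-port=!5182,8291 \
    action=mark-connection new-connection-mark=to-server-via-tunnel passthrough=yes
add chain=prerouting in-interface=bridge1 connection-mark=no-mark \
    dst-address=SERVER_IP_ADDRESS_HERE protocol=icmp \
    action=mark-connection new-connection-mark=to-server-via-tunnel passthrough=yes

# 2. Apply the routing mark only to packets of a marked connection heading from
#    the LAN towards the server. Keying on the connection mark (instead of
#    marking every prerouting packet) keeps all other traffic on the main table;
#    passthrough=no ends mangle processing for the packet here.
#    prerouting covers forwarded traffic only; traffic the hEX originates
#    itself would need equivalent mark-connection/mark-routing rules in chain=output.
add chain=prerouting in-interface=bridge1 connection-mark=to-server-via-tunnel \
    action=mark-routing new-routing-mark=TUNNEL-ROUTE passthrough=no

/ip firewall nat
# 3. LAN hosts use whatever addressing the customer's ISP router hands out, so
#    hide them behind the hEX's tunnel address; the CHR then only ever sees
#    10.10.11.2 and its firewall can be limited to that tunnel subnet.
add chain=srcnat out-interface=ipip-tunnel-client action=masquerade

# Verification on the hEX after a LAN host has contacted the server:
#   /ip firewall mangle print stats                 (counters on the rules above increase)
#   /ip firewall connection print where connection-mark=to-server-via-tunnel
#   /ip route print where routing-table=TUNNEL-ROUTE
#   /tool sniffer quick interface=ipip-tunnel-client ip-address=SERVER_IP_ADDRESS_HERE
```

If the mangle counters stay at zero while the LAN host is talking to the server, the bridged traffic is not reaching the IP firewall (check the bridge settings) or the mark-connection match is not being met; if the counters increase but the sniffer on ipip-tunnel-client stays silent, the routing table or its route is what to inspect next.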
