I am trying to create a configuration that will have the following characteristics, but I am unsure if I am on the right track.
Server-side:
- I have a CHR in KVM on a remote dedicated server.
- The dedicated server hosts a web service of mine.
- The dedicated server has an iptables firewall that allows traffic from the internet only to the Winbox and WireGuard ports and forwards it to the CHR.
- A hEX Mikrotik router will be shipped to each of my clients.
- The hEX Mikrotik router must be a transparent bridge (I guess?), due to lack of knowledge of my clients' networks. The only difference between clients is a DHCP or static network setup. They will be provided with a pre-configured hEX router according to their network setup.
- The hEX Mikrotik will have an IPIP-over-WireGuard tunnel to my CHR.
- The hEX Mikrotik router will be placed between their ISP router and their switch, so all traffic passes through it.
- Now for the tricky part, I need it to mark the connections/packets to my server (excluding the Winbox & Wireguard ports), so that when the router catches traffic to my server's IP address, it will route it through the IPIP tunnel.
The point is to allow my clients to use my web service (HOST MACHINE) strictly via the established tunnel (CHR), while any other traffic is routed through their ISP router regardless of their network setup (DHCP / static). A sort of "buy my router to use my free service" thing.
I've done some things so far with some success, but as a noob at networking and Mikrotik in general, I would like some help completing it, because the only thing that works for now is the IPIP over WireGuard. My mangle rules mark the packets correctly when I ping from within the Mikrotik itself (output), but they do not work at all when I connect my laptop with a cable and try to ping my server's public IP from the laptop (prerouting???).
*** The reason I'm trying IPIP over WireGuard is to test the stability of my connections. If I use only WireGuard, I get disconnections on each re-key, and it does not comply with my short keepalive. It keeps disconnecting my clients' web browser websocket connections each time. ***
Below is my configuration for a DHCP setup (there might be some input/accept rules that don't matter for now; they're leftovers of some tests I'm doing).
Any help will be appreciated.
If anything is missing, I can provide it right away.
Code:
/interface bridge
add name=bridge1
/interface ipip
add local-address=10.10.10.2 name=ipip-tunnel-client remote-address=10.10.10.1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-client
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=SERVER_IP_ADDRESS_HERE endpoint-port=13231 interface=wireguard-client public-key=\
"MY_PUBLIC_KEY_HERE"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip address
add address=10.10.10.2/24 interface=wireguard-client network=10.10.10.0
add address=10.10.11.2/24 interface=ipip-tunnel-client network=10.10.11.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip firewall filter
add action=accept chain=input in-interface=wireguard-client
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input protocol=icmp
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=SERVER_IP_ADDRESS_HERE dst-port=!5182,8291 new-connection-mark=conn_to_server_non_wg_wb passthrough=yes \
protocol=tcp
add action=mark-connection chain=output dst-address=SERVER_IP_ADDRESS_HERE dst-port=!5182,8291 new-connection-mark=conn_to_server_non_wg_wb passthrough=yes \
protocol=tcp
add action=mark-connection chain=output log=yes new-connection-mark=conn_to_server_non_wg_wb passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting log=yes new-connection-mark=conn_to_server_non_wg_wb passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting dst-address=SERVER_IP_ADDRESS_HERE dst-port=!5182,8291 new-connection-mark=conn_to_server_non_wg_wb passthrough=yes \
protocol=udp
add action=mark-connection chain=output dst-address=SERVER_IP_ADDRESS_HERE dst-port=!5182,8291 new-connection-mark=conn_to_server_non_wg_wb passthrough=yes \
protocol=udp
add action=mark-routing chain=prerouting new-routing-mark=TUNNEL-ROUTE passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.10.10.0/24 out-interface=wireguard-client src-address=10.10.10.0/24
add action=masquerade chain=srcnat dst-address=10.10.11.0/24 out-interface=ipip-tunnel-client src-address=10.10.11.0/24
add action=masquerade chain=srcnat connection-mark=conn_to_SERVER_IP_ADDRESS_HERE packet-mark=pkt_to_SERVER_IP_ADDRESS_HERE
/ip route
add disabled=no distance=1 dst-address=SERVER_IP_ADDRESS_HERE/32 gateway=ipip-tunnel-client pref-src="" routing-table=TUNNEL-ROUTE scope=30 suppress-hw-offload=\
no target-scope=10
/routing table
add fib name=TUNNEL-ROUTE
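An added example, not the poster's configuration and not verified on the poster's devices, showing one way to tie the routing mark to the connections that are actually destined for the web service. It reuses the names from the post (ipip-tunnel-client, TUNNEL-ROUTE, SERVER_IP_ADDRESS_HERE) and adds a new connection mark, conn_to_server. WG_ENDPOINT_PORT_HERE is a placeholder for the UDP port the WireGuard peer really uses: the posted peer has endpoint-port=13231 while the posted mangle exclusions list 5182, and the two need to agree, otherwise the tunnel's own transport packets can be marked for the tunnel.

```routeros
# Added example (not the poster's configuration). Placeholders:
#   SERVER_IP_ADDRESS_HERE - public IP of the dedicated server (from the post)
#   WG_ENDPOINT_PORT_HERE  - UDP port of the WireGuard peer (assumed placeholder)

/routing table
add fib name=TUNNEL-ROUTE

/ip firewall mangle
# 1. Leave the router's own management and tunnel transport alone. WireGuard
#    packets to the server must keep using the ISP path; if they were marked
#    for the tunnel, the tunnel would be asked to carry its own encapsulation.
add chain=prerouting action=accept dst-address=SERVER_IP_ADDRESS_HERE protocol=udp \
    dst-port=WG_ENDPOINT_PORT_HERE comment="WireGuard transport stays on the ISP path"
add chain=output action=accept dst-address=SERVER_IP_ADDRESS_HERE protocol=udp \
    dst-port=WG_ENDPOINT_PORT_HERE
add chain=prerouting action=accept dst-address=SERVER_IP_ADDRESS_HERE protocol=tcp dst-port=8291 \
    comment="Winbox stays on the ISP path"
add chain=output action=accept dst-address=SERVER_IP_ADDRESS_HERE protocol=tcp dst-port=8291

# 2. Mark each new connection towards the server once, for any protocol
#    (covers TCP, UDP and the ICMP test pings), both for traffic coming in
#    from the LAN (prerouting) and for the router's own traffic (output).
#    The dst-address match is what keeps unrelated traffic unmarked.
add chain=prerouting action=mark-connection connection-state=new \
    dst-address=SERVER_IP_ADDRESS_HERE new-connection-mark=conn_to_server passthrough=yes
add chain=output action=mark-connection connection-state=new \
    dst-address=SERVER_IP_ADDRESS_HERE new-connection-mark=conn_to_server passthrough=yes

# 3. Apply the routing mark only to packets of marked connections that are
#    heading to the server. Replies coming back from the server also carry
#    the connection mark, so dst-address is repeated here to leave them on
#    the normal routing path.
add chain=prerouting action=mark-routing connection-mark=conn_to_server \
    dst-address=SERVER_IP_ADDRESS_HERE new-routing-mark=TUNNEL-ROUTE passthrough=no
add chain=output action=mark-routing connection-mark=conn_to_server \
    dst-address=SERVER_IP_ADDRESS_HERE new-routing-mark=TUNNEL-ROUTE passthrough=no

/ip firewall nat
# 4. Source-NAT marked traffic leaving through the IPIP tunnel to the hEX's
#    tunnel address (10.10.11.2), so the CHR answers into the tunnel instead of
#    seeing a client's private LAN address it has no route back to.
add chain=srcnat action=masquerade out-interface=ipip-tunnel-client connection-mark=conn_to_server

/ip route
# 5. In the marked table the server is reachable only through the tunnel.
#    The main table keeps the ISP default route learned by the DHCP client,
#    which is where everything unmarked (including the WireGuard transport) goes.
add dst-address=SERVER_IP_ADDRESS_HERE/32 gateway=ipip-tunnel-client routing-table=TUNNEL-ROUTE
```

Compared with the posted rules, three things change: the mark-routing rule matches the connection mark (the posted one has no match at all, so it marks every packet that passes prerouting), the ICMP rules gain a dst-address (the posted ones mark every ICMP connection), and the masquerade rule is driven by a connection mark that an earlier rule actually sets, with the out-interface being the IPIP tunnel (the posted rule references conn_to_SERVER_IP_ADDRESS_HERE and pkt_to_SERVER_IP_ADDRESS_HERE, which no rule creates). Two assumptions to check on the device: `use-ip-firewall=yes` on the bridge, already present in the post, is what lets bridged LAN traffic reach the prerouting chain at all; and a routing mark only influences a routing decision, so this example assumes the hEX is the hop that routes the LAN hosts' packets to the server rather than forwarding them at layer 2 towards the ISP router's MAC address. The CHR side (forwarding 10.10.11.0/24 to the host machine and routing replies back through the tunnel) is outside the posted configuration and is assumed to be in place.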