I use Mikrotik RouterOS as the NAT router. Some hosts behind the router also have a direct connection to the Internet, and these hosts have a default route to the ISP's gateway instead of RouterOS. I set up an OpenVPN server in tun mode on one of these hosts with a public IP. The problem is that VPN clients cannot communicate with hosts that have a public IP because they have a default route to the ISP. I can put a static route on RouterOS, but I have no control over my ISP's router. So packets sent to the VPN client are sent to the WAN link instead of the VPN server. What options do I have?
private DHCP pool 172.16.10.0/24, gateway 172.16.10.1 (RouterOS)
OpenVPN pool 172.16.11.0/24
- tap mode, a lot of overhead
- tun mode, VPN pool inside DHCP pool and OpenVPN server proxy-ARP for the VPN pool in the LAN
- tun mode, add a static route for OpenVPN pool on every host with a public IP. This does not scale well, too much work in a mixed environment
- IPv6. The problem is that a lot of Windows applications (for example VMware products) have poor support for IPv6. All hosts do have IPv6 connectivity but VPN clients might have a hard time getting IPv6.
I know I probably should put everything behind the firewall. I will do that after I get a Juniper SRX. I don't have enough public IPs for every host. And RouterOS/pfSense is not well suited for an environment with mixed public/private IPs. I have to admit this is a poor design to begin with; is there any migration path without breaking the bank? It's not production, just a slightly complicated home network.
I appreciate your input.
Edit1 (Response to JelmerS's answer): This is doable but does not scale really well, as I mentioned in the OP. In the environment I have different flavors of BSD, Linux, Windows and standalone appliances without a shell (e.g. printer, network monitoring devices, phone). I will try DHCP option 33 and option 121; I am not sure how well they are supported on different devices.
Edit2 (Response to Joseph Drane's answer): 1. Currently, hosts with a public IP have a link to the RouterOS LAN and another link to the ISP (bypassing RouterOS).
Is there any justification for doing static NAT? It seems unnecessary (heavy performance penalty)
The firewall I am looking for should work well in transparent mode. DHCP/NAT can totally be done by another box. But most firewalls I have used don't support transparent mode well and are difficult to troubleshoot (lack of visibility).
Edit3: RouterOS runs inside ESXi. There are some other guest OSes. The environment is mixed with physical/virtual hosts. I do have enough NIC interfaces on ESXi box. I want the flexibility to allow hosts to easily switch between public/private address.
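Added example (not part of the original question or any answer): the DHCP option 121 route-push mentioned in Edit1 has to be built as an RFC 3442 classless static route blob, and one caveat matters for this exact setup: a client that honours option 121 must ignore option 3 (the router option), so the default route via 172.16.10.1 must be carried inside option 121 as well or the LAN hosts lose their gateway. The script below encodes and decodes that blob for the addresses given in the question. The OpenVPN server's LAN-side address (172.16.10.2) is an assumption, since the question does not give it, and the RouterOS `/ip dhcp-server option` command it prints is an assumed syntax to verify against your RouterOS version; Windows clients use Microsoft option 249 with the same encoding.

```python
import ipaddress

# Constructed sample: the question's OpenVPN pool and LAN gateway.
# 172.16.10.2 as the OpenVPN server's LAN address is an assumption.
LAN = ipaddress.IPv4Network("172.16.10.0/24")
ROUTES = [
    ("172.16.11.0/24", "172.16.10.2"),  # OpenVPN pool -> OpenVPN server on the LAN
    ("0.0.0.0/0", "172.16.10.1"),       # default route must be repeated (RFC 3442 sec. 3)
]


def encode_rfc3442(routes):
    """Encode (destination CIDR, router) pairs as DHCP option 121 / 249 payload.

    Per route: one byte prefix length, the significant destination octets
    (ceil(prefix/8) of them), then the 4-octet router address.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set
        width = net.prefixlen
        significant = (width + 7) // 8
        out.append(width)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_rfc3442(data):
    """Inverse of encode_rfc3442; raises ValueError on a truncated or bad blob."""
    routes = []
    i = 0
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError("prefix length %d > 32" % width)
        significant = (width + 7) // 8
        dest = data[i:i + significant]
        i += significant
        router = data[i:i + 4]
        i += 4
        if len(dest) < significant or len(router) < 4:
            raise ValueError("truncated option 121 payload")
        dest_int = int.from_bytes(dest + b"\x00" * (4 - significant), "big")
        net = ipaddress.IPv4Network((dest_int, width))
        routes.append((str(net), str(ipaddress.IPv4Address(bytes(router)))))
    return routes


def check_routers_on_link(routes, lan=LAN):
    """Every next hop must be directly reachable on the DHCP client's LAN,
    otherwise the client silently drops the route. Returns the offending hops."""
    return [r for _, r in routes if ipaddress.IPv4Address(r) not in lan]


def has_default_route(routes):
    """RFC 3442: clients that use option 121 ignore option 3, so the default
    route must be present in the list itself."""
    return any(ipaddress.IPv4Network(d).prefixlen == 0 for d, _ in routes)


def routeros_command(routes, name="vpn-routes", code=121):
    """Assumed RouterOS syntax for a raw hex DHCP option; verify on your version."""
    return "/ip dhcp-server option add name=%s code=%d value=0x%s" % (
        name, code, encode_rfc3442(routes).hex())


if __name__ == "__main__":
    assert not check_routers_on_link(ROUTES), "next hop not on the LAN"
    assert has_default_route(ROUTES), "default route missing from option 121"
    print(routeros_command(ROUTES))              # option 121 for RFC 3442 clients
    print(routeros_command(ROUTES, "vpn-routes-ms", 249))  # same blob for Windows
    print(decode_rfc3442(encode_rfc3442(ROUTES)))
```

Attach both options to the DHCP network on RouterOS; devices that implement neither (the printers and phones from Edit1) will keep using only option 3 and still need the per-host static route or the proxy-ARP approach.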