You are here

Home » Forums » Tunnels

Routing from WAN through tunnel

7 posts / 0 new
Log in or register to post comments
Last post
Tue, 01/29/2019 - 06:58
#1
wb6tae
Routing from WAN through tunnel

Now that my tunnel is working...

I am using the MikroTik RouterBOARD 952Ui-5ac2nD to provide stand-alone access to a remote mesh. For this purpose I really only need the Mikrotik node to be reachable vie wired ethernet. For simplicity, I'd prefer to just connect to the Mijkrotik on its WAN (Internet) interface which appears on my LAN.  All of this works just fine.

The problem I have run into is connecting to remote mesh nodes through the Mikrotik and the tunnel. I have created a route on my desktop computer (MacOS) that sends all traffic for the 10 network to the Mikrotik's "WAN" address. I can test that with traceroute, and see the route goes to the Mikrotok, but dies there:

$ traceroute to 10.240.37.49 (10.240.37.49), 64 hops max, 52 byte packets
1  192.168.5.77 (192.168.5.77)  0.552 ms  0.439 ms  0.359 ms
2  192.168.5.77 (192.168.5.77)  0.314 ms  0.406 ms  0.502 ms

Similarly, if I ssh into the Mikrotik the same traceroute fails.

$ traceroute 10.240.37.49
traceroute to 10.240.37.49 (10.240.37.49), 30 hops max, 38 byte packets
1  *^C

On the Mikrotik setup -> WAN settings I have entered a static address and a gateway on the local LAN. I have Mesh Gateway checked. I have tried unchecking Mesh Gateway, but  it makes no difference.

FWIW, the routing table shows:

default via 192.168.5.1 dev eth0 
10.0.0.0/8 dev eth1.2 scope link  src 10.219.44.57 
10.0.0.0/8 dev wlan1 scope link  src 10.218.44.57 
10.209.97.200/29 dev eth1.0 scope link  src 10.209.97.201 
172.31.166.16/30 via 172.31.166.18 dev tun60 
172.31.166.16/30 dev tun60 scope link  src 172.31.166.17 
192.168.5.0/24 dev eth0 scope link  src 192.168.5.77 

 
Any ideas?
Top
Tue, 01/29/2019 - 14:43
k1ky
k1ky's picture
MESH Network Access
If you want access to other nodes on the MESH network system that you are "tunneled to", you should just connect your computer to LAN ports 2-4 on your Microtik or connect it to the 5GHz AP via Wi-Fi and you will have access to all of the 10.xxx addy devices on your MESH network - even those on the far side of your funnel.

Did I miss something?
Top
Tue, 01/29/2019 - 15:36
(Reply to #2)
K9CQB
K9CQB's picture
Thank you - great advice
K1KY, 
Thank you for the 5GHz WiFi AP connection reminder. That fixed another problem I was having.
-Damon K9CQB
Top
Tue, 01/29/2019 - 16:38
(Reply to #3)
wb6tae
Did you miss something?  Well
Did you miss something?  Well actually, yes. That's not what I want to do. First off, with only 3 real channels, I already have problems with Wi-Fi overlap in my home. Also, since my desktop machine is a Mac, I'd lose AirDrop if I used Wi-Fi to join the mesh. I also don't want the MiktoTik device around my desk area, it can site nicely in the cellar. And, yes, I could also run both my internal network AND the 10 network over the same physical cabling and access it with a virtual enet interface. In fact, that is what I am doing now. Oddly enough, when I place the mesh network first in the network order (remember, this is MacOS) I can traceroute from my desktop. But, that isn't really what I wanted to do.  

Also, I would like to not only come up with a solution I like, but I'd like to learn why what I am trying to do does not work.

BTW, note the 5gHz option only seems to work on the nightly builds. At the moment I am on 3.18.9.0 because I was trying to resolve a tunnel problem, though I may switch back.
Top
Wed, 03/20/2019 - 19:14
kd7ppk
routes

deleted for wrongness
 

Top
Wed, 03/20/2019 - 19:38
(Reply to #5)
K6AH
K6AH's picture
Woooo
No need to do any of that.  Read the documentation on Node VLANs:  https://arednmesh.readthedocs.io/en/latest/arednGettingStarted/advanced_...

Make sure you have broken out VLAN 1 for the Internet using a managed Ethernet switch, then plug your LAN (which is assumed to have Internet access on it) into the managed switch on the port you configured.  Switch configuration info is provided under the Software tab.

Andre, K6AH
 
Top
Wed, 03/20/2019 - 20:18
AE6XE
AE6XE's picture
"I'd like to learn why what I
"I'd like to learn why what I am trying to do does not work."  

It doesn't work because the node's firewall and routing tables do not have entries that do this.    The are multiple firewall rules/chains  and multiple routing tables on the node.  The firewall rules and routing tables order are different depending if the traffic comes from a process on the node or traffic coming in over a given interface (WAN, LAN, DTDLink, wifi, tunnel).   Traffic coming in over the WAN interface, by design, is intended to block and not allow intrusion or attack -- it's a common NAT Masquerade boundary.   It's working as intended to interface with a foreign un-trusted network.    Your purpose is very different.

Joe AE6XE 
Top

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer