Yandex cloud and MikroTik MultiWAN

Greetings readers, in this article I would like to share my experience of setting up an internal Yandex Cloud network and routing to the Internet through MikroTik RouterOS.



There is one VPC that is administered by internal services and hands out external IPs to internal VMs through a subnet gateway behind NAT, which is not very convenient for centralized administration.



The layout of the internal network and the way an external IP is obtained in Yandex Cloud looks like this:





ip NAT-instance forward, . / ( VPC Preview).



, IP VPC1













Subnets:



Internal1-a – 10.1.0.0/24
Internal2-a – 10.1.1.0/24
Internal1-b – 10.1.2.0/24
Internal2-b – 10.1.3.0/24
Internal1-c – 10.1.4.0/24
Internal2-c – 10.1.5.0/24


, . . ip



Gateway – X.X.X.1
Internal DNS – X.X.X.2


RouterOS.



Cloud Marketplace -> -> Cloud Hosted Router ip



RouterOS
Ether1 – 10.1.0.254
Ether2 – 10.1.1.254


ether1 winbox. , admin rsa public key.



CLI. winbox, , ip route ..






/ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip,
 b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.1.0.1                  1
 1 ADC  10.1.1.0/24        10.1.1.254      ether2                    0
 2 ADC  10.1.0.0/24        10.1.0.254      ether1                    0


ether1 10.1.0.1 NAT . ip , .



2 , 2 , distance .





/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=2 
add dst-address=10.1.2.0/24 gateway=10.1.0.1 distance=1  
add dst-address=10.1.3.0/24 gateway=10.1.1.1 distance=1  
add dst-address=10.1.5.0/24 gateway=10.1.1.1 distance=1  
add dst-address=10.1.4.0/24 gateway=10.1.0.1 distance=1 


b c a.



firewall.





/ip firewall filter
add chain=input action=accept src-address=10.1.5.0/24 
add chain=input action=accept src-address=10.1.1.0/24 
add chain=input action=accept src-address=10.1.3.0/24 
add chain=input action=accept src-address=10.1.2.0/24 
add chain=input action=accept src-address=10.1.0.0/24 
add chain=input action=accept src-address=10.1.4.0/24 


ping



/ip firewall filter
add chain=input action=accept protocol=icmp 




/ip firewall filter
add chain=forward action=accept src-address=10.1.5.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.1.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.3.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.2.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.0.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.4.0/24 \
dst-address=0.0.0.0/0 




/ip firewall filter add chain=input action=drop log=no




/ip firewall filter move numbers="[old rule no]" \
destination="[new rule no]"




/ip firewall filter print
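An added example, not part of the original article: a small model of first-match evaluation for the input-chain rules above (RouterOS accepts a packet when no filter rule matches). It shows that the final `action=drop` only does its job when it sits after the accept rules, which is why the `move` step matters. The hosts 10.1.3.20 and 7.7.7.1 are constructed sample values.

```python
# Added example: model RouterOS filter evaluation for the article's input chain.
# Rules are evaluated top to bottom; the first match decides, and a packet that
# matches no rule is accepted (RouterOS default). Sample hosts are constructed.
from ipaddress import ip_address, ip_network

INTERNAL = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24",
            "10.1.3.0/24", "10.1.4.0/24", "10.1.5.0/24"]

# Each rule: (src-address or None, protocol or None, action). Order matters.
RULES = [(net, None, "accept") for net in INTERNAL] + [
    (None, "icmp", "accept"),   # add chain=input action=accept protocol=icmp
    (None, None, "drop"),       # add chain=input action=drop log=no
]

# Misordered variant: the drop rule ended up before the accepts (what
# "/ip firewall filter move" is used to correct).
MISORDERED = RULES[-1:] + RULES[:-1]


def matches(rule, src, proto):
    rule_src, rule_proto, _ = rule
    if rule_src is not None and ip_address(src) not in ip_network(rule_src):
        return False
    if rule_proto is not None and rule_proto != proto:
        return False
    return True


def verdict(rules, src, proto):
    """Return the action of the first matching rule, or the implicit accept."""
    for rule in rules:
        if matches(rule, src, proto):
            return rule[2]
    return "accept"


def input_chain_ok(rules):
    """Sanity check: internal hosts reach the router, outside hosts do not."""
    return (verdict(rules, "10.1.3.20", "tcp") == "accept"
            and verdict(rules, "7.7.7.1", "tcp") == "drop"
            and verdict(rules, "7.7.7.1", "icmp") == "accept")
```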


ip , MultiWAN. MULTIWAN ( )



WAN , route rules, 2 interface list



/interface list
add name="WAN1"
add name="WAN2"

/interface list member
add list=WAN1 interface=ether1 dynamic=no 
add list=WAN2 interface=ether2 dynamic=no




/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 distance=1 routing-mark=WAN1 
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 routing-mark=WAN2 


, ether1, ,





/ip route rule
add src-address=10.1.0.0/16 dst-address=10.1.0.0/16 action=lookup-only-in-table table=main
add src-address=10.1.3.0/24 action=lookup-only-in-table table=WAN2 
add src-address=10.1.5.0/24 action=lookup-only-in-table table=WAN2


2 ip , .
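An added example, not part of the original article: a model of how the route rules and routing tables above decide the egress for a packet. Route rules are checked in order and the first match selects the table (`lookup-only-in-table` does not fall back to `main`); within the table the longest prefix wins and, for equal prefixes, the lowest distance. The destinations 8.8.8.8 and 10.1.0.5 are constructed sample values.

```python
# Added example: model RouterOS policy routing for the article's MultiWAN setup.
# Tables mirror "/ip route print" plus the WAN1/WAN2 marked routes; rules mirror
# "/ip route rule". Sample source/destination addresses are constructed.
from ipaddress import ip_address, ip_network

TABLES = {
    "main": [
        ("0.0.0.0/0", "10.1.0.1", 1),    # default via ether1 (NAT gateway)
        ("0.0.0.0/0", "10.1.1.1", 2),    # backup default via ether2
        ("10.1.0.0/24", "ether1", 0),    # connected
        ("10.1.1.0/24", "ether2", 0),    # connected
        ("10.1.2.0/24", "10.1.0.1", 1),
        ("10.1.3.0/24", "10.1.1.1", 1),
        ("10.1.4.0/24", "10.1.0.1", 1),
        ("10.1.5.0/24", "10.1.1.1", 1),
    ],
    "WAN1": [("0.0.0.0/0", "10.1.0.1", 1)],
    "WAN2": [("0.0.0.0/0", "10.1.1.1", 1)],
}

# (src-address, dst-address, table); a rule without dst-address matches any.
RULES = [
    ("10.1.0.0/16", "10.1.0.0/16", "main"),
    ("10.1.3.0/24", "0.0.0.0/0", "WAN2"),
    ("10.1.5.0/24", "0.0.0.0/0", "WAN2"),
]


def select_table(src, dst):
    """First matching route rule picks the table; otherwise main."""
    for rule_src, rule_dst, table in RULES:
        if ip_address(src) in ip_network(rule_src) and ip_address(dst) in ip_network(rule_dst):
            return table
    return "main"


def lookup(table, dst):
    """Longest prefix match, ties broken by lowest distance; None if no route."""
    best = None
    for prefix, gateway, distance in TABLES[table]:
        net = ip_network(prefix)
        if ip_address(dst) in net:
            key = (net.prefixlen, -distance)
            if best is None or key > best[0]:
                best = (key, gateway)
    return best[1] if best else None


def next_hop(src, dst):
    table = select_table(src, dst)
    return table, lookup(table, dst)
```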




Virtual Private Cloud -> -> NAT -> -> , -> : 0.0.0.0/0, Next hop: 10.1.0.1/10.1.1.1 -> .

( api kubernetes) ipsec, 2



 : 10.1.0.0/16, Next hop: 10.1.0.1/10.1.1.1
 : <_>, Next hop: 10.1.0.1/10.1.1.1


, , IP , srcnat . masquerade



/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.1.0.0/16
add chain=srcnat action=masquerade src-address=10.1.0.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.1.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.2.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.3.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.4.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.5.0/24 dst-address=0.0.0.0/0


ip . .








// ip :



/ip firewall nat
add chain=dstnat action=netmap to-addresses=10.1.5.20 \
to-ports=10050 protocol=tcp src-address=7.7.7.1 in-interface-list=WAN2 port=10055 
add chain=dstnat action=netmap to-addresses=10.1.0.5 \
to-ports=3306 protocol=tcp src-address=7.7.7.2 in-interface-list=WAN1 port=11050


7.7.7.1/7.7.7.2 ip .



, ipsec, , .



: ipsec



, ipsec ip



, psk, . . ip NAT, peer mikrotik, identity IP



/ip ipsec profile
# Note: des is a deprecated cipher; aes-256 is the usual choice when the
# remote peer supports it. aggressive mode with a pre-shared key sends the
# identity hash unencrypted, so use a long random secret instead of "123123123".
add name="office" hash-algorithm=sha512 enc-algorithm=des dh-group=modp1536 \
lifetime=8h proposal-check=obey nat-traversal=no \
dpd-interval=2m dpd-maximum-failures=5

/ip ipsec peer
# local-address must be an address assigned to the router (ether2 is
# 10.1.1.254); the original had the network address 10.1.1.0 here.
add name="peer_office" address=9.9.9.1/32 local-address=10.1.1.254 \
profile=office exchange-mode=aggressive send-initial-contact=yes

/ip ipsec identity
add peer=peer_office auth-method=pre-shared-key notrack-chain="prerouting" \
secret="123123123" generate-policy=no policy-template-group=office \
my-id=address:<cloud_ext_ip_address>

/ip ipsec proposal
add name="office" auth-algorithms=sha256 \
enc-algorithms=des lifetime=1h pfs-group=modp1536




/ip ipsec policy 
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=10.7.0.0/16 \
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office


, peer level unique, 12.1.0.0/24 12.10.0.0/24



/ip ipsec policy 
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.1.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office

add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.10.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office


Firewall rules for the tunnel: filter rules, NAT and raw.



/ip firewall filter 
add chain=input action=accept src-address=10.7.0.0/16 
add chain=input action=accept protocol=ipsec-esp src-address=9.9.9.1 
add chain=input action=accept protocol=udp src-address=9.9.9.1 port=500 
add chain=forward action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16 
add chain=forward action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16 

/ip firewall nat 
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16 
add chain=srcnat action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16 

/ip firewall raw  
add chain=prerouting action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16 
add chain=prerouting action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16


10.7.0.0/16 is the remote (office) network, 9.9.9.1 is the remote peer's external IP.






A MikroTik RouterOS license must be purchased for the router, otherwise the port speed will be limited to 1 Gbps and there are functional restrictions.

https://wiki.mikrotik.com/wiki/Manual:License



Thank you for your attention!



Sources used:



MULTIWAN



UPD

Based on comments and remarks, the article was updated and a description of the IPsec setup was added.



