I am trying to solve a seemingly simple problem. Can I use L2TP connection in parallel to my main connection?

Let me explain:

I have a debian home server that I need to ssh into. My home LTE router (MikroTik) is behind multiple NAT routers as the external address as determined by services like whatismyip is different from the external interface (lte1) address. This is confirmed by traceroute. Therefore a dynamic DNS solution + port forwarding will not work.

Apparently I could get an L2TP service from AA and that would provide me with a static IP address. I imagine this as an encrypted tunnel from AA to my router that would probably create a virtual interface in the router. I think I could then ssh to that static IP address which would lead to my router through the tunnel. The router then should port forward the packets to my debian server.

But is this L2TP an all or nothing approach? Will then all my traffic have to go through that L2TP connection? I would rather that my home network continues as is and I use L2TP only to ssh into my home network (or some other connection later on, if I find use for that). Reason: my connection is unlimited, but the L2TP connection would be metered. And from the common sense viewpoint too I would rather things are simple.

I have added a picture of how I would want the setup to be. Normal traffic (N) keeps passing between LAN - MT router - Internet as before; only SSH connections that I initiate when I am in the "Internet" - from outside - go through the L2TP tunnel.

[Image: schematic of the intended setup, as described above]


1 Answer

There are several ways of setting up tunnels similar to the one that you mentioned. But each one of them will mean that

  1. Your home server (or MikroTik) needs to initiate a connection from behind the NAT to bring up the tunnel.
  2. All your SSH traffic will go through the tunnel so it will inevitably be subjected to their bandwidth limitation and usage fees.

There are some providers that offer some amount of free traffic, but they also have certain drawbacks and limitations.

In order to connect directly from the internet to your home server you would need to have a static IP on the outermost NAT router and a port mapping on each of the routers between you and the internet.

If you can get IPv6 you might also consider it, since IPv6 requires no NAT. You would, however, still need to configure it on all the routers.

  • Thanks! I think I have not been very precise in what I tried to explain. I think that the mapping would happen on the AA ISP side - if I connect to the static IP they provide me with, they would make sure that it reaches my router. i.e. that static IP would behave as if it is my router. I added a schematic drawing to my post to illustrate what I mean. – r0berts Jun 18 '23 at 10:42
  • Any connection initiated in your LAN can reach hosts on the internet directly. Any connection initiated by a host on the internet ("you") must pass through the tunnel and use tunnel provider's IP. It does not matter if connections are SSH or anything else. This is the fundamental limitation of how NAT works, so the only way around it would be to get a static IP assigned by your ISP and then to configure port mapping on your router (MikroTik). – jurez Jun 18 '23 at 13:21
  • Thanks, I understand. My ISP does not offer static IP for home mobile networks. I probably need to get someone from AA to ask those questions. It would be perfectly alright for me if me connecting from outside would pass through the tunnel provider's IP (and then reach my router, where I can do port forwarding from router to debian server). What I do not want is that the usual traffic from my LAN would go through the tunnel as well. It should go through my ISP's system. – r0berts Jun 18 '23 at 13:56
  • Like I said, that shouldn't be an issue. It'll be like that by default, unless you explicitly configure default route via the tunnel interface. – jurez Jun 19 '23 at 04:29
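For the MikroTik side of the setup discussed in the answer and comments, here is an added example configuration (not from the question, the answer or AA) for RouterOS v7: it brings up the L2TP client without installing a default route, forwards only SSH arriving over the tunnel to the Debian host, and policy-routes the replies of those connections back through the tunnel, which is the step the default-route comment does not cover. The L2TP server address and credentials, the interface names `l2tp-out1` and `bridge`, and the LAN address 192.168.88.10 are placeholders and assumptions.

```routeros
# Assumed names: tunnel interface l2tp-out1, LAN bridge "bridge",
# Debian host 192.168.88.10. Replace the <...> placeholders with AA's values.

# 1. Bring up the tunnel. add-default-route=no keeps ordinary LAN traffic on lte1.
/interface l2tp-client add name=l2tp-out1 connect-to=<aa-l2tp-server> user=<aa-username> password=<aa-password> add-default-route=no disabled=no

# 2. A second routing table whose only route is "everything via the tunnel".
/routing table add name=via-l2tp fib
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-table=via-l2tp

# 3. Mark connections that enter through the tunnel, then send the reply packets
#    of those connections (leaving the LAN host) to the via-l2tp table.
#    Without this, replies would follow the main default route out of lte1 with
#    the tunnel's static IP as source address and be dropped by the mobile ISP.
/ip firewall mangle add chain=prerouting in-interface=l2tp-out1 connection-state=new action=mark-connection new-connection-mark=from-l2tp passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=bridge connection-mark=from-l2tp action=mark-routing new-routing-mark=via-l2tp passthrough=no

# 4. Port-forward SSH arriving over the tunnel to the Debian host, nothing else.
/ip firewall nat add chain=dstnat in-interface=l2tp-out1 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.88.10 to-ports=22

# 5. Filter: allow only that forwarded SSH in from the tunnel and drop the rest,
#    so the static IP does not expose the whole LAN or the router itself.
#    Rules are evaluated in order; place these before any broader rules.
/ip firewall filter add chain=forward in-interface=l2tp-out1 connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=l2tp-out1 connection-nat-state=dstnat protocol=tcp dst-port=22 action=accept
/ip firewall filter add chain=forward in-interface=l2tp-out1 action=drop
/ip firewall filter add chain=input in-interface=l2tp-out1 connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=l2tp-out1 action=drop
```

On RouterOS v6 the same idea applies, but the routing table is not created explicitly and the route uses `routing-mark=via-l2tp` instead of `routing-table=`.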