EOIP over PPTP VPN

I have a requirement to be able to place Mikrotik routers behind 3rd party routers (that I have no control over) and be able to access these routers and any devices behind them. So I effectively have a remote double NAT situation going on.

After a bit of research and trial and error I do have a working solution that works, but I am just wondering if there are any tweaks I can make to make the routing etc. more elegant or better. I have the remote Mikrotik routers connect home (PPTP client) and then have an EOIP tunnel connect over that PPTP VPN. When I open Winbox at home I can then see all the remote routers and can then connect to the router or any of the devices behind those remote routers.

Everything is working fine, but I do get the odd DHCP allocation coming across the EOIP tunnel, though I statically assign the devices I need to control. I was going to use different subnets for each router but ended up using the same subnet across all routers.

I have a total of 5 remote Mikrotik routers. These routers are not in any single place permanently and can move around and could be placed behind 3rd party routers with dynamically assigned public IP addresses. I want to be able to connect them behind these routers and have them just connect home (which they currently do at the moment).

Is there anything else I can do, or do I have the best solution already configured? (Below is a rough diagram of my current solution.)

Thanks in advance for any suggestions or advice.

Untitled Diagram.jpg

Well, there are many ways you can implement this…
Personally I wouldn't use PPTP, and probably not EoIP either…
I would either set up an SSTP server on my home router and configure the remote routers to connect to my SSTP server or, in case Layer 2 connectivity is important, I would implement SSTP with BCP (Bridge Control Protocol) instead of EoIP.

More information about BCP : https://wiki.mikrotik.com/wiki/Manual:BCP_bridging_(PPP_tunnel_bridging)

Hmm interesting thanks - I’ll set this up on a test router.

What would be the IP/Subnet on both sides with this configuration? Would they need to be different or same?

As the previous poster said, you should use a single tunnel and BCP instead of using 2 tunnels.

I would however recommend against SSTP since it is a TCP-based tunnel.
You will run into TCP windowing issues when running TCP sessions inside of a TCP tunnel.

I personally would recommend L2TP over IPSec, with BCP on the L2TP session.
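The setup recommended in this thread (one L2TP tunnel protected by IPsec, with BCP bridging on the PPP session) could look like the following on RouterOS. This is an added example, not configuration posted by anyone in the thread; the bridge, profile and interface names, `home.example.net`, `ether2`, the user `remote1` and both secrets are placeholder assumptions.

```routeros
# --- Home router (L2TP server); all names and secrets are placeholders ---
# Bridge that the remote sites' Ethernet segments are joined to via BCP
/interface bridge add name=bridge-remote
# PPP profile: the bridge= setting is what enables BCP on the session
/ppp profile add name=bcp-l2tp bridge=bridge-remote use-encryption=yes
# One PPP secret per remote router, restricted to the L2TP service
/ppp secret add name=remote1 password="CHANGE-ME-PPP" profile=bcp-l2tp service=l2tp
# L2TP server with IPsec; MRRU lets full-size Ethernet frames cross the tunnel
/interface l2tp-server server set enabled=yes default-profile=bcp-l2tp \
    authentication=mschap2 use-ipsec=yes ipsec-secret="CHANGE-ME-PSK" \
    max-mtu=1460 max-mru=1460 mrru=1600

# --- Remote router (L2TP client behind the 3rd party NAT) ---
/interface bridge add name=bridge-lan
# ether2 is an assumed LAN port carrying the devices to be reached
/interface bridge port add bridge=bridge-lan interface=ether2
/ppp profile add name=bcp-l2tp bridge=bridge-lan use-encryption=yes
# The client dials out, so no port forwarding is needed on the 3rd party router
/interface l2tp-client add name=l2tp-home connect-to=home.example.net \
    user=remote1 password="CHANGE-ME-PPP" profile=bcp-l2tp \
    use-ipsec=yes ipsec-secret="CHANGE-ME-PSK" allow=mschap2 \
    max-mtu=1460 max-mru=1460 mrru=1600 disabled=no
```

Because BCP bridges the two sides into one Layer 2 segment, the bridged ports at both ends sit in the same subnet, and DHCP broadcasts cross the tunnel unless filtered on the bridge.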

What kind of TCP window issues? Can you give an example?

This paper gives you a full image on what is going on:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.78.5815&rep=rep1&type=pdf


  1. CONCLUSIONS AND FUTURE WORKS
    … First, this paper has clearly shown that using a TCP tunnel usually degrades the goodput of the end-to-end TCP flow … We have also shown that when the socket buffer size of the end-to-end TCP or the tunnel TCP is not large, the goodput of the end-to-end TCP flow degrades.

Btw, this is the first Google result when searching for “tcp in tcp tunnel” :wink: