Connecting 2 mikrotiks over internet

Hi

I own two sites that I want to keep connected just as if they were a single LAN (all devices in site1 can communicate with all devices in site2, maybe even share a single DHCP server and a single DNS server, though this is not necessary in case it’s too much trouble).
I have a few ideas on how to achieve this, but it would mean a lot of testing and probably a lot of disappointments. The thing is, I don’t have the global vision of what would be the best method to achieve what I want. That is why I’m asking before I start working:

What is the best way to connect two mikrotik routers through the internet in order to build a single LAN (or as close as possible to a single LAN)?

Sidenotes:

  1. Both mikrotiks sit behind ISP routers, so both WAN addresses are private addresses. This cannot be circumvented. Both ISP routers allow DMZ, one allows bridge mode.
  2. The traffic at one site should not be all routed through the other. Only the LAN(s) traffic.

Thanks in advance for your insight!

Zerotier

I have not been down that road before. Never even installed the package. I might take a look, but I would prefer something more comfortable for an “old tech” guy…

If both were behind NAT and otherwise inaccessible due to private IPs, I think you need another server with a public IP as a gateway. What kind of traffic passes through the LAN between clients? If it’s not remarkably high-throughput, maybe you can get away with a cheap VPS in your region. That way you can use an “old-school” solution like OpenVPN, etc., or if you’re on the v7 branch, Wireguard/OpenVPN UDP.

Zerotier is an (almost) low-configuration, low-management solution, so try looking into that first.

When your MikroTiks are behind ISP routers that allow “DMZ” (and where that really works properly), you can enable that feature and use any of the VPN technologies available in the router.
For LAN-LAN connections I would suggest setting up a GRE tunnel with IPsec encryption (just add a GRE tunnel interface and enter the IPsec secret to auto-configure IPsec), that will be hardware-accelerated on most MikroTik routers (contrary to those other protocols).
Then you add a /30 IP network to the GRE tunnel endpoints (e.g. 10.0.0.1/30 on one end and 10.0.0.2/30 on the other end) and you add a static route towards the other end’s LAN range “via” the other end’s GRE endpoint address.
This way it will work without fiddling with NAT exceptions and it will be fully transparent for any traffic routed between the sites.
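The GRE-with-IPsec setup described above, written out as RouterOS commands. This is an added example, not configuration from the poster; the public IPs, LAN ranges, interface names and the shared secret are all assumed, and it assumes both routers have a public IP directly on their WAN interface (the bridge-mode case).

```routeros
# Site A: RB5009, assumed public WAN 198.51.100.10, LAN 192.168.1.0/24
/interface gre add name=gre-siteB local-address=198.51.100.10 \
    remote-address=203.0.113.20 ipsec-secret="long-random-shared-secret" \
    comment="site-to-site; ipsec-secret auto-creates the IPsec peer and policy"
/ip address add address=10.0.0.1/30 interface=gre-siteB
# Route site B's LAN via the far GRE endpoint, not via the WAN gateway
/ip route add dst-address=192.168.2.0/24 gateway=10.0.0.2 comment="to site B"

# Site B: hexS, assumed public WAN 203.0.113.20, LAN 192.168.2.0/24
/interface gre add name=gre-siteA local-address=203.0.113.20 \
    remote-address=198.51.100.10 ipsec-secret="long-random-shared-secret"
/ip address add address=10.0.0.2/30 interface=gre-siteA
/ip route add dst-address=192.168.1.0/24 gateway=10.0.0.1 comment="to site A"

# Firewall, shown for site A (mirror the addresses on site B). These must sit
# above the input chain's final drop rule. Only the peer's address may bring
# up IKE, ESP and GRE, so nobody else on the internet reaches the IKE responder.
/ip firewall filter add chain=input action=accept protocol=udp \
    dst-port=500,4500 src-address=203.0.113.20 comment="IKE/NAT-T from site B"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=203.0.113.20 comment="ESP from site B"
# GRE reaches the input chain after ESP decapsulation; require that it really
# came out of IPsec so plaintext GRE spoofed from the same IP is dropped.
/ip firewall filter add chain=input action=accept protocol=gre \
    src-address=203.0.113.20 ipsec-policy=in,ipsec comment="GRE inside IPsec"
# Only needed if your srcnat masquerade rule is not bound to out-interface=WAN:
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 place-before=0 comment="no NAT between sites"

# Checks: peer established, SAs installed, far endpoint and far LAN reachable
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ping 10.0.0.2 count=3
/ping 192.168.2.1 count=3
```

If `installed-sa` stays empty while `active-peers` shows the peer, the ESP or GRE input rule is usually the one being dropped.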

Add one to the mix
Wireguard. A lot faster than all the rest.

Wireguard would have been my first response, but based on the OP’s post “as if it was a single LAN (all devices in site1 can communicate with all devices in site2)”, I thought he was looking for more of an EoIP-over-wireguard solution, i.e. able to carry traffic at layer 2 (like broadcasts), not just layer 3.

Different subnets can also reside in one single LAN.
But yes, if discovery, broadcast, etc. is needed, EoIP needs to be added on top.
Otherwise wireguard on its own would be enough.

The (rudimentary) testing I did with an AX Lite for various VPN protocols showed zerotier underperforms immensely compared to WG.

A 100% better solution is WireGuard, just as @holvoetn stated, plus WireGuard security is second to none without sacrificing performance…

Thanks for all the answers.
Been checking zerotier and I think it’s not for me. Signing up? Closed-source software to install on my devices? Relaying packets through some site? Warnings of slowness? The f__k?
I’m leaning towards wireguard (been using it as RW for my laptop and my phone); maybe I’ll try EoIP over it later to better tune it as a single LAN, but anyway, I can live with 2 LANs…
Will get back to you to tell you of my success or to ask for further help in setting it up.

For Wireguard… Someone has to have a public address.

We have the office, bosses home and warehouse.

Office is behind carrier-grade NAT from a WISP.
Home is behind starlink.
Warehouse is the one with a public IP.

Warehouse is set up as the server… The other sites connect to it.

Road warriors also connect to the warehouse.
Once connected… Any site is reachable via IP. All layer 3.

I also use GRE + IPSec for an L2 tunnel.
Wireguard + IPoE is more CPU intensive; this is what I see using two hEX.
Maybe without IPoE the Wireguard tunnel is lighter, I have to check…

Well, what if the Warehouse was natted? Couldn’t it be done? I think it could…
Anyway, one of my ISP routers allows bridge mode. That, as far as I understand, means I can have the mikrotik behind that ISP router with a public address on its WAN. I’ve tried it and it shows a public WAN address.
The other allows DMZ. Not really as a DMZ server, as far as I understand. It “kind of” works as a bridge. The mikrotik has a natted WAN private address, but all the ISP router (no firewall, no NAT port rules, no nothing) is doing is driving all traffic to the mikrotik WAN port. It’s just replacing 1 public/1 private IP. There’s nothing else connected to the ISP router; I’m using it as a fiber/ethernet converter. I’ve long been using my RW wireguard server precisely on this mikrotik (RB5009) without caring about the fact that it stands behind the ISP router and has a private IP on its WAN interface. I just forget about that and everything works fine, just like I had the RB5009 with the public IP on its WAN interface.

And now the problems have begun. In the second site (new site) I connected a hexS router that I had lying around. I managed to set up the ISP router in bridge mode and I obtained a public address on the mikrotik’s WAN interface. Since I was going away on vacation, I first wanted to make sure I could connect to this second site as easily as I connect to the first one (RB5009), so I could work on the site-to-site link during the vacation dead time. Therefore I decided to set up a RW (for my laptop) wireguard interface on the hexS, thinking I would deal with the site-to-site wireguard interface later. I just could not do it. After making sure 1000 times that I had not made any mistakes, I searched the internet and came up with this post, which mirrors my problem:

http://forum.mikrotik.com/t/rb760igs-wireguard-road-warrior-issues/155823/1

The issue (same as mine, including logs) was not solved.
So, my new question is: do I have to buy another RB5009 for the second site? Is there an insurmountable problem with wireguard and the hexS?
I ran out of time to even set up an ovpn to the hexS. So, I’m away from both sites until September; I can’t run any tests on site 2 now.

humbfig

If the warehouse router was DMZ’d behind a GATEWAY (Modem+Router+WiFi), THAT HAS A PUBLIC IP ADDRESS…

Yes that would work.

As long as one end always has a public IP, normal WG is fine for Layer 3. To make it one LAN, you’d need to use GRE, EoIP (without IPSec) or VXLAN interface too to carry the Layer-2 ethernet traffic between the sites.

Now if both sides have private/NAT addresses and no DMZ option enabled… (and assuming an ARM-based router) …that’s when you’d need to use ZeroTier for the tunnel… OR the brand-new BTH WG feature (you’d also need a GRE/EoIP/VXLAN L2 tunnel). The latter BTH feature will tunnel encrypted WG traffic via servers at Mikrotik. But depending on your location, BTH may actually be even slower than ZeroTier. That’s why it’s important to get a public IP if you can… as y’all have both more and faster options than these ones.

And, for completeness… if BOTH sides had a public IP… just EoIP with IPSec enabled is dirt simple and efficient (e.g. you set the pre-shared key, put the remote public IP as dest on both, bridge EoIP to the desired LAN). But EoIP with IPSec requires BOTH sides to have a public IP. (While EoIP over WG doesn’t need a public IP, since EoIP uses the WG address as the tunnel dest IP.)
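The hub-and-spoke WireGuard layout from the warehouse post above, with the EoIP-over-WG layer-2 option this post mentions, as RouterOS commands. This is an added example, not any poster's configuration; the public IP, LAN ranges, overlay addresses, interface and bridge names, keys and the EoIP MTU are all assumed.

```routeros
# Warehouse = hub, assumed public IP 203.0.113.20, LAN 192.168.1.0/24,
# WG overlay 10.255.0.0/24. Keys are placeholders: generate them on each router.
/interface wireguard add name=wg-sites listen-port=13231
/ip address add address=10.255.0.1/24 interface=wg-sites
# allowed-address is WireGuard's cryptokey routing AND its source filter:
# only the office's WG address and its LAN are accepted from this peer.
/interface wireguard peers add interface=wg-sites comment=office \
    public-key="<OFFICE_PUBLIC_KEY>" allowed-address=10.255.0.2/32,192.168.2.0/24
/ip route add dst-address=192.168.2.0/24 gateway=wg-sites
# keep this above the input chain's final drop rule
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard handshakes from spokes"

# Office = spoke behind CGNAT; it initiates, so the hub needs no endpoint for it
/interface wireguard add name=wg-sites listen-port=13231
/ip address add address=10.255.0.2/24 interface=wg-sites
/interface wireguard peers add interface=wg-sites comment=warehouse \
    public-key="<WAREHOUSE_PUBLIC_KEY>" endpoint-address=203.0.113.20 \
    endpoint-port=13231 allowed-address=10.255.0.0/24,192.168.1.0/24 \
    persistent-keepalive=25s
/ip route add dst-address=192.168.1.0/24 gateway=wg-sites

# Optional layer 2: EoIP whose endpoints are the WG addresses, so the spoke
# needs no public IP. Bridging it makes both sites one broadcast domain: then
# drop the two /24 routes above and run one subnet with one DHCP server.
# Warehouse:
/interface eoip add name=eoip-office tunnel-id=10 \
    local-address=10.255.0.1 remote-address=10.255.0.2 mtu=1378
/interface bridge port add bridge=bridge-lan interface=eoip-office
# Office:
/interface eoip add name=eoip-warehouse tunnel-id=10 \
    local-address=10.255.0.2 remote-address=10.255.0.1 mtu=1378
/interface bridge port add bridge=bridge-lan interface=eoip-warehouse
# mtu=1378 assumes the WG interface's default 1420 minus 42 bytes of EoIP
# (IP + GRE + Ethernet) overhead, so frames are not fragmented in the tunnel.

# Checks: last-handshake and rx/tx should advance, far WG address should answer,
# and with EoIP bridged the far side's MACs should appear in the bridge host table
/interface wireguard peers print detail
/ping 10.255.0.2 count=3
/interface bridge host print where interface=eoip-office
```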

I see now what you meant. Never crossed my mind that an ISP would assign you a private IP…
In my country people call ISPs bad names when they don’t provide bridge mode on their routers. I guess we don’t know how lucky we are…

I always have a public IP everywhere. The worst it can get for me is when I have to do NAT on the ISP router.
I knew I could do it with IPSec. And it would fit, since both routers (RB5009 and hexS) have hardware for it. But I had a bad experience a few years ago with my IKEv2 RW. It worked for a few months, then it stopped working and I spent too much time trying to figure it out. Gave up and settled for an ovpn, and later for wireguard, which is quite good. So, I wanted to do it using WG, at least for a start (just layer 3). But the hexS must have a problem with WG… I did find it strange when I first connected it (it was lying around without use for 2 years) that it showed v6.49 as the latest version…

Hear you about IPSec, but for a Layer-2 tunnel the nice part about EoIP is that the IPSec stuff is really just a checkbox and setting a pre-shared key, since you’d already need another protocol with WG to get ethernet. But WG + GRE is another option if you want to keep wireguard but bridge a layer-2 LAN. But EoIP for layer 2 is dirt simple; it deals with all the IPSec config for you.

If just layer-3 IP routing is all that’s needed, well then it’s just WG :)

And on the hEX, is the channel set to “upgrade”? That’s how you get from v6 to v7. Once at v7, you can switch the /system/package channel back to stable or testing.

Heard you all. Read a few things. I will try the GRE + IPSEC route, since it seems to fit better what I want and also my hardware. I’m ready for the IPSEC headache, though you say it will be easy.
So, since I’m locked out of the hexS till September, now it’s time to enjoy vacationing.
Thanks to all!

Well, I’ll buy the aspirin. Do think the secret is, well, ipsec-secret= set (either EoIP or WG) if a Layer-2 tunnel is what’s needed and you have a public IP at both ends. If only Layer 3/IP, no argument with WG there ;)