Cross network routing

Hi all,

I am “new” to the world of routing but I am learning fast :laughing:.
I have 2 RB750’s and 2 sites. Both sites have different networks as you can see.
Our ISP has kindly made a VPN tunnel between our 2 ISP routers, which comes out a hole separate to the main WAN connection and then into the RB750 (so the VPN tunnel is not ending at each RB750, it's starting and ending on the ISP equipment).

When the VPN was tested, we could communicate from 10.55.97.242 to 10.55.97.226 alright and the other way around, but the gateway for each end had to be either .241 or .225 which is what the ISP setup.

Today I got my RB750’s, and configured the one for our end (after a couple of resets due to stupidity). After setting up source NAT I was able to ping and remote into the test RouterOS laptop that’s currently at the other site (which is playing the role of an RB750 until I get chance to go there) from site 1’s internal subnet of 172.16.0.0/16 (which is a good start). The dashed green line shows this.

Now, here is the question part…
What I would like to happen as an endgame is for a device on 172.16.0.0/16 to be able to talk to a device on 10.3.0.0/16 for stuff like AD, The Dude and other fun things. Attached is the current routes set on Site 1 RB750 (along with masquerade NAT being enabled on the eth2-vlan0 interface). My question to you all is what other config do I need to do for both Site 1's RB750 and the other RB750 before I put it in?
(Attachments: help1.png, help2.PNG)

You have two options to make lan<>lan connectivity:

  1. Get your ISP to route your LAN subnets across the VPN
    Depending on how they’re set up, this could lead to interesting things, or maybe even IP conflicts, since this is private IP addressing…

  2. Make a tunnel from Site1 to Site2
    If the VPN by the ISP is encrypted, then you can just make a simple GRE tunnel between the routers, and create a static route across the tunnel to reach the remote LAN. This is a clean solution because it doesn't require your ISP to make any changes or include your private addressing in their routing table. If the ISP's vpn is not encrypted, then you'll want to do this with IPSec instead. The tunnel version is very easy to set up:

Site1:
/interface gre add name=GREsite2 local-address=10.55.97.242 remote-address=10.55.97.226
/ip route add dst-address=10.3.0.0/16 gateway=GREsite2

Site2:
/interface gre add name=GREsite1 local-address=10.55.97.226 remote-address=10.55.97.242
/ip route add dst-address=172.16.0.0/16 gateway=GREsite1

Then make sure that your firewall configuration will allow traffic between the tunnel interface and the Internal network interface, and that it will not NAT such traffic.
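The firewall and NAT side of the answer above, written out as a complete Site 1 configuration. This is an added example, not the answer's own commands beyond the two tunnel lines; it assumes the LAN-side port is called ether2-lan (the original only names eth2-vlan0), and the GRE endpoint addresses are the ones from the thread.

```routeros
# Assumed names: ether2-lan = Site 1 LAN (172.16.0.0/16), eth2-vlan0 = WAN-side VLAN
# from the original post, GREsite2 = tunnel towards Site 2 (10.3.0.0/16).

# 1. GRE tunnel and the static route across it (same as the answer above).
#    GRE itself is not encrypted: only use it this way if the ISP's VPN is
#    encrypted, otherwise build the tunnel with IPsec.
/interface gre add name=GREsite2 local-address=10.55.97.242 remote-address=10.55.97.226
/ip route add dst-address=10.3.0.0/16 gateway=GREsite2

# 2. Keep site-to-site traffic out of the masquerade. srcnat rules are evaluated
#    top-down, so the accept rule must come before the masquerade rule; if a
#    masquerade rule already exists, move the accept rule above it with
#    "/ip firewall nat move".
/ip firewall nat add chain=srcnat src-address=172.16.0.0/16 dst-address=10.3.0.0/16 \
    action=accept comment="do not NAT LAN-to-LAN traffic over GRE"
/ip firewall nat add chain=srcnat out-interface=eth2-vlan0 action=masquerade

# 3. Forward chain: allow LAN <-> tunnel in both directions and drop the rest,
#    so the tunnel does not become a path to anything else behind the router.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=ether2-lan out-interface=GREsite2 action=accept
/ip firewall filter add chain=forward in-interface=GREsite2 out-interface=ether2-lan action=accept
/ip firewall filter add chain=forward action=drop

# 4. Input chain: only accept GRE (IP protocol 47) from the Site 2 endpoint.
/ip firewall filter add chain=input protocol=gre src-address=10.55.97.226 action=accept
```

Site 2 mirrors this with the addresses, subnets and interface names swapped; verify with a ping sourced from the LAN address rather than the router's tunnel address, since that is the traffic the NAT exception has to cover.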

Thanks for your response. I will try it out as soon as I get a chance to go up to Site 2 and install the RB750.

Cheers!