Double WAN + Ipsec - Need advice

Hi,

First of all, let me introduce myself: my name is Dominic and I work in IT for a small business. I've been using Mikrotik for different setups now and then, but I recently had to set up something a bit more complicated. There's an attached PDF showing in detail all the network and router addresses.

Main setup

  • 3 different locations.
  • Each location has its own Internet connection from ISP1 (Videotron).
  • All 3 locations are connected together with a private fiber network from ISP2, using site-to-site VPN.
  • The server is at the main location. Locations 2 and 3 use VPN from the private network to communicate with the main location's local network.

My goal
There is currently no Mikrotik installed at these locations; we have some old Netgear units which will be replaced by Mikrotik routers. I would like to replicate the actual setup with some RB1100Hx2 routers.

Goal: Allow SITE2 and SITE3 to reach the local network of the MAIN SITE using WAN2.

Problem
For now, here’s the things I’m not sure about:

  • WAN1 is plug-and-play when using port1, however I will have to configure an interface in order to communicate with the private fiber network. As far as I know, I think I would have to configure a second WAN port? That I'm not sure about.

  • Considering "WAN2" will be using a private network, would a VPN be necessary? Could I only configure some NAT and routing rules to route incoming traffic from the private network to the local network?

This is pretty much it for now. I can't provide the actual firmware and version of the Mikrotik since we will install a different Mikrotik from the one I'm running the tests on.

If any of you could guide me on what I should be doing, or give any recommendation, that would be of great help. As I said, there's a PDF attachment of my setup. Thank you.

If the fiber running from the main site to the "satellite" sites is a leased line (used only by your company) and you do not need to encrypt the traffic, there is no need for a VPN. As I understand, you will have L2 connectivity between the main site and any satellite site (fiber running directly from main to the other two locations). If this is the case, you can just use static routing to route traffic among all three locations.

Hi Ageofice,

Thank you for your reply. What you say is correct: this fiber link is dedicated and routed by our provider directly between the sites, so setting up routes would be appropriate in this case, as I understand it.

However, I am not really familiar with this kind of setup. As in my main question, am I supposed to create a second WAN port in order to set up the fiber interface? I understand that ports 2-3-4-5 are bound to switch1 and can't be removed, but I can unslave them. Once that is done for port 5, will it allow me to bind an IP address to it and use it as a WAN port?

Thank you

Dominic

Here's the configuration for Site1 to reach Site2 from the FIBER interface. It seems that my pings are routed to the right interface, however there are timeouts. What kind of rules allow specifying how incoming packets from FIBER2 should get routed to ether2-master?

/ip address
add address=192.168.0.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.0.0
add address=192.168.40.3/24 interface=FIBER network=192.168.40.0
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    dst-address=192.168.1.0/24 out-interface=FIBER

Here are the configured routes:

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 192.168.0.1 1
2 ADC 192.168.0.0/24 192.168.0.1 ether2-master-l... 0
3 ADC 192.168.40.0/24 192.168.40.3 FIBER 0

According to the PDF you provided, you have fiber interfaces at all three locations on different networks. Why? I would put all three fiber interfaces on the same network. Example:
fiber (rb 1): 192.168.40.1
fiber (rb 2): 192.168.40.2
fiber (rb 3): 192.168.40.3

Since they are directly connected, these interfaces will be able to "talk" to each other right off the bat. Secondly, I would not use NAT, because then you will end up with a scenario where all traffic that comes from behind router one to the main office (for example) has the originating IP of router 1 (that is what NAT does). I would simply add a route from the network behind router one to the network behind the main router (or a second office, for that matter) via the fiber interface on the main router as a GW. If you would like, you can provide me with remote access and I can set it up for you on two routers; you can follow along and do it yourself on the third.

Hi Ageofice,

You are right, I don’t know why all 3 fiber connections are on a separate network since they are all linked. That was given by our fiber provider.

So I will drop the NAT configuration. I agree routes would be the best thing to do; would you have some idea of how that would be written? Plus, the fiber connection is plugged into Port5, which I unslaved and removed the master port from; is that correct? I don't even know how to properly set up a second WAN interface.

Maybe I’ve been unclear of my PDF file is a bit complicated, here’s a short version of it:

Main Office
WAN1 (cable ISP) = 199.168.221.22
WAN2 (fiber ISP) = 192.168.40.1
LAN = 192.168.0.1

Site 2
WAN1 (cable ISP) = 67.43.133.34
WAN2 (fiber ISP) = 192.168.41.1
LAN = 192.168.11.1

I want the Site 2 LAN network (192.168.11.0) to be able to reach any computer on the LAN of the main office (192.168.0.0) and vice versa using the dedicated fiber link, which doesn't require any VPN configuration, as we discussed.

We cannot change the WAN2 addresses given by our fiber provider, which complicates things a bit, I guess.

Thank you.

Dominic

Please post the network masks for the IP addresses. Is it 192.168.40.1/24 or maybe /16? Are you sure that your locations are directly connected with fiber? No routers in between (from the telco operator)?

Hi,

Here's the full fiber IP configuration. I think there are actually some routers between the links. But static routes have been made by our provider; nothing else except our routers is reachable.

Main Office fiber interface
IP Address: 192.168.40.3
IP Subnet Mask: 255.255.255.0
Gateway IP Address: 192.168.40.2

Site2
IP Address: 192.168.41.3
IP Subnet Mask: 255.255.255.0
Gateway IP Address: 192.168.41.2

Site3
IP Address: 192.168.42.3
IP Subnet Mask: 255.255.255.0
Gateway IP Address: 192.168.42.2

what are the masks on the fiber interfaces?

The mask is as you said, 192.168.40.1/24.

I am a little unclear on this setup from the telco side. If they provided you with the following:

site 1: 192.168.40.1/24
site 2: 192.168.41.1/24

those two nodes cannot talk to each other since they are in different networks. Did they provide you with any additional info, a GW or something else?

Yes, each connection has its gateway:

site 1: 192.168.40.1/24
gw : 192.168.40.2

site 2: 192.168.41.1/24
gw: 192.168.41.2

Routes are made in between by the telco router; this is not a physical direct link.

OK I started to type this to you:

Site 1 needs a static route to site 2 and site 3 via 192.168.40.2
Site 2 needs a static route to site 1 and site 3 via 192.168.41.2
etc
Disable NAT on the interfaces connected to the private fibre network and it will all just work.

Then it occurred to me that the ISP providing you private fibre network would need routes to the LANs at each site in order for this to work. Is this the case? If not, then I understand why you’ve put the word IPsec in the post title :slight_smile:

I know for sure we can reach all of 192.168.40, 41 and 42 from all 3 locations, but the LANs won't be reached. Of course routes need to be made, but since only these 3 locations are on the network, all incoming traffic on the fiber interface can be redirected to the LANs.

The idea behind IPsec was to assure some kind of privacy and security to the data but then I just thought it was useless.

Now you think that if routes aren't made by the provider router, I couldn't reach the LANs without VPNs? Even with routes made by myself like this one?

Destination 192.168.11.0/24 - Gateway 192.168.41.2

192.168.41.2 is a piece of equipment managed by your provider, right? So at site 2, you’re telling your router to reach the destination 192.168.11.0/24, send the packet to 192.168.41.2. So how does 192.168.41.2 know where 192.168.11.0/24 is? It would need either a static route to 192.168.11.0/24 via 192.168.42.3, or 192.168.42.3 would need to announce the routes to the provider. If you aren’t participating in any routing protocols with your provider [trust me, this isn’t something that just happens by mistake :smiley:] or haven’t told your provider what networks lie behind each of your routers, then you will get the symptoms you described earlier: “nothing else except our routers are reachable”.

I think you have at least three choices:

    • Run VPN tunnels between your routers. This should work as your routers can see each other. This will protect your traffic against snooping by the provider.
    • Ask your provider to put static routes to each of your LANs via the respective WAN2 address at each site.
    • Use dynamic routing to announce each site's network to the provider. You will have to agree with the provider on what protocol to use [RIP, OSPF, BGP].

Finally, you can set up VPNs between the WAN1s at each site for redundancy [although if WAN1 and WAN2 are from the same provider then it may not gain you any].
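As an added example (not from the thread or from anyone posting in it), here is a small Python model of the point made in the reply above: hop-by-hop forwarding with the addresses posted in this thread, first with the provider's router knowing nothing about the LANs, then with the static LAN routes of the second option added on the provider side. The topology is constructed; site 3 is left out because its LAN address is not posted.

```python
import ipaddress

def make_nodes(provider_knows_lans):
    """Constructed topology: main and site-2 routers plus the provider's router
    sitting between the 192.168.40.0/24 and 192.168.41.0/24 fibre segments."""
    nodes = {
        "main":  {"addrs": ["192.168.0.1/24", "192.168.40.3/24"],
                  "routes": [("192.168.41.0/24", "192.168.40.2"),   # other fibre segment
                             ("192.168.11.0/24", "192.168.40.2")]},  # site-2 LAN via telco gw
        "site2": {"addrs": ["192.168.11.1/24", "192.168.41.3/24"],
                  "routes": [("192.168.40.0/24", "192.168.41.2"),
                             ("192.168.0.0/24", "192.168.41.2")]},
        "provider": {"addrs": ["192.168.40.2/24", "192.168.41.2/24"], "routes": []},
    }
    if provider_knows_lans:  # option 2 from the reply: provider adds static LAN routes
        nodes["provider"]["routes"] = [("192.168.0.0/24", "192.168.40.3"),
                                       ("192.168.11.0/24", "192.168.41.3")]
    return nodes

def owner_of(nodes, ip):
    """Router holding this address on an interface, or None (e.g. a LAN host)."""
    for name, node in nodes.items():
        if any(ipaddress.ip_interface(a).ip == ip for a in node["addrs"]):
            return name
    return None

def next_hop(node, dst):
    """Longest-prefix lookup: 'connected' if on-link, else the gateway, else None."""
    if any(dst in ipaddress.ip_interface(a).network for a in node["addrs"]):
        return "connected"
    best = None
    for prefix, gw in node["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(gw))
    return best[1] if best else None

def trace(nodes, start, dst, max_hops=8):
    """Forward a packet router by router; returns (routers visited, outcome)."""
    dst = ipaddress.ip_address(dst)
    path, cur = [], start
    for _ in range(max_hops):
        path.append(cur)
        hop = next_hop(nodes[cur], dst)
        if hop == "connected":
            return path, "delivered"
        cur = owner_of(nodes, hop) if hop is not None else None
        if cur is None:  # no matching route at this hop: the packet is dropped here
            return path, "dropped"
    return path, "loop"
```

Without the provider-side routes the packet for 192.168.11.10 reaches the provider's router and is dropped there, which matches "nothing else except our routers is reachable"; with them it is delivered to site 2.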