Ideas for S2S with internet centralization

JoaoS · May 21, 2020, 4:32pm

Hi guys.

I would like the help of the experts.

I am planning a central structure for the internet navigation of the network, where I have the headquarters and the branch.

I would like to force all the internet output of the branch either through the headquarters. Without losing external access to the branch’s RB.

For this I am studying and analyzing which methods and tools I would use.

I wanted your opinion.

For now I think about closing an IPsec VPN between the two units and by mangle rules redirect navigation to the headquarters router.

That way, you would not lose access to RB from the outside for any maintenance emergency, without the need to change the default route and the ipsec vpn as it is perfect and safe.

However, I don’t know if this would be an intelligent use or better management. There may be other more dynamic vpn or routing protocols that would help me in the future to manage more branches.

My main idea is not to manage the branch office firewalls with too many rules, centralizing the navigation in a firewall that would allow me a single point of maintenance.

I thank you in advance for understanding and time for reading and help.

Forgive my English.

solar77 · May 22, 2020, 10:04am

your plan is do-able and might be easier than you think.
lets assume few things:
site A (HQ) and site B (Branch) both has static IP and good internet connection, not just download but also upload bandwidth as well. What is good? depending on your application.
also to do IPSec you need good performance on both routers on each site. what is good? depending on your application. but in general this is not the place you want to cut corners. you safe a penny here, it will cost you a pound in long term.

now the configuration
setup VPN with ipsec, you can search for tutorias for this

Also on site B router:
what you want is setup mangle rule for mark routing, mark winbox traffic first (as Winbox_traffic) , with no pass-through, then mark the rest (as Office_traffic, for example). so that you can add rules in your routing table (this is on the router at site B) for Winbox_traffic to goto your default internet gateway and only office_traffic to go through VPN connection.

hope this helps you.

JoaoS · May 22, 2020, 2:20pm

your plan is do-able and might be easier than you think.
lets assume few things:

site A (HQ) and site B (Branch) both has static IP and good internet connection, not just download but also upload bandwidth as well. What is good? depending on your application.

My application consumes little and runs on top of terminals. My links are good, my HQ has a 50Mbps link. The Branch will have 10Mbps. The branch will not have many users, it will have 5 or 6.

also to do IPSec you need good performance on both routers on each site. what is good? depending on your application. but in general this is not the place you want to cut corners. you safe a penny here, it will cost you a pound in long term.

I’m on Site A with RB1100AHx4 and on Site B I intend to use the RB760iGS, both of which I found to have support for IPsec HW, I believe this qualifies the good performance on VPN with less use of RB. I just don’t know if I only activate IPSEC that the hardware encryption will work, or do I need some extra steps?

now the configuration
setup VPN with ipsec, you can search for tutorias for this

Configuring IPsec I am already aware and in the lab I was able to reproduce

Also on site B router:
what you want is setup mangle rule for mark routing, mark winbox traffic first (as Winbox_traffic) , with no pass-through, then mark the rest (as Office_traffic, for example). so that you can add rules in your routing table (this is on the router at site B) for Winbox_traffic to goto your default internet gateway and only office_traffic to go through VPN connection.

In the laboratory, my mangle rules marked only the traffic on the B site network, I will review and apply it according to your suggestion. It’s more organized.
So the way I intend to apply is the best way? Can you imagine any other method of connecting and routing the internet from site B to A in another way?

hope this helps you.

It is helping a lot, thanks for your patience.

JoaoS · May 22, 2020, 3:55pm

where could i learn more about mangle? With examples.

solar77 · May 22, 2020, 6:00pm

what is the upload capacity at HQ? as this will also limit the download capacity for your Branch. assuming it’s more than 10 Mbps.
hardware looks fine to me but other experts feel free to comment.

as for mangle, you could look at
https://wiki.mikrotik.com/wiki/Per-Traffic_Load_Balancing#Step_3_-_Using_RouterOS.27s_Mangle_Tool_to_mark_specific_traffic

this would be a good starting point.

JoaoS · May 24, 2020, 3:06pm

Speeds are 50/50 and 10/10.

Thank you very much for sharing your knowledge.

I appreciate your time, you took my doubts. Now I must walk alone. Thankful.