I am new to Mikrotik and started off by playing around with the cheapest box I could find. The model was RB750.
Admittedly this model was very cheap so I didn’t hold much hope for its functionality. After setting up 1 site to site VPN tunnel the CPU hit 100% and didn’t drop until I disabled the tunnel.
I would like to use Mikrotik at a bunch of small offices we have but to do this I need a model that can do the following:
Wireless
Site to site Tunnels without killing the CPU (GRE would be nice)
OSPF
Would be nice to have 3g but this is not a show stopper.
I plan to connect the Mikrotiks back to our HQ Cisco router. Does anyone know if I would be able to configure the GRE tunnels to have a dynamic Public IP address on the Mikrotik routers, as they will not have static public IP addresses?
RouterBoard 411USB L4 would be the one that you are after; it supports everything you want (you will just need the correct radio card/antenna and the correct 3G card and antenna).
Look into your config; there is no reason that you should be hitting 100% unless you are moving huge amounts of data. I run so many VPNs on 750s and none of them have that issue.
If you don’t mind me asking, what encryption are you using on your VPN tunnels?
Also, is anyone able to answer the 2nd part of my question relating to:
I plan to connect the Mikrotiks back to our HQ Cisco router. Does anyone know if I would be able to configure the GRE tunnels to have a dynamic Public IP address on the Mikrotik routers, as they will not have static public IP addresses?
On encryption, I just normally use L2TP tunnels and let them use default encryption. I am not the paranoid type; any software package that sends sensitive data encrypts it itself. << I know this is a hugely debatable topic >>
I'm not sure about your question.
I use a script that I modified like the following on the Mikrotik.
if getdns $yourtunnelEnd != $yourdevicetunnel end then
set yourdevicetunnel address = getdns yourtunnelend
If that makes sense; if you need help with the code I can give you mine, but since I've gone to a static endpoint IP I haven't had many issues.
That's from the Mikrotik side; obviously DynDNS is used extensively. You're going to have to research it, but I'm sure it's as easy as eating pie, and that it's been done before.
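The check sketched in the post above, written out as a RouterOS script. This is an added example, not the poster's script and not part of the thread; the GRE interface name `gre-hq` and the hostname `hq.example.net` are placeholder assumptions.

```routeros
# Added example, not the poster's script. Assumed names (placeholders):
#   hq.example.net - DNS name that tracks the far end's current public IP
#   gre-hq         - GRE interface on this router pointing at that far end
:local peerName "hq.example.net"
:local tunnelName "gre-hq"

:do {
    # :resolve raises an error if the lookup fails; on-error below catches it
    :local resolved [:resolve $peerName]
    :local current [/interface gre get [find name=$tunnelName] remote-address]

    # Only touch the interface when the address has really changed, so the
    # tunnel is not reset on every run
    :if ($resolved != $current) do={
        /interface gre set [find name=$tunnelName] remote-address=$resolved
        :log info ($tunnelName . ": remote-address " . $current . " -> " . $resolved)
    }
} on-error={
    # Keep the last known endpoint rather than writing an empty address
    :log warning ($tunnelName . ": could not resolve " . $peerName . ", endpoint unchanged")
}
```

Run it on an interval from `/system scheduler`. Because the tunnel endpoint then follows whatever the DNS name resolves to, the tunnel should be authenticated (for example with IPsec), and an IPsec peer entry pointing at the same far end needs the same address update.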
I am not sure the 411 is what you want. It only has 1 ethernet port. I would go with the 2011UAS-2HnD and you can use a USB 3G modem with it. It is also much more powerful.
Could be a better solution. I think this model just takes USB 3G, and to be honest, the internal (laptop 3G) cards can be hard to source for the 411USB from time to time.
I should have stated in my original post that I will need at least 1 WAN and 1 LAN port. I would love it if the 3G SIM card could be internally housed, as we have had USB modems go missing in the past.
CyberT, I'm not sure I will be able to use DynDNS as my small site offices normally have a 3G connection. When I set DynDNS up before, it updated with the internal network address of my mobile provider.
Essentially what I am trying to achieve is a hub and spoke network using IPsec/GRE tunnels back to the HQ. I plan on using OSPF for the routing. This is made harder by the fact I have to use 3G connections, so no static IPs on the “spokes”.
I have read up on how to achieve this using 100% Cisco routers but this adds a lot more to the price! It can be done using DMVPN.
We operate both Mikrotik boards with USB modems internally to the enclosure and RouterOS running on third party embedded X86 boxes which have internal PCIe mini plus several gigabit ethernet interfaces.
VPN from dynamic / private addresses at the remote Mikrotik end to a central Cisco unit can be done - best option depends on the further details.
Incidentally, depending on the network/plan it is possible to get static/public IPs on most networks.
What sort of speed/throughput are you looking for? Preferred network?
Which models of Mikrotik boards do you use? I would really love to have everything internal on one router to stop users running off with USB dongles.
Incidentally, depending on the network/plan it is possible to get static/public IPs on most networks.
Very few. The HQ router will have a static public IP address but about 95% of the routers we have at our small site office are done using 3G.
What sort of speed/throughput are you looking for? Preferred network?
In terms of throughput from HQ to the site routers we do not need a great deal. Normally, due to the mobile signal in the middle of a field, the Internet on sites is less than 1-2meg down and less than 1meg up. We normally use the VPN tunnels to sites for VNC access to users' laptops.
The 433UAH and 433UAHL have 3 ethernet, USB and some PCI mini slots if you want to add WiFi. There are cases available which have enough space to allow the dongle to be internal and run the external antenna connection to the back of the case for connection of an external antenna.
I think I will go with the RouterBOARD 2011UAS-2HnD and live without the internet SIM.
As for connecting the Mikrotiks back to our HQ Cisco router, would I have to create a “loopback” address on the Mikrotik to use as a source address on the GRE tunnel?
Also, does anyone know of any good configuration examples for GRE/IPsec tunnels when one of the routers effectively does not have a public IP address (due to being on a 3G connection)?