MikroTik VPN with IPsec and port forwarding for different home offices and rules

Hi there
So I am new here and also a newbie to MikroTik (and also not so experienced with networks), so don't be too hard on me… :slight_smile:
I bought these MikroTik routers and have been trying for days and weeks already to make a small network with different rights, rules and groups in it.
But I cannot configure it the way it has to be, and I am getting mad about this… :cry:
I really need some big help!

So here is my situation:

I have an RB2011 with RouterOS 6.32.2 in the office, let's say WAN IP = 1.1.1.1
internal IP = 10.10.10.0/24
There is also a server with different VMs (virtual machines) on it, like:
Asterisk on 10.10.10.2
CRM on 10.10.10.3
Magento on 10.10.10.4
and last but not least, a NAS (not on the VM)
NAS = 10.10.10.5 (standalone and homemade)

Home Office 1 with RB951 and RouterOS 6.32.2 - WAN = 2.2.2.2
internal IP = 20.20.20.0/24

Home Office 2 with RB750 and RouterOS 6.32.2 - WAN = 3.3.3.3
internal IP = 30.30.30.0/24

Home Office 3 with RB951 and RouterOS 6.32.2 - WAN = 4.4.4.4
internal IP = 40.40.40.0/24

Home Office 4 with RB951 and RouterOS 6.32.2 - WAN = 5.5.5.5
internal IP = 50.50.50.0/24

Home Office 5 = no RouterBOARD, only a cell phone, which needs access to the VoIP system via apps like "Join", coming from different IPs, WiFi or hotspots - very important here is SECURITY!

The thing is this:
Home office 1 needs to have FULL access to the whole network, so that I can access and see the server, all the VMs, the NAS and the Asterisk system from home office 1 - the same access as if I were in the office

Home office 2 must only have access to the Asterisk system and the CRM, but must not be allowed to reach anything else like the NAS, the server or the VMs

Home office 3 & home office 4 need to have access only to specific folders on the NAS (one folder for every MikroTik router) - (port forwarding / restricting or so?) and must not be allowed access anywhere else.
In these folders on the NAS I only want to put some backups via cron job every 24 hours.

Home office 5 (road warrior) - like I said above - is only a cell phone which needs access to the Asterisk system so that it can make and receive calls. But security is the first priority here - I don't want to get hacked… (I have had this problem before…)

It is important that all these clients must have access at the same time to the "big MikroTik RB2011" - this is the center of everything.

Can someone please help me with this configuration?
Maybe a script with all the IPs from above inside, so I can copy-paste it and try it out? :bulb:

Hoping for a good reply
Thanks to all who can help
Carmen
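One way to express the access policy described in this post on the central RB2011, as an added example that is not from the post or from MikroTik: RouterOS 6.x commands that build an IPsec tunnel to each home office and then use the forward chain to give each office only the hosts and ports it needs. The WAN interface name, the pre-shared keys (marked CHANGE-ME), the NAS backup port (SSH/SFTP on tcp/22), the Asterisk SIP/RTP ports (5060 and 10000-20000, the Asterisk defaults) and the road-warrior pool 10.10.99.0/24 are assumptions; the parameter names follow the RouterOS 6.32-era syntax and should be checked with `?` on that version before pasting.

```routeros
# Added example, not from the original post. Central RB2011: WAN 1.1.1.1, LAN 10.10.10.0/24.
# Assumed: pre-shared keys marked CHANGE-ME, NAS backups over SSH/SFTP (tcp/22),
# Asterisk on SIP udp/5060 + RTP udp/10000-20000, and phone (road-warrior) clients
# getting addresses from 10.10.99.0/24 via a separate client VPN (e.g. L2TP/IPsec).

# --- Address lists: name the offices and the services they may reach ---
/ip firewall address-list
add list=ho1-full     address=20.20.20.0/24 comment="home office 1: full LAN access"
add list=ho2-voip-crm address=30.30.30.0/24 comment="home office 2: Asterisk + CRM only"
add list=ho-nas-only  address=40.40.40.0/24 comment="home office 3: NAS backups only"
add list=ho-nas-only  address=50.50.50.0/24 comment="home office 4: NAS backups only"
add list=roadwarrior  address=10.10.99.0/24 comment="assumed VPN pool for the phone"
add list=srv-asterisk address=10.10.10.2
add list=srv-crm      address=10.10.10.3
add list=srv-nas      address=10.10.10.5

# --- IPsec: one peer and one tunnel-mode policy per home office ---
# (each RB951/RB750 needs the mirror image: its own LAN as src, sa-dst-address=1.1.1.1)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key secret="CHANGE-ME-HO1" exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp2048
add address=3.3.3.3/32 auth-method=pre-shared-key secret="CHANGE-ME-HO2" exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp2048
add address=4.4.4.4/32 auth-method=pre-shared-key secret="CHANGE-ME-HO3" exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp2048
add address=5.5.5.5/32 auth-method=pre-shared-key secret="CHANGE-ME-HO4" exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp2048
/ip ipsec policy
add src-address=10.10.10.0/24 dst-address=20.20.20.0/24 sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 tunnel=yes action=encrypt level=require proposal=default
add src-address=10.10.10.0/24 dst-address=30.30.30.0/24 sa-src-address=1.1.1.1 sa-dst-address=3.3.3.3 tunnel=yes action=encrypt level=require proposal=default
add src-address=10.10.10.0/24 dst-address=40.40.40.0/24 sa-src-address=1.1.1.1 sa-dst-address=4.4.4.4 tunnel=yes action=encrypt level=require proposal=default
add src-address=10.10.10.0/24 dst-address=50.50.50.0/24 sa-src-address=1.1.1.1 sa-dst-address=5.5.5.5 tunnel=yes action=encrypt level=require proposal=default

# --- NAT: tunnelled traffic must bypass the WAN masquerade, or the policies never match ---
/ip firewall nat
add chain=srcnat action=accept src-address=10.10.10.0/24 dst-address=20.20.20.0/24 place-before=0
add chain=srcnat action=accept src-address=10.10.10.0/24 dst-address=30.30.30.0/24 place-before=0
add chain=srcnat action=accept src-address=10.10.10.0/24 dst-address=40.40.40.0/24 place-before=0
add chain=srcnat action=accept src-address=10.10.10.0/24 dst-address=50.50.50.0/24 place-before=0

# --- Forward chain: least privilege, first match wins, everything else dropped ---
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# ipsec-policy=in,ipsec means a home-office source address only counts if the packet
# really came out of an IPsec SA, not if someone sends it in the clear with that source
add chain=forward action=accept ipsec-policy=in,ipsec src-address-list=ho1-full dst-address=10.10.10.0/24
add chain=forward action=accept ipsec-policy=in,ipsec src-address-list=ho2-voip-crm dst-address-list=srv-asterisk
add chain=forward action=accept ipsec-policy=in,ipsec src-address-list=ho2-voip-crm dst-address-list=srv-crm
add chain=forward action=accept ipsec-policy=in,ipsec src-address-list=ho-nas-only dst-address-list=srv-nas protocol=tcp dst-port=22 comment="assumed backup port"
add chain=forward action=accept src-address-list=roadwarrior dst-address-list=srv-asterisk protocol=udp dst-port=5060,10000-20000 comment="phone: SIP + RTP only"
add chain=forward action=drop dst-address=10.10.10.0/24 log=yes log-prefix="vpn-denied" comment="default deny towards the office LAN"
```

Two caveats a practitioner would add: the router can limit home offices 3 and 4 to the NAS host and the backup port, but "one folder per router" is enforced on the NAS itself (one backup account per office, each restricted to its own directory); and the phone should reach Asterisk only through its own client VPN that lands in the roadwarrior pool, not through a SIP port forward exposed to the Internet. If a dst-nat port forward into the LAN is added later, its accept rule has to sit above the final drop rule, and the `vpn-denied` log prefix makes every blocked attempt visible in `/log print` for review.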