Multiple incoming VPNs with the same remote subnet?

My company provides hosting/colocation for customer servers. This sometimes requires a VPN for the customers’ main office and their traveling users.

When a customer needs a VPN for direct, secure access to their server we configure it on a VLAN to keep it isolated from the rest of our internal networks.

Right now I’ve got things functioning with a standard PPTP configuration, but this is less than ideal. The hosts on the customer side can contact the server, but the server cannot initiate communication in the other direction to do things like capture network printers.

I can’t use simple routes for obvious reasons. I wouldn’t want everyone who uses my Mikrotik as a gateway to have a route in every customer’s home office. The second problem is that, typically, the offices tend to use the private subnet 192.168.1.0/24 internally, but I can’t route the same subnet to multiple places in ordinary circumstances.

I have tried marking outgoing traffic from my VLANs using a prerouting Mangle rule, but I can’t assign an IP-based route for the remote subnet.
chain=prerouting action=mark-routing new-routing-mark=customer1-vpn passthrough=yes dst-address=192.168.1.0/24 in-interface=VLAN10

add comment="" disabled=no distance=1 dst-address=192.168.1.0/24 gateway= routing-mark=customer1-vpn scope=28 target-scope=24

When I make the gateway for the route an interface, such as , the route works as expected and passes traffic. The problem with this implementation is that when the interface goes down, the route on my Mikrotik loses the gateway; when the interface comes back online the route definition does not pick it up, and I have to manually edit the route and set the gateway to again for it to work.

add comment="" disabled=no distance=1 dst-address=192.168.1.0/24 gateway=10.10.10.2 routing-mark=customer1-vpn scope=28 target-scope=24

I configured the VPN so that Customer1-Office always receives the IP 10.10.10.2, and I have verified that it receives the correct IP. When I try to configure a route to use that IP as a gateway instead of the interface name, the route does not work. My Mikrotik can ping 10.10.10.2 from the terminal, but in the Route List it reports “10.10.10.2 on customer1-vpn unreachable”.

I have explored the possibility of using VRF to solve this problem, but have not been able to come up with a configuration that works in this scenario. The examples I’ve found all seem to assume that I have control of at least two routers in between the two end points (for a total of 4 routers). What I need is a solution that will allow me to perform all configuration on my Mikrotik, without touching any routers between it and the customer’s firewall.

I’m sure there’s an elegant solution, but I’m stuck. Does anybody know how to solve this issue?

Why don’t you just set the remote IP under the secrets?

Give the local address as the server and the remote a /32.

Am I missing something?

I don’t think I’m interpreting your suggestion correctly.

Why don’t you just set the remote IP under the secrets?

Set what remote IP in the secret? I have configured the private IP of 10.10.10.2 in the secret used by the firewall at customer1. The customer1 firewall does receive that IP. My Mikrotik can ping that IP when their interface is active. I cannot route their internal, private subnet through that IP for the reasons stated in my first post.

Give the local address as the server and the remote a /32.

I am admittedly not a routing god, and there is plenty I don’t know, but I’m not understanding this suggestion at all. A 32-bit mask tells me that the IP is isolated; there is no other host in its subnet. What am I trying to achieve by giving the remote client an IP outside the VLAN that nothing can get to? Give what local address as the server? My Mikrotik’s private IP on the VLAN (10.10.10.1) or its public IP on the external interface (254.254.1.2)?

Maybe I should have included a bit more of my exported configuration.

IP addresses configured on my Mikrotik pertinent to Customer 1
/ip address
add address=254.254.1.2/30 broadcast=254.254.1.3 comment="Internet Uplink" disabled=no interface=ether1 network=254.254.1.0
add address=10.10.10.1/28 broadcast=10.10.10.15 comment="" disabled=no interface=VLAN10 network=10.10.10.0

The VLAN for Customer1
/interface vlan
add arp=enabled comment="" disabled=no interface=ether2 mtu=1500 name=VLAN10 use-service-tag=no vlan-id=10

The DHCP pool for Customer1
/ip pool
add name="Customer1 DHCP" ranges=10.10.10.5-10.10.10.14

The profile for Customer1
/ppp profile
add change-tcp-mss=yes comment="" dns-server=10.10.10.3 local-address=10.10.10.17 name="EastEnd VPN" only-one=default remote-address="Customer1 DHCP" use-compression=default use-encryption=required use-vj-compression=default wins-server=10.10.10.3

The secret used by the router/firewall at Customer1; when this link is online it shows up as interface name and has the IP 10.10.10.2
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=10.10.10.1 name=customer-office1 password=********* profile="Customer1 VPN" remote-address=10.10.10.2 routes="" service=any

Now I use mangle to identify traffic originating in VLAN10 and destined for the customer’s remote, private subnet.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=192.168.1.0/24 in-interface=VLAN10 new-routing-mark=customer1-vpn passthrough=yes

Now I need to put in a route to send that mangled traffic to the right place. This is where I start running into problems.

While the interface is up I can put in this route and everything works exactly like I want it to. Hosts on VLAN10 can access any host on 192.168.1.0/24 directly, but no other VLAN or interface can get to that subnet.
/ip route
add comment="" disabled=no distance=1 dst-address=192.168.1.0/24 gateway= routing-mark=customer1-vpn scope=28 target-scope=24
The problem here is that when the interface goes down (power loss, reboot, whatever) the route loses the name of the gateway. When the interface comes back online the route definition is still stuck with “unknown” as the gateway.


The method I’d like to use is a standard route using the IP address I know will always be used for the customer1 firewall. This route never works.
/ip route
add comment="" disabled=no distance=1 dst-address=192.168.1.0/24 gateway=10.10.10.2 routing-mark=customer1-vpn scope=28 target-scope=24
After putting in this route the “Route List” on my Mikrotik turns blue and says “10.10.10.2 on customer1-vpn unreachable,” but even though it says the IP is unreachable on the route rule I can ping the IP from a terminal session on the Mikrotik.


So, what I’m looking for is a way to make one of those routes work with my current configuration or a completely different way to fulfill these requirements:

  • Allow multiple clients to connect to my firewall, clients may be firewalls or individual computers.
  • Clients should only have access to their VLAN.
  • The VLAN should be able to directly address a private subnet routed through a client’s firewall.
  • My Mikrotik must be able to deal with the fact that many client firewalls will be using the same private subnet on their internal interface.
  • The client’s local (in their office) subnet should be accessible ONLY to the VLAN it is connected to; no other hosts connected to my Mikrotik should be able to get to it.

Thank you for trying to help.
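One way to keep the interface-name route from getting stuck at “unknown” after the customer’s firewall reconnects is to let the PPP profile’s on-up/on-down hooks recreate and remove the policy route each time the tunnel comes and goes, and to pin the tunnel into an interface list so the forward chain can confine it to its VLAN. The RouterOS script below is an added example, not taken from the thread or from MikroTik’s documentation; it assumes the profile name “Customer1 VPN”, the routing mark “customer1-vpn”, the remote LAN 192.168.1.0/24 and the hosting VLAN “VLAN10” from the posts above, and it assumes a RouterOS 6 release recent enough to have interface lists and the profile’s interface-list option. The scripts only rely on the `$interface` variable that RouterOS provides inside on-up/on-down.

```routeros
# Added example (not from the thread): recreate the customer1 policy route on
# the live PPP interface every time the tunnel comes up, remove it when the
# tunnel drops, and confine the tunnel to VLAN10 with an interface list.
# Assumed names: profile "Customer1 VPN", routing mark "customer1-vpn",
# remote LAN 192.168.1.0/24, hosting VLAN "VLAN10".

# Script run when the PPP interface comes up. The interface name arrives via
# the global variable set in the profile's on-up hook (see below).
/system script
add name=customer1-vpn-up source={
    :global c1if
    # Drop any stale copy of the route, then recreate it on the live interface
    # so the gateway is never left as "unknown".
    /ip route remove [find comment="customer1-vpn-route"]
    /ip route add dst-address=192.168.1.0/24 gateway=$c1if \
        routing-mark=customer1-vpn comment="customer1-vpn-route"
    :log info ("customer1-vpn: route to 192.168.1.0/24 now via " . $c1if)
}

# Script run when the PPP interface goes down: remove the route so marked
# traffic from VLAN10 is not black-holed and the next on-up starts clean.
add name=customer1-vpn-down source={
    /ip route remove [find comment="customer1-vpn-route"]
    :log info "customer1-vpn: tunnel down, route removed"
}

# Hook both scripts into the profile. $interface is set by RouterOS inside
# on-up/on-down; it is copied to a global because a script started with
# "run" does not inherit the hook's local variables. The backslash keeps
# "$interface" literal in the stored hook instead of expanding it now.
# interface-list adds the dynamic PPP interface to "customer1-tunnel" for
# as long as the session is up.
/ppp profile
set [find name="Customer1 VPN"] \
    interface-list=customer1-tunnel \
    on-up=":global c1if \$interface; /system script run customer1-vpn-up" \
    on-down="/system script run customer1-vpn-down"

/interface list
add name=customer1-tunnel

# Isolation: traffic arriving from the customer1 tunnel may only be forwarded
# into VLAN10, and only VLAN10 may be forwarded into the tunnel. Anything
# else (other VLANs, the uplink) is dropped before it can reach 192.168.1.0/24.
/ip firewall filter
add chain=forward in-interface-list=customer1-tunnel out-interface=VLAN10 \
    action=accept comment="customer1: tunnel -> VLAN10 only"
add chain=forward in-interface=VLAN10 out-interface-list=customer1-tunnel \
    action=accept comment="customer1: VLAN10 -> tunnel only"
add chain=forward in-interface-list=customer1-tunnel action=drop \
    comment="customer1: tunnel to anywhere else"
add chain=forward out-interface-list=customer1-tunnel action=drop \
    comment="customer1: anything else to tunnel"
```

The existing prerouting mangle rule still does the selection: only packets entering on VLAN10 for 192.168.1.0/24 get the customer1-vpn mark, so a second customer with the same 192.168.1.0/24 behind their own firewall simply gets its own mark, its own interface list and its own copy of these scripts with the names changed. Placing the filter rules above any general “accept established/related” or “accept forward” rule matters; otherwise an earlier accept would let another VLAN reach the tunnel before the drop is evaluated.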