Multiple VPN dyndns

dakky21 · February 14, 2008, 3:34pm

Intro

I have like 10 locations, all have adsl with dynamic IP. ADSL “modems” are in router mode, and MT’s on those locations are set to use those routers as default gateway. Each MT gets a IP from the ADSL router by DHCP (and in most cases it is in 192.168.1.0/24 network). The routers are set to “Always on”. But they will still reconnect every 24 hours. ISP has the policy to disconnect a connection after 24 hours (so that IP changes).

I have one more location, where the “central” MT is located. It is also connected to the Internet over ADSL but - modem is in bridge mode - MT itself raises a connection to the ISP (by PPPoE). After 24 hours, again, the connection will be terminated and reconnected in a few seconds.

I will have like 100 locations to group together.

RB’s are 133, with 3 LAN ports, no Wireless added.

Connection to port1 - adsl router
Connection to port2 - wireless AP (gets IP from local MT)
Connection to port3 - wireless AP (gets IP from local MT)

Already done

I’ve setup VPN PPTP on every MT, using dyndns hostname (changeip) on “central” location. I also found a script which resolves hostname to IP every 5 mins (scheduled). Every MT can ping any internet IP.

That part works fine.

Now the problem

Let’s say we use 192.168.2.0/24 network at central location.
The problem is that MT’s on every other location will get same subnet, probably different IP.
Like: 192.168.1.4 in location1, 192.168.1.8 in location2 etc.

And I am not allowed to alter DHCP settings on adsl routers. Will that be a problem?

And now the main part

I want that every MT on every location except central one, raise a VPN connection to a central MT. After that, the following must work - Wireless AP must have connectivity to Central location over VPN, either by DNS name or by IP.

the scheme

The only thing I can configure in this scenario is MT.
The WLAN AP’s get IP from MT.
MT gets IP from ADSL router.
ADSL router gets IP from ISP.

WLAN AP’s don’t need to communicate with each other.

So as you can see, the point is that every ADSL router gets unique IP from ISP every 24 hours. The router is a DHCP server also, so it assigns an IP to the MT. As all the routers are the same model, with same configuration, they will give MT same or slightly different IP.

the final question

And now, the question is, how to configure MT’s on every location to assign IP to the Wlan AP (from which subnet), how to route between dynamic IP’s…

Last but not the least important - ADSL routers can pass the VPN through.

If you need to know anything else, please ask.

I really need to setup such a configuration and I am pretty stuck…

Thanks in advance,
Dakky

smurphy · February 14, 2008, 7:19pm

actually - you will have a problem when using same subnets on all remote locations - connecting to the VPN concentrator.
Back in time - we used a trick by actually natting the traffic on each router at the gateway-level - e.g. on te interface doing the VPN.

Using DynDNS - we were able to connect the sites - but we had an average of 30Minutes/Downtime on all connected nodes in the beginning as the cut was not done everywhere at the same time.
If the VPN Server went down without notice to the clients - the clients didn’t expect to rekeying as time is not come yet. It took several timeoute periods until situation was normalized again.

After syncing time using NTP on all links, and using a timed VPN cut pon the clients, then the master would get disconnected, and then the slaves connect again, checking the master is up of course - then we had a downtime of 3 Minutes / Day overall - which was acceptable.

If you are using RouterOS running devices, I bet there is a possibility to sync the VPN shutdown and power cycle the boxes to maintain the downtime to a minimum.
The routing - we configured the systems using OSPF on the Internet-Facing interface. We did not propagate the LAN 192.168.1.x/24 networks though.

I would urge you to actually use a different Subnet on each Client side. It would ease it drastically.

dakky21 · February 14, 2008, 9:49pm

The client side will be setup like this:
RB133 : 3 LAN ports

LAN port → ADSL router
LAN port → 1st node
LAN port → 2nd node

Both nodes MUST get an IP from the MT (on ports 2 & 3). So, which subnet to use for both of devices? The nodes must get a default gateway & DNS server IP also.

The MT itself MUST get an IP from ADSL router (on port 1), including default gateway, internet DNS servers etc.

I can assign different pools for DHCP server but I can not assign different IP for the Internet Interface itself.

Thank you very much
Dakky