Pools, VPNs, and profiles

I have the latest OS on an office router. Its internal address is 192.168.0.1 and it uses 192.168.0.100-150 for its local DHCP pool. I’ve added an L2TP/IPsec server, and in the profile, I used 192.168.0.1 as the server address and have tried two DHCP pools, one at 192.168.1.xxx and the other as 192.168.0.151-200, and they both seem to work. I was thinking the server address should be in the same subnet as the pool, but it doesn’t seem to care. When I look at a client, it shows 0.0.0.0 as the default gateway for the VPN - there’s obviously something special going on.

I’m about to add an OpenVPN server, as well, mainly to overcome the lack of multiple L2TP clients on the same remote subnet (our entire town shares a CallerID). Couple of questions:

  1. Any problem running both protocols?
  2. Would they both have the same server address (192.168.0.1)?
  3. Does it hurt if the pools are just in different ranges of the same subnet (e.g. 192.168.0.201-250)?

I’m a relative novice, retired hardware designer, as the router replaces a Cisco ASA5505 which was always handled by a consultant. I’m so much happier with the Mikrotik!

It doesn’t have to be. VPNs are point-to-point tunnels with a /32 address at either end; they can be pretty much anything.


I’m about to add an OpenVPN server, as well, mainly to overcome the lack of multiple L2TP clients on the same remote subnet (our entire town shares a CallerID). Couple of questions:

  1. Any problem running both protocols?

No. The Mikrotik OpenVPN implementation only supports TCP transport so can suffer from TCP meltdown, as can SSTP.


  2. Would they both have the same server address (192.168.0.1)?

Up to you, there is no problem in using the same IP address.


  3. Does it hurt if the pools are just in different ranges of the same subnet (e.g. 192.168.0.201-250)?

If the VPN uses addresses which are part of a subnet presented on a real ethernet interface you have to use proxy-arp if you wish devices on that subnet to communicate with the VPN client(s). The VPN is still a layer 3 connection so layer 2 discovery protocols will not be passed, even though the devices appear to be part of the same subnet.
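The rules in the replies above (pools must not overlap, the server address is the router's end of each point-to-point tunnel, and a pool carved out of the LAN prefix needs proxy-arp on the LAN interface while a separate prefix is simply routed) can be checked before touching the router. The following is an added example, not code from the thread or from MikroTik; the function and key names are hypothetical, and the addresses in the usage block are the ones the original poster describes.

```python
from ipaddress import ip_address, ip_network


def parse_pool(spec):
    """Parse a RouterOS-style pool range 'first-last' (or a single address)
    into a (first, last) pair of address objects."""
    first_text, _, last_text = spec.partition("-")
    first = ip_address(first_text.strip())
    last = ip_address(last_text.strip()) if last_text else first
    if last < first:
        raise ValueError(f"pool {spec!r} runs backwards")
    return first, last


def ranges_overlap(a, b):
    """True if the inclusive ranges a and b share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_vpn_plan(lan_subnet, lan_dhcp_pool, vpn_pools, server_address):
    """Sanity-check an address plan for VPN servers sharing one router.

    lan_subnet      - the LAN prefix, e.g. '192.168.0.0/24'
    lan_dhcp_pool   - the LAN DHCP range, e.g. '192.168.0.100-192.168.0.150'
    vpn_pools       - {profile name: client range} for each VPN server
    server_address  - the local (router) end of every tunnel
    """
    lan = ip_network(lan_subnet)
    server = ip_address(server_address)
    all_pools = {"lan-dhcp": parse_pool(lan_dhcp_pool)}
    all_pools.update({name: parse_pool(spec) for name, spec in vpn_pools.items()})

    # 1. No two pools (DHCP or VPN) may hand out the same address.
    names = list(all_pools)
    overlaps = [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if ranges_overlap(all_pools[a], all_pools[b])
    ]

    # 2. The router's own tunnel address must not sit inside a client pool,
    #    otherwise a client could be handed the server's address.
    server_clashes = [
        name for name, rng in all_pools.items() if rng[0] <= server <= rng[1]
    ]

    # 3. A VPN pool is either carved out of the LAN prefix (clients look like
    #    LAN hosts, so the LAN interface needs proxy-arp for LAN devices to
    #    reach them) or a separate prefix (clients are reached by ordinary
    #    routing). A pool that straddles the LAN boundary is a planning error.
    pools = {}
    for name, rng in all_pools.items():
        if name == "lan-dhcp":
            continue
        first_in, last_in = rng[0] in lan, rng[1] in lan
        pools[name] = {
            "range": f"{rng[0]}-{rng[1]}",
            "clients": int(rng[1]) - int(rng[0]) + 1,
            "needs_proxy_arp": first_in and last_in,
            "straddles_lan": first_in != last_in,
        }

    return {
        "server_in_lan": server in lan,
        "overlaps": overlaps,
        "server_clashes": server_clashes,
        "pools": pools,
    }


if __name__ == "__main__":
    # Constructed input using the ranges from the thread: LAN DHCP .100-.150,
    # L2TP clients .151-.200, OpenVPN clients .201-.250, server 192.168.0.1.
    plan = check_vpn_plan(
        "192.168.0.0/24",
        "192.168.0.100-192.168.0.150",
        {"l2tp": "192.168.0.151-192.168.0.200",
         "ovpn": "192.168.0.201-192.168.0.250"},
        "192.168.0.1",
    )
    for key, value in plan.items():
        print(key, value)
```

With the thread's plan the checker reports no overlaps, no clash with the server address, and `needs_proxy_arp` true for both pools, which is exactly the case the reply describes; swapping a pool for a 192.168.1.x range flips that flag to false, meaning the clients are reached by routing and proxy-arp is not involved.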

What can we do if we want to use OpenVPN on MikroTik when it lacks UDP?

The Mikrotik implementation only supports TCP for the VPN client to server connection itself (I believe UDP has been added in RouterOS 7), the VPN tunnel handles any layer 3 payload in IP / TUN mode.

We’re a really small outfit, so melt-down is unlikely. Maybe four VPN users combined.

Confirm that “No” means there is NOT a problem running both L2TP/IPsec and OpenVPN?

The last response confused me about OpenVPN being available or not. I’ll assume the guides are legit and that it does.

If the VPN is for remote access rather than shifting large amounts of data you should be OK; there are plenty of articles covering the issue on the internet if you search for ‘tcp meltdown’ or ‘tcp over tcp problem’.

We have a number of Mikrotiks running L2TP/IPsec (permanent site-to-site with static WAN IPs), OpenVPN (remote access from Android/Apple devices) & SSTP (remote access from Windows devices) servers simultaneously.

All but one of the users are RDP users. My use is to do nightly backup, which is sometimes as large as a 5 GB pre-compressed file. My office ISP has a 2mbs upload throttle, so I’m not sure if the encryption of OpenVPN will cost me or not.