Protecting machine/process network + Site-To-Site VPN

Hi all, long time no see.

After a while I’m involved in network design again. I have been assigned to find a solution that would isolate/protect the process machine network,
the company’s process network, serve Site-to-Site VPN to the process machine network and log accesses to the VPN / machine local network.

Current state:

  • Switched network L2
  • A process network connects machines(PLC) and/or machine internal networks
  • For remote access, machine vendors use Secomea/eWon IoT gateways
  • With IoT gateways, I have no control, monitoring or logging of remote maintenance accessing the machine internal network,
    as IoT gateways make a tunnel to the gateway manufacturer’s cloud over HTTPS.
  • An IoT gateway needs an internet connection, so I have to pull another UTP from a network that has access to the internet, which the process network doesn’t have.
  • Machine vendors see/can connect to any machine, even another vendor’s machine, because of the L2 switched network.

My Idea:

  • Ditch the IoT gateways
  • Setup new entry/edge point, e.g. RB1100AHx4 Dude edition, with public IP
  • add RB450Gx4 as process machine router, entry point
  • connect those two RBs on the same process network
  • configure VLAN RB1100 ↔ RB450 per machine
  • Set up an L2TP/IPsec VPN server on the RB1100 for vendors’ machine remote maintenance
  • bridge L2TP/IPsec with the process machine VLAN/network, as remote maintenance has to be on the same network (L2); one user account per machine

At this point I have some doubts, or let’s say, do not possess the knowledge:

  • Is it possible to manage which user account connects/bridges to a dedicated VLAN / process machine network? VPN user A should only be able to connect to machine A.
  • There is an AD domain controller with a user base. I would like to share that user base with RouterOS PPP Auth & Accounting. Is it possible?
  • What are the possibilities of logging remote connections, VPN user accesses, connection time, time of access (log on/off),
    transferred bytes, VPN user comm. protocols accessing the process machine network?
  • Log DB on the RouterBOARD, or use a dedicated logging server?
  • RB monitoring with e.g. Nagios? Disk space, temperatures, availability, etc.?
  • What software/service is optimal for log browsing/reviewing? I’m aiming at a locally hosted web-based solution.
  • Possibility of adding a One Time Password feature. Let’s say the user gets an OTP every single time he wants to connect to the VPN?

Please share your opinion or concerns/doubts on this. Thank you.

Rough mockups of current setup and my idea:
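The per-machine VLAN / per-user bridge idea above, written out as a RouterOS configuration. This is an added example, not the poster’s configuration: interface names, VLAN IDs, addresses, the RADIUS server (assumed to be a Windows NPS in front of AD) and all secrets are placeholders.

```routeros
# Added example, not from the original post. One VLAN and bridge per machine,
# one PPP profile per machine, one L2TP/IPsec account per vendor bound to that
# profile, RADIUS auth/accounting toward AD, and remote syslog for review.
# Interface names, VLAN IDs, addresses and secrets are assumed placeholders.

# Per-machine VLAN on the trunk toward the RB450, with its own bridge
/interface vlan
add name=vlan-machineA vlan-id=101 interface=ether2
/interface bridge
add name=br-machineA
/interface bridge port
add bridge=br-machineA interface=vlan-machineA

# Profile that puts a connecting tunnel into machine A's bridge only.
# Note: bridge= relies on BCP, so the vendor's PPP client must support it.
/ip pool
add name=pool-machineA ranges=10.101.0.10-10.101.0.20
/ppp profile
add name=prof-machineA bridge=br-machineA local-address=10.101.0.1 \
    remote-address=pool-machineA only-one=yes use-encryption=required

# L2TP server with IPsec required; the profile, not the user, decides the bridge
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=CHANGEME-PSK \
    default-profile=prof-machineA

# Local account for vendor A (omit when RADIUS assigns the profile instead,
# e.g. via the Mikrotik-Group attribute returned by the RADIUS server)
/ppp secret
add name=vendorA password=CHANGEME profile=prof-machineA service=l2tp

# Authenticate and account PPP sessions against RADIUS; accounting records
# give logon/logoff time and byte counters per session
/radius
add service=ppp address=192.0.2.10 secret=CHANGEME-RADIUS
/ppp aaa
set use-radius=yes accounting=yes interim-update=5m

# Ship PPP and IPsec events to a central syslog host instead of keeping them
# only in the router's small local log buffer
/system logging action
set remote remote=192.0.2.20 remote-port=514
/system logging
add topics=ppp,info action=remote
add topics=ipsec,info action=remote
```

A second machine gets its own vlan/bridge/pool/profile set with a different VLAN ID and subnet; a user bound to prof-machineA never lands in the other bridge.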