Most of the installs we do are small hotspot solutions which we are now switching over to Mikrotik (roll on 2.4 Groove and Omnitik) and I would like to simplify the whole remote management.
Previously we had to open firewall ports on the ADSL router and set up port forwarding, which was a no-go if the client was installing it themselves.
The extra functionality in the MT means I could have the remote units create either a PPTP VPN or an IPsec VPN into our server. What would scale better?
We have been using PPTP with good results. We have the same problem as you do: trying to open ports through existing routers like ADSL, cable modems, or FIOS modems that we don't own or control is a problem.
Each MT router we ship out initiates a pptp connection back to our HQ MT router. We give each remote router its own pptp client username and the HQ router assigns a unique IP address to the remote based on that username. We use a private subnet like 192.168.80.0/24 just for this purpose.
Once we see the PPTP link is up from a remote site, we can tunnel in and put our local computer on the remote's subnet and then access the "foreign" router as if we were local. Our customers usually know their own password, but are not able to open ports. Also, the carrier-provided devices usually all have the same username and password available when accessed from the local LAN.
I only use IPsec to link remote sites that already use IPsec for other purposes.
Hope this helps. I’d like to hear what others think about this.
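The "remote dials in, HQ assigns a fixed address per username" design described in the post above, written out as RouterOS CLI. This is an added example, not the poster's actual configuration: the 192.168.80.0/24 management subnet comes from the post, while the secret names (`site-001`, `site-002`), the passwords, the HQ hostname `hq.example.net` and the remote LAN `10.1.1.0/24` are placeholders you would replace.

```routeros
# ---- HQ router (PPTP server side) ----
# Profile for management tunnels: HQ end of every tunnel is .1, encryption is
# mandatory and each username may only be logged in once.
/ppp profile add name=remote-mgmt local-address=192.168.80.1 \
    use-encryption=required only-one=yes

# One secret per shipped router. remote-address pins the tunnel IP to the
# username, so site-001 is always 192.168.80.11, site-002 always .12, etc.
/ppp secret add name=site-001 password=CHANGE-ME-001 service=pptp \
    profile=remote-mgmt remote-address=192.168.80.11
/ppp secret add name=site-002 password=CHANGE-ME-002 service=pptp \
    profile=remote-mgmt remote-address=192.168.80.12

# Enable the PPTP server, MS-CHAPv2 only (no PAP/CHAP fallback).
/interface pptp-server server set enabled=yes default-profile=remote-mgmt \
    authentication=mschap2

# PPTP needs TCP/1723 (control) and GRE (data) inbound on the HQ WAN.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept \
    comment="PPTP control from remote sites"
/ip firewall filter add chain=input protocol=gre action=accept \
    comment="PPTP GRE from remote sites"

# Optional (assumed remote LAN): route site-001's LAN over its tunnel so an HQ
# workstation can reach devices behind the remote router, as the post describes.
/ip route add dst-address=10.1.1.0/24 gateway=192.168.80.11 \
    comment="site-001 LAN via mgmt tunnel"

# ---- Remote router (PPTP client side, shipped pre-configured) ----
# Dials out to HQ; no default route is taken so customer traffic is unaffected.
/interface pptp-client add name=pptp-hq connect-to=hq.example.net \
    user=site-001 password=CHANGE-ME-001 profile=default-encryption \
    add-default-route=no disabled=no

# Only allow management (Winbox 8291, SSH 22) from the tunnel, nothing from WAN.
/ip firewall filter add chain=input in-interface=pptp-hq protocol=tcp \
    dst-port=8291,22 action=accept comment="Management over HQ tunnel only"
```

Because the remote end always initiates, nothing on the customer's ADSL or cable gateway needs forwarding; only the HQ router needs TCP/1723 and GRE reachable, and if the ISP-side addresses of your sites are known, restrict those two input rules with `src-address-list=` rather than leaving the PPTP server open to the whole Internet. Note that PPTP's MS-CHAPv2 authentication and MPPE encryption are cryptographically weak by today's standards; the design above is fine for reaching a router, but treat the tunnel as untrusted transport and keep strong per-site secrets rather than one shared password.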
Thanks for the reply - that's exactly what I'm planning to do.
I've sent out a couple of demo systems, so I'll see how it goes before planning the network. I only have a 450G in the office; I'm tempted to stick an 1100AH into the colo and set it up that way, or run a virtual ROS on VMware if possible.