Remote Access to Local OLTs via VPN on MikroTik Without Public IP

I have a VLAN configured on my MikroTik with the address 192.168.20.1 and network 192.168.20.0. I use this address pool to manage my EPON VSOL OLTs in my field area. Currently, I have 10 OLTs, and I can access them with local IPs, such as 192.168.20.20, when I’m connected to my local network. However, when I’m out of my city, I’m unable to reach these OLTs because they are on local addresses that are not accessible from outside my network.

I do not have a public IP address; I only have one shared IP that is used by my MikroTik router, which serves all my 2000 clients. I can’t use a Dynamic DNS (DDNS) service, and my MikroTik CHR does not support ZeroTier.

I am looking for a solution that allows me to access the web interfaces of my OLTs from another city over the internet using my MikroTik router. I would like to know if it’s possible to set up a VPN on my MikroTik so that I can connect to it remotely and access the OLTs as if I were within the local network.

Could you please provide a detailed step-by-step guide on how to configure the VPN on MikroTik and how I can access my local OLTs remotely?

What do you mean MikroTik CHR?
Do you have a licensed CHR in the cloud?
If so, you can set up WireGuard on the CHR and then access all devices locally.
One creates a peer-to-peer connection from the main router to the CHR and from any remote devices to the CHR.
With proper routing rules and firewall rules, any remote device can connect to any device on the main router.

Post both configs:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, etc.)

Thank you for the reply! Just to clarify, I don’t have a MikroTik Cloud Hosted Router (CHR). I’m running MikroTik on a machine with a level 6 license, not on a RouterBOARD or in the cloud.

Could you still guide me on how to set up a VPN (like WireGuard or any other supported VPN) on this MikroTik so that I can access my local network and OLTs remotely from another city?

@Plink4, it’s a bit hard to follow your network setup because, in your first post, you said “my MikroTik CHR does not support ZeroTier,” and then later you mentioned, “Just to clarify, I don’t have a MikroTik Cloud Hosted Router (CHR).”

A few questions just to clear things up:

  1. Are you running ROS directly (“bare metal”) on an x86_64 machine on-prem, or something else?
  2. Do you have a public IPv4 address (not to be confused with a dynamic IP address) or CGNAT?
  3. Why can’t you use a Dynamic DNS (DDNS) service, like the built-in ROS IP Cloud?

I am running RouterOS directly (bare metal) on an x86_64 machine on-premises. It’s not a MikroTik Cloud Hosted Router (CHR), but rather a machine where RouterOS is installed with a level 6 license. I don’t have any public IP. The one I have is connected to my MikroTik.

Are you kidding, what do you mean by “I don’t have any public IP. The one I have is connected to my MikroTik” ???

Before we move forward, please provide a complete network topology. It doesn’t need to be an advanced diagram, but it should include all the relevant network components, from your local network to your internet connection.

I apologize for any confusion. To clarify, my upstream provider has given me a public IP and a gateway that allows internet access for all of my clients. However, I don’t have a static public IP; I only have this single dynamic public IP assigned to my MikroTik for client access.

So, you do have a public IP after all, but it’s dynamic and connected to another Mikrotik router?? To be honest, I’m not sure I fully understand what you’re trying to explain!

Before we go any further, could you provide a full network topology? It doesn’t have to be a super detailed diagram, just a text explanation of all the key components, from your local network to your internet connection.

Thank you for your patience. Here’s a brief overview of my network topology:

My upstream provider has assigned me a public IP address (e.g., 119.x.x.205) and a corresponding network (e.g., 119.x.x.204) on a VLAN, which I have configured in my MikroTik to access the internet.

I created a PPPoE server on my MikroTik to connect all of my clients. In my network area, I have 10 V-SOL EPON OLTs. To manage these OLTs, I created VLAN 20 with the IP address 192.168.20.1 and network 192.168.20.0, assigning VLAN 20 to the interface.

I also configured each OLT with local IP addresses starting from 192.168.20.20. This setup allows me to access all of the OLTs locally while I am in my office.

However, since I am currently out of the city, I cannot access the OLTs remotely. My upstream provider has not provided any additional public IP addresses, and I’m unsure whether the existing public IP is dynamic.

I hope this clarifies my setup. Please let me know if you need any further details!

It’s getting clearer, thanks!
I suggest either a WireGuard VPN connection or a ZeroTier connection (LARSA can help with that), which will allow you to securely access your resources behind the MikroTik router while away.
I suppose whichever is readily available on the CHR would be a starting point.

WireGuard is available

@anav, since this is a ROS installation directly on x86_64 (PC) hardware, there’s no ZeroTier or BTH. But WireGuard should probably work fine with a public IP and external access using IP Cloud.

Can you please help me with WireGuard?

Sure, turn on IP cloud and get the dyndns address…
This is the endpoint address you will need on any client peers to connect to your wireguard VPN on the router.
Identify the subnet you wish to be able to access over wireguard.

/interface wireguard
add listen-port=53477 mtu=1420 name=wgOLT

/interface wireguard peers
add allowed-address=172.16.0.2/32 interface=wgOLT public-key="------" comment="admin remote laptop"
add allowed-address=172.16.0.3/32 interface=wgOLT public-key="~~~~" comment="admin remote smartphone/tablet"

/ip address
add address=172.16.0.1/24 interface=wgOLT network=172.16.0.0

/ip firewall filter
add chain=input action=accept comment="wireguard handshake" dst-port=53477 protocol=udp
add chain=input action=accept comment="admin access only" src-address-list=TRUSTED

/ip firewall address-list
add address=172.16.0.2-172.16.0.3 list=TRUSTED comment="remote wireguard admin devices"
add address=localsubnetA-address1/32 list=TRUSTED comment="local admin wired connection"
add address=localsubnetA-address2/32 list=TRUSTED comment="local admin wifi connection"

This gives you a rough idea of how to start.
When you create the WireGuard interface on the MikroTik router, it will generate a private key and a public key.
This public key is what you need to put in the peer settings (next to the allowed IPs) of the devices used remotely (their WireGuard settings).

On the devices used remotely (their WireGuard settings), they will also generate a private and public key.
This public key is used in the client peer settings on the MikroTik router.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Sometimes IP routes need tweaking, and the firewall rules will certainly need tweaking, but since there is no config to work with, I cannot help with that at the moment.

On the devices used remotely, the Allowed IPs settings typically look like:
add allowed-ips=172.16.0.0/24 endpoint-address=mynetname.net endpoint-port=53477 interface=wgMT
public-key="******" persistent-keep-alive=35s

If there are specific subnets you wish to also reach, add them as well (here subnetA):
add allowed-ips=172.16.0.0/24,subnetA endpoint-address=mynetname.net endpoint-port=53477 interface=wgMT
public-key="******" persistent-keep-alive=35s

If the client peer also has (or solely has) a requirement for internet through the MT router, then it would look like:
add allowed-ips=0.0.0.0/0 endpoint-address=mynetname.net endpoint-port=53477 interface=wgMT
public-key="******" persistent-keep-alive=35s

Hey, I followed the WireGuard setup process from this video tutorial: https://www.youtube.com/watch?v=eblYoakgLaU&ab_channel=NETVN82, and I was able to successfully establish the connection.

However, after connecting, I’m unable to access the internet or reach the local OLTs’ IP addresses (e.g., 192.168.20.20) from my remote PC. It seems like something might be missing in the configuration. Could this be a routing or firewall issue?

Need the full config of the router:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys)

Also the WireGuard configuration of the client (minus any public WAN IP information, keys, etc.)

Can you please join me through AnyDesk? I will be thankful.

Unable at the moment…

config_export.rsc (4.16 KB)

If this is a public IP facing router it should be unplugged ASAP as you have no firewall rules.
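An added example (not part of the thread or the poster's config) that checks an exported RouterOS config for the points raised above: that the WireGuard listen port is accepted on the input chain, that the input chain actually contains a drop rule (the "no firewall rules" problem in the last reply), and that every peer's allowed-address is covered by the TRUSTED address list. The sample export is constructed from the thread's config with placeholder keys; the parser only understands the `/section` and `add key=value` lines of an `/export`.

```python
import ipaddress
import shlex

# Constructed sample modelled on the thread's config (keys are placeholders, not real keys).
SAMPLE_RSC = """\
/interface wireguard
add listen-port=53477 mtu=1420 name=wgOLT
/interface wireguard peers
add allowed-address=172.16.0.2/32 interface=wgOLT public-key="PLACEHOLDER1" comment="admin remote laptop"
add allowed-address=172.16.0.3/32 interface=wgOLT public-key="PLACEHOLDER2" comment="admin remote phone"
/ip firewall filter
add chain=input action=accept comment="wireguard handshake" dst-port=53477 protocol=udp
add chain=input action=accept comment="admin access only" src-address-list=TRUSTED
/ip firewall address-list
add address=172.16.0.2-172.16.0.3 list=TRUSTED comment="remote wireguard admin devices"
"""

def parse_rsc(text):
    """Map each '/section' of an export to a list of {key: value} dicts, one per 'add' line."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return sections

def covers(entry, addr):
    """True when an address-list entry (single IP, CIDR or lo-hi range) contains addr."""
    if "-" in entry:
        lo, hi = map(ipaddress.ip_address, entry.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(entry, strict=False)

def audit(text):
    """Return findings for the WireGuard/firewall checks; an empty list means all passed."""
    s, findings = parse_rsc(text), []
    inp = [r for r in s.get("/ip firewall filter", []) if r.get("chain") == "input"]
    ports = {wg["listen-port"] for wg in s.get("/interface wireguard", [])}
    udp_open = {r.get("dst-port") for r in inp if r.get("action") == "accept" and r.get("protocol") == "udp"}
    findings += [f"no input accept for WireGuard UDP port {p}" for p in ports - udp_open]
    if not any(r.get("action") == "drop" for r in inp):
        findings.append("input chain has no drop rule: everything not explicitly accepted is allowed")
    trusted = [e["address"] for e in s.get("/ip firewall address-list", []) if e.get("list") == "TRUSTED"]
    for peer in s.get("/interface wireguard peers", []):
        ip = ipaddress.ip_address(peer["allowed-address"].split("/")[0])
        if not any(covers(t, ip) for t in trusted):
            findings.append(f"peer {ip} is not in the TRUSTED address list")
    return findings
```

Run `audit(open("config_export.rsc").read())` against a real export; the sample above reports only the missing input drop rule.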