Remote access to ROS without public IP

Hello,

I have some Mikrotiks used for internet backups via LTE, but I'd like to be able to connect to them somehow remotely and see the traffic etc. - we have problems with dumb users eating bandwidth by using HD YouTube as a radio for the whole day etc., and I'd love to do this for some settings changes too.

But how can I achieve this, with the routers not having a public IP? Do some of you guys use something like this? How?

I thought about creating some tunnel to one of my servers/Mikrotiks with a public IP, but ideally I'd like this connection online only when I need it... for example, some script connecting to ftp/http/whatever every 15 minutes or so, and if there is a special file (let's say tunnel-on.txt), it would initialize the tunnel/connection/something... but I don't know if this is possible.

Do you have any suggestions/examples/your solutions?

thanks

Just establish the tunnels out and keep them running. They will not significantly consume the bandwidth when no traffic is inside. Try to keep everything as simple as possible.

The connection may drop to GPRS, and there is a limit for monthly transferred data... I don't know what the VPN overhead traffic consumption for the tunnel itself is - keepalive packets etc... it probably isn't much, but the device may be online 24 hrs/day for the whole month...

It won't really be a tunnel since I don't know the second IP, so the connection would have to be an L2TP/OpenVPN VPN client, routed so that no traffic goes through the VPN?

Why can't you try L2TP or SSTP to see what its consumption is in your case?

I can and I will have to, although I'd like to hear other people's experience; this doesn't seem to me like a very uncommon task, many people must have dealt with something similar to this.

As Jarda says, use tunnels, any VPN client of your preference: PPTP, SSTP, OVPN... just don't let them set a default route.

SSTP has the benefit of using port 443 TCP, a port telcos aren't going to block or deprioritize as it's the same one HTTPS uses.

There isn't anything better to do, AFAIK... maybe you could "dial in" to the device directly, but you would need to set it as a modem, and I'm not even sure these devices nowadays will work in that "nineties" way. And possibly it isn't even worth trying, or it's capped by the telco.


For your reference (PPTP):
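The SSTP-on-443 suggestion above as a concrete RouterOS 6 configuration. This is an added example, not configuration posted in the thread. The point worth adding for anyone copying it: the RouterOS SSTP client does not verify the server certificate by default, so a tunnel that looks like HTTPS to the telco can still be terminated by anyone on the path unless verification is switched on. The server address 203.0.113.10, the certificate name, user and password are placeholders.

```routeros
# ---- Main site (public IP 203.0.113.10, placeholder): SSTP server on TCP 443 ----
# "server-cert" is assumed to be already imported under /certificate, issued by a
# CA whose certificate is also imported on every client router.
# If www-ssl (WebFig over HTTPS) already listens on 443 on this router, move one
# of the two services to another port first.
/interface sstp-server server set enabled=yes port=443 certificate=server-cert \
    authentication=mschap2 force-aes=yes pfs=yes default-profile=default

# ---- Client site behind LTE: dial out, keep user traffic off the tunnel ----
# verify-server-certificate defaults to no; leaving it there means the client
# accepts any certificate and hands its MS-CHAPv2 exchange to whoever answers.
# add-default-route=no keeps the LTE link as the default path, so only traffic
# explicitly routed to the tunnel uses it and the idle tunnel costs only keepalives.
/interface sstp-client add name=sstp-hq connect-to=203.0.113.10:443 \
    user=site12 password="CHANGE-ME-site12" authentication=mschap2 \
    verify-server-certificate=yes add-default-route=no
```

The client side still needs a route for whatever should cross the tunnel (the management network, for instance) and a firewall input rule that accepts only SSH/Winbox from the sstp-hq interface; without those, the tunnel comes up but carries nothing, which is exactly the idle-cost measurement the thread later reports.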

Thanks, both of you. I just wasn't sure about keeping the VPN running all the time, but I'll give it a try and write the results here for anybody's future reference.

Good point with SSTP and 443, pukkita.

I am running SSTP tunnels on a port other than 443 to keep it for SSL login to WebFig if necessary. Because I still have some traffic both in and out of the tunnels, I cannot say what its consumption is when idle. I guess it shouldn't be noticeable. But it is relative...

I have finally measured the data; I'm posting it so the post is more accurate and finally has the data - for anyone reading it later.

RBs connected to another RB with a public IP, using OpenVPN, RSA 1024-bit.

tap - approx. 160 kB/10 minutes - 960 kB per hour
tun - approx. 10 kB/10 minutes - 60 kB per hour

The huge broadcast overhead for tap can be seen here; too bad I need to be able to connect to the devices without a public IP. I'd like tun much more, but I'm unable to make it work between clients... but I'm happy it works anyway :smiley:

// edit - of course I mean just keeping the connection alive, no data transfers

You should definitely be able to reach site to site with tunnels.
Without seeing your topology / addressing schemes / etc - I can say that you should be able to route the various sites’ tunnel addresses via the tunnel and with some combination of masquerading / routing you should be able to reach site3’s mgmt address from site12.

First idea would be for each client to masquerade when forwarding traffic out of the tunnel. If site3’s Mikrotik can ping site12’s mikrotik, then you should be good to go.

On the OpenVPN server I have a bridge - local eth + wifi - and when I add my computer with the VPN client and all the RBs' OpenVPN clients to it (so they are all in one bridge), I can connect via SSH or Winbox to any of them.

When I switch it on both sides to tun (called ip in RBs), I can't connect to any of them.

I tried some masquerade rules, routes etc., but I couldn't get it working.
In OpenVPN the function is called client-to-client, but ROS doesn't have it.

I have a pool for OpenVPN (192.168.100.10-192.168.10.xx), and in tap mode when the OpenVPN clients are in one bridge, I get IP 192.168.10.11, the client RBs get 192.168.10.12 and I can ping it, Winbox it... in tun mode it doesn't work, probably I can't figure out the correct rules/routes/masquerade...

If you want to use routing (I prefer routing to bridging where possible anyway) then there are a couple of things you probably need to add to your configuration to get it working.

I recommend creating a dedicated IP network just for your VPN endpoints.
Example: 192.168.255.x = VPN endpoints.

On the main site:
Create a default black-hole route for the entire range:

/ip route add dst=192.168.255.0/24 type=blackhole

This keeps things tidy, so if any packets come along whose destination IP is an unused endpoint IP (or one that's just down right now), the packet will be discarded.

Next, in the ppp profile that your ovpn connections are using, specify local-address=192.168.255.1 and leave remote-address blank. (you want to assign a specific IP to each site, so no pool is needed)

In each site’s secret, set the Remote Address, e.g. 192.168.255.12 for site 12…
This is all you need to do at the main site.

In each client site:

Create a static route dst=192.168.255.0/24 gateway=ovpn-interface-name
Create a masquerade rule in the NAT table which specifies out-interface=ovpn-interface-name action=masquerade

Done.

Optional: If you want full lan-to-lan reachability, you can static route 192.168.0.0/16 to the ovpn interface at each branch location and disable the masquerade rule. Then at the main site, you would make the black hole route be for 192.168.0.0/16 (instead of 192.168.255.0/24), and then on each individual site’s secret, add the site’s LAN network to the “routes” field, e.g. 192.168.2.0/24 for site 2…

Each site will need unique IP addressing if you do this method... If the only goal is management access to each Mikrotik, then I'd say don't worry about the full routing solution.
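The routed recipe above, written out as a complete RouterOS 6 terminal script for the main site and one branch. This is an added example, not configuration from the thread; it follows the steps given (dedicated 192.168.255.0/24 endpoint range, blackhole at the main site, fixed remote-address per secret, route plus masquerade at each branch) and adds the pieces the post leaves implicit: the OVPN server definition in ip (tun) mode, a client-certificate requirement, a masquerade on the main site so admin traffic from its LAN arrives from 192.168.255.1, and input-filter rules so the tunnel carries only SSH and Winbox. The public IP 203.0.113.10, site names, passwords and certificate names are placeholders, and the certificates are assumed to be already imported under /certificate.

```routeros
# ==== Main site (public IP 203.0.113.10, placeholder) ====
# Dedicated /24 for tunnel endpoints only. The blackhole swallows packets for
# endpoint IPs that are unassigned or whose site is offline right now; the
# connected /32 route that appears when a site dials in is more specific, so it
# wins over the blackhole while the tunnel is up.
/ip route add dst-address=192.168.255.0/24 type=blackhole comment="mgmt vpn endpoints"

# One profile for all management tunnels: server side is always 192.168.255.1,
# no remote pool because every site gets a fixed address in its secret.
# only-one=yes refuses a second session with the same credentials.
/ppp profile add name=vpn-mgmt local-address=192.168.255.1 only-one=yes change-tcp-mss=yes

# One secret per site; endpoint address = site number, so 192.168.255.12 is site 12.
/ppp secret add name=site03 password="CHANGE-ME-site03" service=ovpn \
    profile=vpn-mgmt remote-address=192.168.255.3
/ppp secret add name=site12 password="CHANGE-ME-site12" service=ovpn \
    profile=vpn-mgmt remote-address=192.168.255.12

# OVPN server in ip (tun) mode, the low-overhead mode measured earlier in the
# thread. Requiring a client certificate means a leaked password alone cannot
# bring up a tunnel. "server-cert" is assumed to be imported already.
/interface ovpn-server server set enabled=yes port=1194 mode=ip \
    certificate=server-cert require-client-certificate=yes \
    auth=sha1 cipher=aes256 default-profile=vpn-mgmt

# Addition to the recipe: traffic from the main-site LAN into any PPP-type
# tunnel leaves sourced as 192.168.255.1, so a branch only needs the single
# route for 192.168.255.0/24 to answer, never a route back to the HQ LAN.
/ip firewall nat add chain=srcnat out-interface=all-ppp action=masquerade \
    comment="admin traffic into mgmt tunnels"

# ==== Each branch (example: site 12, no public IP, behind LTE) ====
# add-default-route=no keeps user traffic on the LTE link; the tunnel carries
# only what is routed into it below. "site12-cert" is the branch's client cert.
/interface ovpn-client add name=ovpn-hq connect-to=203.0.113.10 port=1194 \
    mode=ip user=site12 password="CHANGE-ME-site12" certificate=site12-cert \
    verify-server-certificate=yes auth=sha1 cipher=aes256 add-default-route=no

# Reach the server and every other site's endpoint through the tunnel; the
# main site forwards between its ovpn-in interfaces, which is what replaces
# OpenVPN's client-to-client option.
/ip route add dst-address=192.168.255.0/24 gateway=ovpn-hq

# Anything this site sends into the tunnel appears as its own endpoint IP,
# so the far end never needs a route to this branch's LAN.
/ip firewall nat add chain=srcnat out-interface=ovpn-hq action=masquerade \
    comment="branch traffic into mgmt tunnel"

# Addition to the recipe: the tunnel is for management only. Rules are appended
# at the end of the chain, so move them ahead of any existing generic drop rule.
/ip firewall filter add chain=input in-interface=ovpn-hq protocol=tcp \
    dst-port=22,8291 action=accept comment="ssh+winbox from mgmt vpn"
/ip firewall filter add chain=input in-interface=ovpn-hq action=drop \
    comment="nothing else from mgmt vpn"
```

To check the result from site 12, ping 192.168.255.3 and then open Winbox to it; the traffic goes up the site-12 tunnel, is forwarded by the main site into the site-3 tunnel, and comes back the same way because site 3's reply is addressed to 192.168.255.12, which its own /24 route sends into its tunnel.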

If you just want this for Mikrotik management purposes, you can do it without routing: enable and use RoMON.

It doesn’t matter what’s after the remote endpoint, being L2, L3 or a mix, RoMON will “see” all RoMON enabled routers on the remote network, and you’ll be able to remotely winbox to them.

For this, however, you need ROS > 6.28 on the routers.
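RoMON as suggested above, with the two settings a practitioner would want before exposing it: a shared secret and an explicit list of interfaces it may speak on. This is an added example, not configuration from the thread. RoMON is a Layer 2 protocol, so it needs an interface that carries Ethernet frames end to end; the assumption here is the tap-mode (ethernet) OVPN bridge the OP already runs, with bridge-local as the placeholder name of that bridge on each router. The secret value is a placeholder.

```routeros
# Run on every router that should be reachable over RoMON (main site and branches).

# Enable the agent with a shared secret; peers that do not present the same
# secret are ignored, so a device plugged into the LAN cannot join by default.
/tool romon set enabled=yes secrets="CHANGE-ME-romon-secret"

# The built-in default port entry covers every interface. Forbid it, then allow
# RoMON only on the bridge that carries the tap-mode OVPN, so the LTE/WAN side
# and any stray Ethernet port never speak RoMON at all.
/tool romon port set [find default=yes] forbid=yes
/tool romon port add interface=bridge-local forbid=no

# From the main-site router: list the RoMON IDs of reachable peers, then check
# one of them. Winbox reaches the same peers via "Connect to RoMON", which is
# how the remote routers get managed without any routing to their LANs.
/tool romon discover
/tool romon ping id=<id-shown-by-discover>
```

RoMON traffic never leaves the allowed interfaces, so if discover shows a router that should be unreachable, its port list is too permissive; if a branch is missing, the tunnel between it and the main site is not carrying Layer 2 frames (an ip/tun-mode tunnel will not, which is where the routed recipe above applies instead).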

ZeroByte> man, you rule!!

I had almost everything set the way you do (except small differences like the pool instead of fixed IPs, etc.), but the problem was probably the route on the clients... I'd swear I tried this route... strange, maybe I tried it on the server side...

Again, big thanks! It works; I'll also add the blackhole and fixed IPs for clients. This is perfectly enough for me; all I need is remote access, but the devices are moved around my country, changing their IP (and it is not public anyway).


pukkita> that's really interesting, I didn't even know ROS had such a cool thing... I'll take a look at how it works, all my routers are 6.30 and up