REMOTE ACCESS

I'm currently working at a small wifi-marketing company; we provide captive portals with publicity, and we use Mikrotik APs. The topology would be something like ISP router -> Mikrotik AP -> client. We want to get remote access (from the internet) to every Mikrotik router (AP) we use. What's the best way if I can't redirect the traffic from the ISP router? Can we create a VPN server in our company and create a VPN client on every AP?

Thanks to anyone who can help me.

Yes - you can use VPN clients on the AP routers to connect back to your office. I do this for my clients as their offices often have dynamic IPs. My own office also has a dynamic IP, but the VPN client in the Mikrotik supports using a hostname, so my office uses a dynamic IP service.

I’d recommend SSTP for your VPN since SSTP uses a single TCP port, whereas PPTP uses the GRE protocol, and some ISP routers may not support GRE. Also I think you can only have a single PPTP between two public IPs, so you wouldn’t be able to have two APs behind one router.

Since you only want access to the Mikrotiks (and not devices past the Mikrotiks) then it should be relatively easy.

Your office must have a different subnet than all other client networks. It is OK if all client networks have the same subnet. When the AP connects to your office, it’ll obtain an IP from your network. You’d then use that IP to connect to the Mikrotik. This may work in reverse though: a user on the client side can connect to your office Mikrotik. Use a firewall rule to block this.
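The setup described in the answer above, sketched as RouterOS commands. This is an added example, not configuration posted by anyone in the thread. The hostname `office.example.net`, the 10.255.0.0/24 management range, the account name `ap-site-001`, the certificate name `office-sstp-cert` and the passwords are placeholders chosen for illustration.

```routeros
# ---------- Office router: SSTP server ----------
# Dedicated management range (assumed), distinct from the office LAN
# and from every client-site subnet.
/ip pool add name=ap-vpn-pool ranges=10.255.0.10-10.255.0.250
/ppp profile add name=ap-mgmt local-address=10.255.0.1 \
    remote-address=ap-vpn-pool
# One account per AP, so a single site can be revoked on its own.
/ppp secret add name=ap-site-001 password="CHANGE-ME" service=sstp \
    profile=ap-mgmt
# The certificate (placeholder name) must already be imported on the
# office router so that the APs can verify who they are connecting to.
/interface sstp-server server set enabled=yes default-profile=ap-mgmt \
    authentication=mschap2 certificate=office-sstp-cert

# ---------- Office router: block the reverse direction ----------
# Replies to sessions opened from the office are allowed back in;
# anything new arriving over a PPP/SSTP tunnel is dropped.
# These rules must sit above any broader accept rule for the same traffic.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to office-initiated sessions"
add chain=input in-interface=all-ppp action=drop \
    comment="AP side must not reach the office router"
add chain=forward connection-state=established,related action=accept \
    comment="replies to office-initiated sessions"
add chain=forward in-interface=all-ppp action=drop \
    comment="AP side must not reach the office LAN"

# ---------- Each AP: SSTP client ----------
# Outbound TCP only, so no port forward is needed on the ISP router.
# connect-to takes a hostname, which covers an office on a dynamic IP.
/interface sstp-client add name=sstp-office \
    connect-to=office.example.net user=ap-site-001 \
    password="CHANGE-ME" verify-server-certificate=yes disabled=no
```

Once a tunnel is up, the address handed to each AP shows in `/ppp active print` on the office router, and that is the address to manage the AP on.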