I’ve got around 100+ RB450G all connected to the Internet via a single public IP address.
Right now it is impossible to apply any changes, updates etc.
I'd like to remotely access these routers to apply changes and updates if required, using e.g. Winbox (or an HTTP browser).
But I do not have any access to the ‘transport network’ and therefore cannot set up port forwarding for e.g. Winbox.
The only way so far to access the routers is via e.g. GotoAssist, LogMeIn, Teamviewer etc. to the connected client PCs.
But that means I need to have assistance from somebody at the router location, and they are in quite a different timezone.
Ideally, RouterOS would have some form of support agent which reports to a primary central server, and I could establish a remote support session via the primary or secondary central server (e.g. Winbox via VPN to the central server and then to the selected router).
I could imagine that the following scenario could kind of work:
RB450G sends at a certain frequency a request to the central server
Central server responds with either ‘No action’ or ‘Remote Support Request Initiated’ (/tool fetch …)
Once the fetch returns 'Remote Support Request Initiated', the RB450G then initiates a VPN connection to the primary or secondary central server.
Once the VPN connection is activated, remote access via Winbox etc. should be possible.
The RB450G would send a notification about the successful or failed VPN connection.
Is such a tool maybe already available? And is there maybe a better approach for this?
Port forwarding is not an option.
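The poll-and-dial scheme described in the post above, written out as RouterOS configuration. This is an added example, not something posted in the thread or shipped with RouterOS. The central server address, the identity-based user name, the tunnel endpoint and the password are placeholders, and the server is assumed to answer GET /poll?id=... with the plain text 'No action' or 'Remote Support Request Initiated' and to accept the outcome at /report. The poll goes over HTTPS with check-certificate=yes (the CA that signed the server certificate has to be imported with /certificate import first) because the reply is effectively a command: whoever can answer that request can make the router dial out, so an unauthenticated HTTP poll would hand that ability to anyone on the satellite path. mode=https and check-certificate need a RouterOS 6.x build that supports them; on older builds the script still works over plain http, minus that protection.

```routeros
# Added example, not from the thread. One-time setup on each RB450G:
# a PPTP client that stays disabled until the central server asks for it.
# vpn.example.net, rb-site-001 and the password are placeholders.
/interface pptp-client add name=support-tunnel connect-to=vpn.example.net \
    user="rb-site-001" password="CHANGE-ME" add-default-route=no disabled=yes

# Script "support-poll" (save it with /system script add name=support-poll
# or the Winbox script editor); the scheduler at the end runs it.
:local id [/system identity get name]
:local base "https://support.example.net"
:local poll ""

# Ask the central server whether a support session is wanted
:do {
    /tool fetch url="$base/poll?id=$id" mode=https check-certificate=yes \
        dst-path=support-poll.txt
    :set poll [/file get support-poll.txt contents]
} on-error={
    :log warning "support-poll: fetch from $base failed"
    :error "support-poll: fetch failed"
}

:if ($poll ~ "Remote Support Request Initiated") do={
    # Dial only once per request; later polls find the tunnel already enabled
    :if ([/interface pptp-client get support-tunnel disabled]) do={
        :log info "support-poll: remote support requested, dialing tunnel"
        /interface pptp-client enable support-tunnel
        :delay 30s
        :local status "failed"
        :if ([/interface pptp-client get support-tunnel running]) do={
            :set status "ok"
        }
        # The success/failure notification from the scheme
        /tool fetch url="$base/report?id=$id&tunnel=$status" mode=https \
            check-certificate=yes keep-result=no
    }
} else={
    # "No action": tear down any session left over from the last request
    :if (![/interface pptp-client get support-tunnel disabled]) do={
        :log info "support-poll: no request pending, disabling tunnel"
        /interface pptp-client disable support-tunnel
    }
}

# Scheduler (one-time setup): poll every 10 minutes
/system scheduler add name=support-poll interval=10m on-event=support-poll
```

Because the tunnel is only enabled while the server keeps answering 'Remote Support Request Initiated', ending the session is a server-side change of the reply; the next poll disables the interface. Only one or two routers get that reply at a time, which is the "not all connected at once" requirement. Note that the PPTP password sits in the router's configuration and in any export of it, so use a distinct secret per router so that one compromised unit does not open the central server to the rest.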
You can make a tunnel from one of the distant devices (or from more of them) to the network you are normally connected to. Then you can access all the distant devices. Of course you have to set the routing in an appropriate way.
A PPTP tunnel would be perfect for that.
Set up a PPTP server on the edge RB450G, the one that has the public address.
Set up a PPP secret on that RB and a PPTP-client connection on your Windows or Linux computer.
Launch the pptp client, and as jarda said, add a route to the private address space behind the NAT.
edit: Another way to gain ad-hoc access to certain nodes in the private address space would be port forwarding using dst-nat rules on the firewall of the edge routerboard.
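The edge-router side of the approach in the reply above (PPTP server, PPP secret, and the dst-nat alternative from the edit), as an added example that was not posted in the thread. It assumes the edge router is an RB with its public address on ether1, that the inner RB450Gs live in 192.168.100.0/24 behind it, that tunnel addresses come from 10.99.0.0/24, and that the secret name, password and the 203.0.113.10 office address are placeholders. One caveat a practitioner should keep in mind: PPTP's MS-CHAPv2 handshake can be cracked offline from a capture, so the src-address-list restriction below, not the password, is the real gate on who reaches the service.

```routeros
# Added example, not from the thread: edge-router side of the PPTP approach.
# Assumptions: public IP on ether1, inner RB450Gs in 192.168.100.0/24,
# tunnel pool 10.99.0.0/24, "support" / CHANGE-ME / 203.0.113.10 placeholders.

# Address pool and profile for support logins; require MPPE so the tunnel
# payload is at least not plaintext
/ip pool add name=support-pool ranges=10.99.0.10-10.99.0.20
/ppp profile add name=support local-address=10.99.0.1 \
    remote-address=support-pool use-encryption=required
/ppp secret add name=support service=pptp password="CHANGE-ME" profile=support
/interface pptp-server server set enabled=yes default-profile=support \
    authentication=mschap2

# Accept PPTP (TCP 1723 + GRE) only from a named address list, drop the rest.
# "add" appends; if the input chain already ends in a drop, use place-before=
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1723 \
    src-address-list=support-allowed action=accept comment="PPTP from allowed"
/ip firewall filter add chain=input in-interface=ether1 protocol=gre \
    src-address-list=support-allowed action=accept comment="GRE from allowed"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1723 \
    action=drop comment="PPTP from anyone else"
/ip firewall filter add chain=input in-interface=ether1 protocol=gre \
    action=drop comment="GRE from anyone else"
/ip firewall address-list add list=support-allowed address=203.0.113.10 comment="office"

# Alternative from the edit: ad-hoc dst-nat straight to one inner router's
# Winbox (8291), again only from the allowed list; remove it when done
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=18291 \
    src-address-list=support-allowed action=dst-nat \
    to-addresses=192.168.100.21 to-ports=8291 comment="temporary: site 21 Winbox"
```

On the client computer, once the PPTP session is up, add the route jarda mentions (192.168.100.0/24 via the tunnel, i.e. the 10.99.0.1 end) and Winbox reaches every inner RB450G by its private address. The dst-nat variant needs no route but exposes one Winbox port per inner router on the public address, which is why it is restricted to the same address list.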
Thanks for the replies. Guess I have to implement it the way I described it. Just thought that there was maybe something already available which would work as easily as the Teamviewer, GotoAssist, LogMeIn, etc. solutions. Any hacker these days can plant a trojan on a Windows computer. The 'remote support agent' within the RB450G could work in a very similar way using a client/server set up.
Part of my solution should be that not all RB450Gs are connected at the same time. Just one or maybe two at a time for a remote support session. This means the RB450G has to initiate the (e.g. PPTP) tunnel after the RB450G receives the command to do this (via the fetch command).
I guess you’re making it overly complicated for no particular reason.
I advise making it in a more simple way, a way that just works and is used by a lot of people.
If you’re worried about the safety of PPTP, you can secure it with a “port knocking” technique.
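The port-knocking technique mentioned in the reply above, as an added example that was not posted in the thread: two knocks in order open the PPTP port on the edge RB for the knocking address only. It assumes the public interface is ether1, the knock ports 7421 and 9317 are arbitrary choices, the second knock must follow the first within 15 seconds, and the opening lasts 10 minutes. It is worth being clear about what this buys: the knock sequence travels in the clear and can be replayed by anyone who observes it, so it keeps scanners and password guessers off the MS-CHAPv2 exchange rather than authenticating the client.

```routeros
# Added example, not from the thread: two-stage port knock in front of PPTP.
# Assumptions: WAN is ether1; knock ports 7421 then 9317 are arbitrary;
# 15 s window between knocks; the opening lasts 10 minutes.
# These rules must sit before any catch-all drop in the input chain
# (use place-before= on an existing configuration).

# Knock 1: remember the source for 15 s
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=7421 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=15s comment="knock 1"

# Knock 2, only valid from a source that did knock 1: open PPTP for 10 min
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=9317 \
    src-address-list=knock-stage1 action=add-src-to-address-list \
    address-list=support-allowed address-list-timeout=10m comment="knock 2 -> open"

# PPTP (TCP 1723 + GRE) accepted from the opened list, dropped from anyone else
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1723 \
    src-address-list=support-allowed action=accept comment="PPTP after knock"
/ip firewall filter add chain=input in-interface=ether1 protocol=gre \
    src-address-list=support-allowed action=accept comment="GRE after knock"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1723 \
    action=drop comment="PPTP without knock"
/ip firewall filter add chain=input in-interface=ether1 protocol=gre \
    action=drop comment="GRE without knock"
```

From the support computer, knock with two TCP SYNs in order (for example one connection attempt to port 7421, then one to 9317, with anything such as nmap or a telnet client; the ports need not answer) and then start the PPTP client within the 10-minute window. /ip firewall address-list print shows which addresses are currently in knock-stage1 and support-allowed, which is the first thing to check when the tunnel will not come up.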
Not sure what I am doing differently? I am going to use a PPTP tunnel.
I just don’t see that I should have all RB450G connected via PPTP at all times.
My complication is the establishing of the PPTP connection. Is that what you mean?
Thanks!
Yes, this is also what I mean.
Firstly - you don't need a tunnel for each RB. You just need to set up a tunnel server on the edge router and just dial the VPN tunnel when you need it. Other RBs will be accessible by simple routing through the tunnel.
Or otherwise, in case the edge router isn't an RB or any other PPTP-capable system, you can set up a pptp-client on an RB inside of your network and dial out to a PPTP server in your office or on a hosted server, really whatever. This will be possible only if the private address pool of your RBs is being masqueraded by the edge router.
Well, I do not have any access to the edge router, backbone etc. I only have access initially (during setup) to the RB450G, which is connected to a NAT router, then satellite, and then somewhere via the same public IP to the Internet.
Once the RB450G is in operation I do not have any access anymore … hence I need a remote support access solution.
Once I have a solution I then schedule remote access to each RB450G to add the PPTP-Client configuration.
Since the Internet connection is via satellite, I do not really think a permanent tunnel is something desirable.
Each RB450G already sends a status update to a central server. I could just add some commands in the return result which could then initiate the PPTP connection.
So, I still believe that I have to set up a ‘temporary’ tunnel for each RB450G.
It would be a PPTP-Client on the RB450G and OpenVPN on the CentOS server side.
Thanks!