VPN 3 sites 2xMT + 1xDraytek Vigor 2860 (no static IP)

Hello again.
My goal is to connect 2 small offices using some low-budget RB (I'm thinking of RB951G-2HnD) with HQ. There should be no internet traffic going through VPN tunnels. Each site shall use its own ISP for internet usage.

Here are some details:
HQ has Draytek Vigor 2860 with Lan-to-Lan IPsec VPN basically configured. Main WAN has dynamic IP (dyndns configured).
Remote offices - each office has ca. 5-8 LAN devices. Both have static IPs.

Each site has its own subnet, let's say:
HQ: 192.168.1.0
office1: 192.168.2.0
office2: 192.168.3.0

HQ has 2 WANs (WAN1 - faster, with dynamic IP only; secondary WAN2 with static IP but relatively slow speed).

Now… HQ must have access to the offices' camera surveillance systems, shared folders etc. No need for the offices to see each other, but each office must have access to, for example, HQ servers' RDP services through the VPN tunnels.

For now I've tested lan-to-lan using my own RB951Ui-2HnD. The connection seems to work fine with IPsec encryption, but only for the Draytek connecting to the Mikrotik VPN host, not the other way round (it seems MT must have the destination VPN IP specified - a dyndns name won't work?). In the end it shouldn't matter which way the VPN connections are established, but some prefer that the office MTs connect to the Draytek rather than the Draytek connecting to the office MTs :confused:
So is there a chance to establish the VPN with the Draytek being a VPN host with a dynamic IP? The static IP on the secondary WAN is too slow for, let's say, IP camera streaming etc., so I wouldn't recommend using that WAN for VPN anyway…

BTW: Both mikrotiks should be relatively cheap, but must have:

  • some gigabit eth ports, since offices might have 100Mbit+ WAN speed;
  • Wifi (b/g/n is enough);
  • USB port (perhaps for a spare 3G/LTE modem as backup WAN);
  • PoE not required;
  • office MTs will work as main routers.

I chose the RB951G with decent CPU, RAM and Flash. I'd personally prefer the RB2011UiAS-2HnD-IN but it's temporarily not available from my suppliers. Not familiar with the hAP or hEX branch, but some might do the job as well (like this one for example https://mikrotik.com/product/RB962UiGS-5HacT2HnT )?
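As an added illustration (not configuration from the poster or from MikroTik/Draytek), here is what the office1 side of the setup described above looks like when the MikroTik is the IPsec initiator and reaches HQ by its DynDNS name instead of a fixed IP. It assumes a RouterOS release whose IPsec peer `address` accepts a DNS name (the 6.43+ profile/identity syntax is used), and uses placeholder values `hq.dyndns.example`, `CHANGE-ME` and `ether1` that must be replaced. Subnets are the ones from the post: office1 is 192.168.2.0/24, HQ is 192.168.1.0/24.

```routeros
# Added example, not from the original post. Office1 RB as IPsec initiator
# toward HQ. Assumes: RouterOS peer "address" accepts a DNS name,
# hq.dyndns.example / CHANGE-ME / ether1 are placeholders to replace.

# Phase 1 (IKE) parameters; must match the Vigor's LAN-to-LAN profile
/ip ipsec profile add name=hq-p1 enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 lifetime=8h

# Phase 2 (ESP) parameters; also matched on the Vigor side
/ip ipsec proposal add name=hq-p2 enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048 lifetime=1h

# Peer entry: HQ by DNS name. The RB resolves it and initiates, so HQ's
# WAN1 can keep its dynamic address as long as DynDNS stays updated.
/ip ipsec peer add name=hq address=hq.dyndns.example exchange-mode=main profile=hq-p1 send-initial-contact=yes

# Pre-shared key for that peer (placeholder secret)
/ip ipsec identity add peer=hq auth-method=pre-shared-key secret=CHANGE-ME

# Only office1 <-> HQ traffic is selected for the tunnel. Anything else
# (internet, the other office) is not matched and leaves via the local ISP.
/ip ipsec policy add peer=hq tunnel=yes src-address=192.168.2.0/24 dst-address=192.168.1.0/24 proposal=hq-p2

# NAT: accept tunnel traffic BEFORE the masquerade rule, otherwise the
# source gets rewritten to the WAN IP and never matches the policy.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24 comment="bypass NAT for HQ tunnel"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

# Let IKE and ESP reach the router (place above any generic input drop)
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="ESP"
```

The Vigor side needs a LAN-to-LAN profile with the same Phase 1/2 algorithms, the same PSK and the office's static WAN address as the allowed remote, with 192.168.2.0/24 as the remote network. The policy is deliberately limited to the two LAN prefixes: that is what keeps internet traffic off the tunnel and stops office1 and office2 from seeing each other through HQ unless HQ explicitly routes between them. Verify with `/ip ipsec active-peers print` and `/ip ipsec installed-sa print`, and check the srcnat counters to confirm the bypass rule is the one matching HQ-bound traffic.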