VPN Site to Site behind NAT

Hi,

I’m trying to setup a VPN connection between two remote sites.
I have Mikrotik routers at both locations.

My problem is all examples I see on the internet, use Public IPs on the Mikrotik.
However both of my Mikrotik routers are behind a NAT Homegateway.

Is this possible to configure?
What kind of VPN should I use?

Thanks in advance.

Put your modems in bridge mode and make the PPPoE connection on your MikroTik routers, so your MT will get the internet IP.
Then with a script you can update your internet IP to a DDNS service such as no-ip.com, so you will always have access to your routers.

Then you can use PPTP to make your VPN connection.

Hi,
Thanks for the reply.

I can’t however change the mode on the modem.
It needs to work on routed mode as it has other services running on top of it that depend on the routed mode.

Is there any way I can set this up with Routed mode / NAT?

I haven't used it in that mode (NAT), but the only thing I can think of is to make a port forward on your modem for TCP port 1723, which PPTP uses, and check if you can make the PPTP connection to your MT router like that.

I wouldn’t want to use PPTP. I would prefer L2TP or SSTP.

I configured an L2TP tunnel following what is on the MikroTik Wiki, Site-to-Site L2TP Example.

I can see the packets reaching the MikroTik interface on port 1701 coming from the client, but there is no reply.

How can I troubleshoot this to understand what is wrong in my configuration?

You can use any protocol you want; PPTP is just the most common.

Can you post your config?

Below is the design of the architecture used:

The configs from the Mikrotik routers are:
Main Office:
[admin@MikroTik] > /ppp secret print
Flags: X - disabled
1 name="Home" service=l2tp caller-id="" password="123" profile=default local-address=172.16.1.1 remote-address=172.16.1.2 routes="192.168.41.0/24 172.16.1.2 1"
limit-bytes-in=0 limit-bytes-out=0

[admin@MikroTik] > /interface l2tp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap1,mschap2
keepalive-timeout: 30
default-profile: default-encryption


Branch Office:
[admin@Mikrotik] /interface l2tp-client> print
Flags: X - disabled, R - running
0 R name="l2tp-out1" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=85.1.1.1 user="Home"
password="123" profile=default-encryption add-default-route=no dial-on-demand=no
allow=pap,chap,mschap1,mschap2

[admin@Mikrotik] /ip route> add dst-address=192.168.98.0/24 gateway=l2tp-out1


I also forwarded Port 1701, 500 and 4500 on the Gateway.

Can you tell what is wrong?

How are your firewall filter rules on the Main Office MikroTik?
Maybe your traffic is dropped there.
And if you are using L2TP I suppose you should set up IPsec too.
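The two points in the reply above, firewall filter rules and IPsec, are where a practitioner would look first, so here is a complete configuration for the setup the thread describes, written as an added example rather than copied from the thread or from the MikroTik wiki. Three things matter when the L2TP server sits behind a home gateway: IKE (UDP 500), NAT-T (UDP 4500) and L2TP (UDP 1701) are all UDP, so the forwards on the gateway must be UDP forwards (a TCP forward of 1701 is silently useless); ESP (IP protocol 50) cannot be port-forwarded at all, which is exactly why NAT-T on UDP 4500 is required; and the accept rules on the MikroTik's input chain must sit above any generic "drop from WAN" rule. The secrets, the interface name ether1, the private address of the server and the RouterOS 6.x syntax (`use-ipsec`, `ipsec-secret`) are assumptions for the example; the addresses 85.1.1.1, 172.16.1.x, 192.168.41.0/24 and 192.168.98.0/24 are taken from the posted config.

```routeros
# --- Home gateway in front of the Main Office MikroTik (vendor-specific GUI) ---
# Forward UDP 500, UDP 4500 and UDP 1701 to the MikroTik's private WAN address
# (assumed 192.168.0.2). Protocol 50 (ESP) cannot be forwarded; NAT-T replaces it.

# --- Main Office MikroTik: L2TP/IPsec server ---
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500,1701 in-interface=ether1 \
    comment="IKE, NAT-T and L2TP from the Internet (must precede any WAN drop rule)"
add chain=input action=accept protocol=ipsec-esp in-interface=ether1 \
    comment="ESP; only ever seen when no NAT sits in the path"
# Rule counters are the quickest check that packets reach these rules and are not
# dropped earlier:  /ip firewall filter print stats

/ppp profile
set default-encryption use-encryption=required

/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="REPLACE-with-long-random-PSK" \
    authentication=mschap2 default-profile=default-encryption

/ppp secret
add name=Home service=l2tp password="REPLACE-with-long-random-password" \
    local-address=172.16.1.1 remote-address=172.16.1.2 \
    routes="192.168.41.0/24 172.16.1.2 1"

# --- Branch Office MikroTik: L2TP/IPsec client (no forwards needed on its gateway) ---
/interface l2tp-client
add name=l2tp-out1 connect-to=85.1.1.1 user=Home \
    password="REPLACE-with-long-random-password" \
    use-ipsec=yes ipsec-secret="REPLACE-with-long-random-PSK" \
    profile=default-encryption allow=mschap2 add-default-route=no disabled=no
/ip route
add dst-address=192.168.98.0/24 gateway=l2tp-out1

# --- Troubleshooting "packets arrive on 1701 but nothing comes back" (both sides) ---
/system logging
add topics=l2tp,!packet action=memory
add topics=ipsec,!packet action=memory
/log print where topics~"l2tp|ipsec"
/ip ipsec remote-peers print          ;# renamed to "active-peers" in RouterOS 6.43+
/interface l2tp-server print          ;# a dynamic <l2tp-Home> entry means PPP came up
/tool sniffer quick interface=ether1 port=500,4500,1701   ;# watch both directions
```

With IPsec enabled the L2TP packets travel inside the UDP 4500 encapsulation once the IPsec SA is up, so a NAT-T capable gateway only strictly needs 500 and 4500; the raw 1701 forward matters only for L2TP without IPsec, which leaves the PPP payload in the clear apart from MPPE and is not recommended for a site-to-site link. If the log shows IKE proposals but no L2TP, the pre-shared keys differ; if the sniffer shows inbound 1701 with no outbound reply at all, the input chain is the usual culprit.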

Please, I had the same problem and I want to use DDNS to solve it.
I have the DDNS script based on no-ip.com but I don't know how to use it. Any help please?
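For anyone in the same position as the poster above, here is a DDNS update script for a MikroTik behind NAT, added as an example; it is not the script the poster has and not MikroTik's or No-IP's own code. The detail that trips people up behind NAT is that the router's WAN interface carries a private address, so the script cannot read the public IP from `/ip address` and must ask an external lookup service instead. The hostname, credentials and lookup service (api.ipify.org) are assumptions; the No-IP update URL and its `good`/`nochg` responses are from No-IP's published API. `as-value` on `/tool fetch` needs RouterOS 6.43 or later.

```routeros
# Install with:  /system script add name=ddns-noip source={ ...body below... }
# Then run it every few minutes:
#   /system scheduler add name=ddns-noip interval=5m on-event=ddns-noip

:local ddnsHost "branch.example.ddns.net"   ;# assumed No-IP hostname
:local ddnsUser "noip-username"             ;# assumed No-IP account (or DDNS key) name
:local ddnsPass "noip-password"             ;# assumed No-IP password / DDNS key
:global ddnsLastIp                           ;# survives between runs, avoids useless updates

# The WAN address is private behind the home gateway, so ask an external service
# for the address the Internet actually sees (assumed: api.ipify.org, plain text body).
:local pubIp ([/tool fetch url="https://api.ipify.org" mode=https output=user as-value]->"data")
:if ([:len $pubIp] = 0) do={
    :log warning "ddns: could not learn public IP"
    :error "ddns: no public ip"
}

# Only talk to No-IP when the address changed; repeated "nochg" updates get accounts blocked.
:if ($pubIp != $ddnsLastIp) do={
    :local result ([/tool fetch url="https://dynupdate.no-ip.com/nic/update?hostname=$ddnsHost&myip=$pubIp" user=$ddnsUser password=$ddnsPass mode=https output=user as-value]->"data")
    :if ($result ~ "^(good|nochg)") do={
        :set ddnsLastIp $pubIp
        :log info "ddns: $ddnsHost -> $pubIp ($result)"
    } else={
        :log error "ddns: update failed: $result"
    }
}
```

Two practical notes. Anyone with read access to `/system script` can read the credentials, so use a dedicated No-IP DDNS key rather than the account password and restrict script permissions. And for a MikroTik whose only need is a reachable name, `/ip cloud set ddns-enabled=yes` (RouterOS 6.14+) registers `<serial>.sn.mynetname.net` with the public address the MikroTik cloud server sees, which works behind NAT without storing any third-party credentials on the router.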

I disbanded every configuration where I had Mikrotik acting as VPN endpoint behind a NAT. You can get a connection, but stability is another issue compared to non-NAT VPNs. In these cases I was always using the PPTP type and always Mikrotik behind Mikrotik.

Mikrotik VPN Endpoint —> Mikrotik Gateway —> Internet <— Mikrotik Gateway <— Mikrotik VPN Client
Internal IP External IP External IP Internal IP

I have a similar problem where I want to put a Mikrotik domestic hotspot using NAT behind existing PPP connected routers, but I want to be able to get admin access to the Mikrotik Hotspot.

ie. Internet – Existing PPP router → NAT – Mikrotik Hotspot.

Yes, theoretically, you could configure port forwarding on the existing PPP router, but that relies upon getting admin access to the existing PPP router, which I want to avoid if possible.

Regards
Mark

IPv4 can be tunneled over an IPv6 based VPN. I think it's a great alternative to NAT traversal and the associated issues. I can edit this post later with a link to another post, but I have confirmed L2TP/IPsec can be used this way for site to site. I prefer GRE (gre6 in MikroTik) with IPsec. It's just cleaner to me and supports things like dynamic routing and multicast. IPv6 only needs to be deployed as far as the MikroTik doing the VPN. You can also use tunneled IPv6 from a tunnel broker like Hurricane Electric. This would give you a static prefix and IP as well.
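The gre6-over-IPsec design in the post above, written out as an added example (not the poster's configuration). The point it demonstrates is that with global IPv6 on both MikroTiks there is no NAT in the path, so IPsec runs with plain IKE on UDP 500 and native ESP, no NAT-T, no port forwards, and the IPv4 site prefixes are simply routed over the tunnel. Addresses are from the documentation ranges (2001:db8::/32, 172.16.1.0/30) and are assumptions; the `ipsec-secret` shortcut, which makes RouterOS create the IPsec peer, proposal and policy for the tunnel endpoints automatically, is documented for `/interface gre` and assumed here to be available on gre6 in your RouterOS version (otherwise create the peer and policy by hand under `/ip ipsec`).

```routeros
# --- Site A (Main Office): global IPv6 2001:db8:a::1, LAN 192.168.98.0/24 ---
/interface gre6
add name=gre6-branch local-address=2001:db8:a::1 remote-address=2001:db8:b::1 \
    ipsec-secret="REPLACE-with-long-random-PSK" keepalive=10s,10 clamp-tcp-mss=yes
/ip address
add address=172.16.1.1/30 interface=gre6-branch
/ip route
add dst-address=192.168.41.0/24 gateway=172.16.1.2 comment="branch LAN via gre6"
/ipv6 firewall filter
add chain=input action=accept protocol=udp dst-port=500 src-address=2001:db8:b::1/128 \
    comment="IKE from the branch"
add chain=input action=accept protocol=ipsec-esp src-address=2001:db8:b::1/128 \
    comment="ESP from the branch (native, no NAT-T needed)"
add chain=input action=accept protocol=icmpv6 comment="ND/PMTUD must keep working"
# keep these above any generic IPv6 input drop rule

# --- Site B (Branch): global IPv6 2001:db8:b::1, LAN 192.168.41.0/24 ---
/interface gre6
add name=gre6-main local-address=2001:db8:b::1 remote-address=2001:db8:a::1 \
    ipsec-secret="REPLACE-with-long-random-PSK" keepalive=10s,10 clamp-tcp-mss=yes
/ip address
add address=172.16.1.2/30 interface=gre6-main
/ip route
add dst-address=192.168.98.0/24 gateway=172.16.1.1 comment="main office LAN via gre6"
/ipv6 firewall filter
add chain=input action=accept protocol=udp dst-port=500 src-address=2001:db8:a::1/128
add chain=input action=accept protocol=ipsec-esp src-address=2001:db8:a::1/128
add chain=input action=accept protocol=icmpv6

# --- Verify on either side ---
/ip ipsec policy print            ;# dynamic policy for the two /128 endpoints, ph2 state established
/interface gre6 print             ;# R flag set once keepalives are answered
/ping 172.16.1.2 src-address=172.16.1.1
```

One caveat on the tunnel-broker variant: a Hurricane Electric tunnel is 6in4 (IP protocol 41), not UDP or TCP, so it cannot be port-forwarded on a typical home gateway any more than ESP can; it only removes the NAT problem if the gateway is willing to pass protocol 41 to the MikroTik or the MikroTik itself holds the public IPv4 address. Native IPv6 from the ISP, reaching the MikroTik directly, is the reliable way to get the NAT-free path described in the post.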