Want to merge 3 LANs.

Hi there, I have three home LANs, three MikroTik RB951G-2HnD with RouterOS 6.1 and a little experience with LANs.

Tasks I want to solve:

  1. Build a VPN server on MikroTik № 1 and connect the other routers to it (ideally a VPN server with certificates for iOS)
  2. Merge the three LANs into one virtual LAN with a single IP mask (all computers must have IPs in 25.5.0.*)

Could you help me with a roadmap I should use to perform these tasks? (For example, use L2TP for the VPN server, maybe use bridges, etc.)

If I were trying to connect three locations and did not have really high security concerns, then I would set up each location with its own subnet and create a VPN ring where each router knew how to reach each network directly. If you don’t separate the three locations by subnet, then you will likely end up sending a lot of traffic across the VPNs that is not necessary, like broadcast traffic. The simple solution would be to create PPTP tunnels between the locations and not have them set for dial-on-demand, which will mean they will attempt to be always connected. You’ll need to be sure that you have a route to each of the other subnets from each router that uses the PPTP interface as the gateway.

Three VPN tunnels and two routes in each of the routers is all that is required to have full unicast connectivity between the devices. If you need layer 2 connectivity between the locations, then EoIP may be what you need. Also, if you end up establishing a layer 2 network between three locations, be careful that you don’t end up with a network loop. You don’t want site A broadcasting to sites B & C, and sites B & C broadcasting to each other and then also back to site A, which then broadcasts again to B & C…
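The ring described in this reply, written out as RouterOS 6.x CLI. This is an added example, not configuration posted in the thread: every LAN subnet, tunnel address and peer address below is constructed (a.a.a.a, b.b.b.b, c.c.c.c stand for the three WAN addresses, and the interface and user names are arbitrary). Router A accepts tunnels from B and C, B additionally accepts one from C, so every router ends up with a direct link to both peers and two static routes. The firewall lines restrict the PPTP service to the known peers and the profile line makes MPPE encryption mandatory; note that RouterOS also offers L2TP/IPsec and SSTP, and that MS-CHAPv2, the authentication PPTP relies on, has well-documented weaknesses, so treat this as the simple option the reply calls it rather than the strong one.

```routeros
# Added example (not from the thread). Constructed addressing:
#   Site A  LAN 192.168.1.0/24   WAN a.a.a.a   tunnel endpoint 10.255.0.1
#   Site B  LAN 192.168.2.0/24   WAN b.b.b.b   tunnel endpoint 10.255.0.2 (to A), 10.255.1.2 (to C)
#   Site C  LAN 192.168.3.0/24   WAN c.c.c.c   tunnel endpoint 10.255.0.3 (to A), 10.255.1.3 (to B)

# ---------- Router A: PPTP server for B and C ----------
/interface pptp-server server set enabled=yes authentication=mschap2
# Require MPPE on every PPP session that uses the default profile.
/ppp profile set default use-encryption=required
/ppp secret add name=siteB password=CHANGE-ME-B service=pptp \
    local-address=10.255.0.1 remote-address=10.255.0.2
/ppp secret add name=siteC password=CHANGE-ME-C service=pptp \
    local-address=10.255.0.1 remote-address=10.255.0.3
# Static server bindings give each tunnel a fixed interface name to route over.
/interface pptp-server add name=pptp-to-B user=siteB
/interface pptp-server add name=pptp-to-C user=siteC
# One route per remote LAN, tunnel interface as gateway.
/ip route add dst-address=192.168.2.0/24 gateway=pptp-to-B comment="site B LAN"
/ip route add dst-address=192.168.3.0/24 gateway=pptp-to-C comment="site C LAN"
# Expose PPTP (TCP 1723 control + GRE data) only to the two peer addresses.
# Place these rules above the generic "drop everything else from WAN" rule.
/ip firewall address-list add list=vpn-peers address=b.b.b.b comment="site B WAN"
/ip firewall address-list add list=vpn-peers address=c.c.c.c comment="site C WAN"
/ip firewall filter add chain=input protocol=tcp dst-port=1723 \
    src-address-list=vpn-peers action=accept comment="PPTP control from peers"
/ip firewall filter add chain=input protocol=gre \
    src-address-list=vpn-peers action=accept comment="PPTP data from peers"

# ---------- Router B: client to A, server for C ----------
/ppp profile set default use-encryption=required
/interface pptp-client add name=pptp-to-A connect-to=a.a.a.a user=siteB \
    password=CHANGE-ME-B add-default-route=no dial-on-demand=no disabled=no
/interface pptp-server server set enabled=yes authentication=mschap2
/ppp secret add name=siteC-via-B password=CHANGE-ME-CB service=pptp \
    local-address=10.255.1.2 remote-address=10.255.1.3
/interface pptp-server add name=pptp-to-C user=siteC-via-B
/ip route add dst-address=192.168.1.0/24 gateway=pptp-to-A comment="site A LAN"
/ip route add dst-address=192.168.3.0/24 gateway=pptp-to-C comment="site C LAN"
/ip firewall address-list add list=vpn-peers address=c.c.c.c
/ip firewall filter add chain=input protocol=tcp dst-port=1723 \
    src-address-list=vpn-peers action=accept
/ip firewall filter add chain=input protocol=gre \
    src-address-list=vpn-peers action=accept

# ---------- Router C: client to both A and B ----------
/ppp profile set default use-encryption=required
/interface pptp-client add name=pptp-to-A connect-to=a.a.a.a user=siteC \
    password=CHANGE-ME-C add-default-route=no dial-on-demand=no disabled=no
/interface pptp-client add name=pptp-to-B connect-to=b.b.b.b user=siteC-via-B \
    password=CHANGE-ME-CB add-default-route=no dial-on-demand=no disabled=no
/ip route add dst-address=192.168.1.0/24 gateway=pptp-to-A comment="site A LAN"
/ip route add dst-address=192.168.2.0/24 gateway=pptp-to-B comment="site B LAN"
```

Check the result with `/interface pptp-client print` (the client entries should show `R` for running) and `/ip route print` (each remote LAN should appear as an active static route over its tunnel interface). `add-default-route=no` matters: without it a client would pull its internet traffic through the peer site.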

joshaven, thank you for your reply.
Can you suggest something with the strongest security?

I have to use one subnet for sync purposes (iOS devices with iTunes). Could I configure the router to broadcast traffic within this subnet only to local addresses (to prevent a lot of traffic)?

If your security concerns are high (like millions of dollars of liability high), then I would recommend creating an IPsec VPN tunnel. However, an IPsec VPN is an order of magnitude more complicated to set up.

As I understand, the main security concern with a PPTP VPN is that the initial connection (if captured during authentication) can be used to exploit the VPN, because the authentication procedure is not encrypted. The data that is passed through the VPN tunnel, however, is secure. Unless you’re seriously concerned about someone actively sitting in the path of your traffic and targeting your VPN connection, then you will realistically have all the security you need for personal or most professional use. I understand that PPTP is able to be secure; it is just that not all installations are inherently secure. If you do a good job with firewall rules etc., then I believe you can compensate for any security flaws. If you are considering PPTP, then I would recommend reading up on the flaws.

In regards to bridging only the sync data…
You can set up an EoIP tunnel between the sites through the VPN tunnel to bridge the traffic. Then you can set up a bridge filter to accept bridged traffic across the EoIP bridge when the source MAC address matches any of the devices that use Apple’s sync. I would consider using a MAC address match that matches any MAC in Apple’s range. Finally, set up a bridge filter to drop any other broadcast traffic. This will in effect create a layer 2 bridge between the devices that you want to sync but not bridge anything else.

As I understand, you can actually have the devices on unique subnets as long as you can pass mDNS messages between the subnets. I believe the only layer 2 requirement is mDNS traffic, which uses broadcast traffic to resolve the IP, so as long as you are on the same layer 2 network (EoIP) you should be able to be on different subnets where all needed layer 3 traffic is being fully routed.
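The EoIP-plus-bridge-filter design from the previous two replies, as an added RouterOS 6.x example that is not configuration from the thread. It assumes the site-to-site tunnels already exist with endpoints 10.255.0.1 (A), 10.255.0.2 (B) and 10.255.0.3 (C), that the LAN port is called ether2-master-local (the RB951G default name; adjust to yours), and that XX:XX:XX is a placeholder for the OUI prefix of the devices that sync (Apple uses many OUIs, so list one rule per prefix or per device MAC). It covers both ideas in the replies: frames from the sync devices cross the EoIP ports, mDNS (UDP 5353 to 224.0.0.251, which is multicast rather than broadcast, so it needs its own accept rule) crosses too, and nothing else does. To avoid the loop the first reply warns about, only router A terminates EoIP tunnels (a star, not a ring), and the bridge runs RSTP as a second safeguard.

```routeros
# Added example (not from the thread). Assumed values: tunnel endpoints
# 10.255.0.1/2/3 for A/B/C, LAN port ether2-master-local, XX:XX:XX = placeholder OUI.

# ---------- Router A: hub that bridges towards B and C ----------
/interface eoip add name=eoip-to-B local-address=10.255.0.1 remote-address=10.255.0.2 tunnel-id=1
/interface eoip add name=eoip-to-C local-address=10.255.0.1 remote-address=10.255.0.3 tunnel-id=2
# RSTP blocks a redundant path if one is ever added by mistake.
/interface bridge add name=br-sync protocol-mode=rstp
/interface bridge port add bridge=br-sync interface=ether2-master-local
/interface bridge port add bridge=br-sync interface=eoip-to-B
/interface bridge port add bridge=br-sync interface=eoip-to-C
# The LAN IP address must now live on the bridge, not on the port:
# /ip address set [find interface=ether2-master-local] interface=br-sync

# Bridge filter (forward chain = frames switched between bridge ports).
# 1. Frames sent by a sync device, matched by OUI, may cross any port.
/interface bridge filter add chain=forward \
    src-mac-address=XX:XX:XX:00:00:00/FF:FF:FF:00:00:00 action=accept \
    comment="sync devices by OUI (one rule per prefix)"
# 2. mDNS so devices on different sites can discover each other.
/interface bridge filter add chain=forward mac-protocol=ip ip-protocol=udp dst-port=5353 \
    dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF action=accept \
    comment="mDNS to 224.0.0.251"
# 3. Everything else stays off the tunnels, in both directions.
/interface bridge filter add chain=forward in-interface=eoip-to-B action=drop
/interface bridge filter add chain=forward out-interface=eoip-to-B action=drop
/interface bridge filter add chain=forward in-interface=eoip-to-C action=drop
/interface bridge filter add chain=forward out-interface=eoip-to-C action=drop

# ---------- Router B (router C is the same with tunnel-id=2 and local 10.255.0.3) ----------
/interface eoip add name=eoip-to-A local-address=10.255.0.2 remote-address=10.255.0.1 tunnel-id=1
/interface bridge add name=br-sync protocol-mode=rstp
/interface bridge port add bridge=br-sync interface=ether2-master-local
/interface bridge port add bridge=br-sync interface=eoip-to-A
/interface bridge filter add chain=forward \
    src-mac-address=XX:XX:XX:00:00:00/FF:FF:FF:00:00:00 action=accept
/interface bridge filter add chain=forward mac-protocol=ip ip-protocol=udp dst-port=5353 \
    dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF action=accept
/interface bridge filter add chain=forward in-interface=eoip-to-A action=drop
/interface bridge filter add chain=forward out-interface=eoip-to-A action=drop
```

`/interface bridge filter print stats` shows per-rule packet counters, so after a sync attempt you can confirm the OUI and mDNS rules are the ones counting and the drop rules are absorbing the rest of the LAN chatter. The `tunnel-id` must match on both ends of each EoIP tunnel, and because EoIP adds its own header inside the PPTP tunnel, lower the MTU on the EoIP interfaces if large frames stop passing.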