VPN subnets

I would like to ask you to suggest best practices for this:
The office router is an RB3011 and I would like to set up VPN access
with different "access layers" based on user names / groups.
At the moment I have an OpenVPN server; each user is assigned
to one of the remote address pools (a range of a few IPs) acting as a "group",
where the particular IP range is filtered to access only allowed services.

I bet there is a better solution. Is it possible, e.g., to put groups of VPN clients
into separate VLANs, together with other groups of LAN hosts?
E.g. remote user X, remote user Y and local user A will be in VLAN 100,
remote user Z and local users B and C will be in VLAN 200, etc.? Is it possible
to put one user into multiple VLANs at the same time?

I would also like to extend VPN access to have one "group" for remote VoIP access.
It should be used for SW phones on users' systems, plus some other MikroTik boards will
connect, and over that VPN there will be EoIP, so remote HW phones will be able to act the same
way as if directly connected at the office.
The idea is to set up a VPN connection from the remote board to the main RB3011, run EoIP over that VPN
and bridge it with the ETH ports dedicated to HW phones, so all traffic from the HW phones (including
DHCP) will reach the main RB3011. Will it work this way?

Thank you in advance for any suggestions.

