patera
just joined
Topic Author
Posts: 5
Joined: Fri May 17, 2019 5:24 pm

Routing multiple VPN networks same subnet HOW?

Thu Mar 26, 2020 4:36 pm

Hello,
I have situation where we have multiple networks with mikrotik routers(R1,R2etc.) on different locations and each of them is 192.168.1.0/24. I want them all to connect to one ovpn server at company headquarters mikrotik(HQ), that is not a problem. But now I want to access devices behind R1, R2... from the HQ router. Could anyone point me how to setup routing when IPs on R1, R2... networks are the same? I can imagine "something" to substitute R1 network 192.168.1.5 to 192.168.100.5, R2 network 192.168.1.5 to 192.168.101.5 etc. but have no idea how to aproach this. Thank you.
 
pe1chl
Forum Guru
Posts: 6324
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routing multiple VPN networks same subnet HOW?

Thu Mar 26, 2020 4:58 pm

While it is possible to fix this problem using NAT (network translation), I would advise you to spend your effort on renumbering the networks from 192.168.1.0/24 to a different network at each location.
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing multiple VPN networks same subnet HOW?

Thu Mar 26, 2020 7:24 pm

Definitely think about renumbering, it's the correct long-term solution. But if you really can't, NAT is your friend. You need to choose new "virtual" subnets and use netmap for incoming and outgoing traffic. When connecting to a remote subnet, use its virtual range. Example:

Site A: 192.168.1.0/24 (real), 192.168.10.0/24 (virtual)
Site B: 192.168.1.0/24 (real), 192.168.20.0/24 (virtual)

On router A:
/ip firewall nat
# A's real LAN talking to B's virtual range leaves with A's virtual range as source
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.20.0/24 action=netmap to-addresses=192.168.10.0/24
# traffic from B aimed at A's virtual range is rewritten to A's real LAN
add chain=dstnat src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=netmap to-addresses=192.168.1.0/24

On router B:
/ip firewall nat
# mirror image of router A: B's real LAN appears as 192.168.20.0/24
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.10.0/24 action=netmap to-addresses=192.168.20.0/24
add chain=dstnat src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=netmap to-addresses=192.168.1.0/24
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
patera
just joined
Topic Author
Posts: 5
Joined: Fri May 17, 2019 5:24 pm

Re: Routing multiple VPN networks same subnet HOW?

Fri Mar 27, 2020 1:03 pm

Thank you for the replies, guys. I definitely agree that renumbering those networks is the better way, but that's not possible: those networks are maintained by different admins and belong to different customers. We have some of our devices attached to those networks and want to manage/monitor them remotely. I will look at netmap, that might be the way. Sob, would you please suggest a config for a situation like this:
Site A: 192.168.1.0/24 (real), 192.168.10.0/24 (virtual)
Site B: 192.168.1.0/24 (real), 192.168.20.0/24 (virtual)

OVPNSRV: 56.8.13.7 (eth0), 172.16.1.1 (ovpn)
VPN CLIENT ROUTER A @ SITE A: 192.168.1.13 (eth0, local DHCP client), 172.16.1.2 (ovpn)
VPN CLIENT ROUTER B @ SITE B: 192.168.1.65 (eth0, local DHCP client), 172.16.1.3 (ovpn)

DEVICE A1 @ SITE A: 192.168.1.110
DEVICE A2 @ SITE A: 192.168.1.111

DEVICE B1 @ SITE B: 192.168.1.110
DEVICE B2 @ SITE B: 192.168.1.111
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing multiple VPN networks same subnet HOW?

Fri Mar 27, 2020 6:48 pm

If I understand it correctly:

- Your own HQ network is not 192.168.1.0/24
- Remote routers are not main routers (default gateway) for remote sites, they are just devices in their LAN, connected behind another router

Then what exactly do you need?

- Connect from HQ to remote networks - yes
- Connect from remote networks to HQ - ???

If my understanding is correct, then route 192.168.10.0/24 to client A and 192.168.20.0/24 to client B (see Routes in PPP secret) and on the client routers do (example for the first one):
/ip firewall nat
# HQ addresses the site by its virtual range; rewrite it to the real LAN on the way in
add chain=dstnat dst-address=192.168.10.0/24 action=netmap to-addresses=192.168.1.0/24
If ??? is "no", then:
/ip firewall nat
# hide HQ behind the client router's own LAN address, so the site's main router needs no extra route
add chain=srcnat out-interface=<LAN interface> action=masquerade
If ??? is "yes", then:
/ip firewall nat
# connections from the real LAN towards HQ leave with the site's virtual range as source
add chain=srcnat src-address=192.168.1.0/24 dst-address=<your HQ network> action=netmap to-addresses=192.168.10.0/24
But for this you'd also need help from the site's main router, which would need to have a route to <your HQ network> via 192.168.1.13. In any case, to connect to device A1 you'd use 192.168.10.110, for A2 192.168.10.111, for B1 192.168.20.110, etc.
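As an added example that is not Sob's code or anything from MikroTik, the following Python models what the netmap rules in both of Sob's replies do (a 1:1 rewrite that keeps the host bits and swaps only the network bits), checks that the chosen virtual ranges do not collide with each other or with the HQ LAN, and renders the per-site rule pair. The HQ LAN 10.0.0.0/24 is a constructed placeholder, since the thread only says HQ is not 192.168.1.0/24; the two sites and their virtual ranges are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed placeholder for the HQ LAN (the thread never names it).
HQ_LAN = ipaddress.IPv4Network("10.0.0.0/24")


@dataclass(frozen=True)
class Site:
    name: str
    real: ipaddress.IPv4Network     # the LAN actually in use at the site
    virtual: ipaddress.IPv4Network  # the unique range HQ uses to reach it


# The two sites from the thread: both really use 192.168.1.0/24.
SITES = [
    Site("A", ipaddress.IPv4Network("192.168.1.0/24"), ipaddress.IPv4Network("192.168.10.0/24")),
    Site("B", ipaddress.IPv4Network("192.168.1.0/24"), ipaddress.IPv4Network("192.168.20.0/24")),
]


def netmap(addr: str, src_net: ipaddress.IPv4Network, dst_net: ipaddress.IPv4Network) -> str:
    """Model of RouterOS action=netmap: keep the host part of addr, replace the
    network part of src_net with that of dst_net (192.168.1.110 -> 192.168.10.110)."""
    ip = ipaddress.IPv4Address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("netmap needs two networks of the same size")
    if ip not in src_net:
        raise ValueError(f"{ip} is not inside {src_net}")
    host_bits = int(ip) - int(src_net.network_address)
    return str(ipaddress.IPv4Address(int(dst_net.network_address) + host_bits))


def check_plan(hq: ipaddress.IPv4Network, sites: List[Site]) -> List[str]:
    """Return the reasons a plan is ambiguous. An empty list means every address
    HQ will dial belongs to exactly one site, so the HQ routes are unambiguous."""
    problems = []
    labelled = [("HQ LAN", hq)] + [(f"site {s.name} virtual", s.virtual) for s in sites]
    for i, (n1, r1) in enumerate(labelled):
        for n2, r2 in labelled[i + 1:]:
            if r1.overlaps(r2):
                problems.append(f"{n1} {r1} overlaps {n2} {r2}")
    for s in sites:
        if s.real.prefixlen != s.virtual.prefixlen:
            problems.append(f"site {s.name}: real {s.real} and virtual {s.virtual} differ in size")
    return problems


def routeros_rules(site: Site, hq: ipaddress.IPv4Network) -> List[str]:
    """Render the rule pair for one client router: dstnat turns the virtual
    destination HQ used into the real LAN address; srcnat turns the real source
    back into the virtual range so HQ sees a unique peer per site."""
    return [
        "/ip firewall nat",
        f"add chain=dstnat dst-address={site.virtual} action=netmap "
        f"to-addresses={site.real} comment=\"HQ -> site {site.name}\"",
        f"add chain=srcnat src-address={site.real} dst-address={hq} action=netmap "
        f"to-addresses={site.virtual} comment=\"site {site.name} -> HQ\"",
    ]


if __name__ == "__main__":
    for problem in check_plan(HQ_LAN, SITES):
        print("PROBLEM:", problem)
    for site in SITES:
        print("\n".join(routeros_rules(site, HQ_LAN)))
        print(f"# device 192.168.1.110 at site {site.name} is reached from HQ as",
              netmap("192.168.1.110", site.real, site.virtual))
```

Run `check_plan` before touching the routers: a virtual range that overlaps another site's range or the HQ LAN would make the HQ route for that prefix ambiguous, and the netmap on both sides only stays a clean 1:1 mapping when the real and virtual networks are the same size.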
