JoaoS
just joined
Topic Author
Posts: 6
Joined: Thu May 14, 2020 9:18 pm

Ideas for S2S with internet centralization

Thu May 21, 2020 7:32 pm

Hi guys.

I would like the help of the experts.

I am planning a central structure for the internet navigation of the network, where I have the headquarters and the branch.

I would like to force all the branch's internet traffic to go out through the headquarters, without losing external access to the branch's RB.

For this I am studying and analyzing which methods and tools I would use.

I wanted your opinion.

For now I am thinking about setting up an IPsec VPN between the two units and, with mangle rules, redirecting web browsing to the headquarters router.

That way I would not lose access to the RB from the outside for any maintenance emergency, there would be no need to change the default route, and the IPsec VPN as it is would be perfect and safe.

However, I don't know if this would be an intelligent choice or better management. There may be other, more dynamic VPN or routing protocols that would help me in the future to manage more branches.

My main idea is not to manage the branch office firewalls with too many rules, centralizing the browsing in one firewall that would give me a single point of maintenance.

I thank you in advance for your understanding, and for your time in reading and helping.

Forgive my English.
 
solar77
Long time Member
Posts: 531
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Ideas for S2S with internet centralization  [SOLVED]

Fri May 22, 2020 1:04 pm

Your plan is doable and might be easier than you think.
Let's assume a few things:
Site A (HQ) and site B (Branch) both have a static IP and a good internet connection, not just download but also upload bandwidth. What is good? It depends on your application.
Also, to do IPsec you need good performance on both routers at each site. What is good? It depends on your application. But in general this is not the place you want to cut corners: you save a penny here, it will cost you a pound in the long term.

Now the configuration.
Set up the VPN with IPsec; you can search for tutorials on this.

Also on the site B router:
What you want is to set up mangle rules for mark-routing: mark Winbox traffic first (as Winbox_traffic), with no passthrough, then mark the rest (as Office_traffic, for example), so that you can add rules in your routing table (this is on the router at site B) for Winbox_traffic to go to your default internet gateway and only Office_traffic to go through the VPN connection.

Hope this helps you.
MTCNA MTCTCE UEWA
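As an added illustration of the "mark Winbox first, then mark the rest" layout described above (this is not configuration from the thread or from either poster): a site B RouterOS v6 sketch. Assumed names and addresses: branch LAN 192.168.20.0/24, WAN ether1 with ISP gateway 203.0.113.1, Winbox on its default TCP port 8291, and an IPsec-protected tunnel interface gre-hq to HQ so office traffic can be sent to HQ by an ordinary route.

```routeros
# Added example (assumed addresses and interface names, see lead-in).

/ip firewall mangle
# 1. Winbox_traffic: management sessions to this router and the router's own
#    replies. passthrough=no stops rule 2 from re-marking them, so maintenance
#    access never depends on the tunnel being up.
add chain=prerouting protocol=tcp dst-port=8291 \
    action=mark-routing new-routing-mark=Winbox_traffic passthrough=no \
    comment="inbound Winbox"
add chain=output protocol=tcp src-port=8291 \
    action=mark-routing new-routing-mark=Winbox_traffic passthrough=no \
    comment="Winbox replies go back via ISP"
# 2. Office_traffic: everything the branch LAN originates.
add chain=prerouting src-address=192.168.20.0/24 \
    action=mark-routing new-routing-mark=Office_traffic passthrough=no \
    comment="branch users -> HQ"

/ip route
# Main table keeps the normal ISP default route untouched, so the router
# itself (and anything unmarked) still reaches the internet directly.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="default via ISP"
# Marked tables: Winbox via ISP, office traffic over the tunnel to HQ.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=Winbox_traffic
add dst-address=0.0.0.0/0 gateway=gre-hq routing-mark=Office_traffic \
    comment="force branch internet through HQ"

# Check: "/ip route print where routing-mark=Office_traffic" should list the
# tunnel route, and "/ip firewall mangle print stats" should show rule 2's
# counters rising while a LAN host browses.
```

The HQ side needs the matching pieces: a route for 192.168.20.0/24 back over the tunnel and a src-nat rule covering the branch LAN on the HQ WAN. Traffic the branch router originates itself (DNS forwarding, NTP) stays on the ISP path unless it is also marked in chain=output.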
 
JoaoS
just joined
Topic Author
Posts: 6
Joined: Thu May 14, 2020 9:18 pm

Re: Ideas for S2S with internet centralization

Fri May 22, 2020 5:20 pm

> Your plan is doable and might be easier than you think.
> Let's assume a few things:
>
> Site A (HQ) and site B (Branch) both have a static IP and a good internet connection, not just download but also upload bandwidth. What is good? It depends on your application.

My application consumes little and runs on top of terminals. My links are good, my HQ has a 50Mbps link. The Branch will have 10Mbps. The branch will not have many users, it will have 5 or 6.


> Also, to do IPsec you need good performance on both routers at each site. What is good? It depends on your application. But in general this is not the place you want to cut corners: you save a penny here, it will cost you a pound in the long term.

I'm on site A with an RB1100AHx4 and on site B I intend to use the RB760iGS, both of which I found to have IPsec hardware support; I believe this qualifies as good VPN performance with less load on the RB. I just don't know whether the hardware encryption will work as soon as I activate IPsec, or whether I need some extra steps?


> Now the configuration.
> Set up the VPN with IPsec; you can search for tutorials on this.

Configuring IPsec I already know, and in the lab I was able to reproduce it.


> Also on the site B router:
> What you want is to set up mangle rules for mark-routing: mark Winbox traffic first (as Winbox_traffic), with no passthrough, then mark the rest (as Office_traffic, for example), so that you can add rules in your routing table (this is on the router at site B) for Winbox_traffic to go to your default internet gateway and only Office_traffic to go through the VPN connection.

In the lab my mangle rules marked only the traffic on the site B network; I will review and apply it according to your suggestion. It's more organized.
So is the way I intend to apply it the best way? Can you think of any other method of connecting and routing the internet from site B to A?


> Hope this helps you.

It is helping a lot, thanks for your patience.
 
JoaoS
just joined
Topic Author
Posts: 6
Joined: Thu May 14, 2020 9:18 pm

Re: Ideas for S2S with internet centralization

Fri May 22, 2020 6:55 pm

Where could I learn more about mangle? With examples.
 
solar77
Long time Member
Posts: 531
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Ideas for S2S with internet centralization

Fri May 22, 2020 9:00 pm

What is the upload capacity at HQ? This will also limit the download capacity for your branch. I'm assuming it's more than 10 Mbps.
The hardware looks fine to me, but other experts feel free to comment.

As for mangle, you could look at
https://wiki.mikrotik.com/wiki/Per-Traf ... ic_traffic

This would be a good starting point.
MTCNA MTCTCE UEWA
 
JoaoS
just joined
Topic Author
Posts: 6
Joined: Thu May 14, 2020 9:18 pm

Re: Ideas for S2S with internet centralization

Sun May 24, 2020 6:06 pm

> What is the upload capacity at HQ? This will also limit the download capacity for your branch. I'm assuming it's more than 10 Mbps.
> The hardware looks fine to me, but other experts feel free to comment.
>
> As for mangle, you could look at
> https://wiki.mikrotik.com/wiki/Per-Traf ... ic_traffic
>
> This would be a good starting point.

Speeds are 50/50 and 10/10.

Thank you very much for sharing your knowledge.

I appreciate your time; you cleared up my doubts. Now I must walk alone. Thankful.
