drasko
just joined
Topic Author
Posts: 7
Joined: Wed Apr 14, 2021 11:36 pm

Connect locations with mikrotik

Thu Apr 15, 2021 11:14 pm

Hi all,

At our company with three locations we want to connect three LAN networks by using IPsec tunnels. My idea is to use three RB2011UiAS-2HnD-IN routers. From the ISP we can get static public IP addresses only if we set the MikroTik up as a PPPoE client. The ISP will provide us with an ADSL modem in bridge mode and my MikroTik must have a PPPoE interface where the public IP address will be obtained. My question is whether I can create IPsec tunnels by using PPPoE interfaces with public addresses? I do not expect IPsec bandwidth of more than a few Mbps (up to 5 Mbps). It will be very valuable for me if anybody has experience with this type of VPN and also if there is some manual on how to configure this on MikroTik.

Thank you in advance!
Best regards,
Drasko
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Connect locations with mikrotik

Thu Apr 15, 2021 11:43 pm

PPPoE is just the local point-to-point protocol between your RB and your ISP.
When the link is established your RB will have a normal WAN interface for use.
Creating a site-2-site link should not impose a problem, especially with a static IP on each site/connection.

My advice for linking the three networks would be to use GRE tunnels (two for each site, one for up- and downstream each)..
If you want to use IPsec for these links, this is easy as it is only a parameter to enable this in the GRE link setup - however the RB2011 does not come with hardware acceleration, so running a set of links across all sites could impose some stress.
Last edited by Hominidae on Thu Apr 15, 2021 11:44 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connect locations with mikrotik

Thu Apr 15, 2021 11:43 pm

If this is for a business, I suggest it be done by somebody knowledgeable in IPsec VPN and in MT devices.
https://mikrotik.com/consultants
 
drasko
just joined
Topic Author
Posts: 7
Joined: Wed Apr 14, 2021 11:36 pm

Re: Connect locations with mikrotik

Fri Apr 16, 2021 12:13 am

Thank you very much for the response, Hominidae. First I will try with encryption, as my traffic should not be more than 5 Mbps max between locations; I expect that it should be supported by the RB2011. But in case it will be too much for it I will migrate to GRE :)
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Connect locations with mikrotik

Fri Apr 16, 2021 12:41 am

....I actually suggested the other way around.
Use GRE, as you can use GRE with or without IPsec encryption....in case there is a performance issue, just disable IPsec for the GRE tunnel...no migration of concepts needed.
 
drasko
just joined
Topic Author
Posts: 7
Joined: Wed Apr 14, 2021 11:36 pm

Re: Connect locations with mikrotik

Fri Apr 16, 2021 9:42 am

Yes, understood, but I am concerned about the many overheads in the packets (PPPoE+GRE+IPsec). Anyway, I will try GRE+IPsec first, as I also think it is the best method, and will see how it works.

Best regards,
Drasko
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Connect locations with mikrotik

Fri Apr 16, 2021 1:59 pm

PPPoE overhead you cannot overcome, but this is only the short path between your local WAN interface and your ISP.
You can try and optimize the MTU on that interface.
AFAIK, these are the defaults:
  • TCP: 20 Byte (MTU 1452 Byte)
  • IP: 20 Byte (MTU 1472 Byte)
  • GRE: 24 Byte (MTU 1476 Byte)
  • PPP+PPPoE: 8 Byte (MTU 1492 Byte)
  • Ethernet: 26 Byte Header and CRC (MTU 1500 Byte)
  • ATM: 5 Byte Header (total cell 53 Byte)
So adding GRE over your PPPoE is a significant overhead, but only if you have a very small bandwidth....not a big deal if you plan for 5 Mbps throughput.
Is your ISP line symmetric or asymmetric?
 
drasko
just joined
Topic Author
Posts: 7
Joined: Wed Apr 14, 2021 11:36 pm

Re: Connect locations with mikrotik

Fri Apr 16, 2021 4:57 pm

I have 50/8 Mbps at the central location and 10/1 Mbps at the remote.

Best regards,
Draško
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Connect locations with mikrotik

Fri Apr 16, 2021 5:29 pm

Unless you already have the RB2011 routers I would recommend using RB750Gr3 as these are much better suited for GRE/IPsec.

Don't bother trying to setup direct IPsec tunnels, it is a waste of effort to get that all working correctly.
Setup GRE/IPsec and set a /30 address on each of the tunnel endpoints.
Then configure static routes or setup BGP (very easy!) to get the routing.
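The configuration pe1chl sketches (GRE protected by IPsec, a /30 on each tunnel end, static routes) together with Hominidae's points about enabling IPsec on the GRE link and about MTU over PPPoE, as an added example that is not part of the thread and not anyone's posted config. It assumes RouterOS v6 on the RB2011, ISP static addresses 203.0.113.1 (central, site A) and 198.51.100.1 (site B) landing on the PPPoE interface, LANs 192.168.10.0/24 and 192.168.20.0/24, and tunnel subnet 10.255.0.0/30; all of these names, addresses, users and the PSK are placeholders. Site C is the same pattern with a second GRE interface and a second /30.

```routeros
# Added example, not from the thread. Assumed: RouterOS v6, site A public
# 203.0.113.1, site B public 198.51.100.1, A LAN 192.168.10.0/24,
# B LAN 192.168.20.0/24, tunnel /30 10.255.0.0/30.

# ---- Site A (central) ----
# 1. PPPoE client towards the ISP modem in bridge mode. 1492 is the usual
#    PPPoE-over-Ethernet MTU (1500 minus 8 bytes PPP+PPPoE).
/interface pppoe-client add name=pppoe-out1 interface=ether1 user="isp-user-A" \
    password="isp-password-A" max-mtu=1492 max-mru=1492 add-default-route=yes \
    use-peer-dns=yes disabled=no

# 2. Tighten the IPsec defaults first: ipsec-secret= on a GRE interface
#    auto-creates a peer and policy that use the "default" profile/proposal,
#    and those dynamic entries cannot be edited afterwards.
/ip ipsec profile set default enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal set default enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# 3. GRE tunnel with IPsec (transport mode, pre-shared key).
#    MTU budget: 1492 (PPPoE) - 24 (GRE) - ESP overhead (roughly 50-60 bytes
#    for AES-CBC/SHA256 once 16-byte padding is included) is about 1410;
#    1400 leaves margin. clamp-tcp-mss rewrites the MSS of TCP SYNs crossing
#    the tunnel so hosts do not have to rely on PMTUD working through the ISP.
/interface gre add name=gre-siteB local-address=203.0.113.1 remote-address=198.51.100.1 \
    ipsec-secret="use-a-long-random-psk" mtu=1400 clamp-tcp-mss=yes keepalive=10s,10

# 4. /30 on the tunnel and a static route to the remote LAN via the far end.
/ip address add address=10.255.0.1/30 interface=gre-siteB
/ip route add dst-address=192.168.20.0/24 gateway=10.255.0.2 distance=1

# 5. Input firewall: only IKE, ESP and GRE from the known peer. GRE is accepted
#    only when the packet was decrypted from IPsec (ipsec-policy=in,ipsec), so
#    cleartext GRE from a spoofed source cannot inject traffic into the LAN.
#    place-before=0 puts each rule at the top, above the usual input drop rule.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=198.51.100.1 in-interface=pppoe-out1 comment="IKE from site B" place-before=0
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=198.51.100.1 in-interface=pppoe-out1 comment="ESP from site B" place-before=0
/ip firewall filter add chain=input action=accept protocol=gre src-address=198.51.100.1 \
    ipsec-policy=in,ipsec comment="GRE only when it arrived inside IPsec" place-before=0

# 6. Keep the WAN masquerade rule away from site-to-site traffic: exempt it
#    above the masquerade rule, otherwise the remote LAN sees NATed sources.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 comment="no NAT for site-to-site" place-before=0

# ---- Site B (remote): the mirror image ----
/interface pppoe-client add name=pppoe-out1 interface=ether1 user="isp-user-B" \
    password="isp-password-B" max-mtu=1492 max-mru=1492 add-default-route=yes disabled=no
/ip ipsec profile set default enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal set default enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/interface gre add name=gre-siteA local-address=198.51.100.1 remote-address=203.0.113.1 \
    ipsec-secret="use-a-long-random-psk" mtu=1400 clamp-tcp-mss=yes keepalive=10s,10
/ip address add address=10.255.0.2/30 interface=gre-siteA
/ip route add dst-address=192.168.10.0/24 gateway=10.255.0.1 distance=1
# ...plus the same input and srcnat rules with 203.0.113.1 and the two LANs swapped.

# ---- Checks once both PPPoE sessions are up ----
# Phase 1 established with the peer:
/ip ipsec active-peers print
# ESP SAs installed in both directions:
/ip ipsec installed-sa print
# GRE interface shows the running (R) flag:
/interface gre print
# Largest packet that crosses the tunnel without fragmentation:
/ping 10.255.0.2 size=1400 do-not-fragment
```

Two design points worth stating: the firewall accepts GRE only with `ipsec-policy=in,ipsec`, so a GRE packet that did not come out of an ESP SA is dropped rather than decapsulated, and the MTU on the GRE interface is set explicitly rather than left at the 1476 default, because that default assumes a 1500-byte path and does not account for the PPPoE or ESP bytes. If the DF ping at 1400 fails but succeeds at a smaller size, lower `mtu=` on both GRE interfaces to the largest value that passes; `clamp-tcp-mss=yes` follows the interface MTU automatically.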
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Connect locations with mikrotik

Fri Apr 16, 2021 10:35 pm

I have 50/8 Mbps at the central location and 10/1 Mbps at the remote.
...so each remote site will have a max download of 8 Mbps, while central will see a max download from each site of 1 Mbps each.
I can see why you are worried about some overhead.
Nevertheless, using GRE is your best option....just don't try to run an SMB service across ;-)
 
drasko
just joined
Topic Author
Posts: 7
Joined: Wed Apr 14, 2021 11:36 pm

Re: Connect locations with mikrotik

Sat Apr 17, 2021 12:31 am

My concept is that I will have the core business app at the central location and the remote location will connect to the server and download data from it, but the data is numeric and string values and it will not generate such huge traffic. But I will also have SMB storage at the central location from which the remote will download data, but it will be some Word and Excel files and I hope that it will not be a big deal for a GRE connection without IPsec.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Connect locations with mikrotik

Sat Apr 17, 2021 12:44 am

When you indeed have numerical and text data you could consider looking at "/ip packing" (compression). Normally it will not be useful, as today data is usually encrypted or already compressed.
When you have only certain files that you need to access read-only, then you can consider using some form of mirroring (rsync, robocopy etc.) to copy the files to a local server.

I have worked for a long time with a network like that. We had servers on all sites and used such methods to e.g. sync large directories during the night.
Fortunately, our company now has fewer locations, the links are faster, and we don't have that many local files anymore.
