zalexp
just joined
Topic Author
Posts: 10
Joined: Thu Jul 19, 2012 12:47 pm
Location: Russia, Stavropol

need advice on multi-wan multi-office vpn

Tue Sep 03, 2013 3:03 pm

Hi All!
I've implemented the setup in the subject as follows:
mikrotik-office1 --- [2 x eoip over ipsec = bonding1] ---
                                                               \
                                                               [bridge-central] --- mikrotik-main-office
                                                               /
mikrotik-office2 --- [2 x eoip over ipsec = bonding2] ---                        
....

Offices can have several ISPs. I am using static routing.
I am not satisfied with this setup because of rare failures and the manual work needed to recover from them.
The router needs a reboot, or I have to toggle EoIP on/off. Failures happen when a provider fails, but only seldom. I think this is a bug with bonding EoIP (or bridging, I forgot which one), because once it just disappeared after turning EoIP on and off. I had to recreate another instance; that didn't help, and after a reboot there were 2 instances.

But the question is: how would you implement that connection using MikroTiks? Best practices...
You can just point me the right way, no precise configs needed.
Thanks!
 
 
zalexp
just joined
Topic Author
Posts: 10
Joined: Thu Jul 19, 2012 12:47 pm
Location: Russia, Stavropol

Re: need advice on multi-wan multi-office vpn

Mon Sep 09, 2013 3:22 pm

You recommend reading about PCC and load balancing. I've read it many times ))), so PCC is already working.
My question is more about routing and VPN based on MikroTik.
 
alex_rhys-hurn
Member
Posts: 319
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: need advice on multi-wan multi-office vpn

Thu Dec 05, 2013 9:53 am

Hello,

I would suggest that you remove the bonding and move over to OSPF ECMP (Equal cost multipathing).

I don't tend to use the EoIP tunnels because they are proprietary to MikroTik, and so we do this with IPIP tunnels.

So:

Step 1: build IPIP tunnels between the offices, two tunnels for each branch office, one via each separate ISP.
Step 2: encrypt the tunnels with IPsec.
Step 3: configure OSPF to run INSIDE the IPIP tunnels, set the interfaces to point-to-point, and give each of them an equal cost (say 10).

That should work well, giving both load balancing and failover, as well as dealing with the static routes that are a pain to manage.

Greg Sowell has a great video on this that can help you.

Alex
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: need advice on multi-wan multi-office vpn

Thu Dec 05, 2013 12:23 pm

I would also advise using standardized VPN methods (L2TP/IPsec) and using OSPF for L3 load balancing and failover.

There is a presentation in my sig regarding L2TP/IPsec setup which should tell you all you need to know.

Then just set up OSPF correctly, and it will work.
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
alex_rhys-hurn
Member
Posts: 319
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: need advice on multi-wan multi-office vpn

Thu Dec 05, 2013 2:03 pm

Tomaskir,

We meet again! Yes, I have looked at your video and am in the process of trialling it, as it should solve some of the complexity of rolling out new sites. Very nice design.

We are currently doing this on 75 Branches, and your solution addresses a number of scalability problems.

Best,

Alex
 
zalexp
just joined
Topic Author
Posts: 10
Joined: Thu Jul 19, 2012 12:47 pm
Location: Russia, Stavropol

Re: need advice on multi-wan multi-office vpn

Thu Dec 05, 2013 4:04 pm

Thanks for your answers guys.

Just a couple of days ago I decided to revise the network config from my first post, and made EoIP over IPsec but without bonding, like you suggest :D
I made 2 different EoIPs from one end and bridged them on the other end (/24 network), but they show an error in the OSPF log about locally originated packets. And the idea was to make them point-to-point (/30).

Tomaskir, I tried to set up an L2TP server about a year ago, but it listens only on one of several ISP interfaces. Am I wrong?
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: need advice on multi-wan multi-office vpn

Thu Dec 05, 2013 4:30 pm

If you bridge them, that will create an L2 loop (as EoIP interfaces are L2 interfaces). That is why OSPF was complaining about receiving locally originated packets.
Also, watch the MTU on the EoIP interfaces to avoid fragmentation.

All in all, I really recommend L2TP/IPsec with OSPF for all routing needs.

Yes, L2TP has a bug with replying from the wrong address, but it's easily solved with NAT.
Look here for a solution: http://forum.mikrotik.com/viewtopic.php ... 43#p373945
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
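Putting alex_rhys-hurn's three steps (IPIP tunnels, one per ISP; IPsec on each; OSPF point-to-point with equal cost) and tomaskir's two cautions (no bridging of parallel tunnels, watch the MTU) into one branch-router configuration, as an added example that is not from any poster in this thread and not a MikroTik-supplied config. It uses RouterOS 6.x-era command syntax for one branch (office1) with two ISPs; the main-office router would carry the mirror image (its own two WAN addresses, the other /30 halves, the same PSKs, cost 10). Every address, interface name and pre-shared key is a constructed placeholder:

```routeros
# Added example, not from the thread. Branch router "office1", RouterOS 6.x syntax.
# Assumed (constructed) addressing:
#   ISP1 WAN 203.0.113.10/24, gateway 203.0.113.1   ISP2 WAN 198.51.100.10/24, gateway 198.51.100.1
#   Main office endpoint via ISP1: 192.0.2.10        via ISP2: 192.0.2.20
#   Branch LAN 192.168.1.0/24 on bridge-lan

# 1. Pin each remote tunnel endpoint to its own ISP gateway, so each IPIP tunnel
#    really leaves through a separate uplink instead of the currently active default.
/ip route
add dst-address=192.0.2.10/32 gateway=203.0.113.1 comment="ipip-isp1 outer path"
add dst-address=192.0.2.20/32 gateway=198.51.100.1 comment="ipip-isp2 outer path"

# 2. Two IPIP tunnels, each bound to the WAN address of its ISP. The MTU is lowered
#    to leave room for the IPIP header plus ESP overhead and avoid fragmentation.
/interface ipip
add name=ipip-isp1 local-address=203.0.113.10 remote-address=192.0.2.10 mtu=1400
add name=ipip-isp2 local-address=198.51.100.10 remote-address=192.0.2.20 mtu=1400

# 3. One /30 per tunnel, routed point-to-point. The tunnels are never bridged
#    together: two L2 paths to the same remote router is exactly the loop that
#    produced the "locally originated packets" OSPF errors in the thread.
/ip address
add address=10.255.1.1/30 interface=ipip-isp1
add address=10.255.2.1/30 interface=ipip-isp2
add address=192.168.1.1/24 interface=bridge-lan

# 4. IPsec in transport mode, matching only protocol 4 (ipencap) between the public
#    endpoints, so exactly the tunnel traffic is encrypted and nothing else.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer
add address=192.0.2.10/32 local-address=203.0.113.10 secret="CHANGE-ME-PSK-ISP1" \
    exchange-mode=main hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
add address=192.0.2.20/32 local-address=198.51.100.10 secret="CHANGE-ME-PSK-ISP2" \
    exchange-mode=main hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec policy
add src-address=203.0.113.10/32 dst-address=192.0.2.10/32 protocol=ipencap \
    action=encrypt level=require tunnel=no \
    sa-src-address=203.0.113.10 sa-dst-address=192.0.2.10 proposal=default
add src-address=198.51.100.10/32 dst-address=192.0.2.20/32 protocol=ipencap \
    action=encrypt level=require tunnel=no \
    sa-src-address=198.51.100.10 sa-dst-address=192.0.2.20 proposal=default

# 5. Only the IPsec control and data traffic from the two known endpoints is
#    accepted on the WAN side; the tunnels themselves carry everything else.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=192.0.2.10 action=accept
add chain=input protocol=ipsec-esp src-address=192.0.2.10 action=accept
add chain=input protocol=udp dst-port=500,4500 src-address=192.0.2.20 action=accept
add chain=input protocol=ipsec-esp src-address=192.0.2.20 action=accept

# 6. OSPF inside the tunnels: both interfaces point-to-point with equal cost 10, so
#    RouterOS installs one ECMP route with both tunnels as gateways and withdraws a
#    tunnel automatically when its OSPF neighbour times out (no static routes).
/routing ospf instance
set [ find default=yes ] router-id=10.255.0.1
/routing ospf interface
add interface=ipip-isp1 network-type=point-to-point cost=10
add interface=ipip-isp2 network-type=point-to-point cost=10
/routing ospf network
add network=10.255.1.0/30 area=backbone
add network=10.255.2.0/30 area=backbone
add network=192.168.1.0/24 area=backbone
```

To check the result: `/ip ipsec installed-sa print` should show an SA pair per tunnel, `/routing ospf neighbor print` should list two neighbours in state Full, and `/ip route print where ospf` should show the main-office prefixes with both 10.255.1.2 and 10.255.2.2 as gateways. Pulling one ISP's uplink then leaves a single gateway on those routes after the OSPF dead interval, with no reboot or interface toggling needed.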
