lorsungcu
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Jul 09, 2011 11:11 pm

Suggestions for hub/spoke routing

Wed Sep 17, 2014 6:41 am

Hello
I have ~15 remote locations with subnets similar to the following:

Location A:
10.0.0.0/29
10.0.1.0/29
192.168.0.0/25
192.168.0.128/25

Location n:
10.0.0.8/29
10.0.1.8/29
192.168.1.0/25
192.168.1.128/25

All locations would be connecting back to location A.

Currently we're bridging a single subnet between locations for voice, and other networks are not routed. I'd like to change that to something like the above, and do away with the bridging. Is something like IPSec + OSPF over GRE or IPIP the best way to go? Looking for as little overhead as possible with some amount of security.

Second question is less relevant to this forum, but is there a good way to automate deployment of this?


Thanks!
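As a starting point for the automation question above, here is an added example (not part of the original post) that derives each site's subnets from a site index and rejects any overlap before configuration is generated. It assumes the "Location n" pattern generalizes as an 8-address step per site in the 10.0.0.0/24 and 10.0.1.0/24 ranges and one 192.168.n.0/24 per site; the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

MAX_SITES = 32  # assumption: 32 /29 blocks fit in each 10.0.x.0/24 range


def site_plan(n):
    """Subnets for site index n (0 = Location A), following the post's pattern."""
    if not 0 <= n < MAX_SITES:
        raise ValueError("site index out of range for this scheme")
    lan = ipaddress.ip_network(f"192.168.{n}.0/24")
    return [
        ipaddress.ip_network(f"10.0.0.{8 * n}/29"),
        ipaddress.ip_network(f"10.0.1.{8 * n}/29"),
        *lan.subnets(new_prefix=25),  # the two /25 halves
    ]


def build_plan(sites):
    """Plan for `sites` locations; raises if any two subnets overlap."""
    plan = {n: site_plan(n) for n in range(sites)}
    flat = [(n, net) for n, nets in plan.items() for net in nets]
    for (a, x), (b, y) in combinations(flat, 2):
        if x.overlaps(y):
            raise ValueError(f"site {a} {x} overlaps site {b} {y}")
    return plan


def site_summary(n):
    """Fewest prefixes covering site n (the two /25s collapse into one /24)."""
    return list(ipaddress.collapse_addresses(site_plan(n)))


if __name__ == "__main__":
    for n, nets in build_plan(15).items():
        print(n, ", ".join(str(net) for net in nets))
```

The per-site prefix list is the input a template for tunnel, routing and firewall configuration would consume; the overlap check catches a numbering mistake before it reaches a router.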
 
NAB
Trainer
Posts: 542
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: Suggestions for hub/spoke routing

Wed Sep 17, 2014 11:20 am

When you say 'connecting back to A', how is this done? Physical cable/VPN/ISP?
 
DLNoah
Member Candidate
Posts: 144
Joined: Fri Nov 12, 2010 5:33 pm

Re: Suggestions for hub/spoke routing

Thu Sep 18, 2014 3:21 pm

We do something similar for one of our customers, using OpenVPN Server on the MT at the main office ("A"), and OpenVPN clients at the satellite locations. We find that OVPN has a much lower setup overhead than IPSec (once you have the initial certificates made for OVPN), and the way it handles dynamic IPs at the satellite locations is much more intuitive (in fact, OVPN Clients can even be behind one or more layers of NAT and connect just fine -- the server needs to either have a static IP or a functioning dynamic-DNS IP, and while you can port forward to the OVPN Server, you'll have less headache if the server is what holds the public IP).

Once we have the OVPN tunnel set up, we then use OSPF to handle distributing the routes. In our case, we want a "split tunnel" configuration -- Internet bound traffic from the satellite locations should not transit the VPN.

Our customer is not trying to transit voice traffic from the satellite locations, so I can't speak to how well that works compared to an IPSec tunnel or anything. The OVPN tunnels are stable enough for their monitoring equipment to maintain a consistent connection (at least until the underlying Internet service at the satellite location goes down :p).
 
lorsungcu
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Jul 09, 2011 11:11 pm

Re: Suggestions for hub/spoke routing

Fri Sep 19, 2014 5:35 am

All the offices have cable or DSL connections, nothing fancy, unfortunately.

I'll look at OpenVPN, although my understanding is that they dropped support for it, and IPSec seems to be getting better with each release. Has that changed?
 
DLNoah
Member Candidate
Posts: 144
Joined: Fri Nov 12, 2010 5:33 pm

Re: Suggestions for hub/spoke routing

Fri Sep 19, 2014 3:00 pm

They just added the ability to OVPN to DNS addresses in v6.4, and I haven't seen anything official to indicate that support has been dropped.

In my experience, IPSec does work reliably on MT units; it's just a lot more complicated to configure than OVPN. Also, IPSec does not create a virtual interface (whereas OVPN does on both the client and server sides), meaning you don't have the option to dynamically route using IPSec.
