Community discussions

MikroTik App
 
User avatar
a.devecerski
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Remote sites, dynamic addresses - VPN to HQ LAN

Tue Dec 19, 2017 12:08 pm

Hello everyone,
I would like to ask you for your help

I need to connect company LAN to several remote sites, as I tried to show in the picture. Every remote site contains one industrial unit, controlled via its own web server/interface. To access it by default, PC user logs on locally using web browser, initial page starts plugin which has to be pre-installed on the PC (so it’s not only http traffic, several TCP/UDP ports are involved). Unit IP address is configurable, but only in the private, 192.168.120.0/21 range (default 192.168.123.10).

“Need to connect” I mentioned before specifically means: in order to remotely monitor/control remote units, users need to access their web interface from company LAN.
Internet connection for remote sites is provided via GSM network, using industrial grade high speed, Linux based, GSM routers (not Mikrotik). GSM ISP provides dynamic, private IP addresses only (10.38.0.0/16 range). It seems to me that some kind of VPN tunnel from each GSM router to HQ would be the way to go. These routers have GRE, IPSec, OpenVPN, PPTP and L2TP sections in their VPN options.

I was wondering if anyone here perhaps has situation like this already in operation? And how was it configured?
If not, what would be the best (or easiest) way to implement something like this.

Thank you
Regards
Image
 
poizzon
Member Candidate
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Tue Dec 19, 2017 9:41 pm

GSM router, as VPN client connecting to mikrotik WAN static IP VPN server.

I do not really understand the essence of the question.
--
poi
 
User avatar
a.devecerski
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Tue Dec 19, 2017 11:07 pm

In the picture above, enable LAN users (located on 192.168.0.0/21 network) to see web interface on remote units (192.168.123.10, 192.168.124.10,...), using GSM routers to provide Internet connectivity for remote sites.
 
poizzon
Member Candidate
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Wed Dec 20, 2017 2:21 am

make VPN connection on GSM routers to mikrotik' router, and add route to destination subnet

p.s.: i hope WAN ip address are static and WAN address
--
poi
 
User avatar
a.devecerski
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Wed Dec 20, 2017 2:36 am

Sure. GRE? IPSec? GRE over IPSec? etc, etc I've been reading about various scenarios here on the Forum and haven't been able to find one close enough to my case. Some require static (or public/static) addresses at both ends, some do not support non-TCP traffic,...

WAN IP addresses:
- HQ LAN yes -> static, public address
- remote GSM routers, no -> dynamic, private addresses
 
poizzon
Member Candidate
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Wed Dec 20, 2017 4:15 am

non-TCP traffic - what traffic you need ?
web interface
?

as I said before, create a VPN between a modem and a mikrotik. (GSM modem will be as client) , i prefered to use openvpn

and add routes between modems and mikrotik know where the subnet.
--
poi
 
User avatar
a.devecerski
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Wed Dec 20, 2017 8:43 am

Non-TCP: Not sure. Initial web page (after successful user authentication) starts proprietary plugin, which I'm pretty sure uses UDP as well.
OK, I'll try with OpenVPN.

Thanks Poizzon
 
User avatar
a.devecerski
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Re: Remote sites, dynamic addresses - VPN to HQ LAN

Thu Dec 21, 2017 1:53 pm

Following Poizzons advice, using mainly „OpenVPN for Dummies“ 1 / 2 and MTs "Open VPN“ wiki I was able to configure HQ router as a VPN server and first (test) GSM router. Reading and searching various steps as I progressed, I was somewhat surprised to see limitations in MT’s Open VPN implementation (no UDP/compression) and, even more, no GUI for OVPN server (my default MT configuration tool is Winbox and this is the first time I’ve stumbled upon such a situation).

Anyway, current situation is: GSM router reports that tunnel is established, my CCRs log displays ovpn, info message "TCP connection established from...“, but I don’t know where to "point“ the route as ovpn-server is not present among interfaces. I tried defining ovpn-server-binding but it does not report established connection.

Help, please

Thanks

Who is online

Users browsing this forum: Bing [Bot] and 90 guests