albercik
newbie
Topic Author
Posts: 41
Joined: Tue Jul 17, 2018 1:38 pm

Site-to-site VPN with same subnet

Tue Jul 17, 2018 2:34 pm

Hello All!

I have a little problem with a (for now, only planned) site-to-site VPN between two MikroTik devices. But the short story first:

I'm running a small company that produces small CRM-like apps. To be honest, the first one is actually still being developed and I have no customers yet ;) At the very beginning, the whole company existed on my laptop plus my desktop computer that was used as a code repo (SVN). In the last few months the company grew a little, so I decided to prepare for future growth. I've ended up with my desktop PC running Windows Hyper-V Server with a few VMs that host a domain controller, Exchange server, SVN, build server etc. I have a few developers around the world who are working on the code and commit it to my SVN. Almost brilliant (low-cost), but performance issues have started to occur more and more often and I'm starting to run out of hard drive space.

Because of the above I ended up with three HP rack servers that will host the VMs. Of course, rack servers are way too loud to keep at home (plus cooling issues), so I decided to move them to a public datacenter. The only problem is that switching location should be as painless as possible, so I don't want to change anything in the address configuration. So this plan came up:
- my home MikroTik router (with 5 IP addresses assigned) has a VPN server set up,
- my remote servers are connected to a remote MikroTik device (RB750 gen. 1) which has a public IP address provided by the datacenter but is connected via VPN to my home router, and ALL the traffic is directed via the tunnel, so the devices are visible as if they were at my home (no changes to DNS needed, no reverse DNS problems).

At this moment I have 5 public IP addresses, let's say 1.2.3.1-1.2.3.5. My private network has subnet 10.0.10.0/24; the MikroTik is 10.0.10.1. The first address is directed to my main WWW server and tools (Jenkins, test environment). The second is my VPN server on my MikroTik, the third handles mail flow to/from Exchange. The fourth is the public IP that all outgoing traffic from the company uses and the fifth is the public address of my home (private) network.

At this moment my desktop is 10.0.10.4, and the VMs are .6, .8, .9, .10.

What I would like to achieve is to move the VM's to the datacenter but to keep their addresses with the same subnet as local, so the only thing that I'll have to modify is to route the traffic to those specific addresses via VPN tunnel.

Is it possible to create a configuration like this?

Thank you in advance and best regards!
Tom
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site-to-site VPN with same subnet

Tue Jul 17, 2018 2:47 pm

What you need is an L2 tunnel between the sites running inside the VPN tunnel. You can choose between EoIP (a Mikrotik-proprietary one with less overhead) and L2TP in L2 mode (which is not Mikrotik-proprietary but in reality I don't know any other equipment than Mikrotik which would support the L2 mode). To avoid other problems (TCP meltdown in particular), I would recommend an IPsec VPN between the sites.
 
albercik
newbie
Topic Author
Posts: 41
Joined: Tue Jul 17, 2018 1:38 pm

Re: Site-to-site VPN with same subnet

Tue Jul 17, 2018 3:13 pm

Thank you for the information.

I'm not an advanced user of MikroTik, so I need a little more explanation :) Hope you don't mind.

What I understand is that I need to set up an L2TP server on my home router and L2TP on my remote router. I don't need DHCP for this connection, as both devices will have static IP addresses and so will the remote servers. Will this tunnel handle my needs or do I need to perform some more steps to keep it running?

Thank you in advance.
Tom :)
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site-to-site VPN with same subnet

Tue Jul 17, 2018 3:35 pm

It would be better to invest in some knowledge about networking and how to manage addresses in an environment like that. Especially when you are developing software. We have read before on this forum about users of software they do not control that makes unreasonable assumptions about network layout. So when you can, make sure you are flexible in the network layout and do not depend on kludges like an L2 VPN.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site-to-site VPN with same subnet  [SOLVED]

Tue Jul 17, 2018 3:41 pm

I agree with @pe1chl, it seems like you'd rather need a consultant in your neighbourhood than forum help with minor details you've missed in your attempt :-) Especially as your setup is quite a challenging one.

But if you want to take the adventure:

The basics would be an IPsec tunnel in ESP transport mode between one of your public addresses at home and the single public address of the router in the datacenter, used to encrypt all traffic between these two addresses (so the policy would say protocol=any port=any).

Between the same two addresses, you would establish an EoIP tunnel. When setting up an EoIP tunnel, Mikrotik offers you to just fill in the "IPsec secret" field and if you do that, it creates the IPsec tunnel for you automatically using some default IPsec settings, relieving you from the burden of manually configuring all of them, and choosing on your behalf some parameters like IKE type and encryption strength which you may not like. But it is a good start, you can then copy the automatically generated settings, modify them, and then remove the secret from the EoIP configuration.

Each end of the EoIP tunnel is a virtual L2 interface which you can add to a bridge. So you'd create (or use an already existing) bridge, called e.g. bridge-lan, on each MikroTik, and make all the Ethernet ports to which the various devices in your 10.x.x.x subnet are connected member ports of that bridge (again, it's probably already done by default). And you would add the EoIP interface as another member port of that bridge. However, if you use a DHCP server to assign addresses to the LAN devices, you have to disable it at one end. Also the LAN IP addresses of the two routers must not be the same.

The rest depends on how you use the other public IP addresses. If you use port forwarding from the public addresses to private ones, you don't need to do anything else; if you want to use the public addresses directly on the servers in the datacenter (via the tunnel), you'll have to create another EoIP tunnel between the same addresses (they are numbered so several EoIP tunnels with different IDs can coexist inside the same IPsec tunnel) and use it to interconnect another two bridges between the sites, this time hosting the public subnet of yours.

To describe your current setup at home, follow my automatic signature.
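An added example (not from sindy's post or from MikroTik documentation) of the configuration sindy describes: an EoIP tunnel bridged into bridge-lan at both sites, carried inside a manually configured IPsec transport-mode SA instead of the EoIP ipsec-secret shortcut, so the IKE version and cipher suite are chosen explicitly rather than left at defaults. It assumes RouterOS 6.43 or later syntax (the /ip ipsec profile and identity menus; older 6.x keeps those parameters on the peer), the assumed public addresses 198.51.100.2 (home VPN address) and 203.0.113.10 (datacenter), the router LAN addresses 10.0.10.1 and 10.0.10.254 mentioned in the thread, a bridge named bridge-lan at both ends, and a placeholder pre-shared secret. The IPsec policy covers only protocol GRE, which is what EoIP uses on the wire (sindy's protocol=any variant is the broader alternative), and the firewall accepts GRE only when it arrived inside IPsec.

```routeros
# ===== Home router (public 198.51.100.2, LAN gateway 10.0.10.1 on bridge-lan) =====
# Phase 1: IKEv2 with explicit algorithms instead of whatever the ipsec-secret shortcut would choose.
/ip ipsec profile
add name=site-dc hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=30s
/ip ipsec peer
add name=dc address=203.0.113.10/32 local-address=198.51.100.2 exchange-mode=ike2 profile=site-dc
/ip ipsec identity
add peer=dc auth-method=pre-shared-key secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
# Phase 2: ESP with PFS.
/ip ipsec proposal
add name=site-dc auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
# Transport-mode policy: encrypt the GRE (EoIP) traffic between the two public addresses.
/ip ipsec policy
add peer=dc tunnel=no src-address=198.51.100.2/32 dst-address=203.0.113.10/32 protocol=gre \
    proposal=site-dc action=encrypt level=require
# The L2 tunnel itself; tunnel-id must match at both ends. A second tunnel for the public
# subnet would use another tunnel-id (e.g. 11) and be bridged into a separate bridge.
# Full-size 1500-byte LAN frames will be fragmented on the WAN after GRE+ESP are added;
# clamp-tcp-mss limits that for TCP, other traffic pays the fragmentation cost.
/interface eoip
add name=eoip-lan tunnel-id=10 local-address=198.51.100.2 remote-address=203.0.113.10 clamp-tcp-mss=yes
/interface bridge port
add bridge=bridge-lan interface=eoip-lan
# Input rules for the tunnel endpoint; they must sit above the chain's drop rules.
/ip firewall filter
add chain=input action=accept protocol=udp src-address=203.0.113.10 dst-port=500,4500 comment="IKE from DC"
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.10 comment="ESP from DC"
add chain=input action=accept protocol=gre src-address=203.0.113.10 ipsec-policy=in,ipsec \
    comment="EoIP only after IPsec decryption"

# ===== Datacenter router (public 203.0.113.10, LAN address 10.0.10.254 on bridge-lan) =====
/ip ipsec profile
add name=site-home hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=30s
/ip ipsec peer
add name=home address=198.51.100.2/32 local-address=203.0.113.10 exchange-mode=ike2 profile=site-home
/ip ipsec identity
add peer=home auth-method=pre-shared-key secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
/ip ipsec proposal
add name=site-home auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec policy
add peer=home tunnel=no src-address=203.0.113.10/32 dst-address=198.51.100.2/32 protocol=gre \
    proposal=site-home action=encrypt level=require
/interface eoip
add name=eoip-lan tunnel-id=10 local-address=203.0.113.10 remote-address=198.51.100.2 clamp-tcp-mss=yes
/interface bridge port
add bridge=bridge-lan interface=eoip-lan
# One L2 segment, one DHCP server: the home router keeps serving DHCP, so disable it here.
/ip dhcp-server disable [find]
/ip address
add address=10.0.10.254/24 interface=bridge-lan
/ip firewall filter
add chain=input action=accept protocol=udp src-address=198.51.100.2 dst-port=500,4500 comment="IKE from home"
add chain=input action=accept protocol=ipsec-esp src-address=198.51.100.2 comment="ESP from home"
add chain=input action=accept protocol=gre src-address=198.51.100.2 ipsec-policy=in,ipsec \
    comment="EoIP only after IPsec decryption"

# ===== Checks (run on the home router) =====
/ip ipsec active-peers print      # the DC peer should be established
/ip ipsec installed-sa print      # one inbound and one outbound ESP SA
/ping 10.0.10.254 count=3         # the DC router's LAN address, reached over the bridged tunnel
```

The identity secret and the tunnel-id are the only values that must match literally at both ends; everything else is mirrored. If the servers at the datacenter keep 10.0.10.1 as their gateway, their traffic to the internet crosses the tunnel twice (to the home router and back out), which is the cost sindy points out later in the thread.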
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site-to-site VPN with same subnet

Tue Jul 17, 2018 3:59 pm

The problem is in this: "The only problem is that switching location should be as painless as possible, so I don't want to change anything in the address configuration."

Don't do that. Change the server addresses to a different subnet like 10.0.11.0/24 and make a routed VPN between the servers and your home/office.
Or, when more convenient, change the subnet of your home/office and keep the server addresses as they are now.
 
albercik
newbie
Topic Author
Posts: 41
Joined: Tue Jul 17, 2018 1:38 pm

Re: Site-to-site VPN with same subnet

Tue Jul 17, 2018 4:42 pm

Thank you Sindy for the reply. It looks way more difficult than I thought till now... I'll try to set this up thanks to your post.

Just to clarify:
yes - I use DHCP at my home router (company-bridge) as there are DHCP-assigned devices running (printer with WSD, my laptop, another desktop etc.). At the remote side DHCP won't be needed as no DHCP-assigned addresses will be used.

yes - I'm aware of addressing the routers. My main is .1, my remote will be .254. Remote devices will still use .1 as gateway and .1 will be added in remote router's routing table pointing to the tunnel.

If I get this right - I need to create an L2 interface on both sides, home and remote, and add them to each router's bridge. The MikroTiks will do the magic by themselves and I'll need to tune those default settings a little bit?
"Don't do that. Change the server addresses to a different subnet like 10.0.11.0/24 and make a routed VPN between the servers and your home/office."
I thought about that, but I'm afraid of problems with connectivity between my local computers and the domain controller. I've seen a few times configurations that had a DC in a different subnet and it always caused some problems...
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site-to-site VPN with same subnet

Tue Jul 17, 2018 4:54 pm

Tuning of the default IPsec settings is recommended regardless whether you'll use the IPsec to transport/tunnel L2 or L3.

As for the domain controller issues, the network in our company has several subnets with routing between them and there are no issues related to communication between workstations and the DC. Of course before splitting the network physically between sites, you should check that first at your kitchen table, but if this hypothetical DC problem should be the only reason to keep both ends in the same subnet, I agree with @pe1chl even more :-)
 
albercik
newbie
Topic Author
Posts: 41
Joined: Tue Jul 17, 2018 1:38 pm

Re: Site-to-site VPN with same subnet

Wed Jul 18, 2018 12:32 pm

Hmm, I'm confused a little bit... :D

But OK, I'll try to set this up as you said - on my kitchen table, where I'll connect my "remote" router VIA mobile Internet (so it will be completely separated from my home ISP) and I'll test it for a while (probably it will be a very short 'while', before my wife will kill me because of the server's noise :D ).

Let me ask you one more time (as a noob) - to set the remote network as different subnet - will I still need a L2 transmission between sites, or will a simple VPN be good enough?

Please bear in mind that I don't have any mission-critical or confidential data here, so a completely secure line isn't needed. If my company grows and we start selling the product (especially the cloud service) then I'll put some money on a table to assign public addresses to my remote location; all traffic will be directed there and handled by the remote router, and my home network will be... just a home network :)

Best regards
Tom :)
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site-to-site VPN with same subnet

Wed Jul 18, 2018 12:46 pm

When you want to set up a routed VPN with MikroTik routers at both ends, an easy setup is this:
- create GRE interfaces at each end, with the public IP of the remote end configured, and an IPsec key (say 32 random characters) the same at each end
- set a network address on these interfaces, e.g. 10.0.0.1/30 and 10.0.0.2/30
- set a static route to the remote subnet via the remote 10.0.0.x address in your route table

Now you should have a basic 2-network VPN setup that you can easily extend or modify later and that does not require complicated firewall and NAT rules like a "plain" IPsec tunnel.
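The three steps above written out for both routers, as an added example that is not pe1chl's own configuration. It assumes the renumbering pe1chl proposed earlier in the thread (home 10.0.10.0/24, datacenter 10.0.11.0/24), the assumed public addresses 198.51.100.2 (home) and 203.0.113.10 (datacenter), a placeholder for the 32-character IPsec key, and that the home router already has a masquerade rule for internet access. The ipsec-secret on the GRE interface makes RouterOS create the IPsec peer and policy for you with its default IKE and cipher settings; sindy's advice about reviewing those defaults applies to this shortcut.

```routeros
# ===== Home router (public 198.51.100.2, LAN 10.0.10.0/24) =====
# GRE endpoint. mtu=1400 leaves room for the GRE and ESP headers inside a 1500-byte WAN MTU.
/interface gre
add name=gre-dc local-address=198.51.100.2 remote-address=203.0.113.10 \
    ipsec-secret="REPLACE-WITH-32-RANDOM-CHARS" mtu=1400 clamp-tcp-mss=yes
# Step 2: the /30 transit network on the tunnel.
/ip address
add address=10.0.0.1/30 interface=gre-dc
# Step 3: static route to the datacenter subnet via the far end of the /30.
/ip route
add dst-address=10.0.11.0/24 gateway=10.0.0.2 comment="DC servers via GRE"
# Site-to-site traffic must not be masqueraded: move this rule above the masquerade rule.
/ip firewall nat
add chain=srcnat action=accept src-address=10.0.10.0/24 dst-address=10.0.11.0/24 comment="no NAT site-to-site"
# Input: IKE, ESP, and GRE only when it was decrypted by IPsec (place above the drop rules).
/ip firewall filter
add chain=input action=accept protocol=udp src-address=203.0.113.10 dst-port=500,4500 comment="IKE from DC"
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.10 comment="ESP from DC"
add chain=input action=accept protocol=gre src-address=203.0.113.10 ipsec-policy=in,ipsec comment="GRE inside IPsec only"
# Forward: only needed if your forward chain drops by default.
add chain=forward action=accept src-address=10.0.10.0/24 dst-address=10.0.11.0/24
add chain=forward action=accept src-address=10.0.11.0/24 dst-address=10.0.10.0/24

# ===== Datacenter router (public 203.0.113.10, LAN 10.0.11.0/24) =====
/interface gre
add name=gre-home local-address=203.0.113.10 remote-address=198.51.100.2 \
    ipsec-secret="REPLACE-WITH-32-RANDOM-CHARS" mtu=1400 clamp-tcp-mss=yes
/ip address
add address=10.0.0.2/30 interface=gre-home
/ip route
add dst-address=10.0.10.0/24 gateway=10.0.0.1 comment="home/office via GRE"
/ip firewall nat
add chain=srcnat action=accept src-address=10.0.11.0/24 dst-address=10.0.10.0/24 comment="no NAT site-to-site"
/ip firewall filter
add chain=input action=accept protocol=udp src-address=198.51.100.2 dst-port=500,4500 comment="IKE from home"
add chain=input action=accept protocol=ipsec-esp src-address=198.51.100.2 comment="ESP from home"
add chain=input action=accept protocol=gre src-address=198.51.100.2 ipsec-policy=in,ipsec comment="GRE inside IPsec only"
add chain=forward action=accept src-address=10.0.11.0/24 dst-address=10.0.10.0/24
add chain=forward action=accept src-address=10.0.10.0/24 dst-address=10.0.11.0/24

# ===== Checks (run on the home router) =====
/ip ipsec installed-sa print   # one SA per direction once IKE has succeeded
/ip ipsec peer print           # shows the dynamic peer the ipsec-secret created; review its profile
/ping 10.0.0.2 count=3         # far end of the /30
/ping 10.0.11.10 count=3       # an assumed server address behind the DC router
```

Because the two subnets are different, nothing is bridged and the DHCP server at home is unaffected; the domain controller simply becomes a host in 10.0.11.0/24 that workstations reach through the route.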
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site-to-site VPN with same subnet

Wed Jul 18, 2018 12:52 pm

... probably it will be a very short 'while', before my wife will kill me because of the server's noise :D ...
...
... then I'll put some money on a table ...
I assume that from the two points above one can deduce that at the very moment you put some money on a table, your wife will find a better purpose for them than a public address?

"Let me ask you one more time (as a noob) - to set the remote network as different subnet - will I still need a L2 transmission between sites, or will a simple VPN be good enough?"
In this case you wouldn't need an L2 VPN between sites, so you could use an L3 VPN. You don't need any dynamic routing protocols, so you could use plain IPsec for that, thus saving some bandwidth on your home connection, but as you are a beginner, I would strongly recommend to use an IPIP or GRE tunnel through the IPsec one, as a site-to-site tunnel using plain IPsec is a separate can of worms (and very specific ones). So again I am in line with @Rob here :-)

... I'll connect my "remote" router VIA mobile Internet ...
If one of the IPsec peers' addresses is a dynamically changing one, the IPsec settings must anticipate that, and the automatically created ones don't. So better create a "fake public" subnet like 100.64.0.0/30 between the two boxes on one Ethernet of each and try it this way.

"Please, bear in mind, that I don't have any mission-critical or confidential data here, so a completely-secure line isn't needed."
Well... I have seen so many attacks coming from devices or networks which "didn't need a completely secure line" that I dare to disagree with you. You may not care about your data, and you may not care about your machine DDoSing someone else, but if someone is mining bitcoins on your hardware and on your electricity bill, it should be you, or?
 
albercik
newbie
Topic Author
Posts: 41
Joined: Tue Jul 17, 2018 1:38 pm

Re: Site-to-site VPN with same subnet

Wed Jul 18, 2018 2:10 pm

"your wife will find a better purpose for them than a public address?"
Oh no - I will have a public, static address at the destination in the DC. But only one. At this moment I work daily at some company and, in the meantime, I try to run my own business. And more than one public IP address will be way too expensive for me for now. The DC that I'm going to put my servers in is my friend's company server room, so the cost will be low (sharing the electricity bill and bandwidth), but to set up more IP addresses I'd have to buy them from his ISP and the cost is huge (ca. 40 euros per address), which I can't handle at this time...
"If one of the IPsec peers' addresses is a dynamically changing one, the IPsec settings must anticipate that, and the automatically created ones don't. So better create a "fake public" subnet like 100.64.0.0/30 between the two boxes on one Ethernet of each and try it this way."
I'll find another way to do it - mobile internet rarely has a public IP. In the worst scenario - I'll go to the DC, where I'll connect my router and try to set this up remotely...

Anyway - thank you all for responses! You're very helpful. And BTW sindy - I admire your patience for a noob like me :)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site-to-site VPN with same subnet

Wed Jul 18, 2018 2:20 pm

"mobile internet rarely has a public IP"
It depends on country and operator, but even if you do get a public IP on the mobile device, if it is changing, the ipsec setup on the opposite side must reflect that. And if you get a private address on the mobile device, there must be a NAT to a public address somewhere on the way, which requires even more specific IPsec settings. (A gem in this regard is T-Mobile USA which assigns public addresses to mobile devices but then NATs them anyway).

So knowing that the final setup will be a static public address at either end, I've suggested to imitate your own tiny internet using a single Ethernet cable, as it is closest to the final deployment scenario.
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site-to-site VPN with same subnet

Wed Jul 18, 2018 2:33 pm

When you want to connect between a dynamic and a static IP you can use L2TP/IPsec with the server on the static IP and the client on the dynamic IP. You can configure the address of the client in the "PPP secrets" and you will have a fixed (local, like 10.0.0.x) IP on the L2TP client interface, and also on the L2TP server. Then you can again use a static route for your 2 subnets over that connection. Or you can configure BGP to do the routing. This is the simplest well-working option, simpler when compared to GRE tunnels. The GRE tunnels require a fixed IP unless tricks are used.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site-to-site VPN with same subnet

Wed Jul 18, 2018 2:46 pm

The reason why I suggest imitating the final state rather than finding solutions for IPsec with a dynamic/NATed remote IP is that in the long-term setup, Tom is going to roll every single packet between the internet and the data center server through his home WAN back and forth, so my opinion is he shouldn't use L2TP as the final setup. IPIP wastes the least bandwidth, followed by GRE, and only then comes L2TP.
 
albercik
newbie
Topic Author
Posts: 41
Joined: Tue Jul 17, 2018 1:38 pm

Re: Site-to-site VPN with same subnet

Wed Jul 18, 2018 2:49 pm

"It depends on country and operator, but even if you do get a public IP on the mobile device, if it is changing"
Here, in Poland every mobile Internet client has private, dynamic IP. If you want public IP - you have to pay. If you want static - you have to pay even more...

But don't worry - as I said, I'll try to set this up at the destination as soon as.. I'll find some time to go there ;)
"When you want to connect between a dynamic and a static IP you can use L2TP/IPsec with the server on the static IP and the client on the dynamic IP"
That's what I've been thinking anyway - my remote side will be the client, that's connecting to my home router.

I know it's quite an odd configuration I'm trying to set up, but at this moment I can't afford anything else. When times are better I'll spend some money on it so it will be done fully pro ;)
