Hello, first time poster here. I apologize in advance, this will be a bit long with lots of info, and will have some god awful practices being applied which I hope to correct. Hoping to get some help here so I can learn to do things right. Started using Mikrotik devices recently and they are very good but much more complicated for an average guy who is used to consumer grade routers, so here I am. I need a bit of help with the following :
Setting up a LAN to LAN VPN connection. I have followed the guides available, and managed to get it to work, though not in the exact way that I need to. First of all, I have 3 locations (sites/branches), Site A, Site B and Site C. I need to open up a LAN to LAN VPN Connection from Site A to Site B and from Site A to Site C (Site B and C do not need to communicate with each other). All sites are using RB951G-2HnD. For testing and troubleshooting, I have instead gone ahead and tried to create a VPN connection from Site B to Site C (Site A has another device in the way from the Mikrotik router, so I wanted to make sure if this other device is causing any issues in VPN connectivity).
The guides I have followed showed me what to do (IPSec Peer, IPSec Policy, NAT), and it does work. HOWEVER, Site A has a Dynamic WAN IP from the ISP, Site B has a Static WAN IP from the ISP and Site C has a Dynamic WAN IP from the ISP. So I need to use DDNS to have a host name that follows the IP and updates whenever it changes.
I have decided to use the built-in feature in the MikroTik (IP > Cloud > DDNS Enabled), and this has given me fairly randomized hostnames that do work and follow the IP whenever it changes, and I even want to use it on the Static IP (no reason to but still).
Now here is the issue, in IPSec > Policies, you need to enable "Tunnel" and enter "SA Src. Address" and "SA Dst. Address", and these fields do not accept the DDNS hostnames, only IP addresses. If I go and enter the current public WAN IP addresses on both sites, phase 2 gets established and everything is ok, but these WAN IP's will change after a day or so, so I need to use the DDNS hostnames here. I have updated to 6.43.11 firmware, as IPSec > Peer > Address would not accept DDNS hostnames in older versions, so once updated, it accepted it there, but not in the SA Src/Dst addresses.
What can be done here?
Additionally, I have the following questions/issues. :
1) I have set up the device on Site C, and it had the "Firewall" option enabled in quick set. Once WAN connectivity was established over PPPoE, the router got internet connectivity but would not allow anything on the WiFi or LAN ports to use it. I Had to disable Firewall to get it to work. Looking at the before and after in IP > Firewall > Filter Rules, a bunch of rules get added or removed depending on the setting. Additionally, Site B router was set up with "Firewall" enabled, and did not have this issue (but the WAN connection method was static IP). Is there any issue if the Firewall option is disabled? Disabling Firewall also allows me to connect to the Mikrotik devices via WinBox.
2) Using IP > Cloud > DDNS is viable as an alternative for something like DynDNS or No-IP? Are there any issues with using this in the long term?
3) Finally, this is probably a very newbie thing to do or to have it happen to you but, after all the above was done and the firewalls were disabled, I have started seeing an increased number of brute force attempts to log into the Mikrotik routers from Russia/Singapore/Brazil/France/Islands/Vietnam etc. I am getting alot of red messages from login failures in the logs for both devices in Site B and Site C. After this, I went ahead and improved my password across all the devices to ensure no one can log in (24 character randomized passwords). Site B is on Static IP, and for some reason I can access the router by going to the WAN IP in the browser but Site C is on Dynamic IP, I cannot access the router by going to the WAN IP in the browser. Additionally, Site C logs show login attempts via telnet and Site B logs show login attempts via ssh with the occasional auth timeout message (dont know if its related to the login attempts, Site C does not show these messages). How can I ensure security here? Having the router page accessible via WAN IP is not ideal, but what can I do here? Can I limit login attempts to something like 1 login attempt per 10 minutes?
4) Final Final, once VPN was established between sites B and C, the guide said that the new rule in NAT should be set as first in the order to ensure both sides can ping each other, but I have noticed that it does not matter on any of the sides in what order the NAT rule is in the list. + I have a default NAT rule for masquerade set already, as per the guide the new rule should be above this masquerade, but i can put it in any order on both sides and it works. Any reason for this?
5) Terminal within the Mikrotik router do not succesfully ping the opposing router, but CMD pings do work + I can open Site C router via its local IP from Site B network. Any issue here?