Garcia
just joined
Topic Author
Posts: 2
Joined: Wed Jun 12, 2019 11:42 am

How to connect branch LAN behind ISP NAT to HQ LAN?

Wed Jun 12, 2019 12:57 pm

Hello,
I need to connect a small branch LAN to the HQ LAN.

HQ LAN is connected to the internet using a Mikrotik router with a public static IP.

Branch LAN is connected to the internet via a 4G LTE router (TP-Link Archer MR200).
The router is IPsec capable and supports PPTP/L2TP/IPsec pass-through (NAT forwarding) and other features.
The router IP assigned by the ISP is private, from the 10.xxx.xxx.xxx range, which means it is behind an ISP router with NAT.
The public IP of the ISP router changes each time the 4G LTE router is disconnected/reconnected to the 4G network.
[attachment: Lan2Lan.png]
So the question is: how can I connect these two LANs (how should I configure the routers)? A faster solution is better.
Is an IPsec VPN possible when the branch router is behind ISP NAT and the ISP public IP is dynamic?

If needed I can use another Mikrotik router (hAP lite) in the branch LAN.

Thanks for any hints.
 
sindy
Forum Guru
Posts: 3287
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to connect branch LAN behind ISP NAT to HQ LAN?

Wed Jun 12, 2019 6:12 pm

This is your starting point for pure IPsec, this one is for IPsec-encrypted L2TP where most of the IPsec configuration is automagically created by Mikrotik itself and routing behaves the "normal" way, so it is simpler and thus faster to set up at Mikrotik side than pure IPsec. The price to pay is more overhead bytes in the packets so less space for payload.

I cannot tell you how to set up either variant on the TP-link end so you may have to experiment (logging of ipsec and l2tp events at Mikrotik side will help you identify and resolve eventual issues) or you may disable VPN handling at TP-link side completely and let the hAP mini behind it do the job if you need to have it up and running really fast. Multiple NATs along the way do not matter, just don't expect too much bandwidth if you run encryption on hAP mini (no idea what Mikrotik model you use at the HQ end, though).

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
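As an added illustration of the second variant described above (L2TP with IPsec, the branch hAP lite doing the VPN while the TP-Link only forwards), here is a minimal RouterOS configuration for both ends. This is example code written for this page, not sindy's configuration or anything from MikroTik's documentation. The subnets (192.168.1.0/24 at HQ, 192.168.2.0/24 at the branch), the tunnel addresses 192.168.99.1/.2, the user name `branch`, the `CHANGE_ME_*` secrets and the HQ address placeholder `my.public.ip.1` are all assumptions to be replaced with real values.

```routeros
# ===== HQ MikroTik (public static IP, written here as the placeholder my.public.ip.1) =====
# Assumed addressing: HQ LAN 192.168.1.0/24, branch LAN 192.168.2.0/24,
# tunnel endpoints 192.168.99.1 (HQ) / 192.168.99.2 (branch). Replace CHANGE_ME_* values.

# L2TP server; use-ipsec=required refuses plain L2TP, so the tunnel is always encrypted.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=CHANGE_ME_PSK

# One PPP account per branch. "routes" installs the route to the branch LAN on the HQ
# router automatically whenever this client is connected (format: dst gateway metric).
/ppp secret
add name=branch password=CHANGE_ME_PW service=l2tp local-address=192.168.99.1 \
    remote-address=192.168.99.2 routes="192.168.2.0/24 192.168.99.2 1"

# Allow the tunnel to reach the router itself: IKE (500), NAT-T (4500), L2TP (1701) and ESP.
# The branch sits behind ISP NAT, so in practice ESP arrives encapsulated in UDP 4500.
# place-before=0 puts the rules above the default "drop everything not from LAN" input rule.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,1701,4500 \
    comment="L2TP/IPsec from branch" place-before=0
add chain=input action=accept protocol=ipsec-esp comment="IPsec ESP" place-before=0

# Only needed if the existing masquerade rule is NOT limited to out-interface=<WAN>:
# LAN-to-LAN traffic must leave the tunnel with its real source address.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    comment="no NAT towards branch LAN" place-before=0

# Logging the reply recommends for troubleshooting (!packet keeps the IPsec log readable).
/system logging
add topics=ipsec,!packet action=memory
add topics=l2tp action=memory


# ===== Branch hAP lite (behind the TP-Link and the ISP NAT, dynamic public IP) =====
# The client always initiates, so multiple NATs and a changing public IP do not matter;
# RouterOS negotiates NAT-T by itself when use-ipsec=yes.
/interface l2tp-client
add name=l2tp-hq connect-to=my.public.ip.1 user=branch password=CHANGE_ME_PW \
    use-ipsec=yes ipsec-secret=CHANGE_ME_PSK add-default-route=no disabled=no

# Send HQ LAN traffic into the tunnel (the PPP interface name is a valid gateway).
/ip route
add dst-address=192.168.1.0/24 gateway=l2tp-hq comment="HQ LAN via L2TP/IPsec"

# Same NAT bypass as at HQ, again only needed if masquerade is not bound to the WAN interface.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    comment="no NAT towards HQ LAN" place-before=0

/system logging
add topics=ipsec,!packet action=memory
add topics=l2tp action=memory
```

When the 4G link drops and the ISP hands out a new public address, the l2tp-client simply reconnects and the HQ side installs the branch route again from the PPP secret, so nothing on the HQ router depends on the branch's public IP. If the TP-Link has its own VPN features enabled, switch them off so it only passes UDP 500/4500 through, as the reply suggests. Check `/interface l2tp-client monitor l2tp-hq` and `/ip ipsec active-peers print` on the branch, and `/log print where topics~"ipsec|l2tp"` on either side, when the tunnel does not come up.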
 
Garcia
just joined
Topic Author
Posts: 2
Joined: Wed Jun 12, 2019 11:42 am

Re: How to connect branch LAN behind ISP NAT to HQ LAN?

Wed Jun 12, 2019 7:32 pm

Thanks for the reply. Will try to set up the second option.
