:( There are not a whole lot of routers that have OpenVPN servers..... Is there a better way for me to go about establishing an OpenVPN server? How would you handle this requirement?

Several points.
First, it is just a "best current practice" to use a dedicated (V)LAN for each IP subnet, but there is no technical barrier preventing you from using multiple subnets in the same VLAN, and in specific cases, you may need to use the same IP subnet in multiple (V)LANs. Therefore, "I need device A to be in device B's VLAN" is an ambiguous statement. People usually mean they want the two devices to be in the same subnet when saying this, but you can't be sure.
Second, Mikrotik's implementation of OpenVPN in RouterOS 6.x is very limited. On top of not supporting some compression methods, it only supports TCP as transport protocol, which makes it a bad choice for VoIP, where low delay is more important than zero loss, whilst TCP's inevitable retransmissions in case of packet loss increase the delay.
Third, OpenVPN supports both L2 tunneling and L3 tunneling, but for the Mikrotik acting as an OpenVPN server, you can only choose one of the two.
- With L3 tunneling, you cannot place the phones into the IP subnet of the PBX and something (the Mikrotik or the L3 switch) must provide routing between the subnets. Letting the OpenVPN assign addresses from a range overlapping the subnet of the PBX causes more problems than it solves: each such assignment actually constitutes a subnet of its own, and routing between that one and the overlapping larger one is necessary. Plus special measures need to be taken to deliver the packet from the PBX to the phone (as from the perspective of the PBX, the phone's address is inside the same subnet as its own one, so the PBX tries to send it directly rather than via the router).
- With L2 tunneling, you can make the L2 tunnel of each user a member interface of the bridge you want (using the bridge parameter of a /ppp profile row to which the /ppp secret row links), but there is (currently?) no way to make the L2 tunnel directly an access port to a particular VLAN on a multi-VLAN bridge, nor to set any horizon value (so port isolation is not possible). Hence you would need one bridge per each VLAN for the L2 OpenVPN clients, and connect these bridges via /interface vlan rows to the common bridge with vlan-filtering=yes or directly to the Ethernet port to which the Cisco L3 switch is connected. But I don't think you want the phones to talk to each other without any firewall between them, so the absence of port isolation is a serious security hole.
The rest seems quite simple to me. If one of the Cisco devices can act as a controller for all the APs, the SSID configuration is a bit simpler.
Hard to answer not knowing the priorities of the requirements. If OpenVPN is a must, I'd use OpenWRT on a device supporting it, but don't expect the L2 setup to be any easier. If L3 is enough, I'd use StrongSwan on the mobile phones, and IKEv2 at the "server" side, which may be Mikrotik or something else. I also don't know your budget, it seems you are not terribly limited as you intend to use Cisco for everything except the VPN gateway functionality.
> Is there a better way for me to go about establishing an OpenVPN server? How would you handle this requirement?

The phones are full featured desk IP phones that have OpenVPN clients built in them.
> If L3 is enough, I'd use StrongSwan on the mobile phones, and IKEv2 at the "server" side, which may be Mikrotik or something else.
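The "one bridge per VLAN" layout for L2 (ethernet/TAP) OpenVPN phones described above, written out as a RouterOS 6.4x configuration. This is an added example, not configuration from the post or from MikroTik; the names (bridge-main, ether2, br-voice, VLAN 100, phone1, server-cert) are assumptions, and the bridge filter at the end is an assumed workaround for the missing horizon, not something the post proposes.

```routeros
# Added example (not from the forum post): one dedicated bridge per VLAN for
# L2 (ethernet/TAP) OpenVPN phones on RouterOS 6.4x, as the post describes.
# Names (bridge-main, ether2, br-voice, VLAN 100, phone1, server-cert) are assumptions.

# Main bridge does the VLAN filtering; ether2 is the trunk to the L3 switch.
/interface bridge
add name=bridge-main vlan-filtering=yes
add name=br-voice comment="L2 OVPN phones only, no vlan-filtering"
/interface bridge port
add bridge=bridge-main interface=ether2
/interface bridge vlan
add bridge=bridge-main vlan-ids=100 tagged=bridge-main,ether2

# A VLAN sub-interface of the main bridge becomes a port of the phone bridge,
# so frames from the tunnels leave the trunk tagged with VLAN 100.
/interface vlan
add name=vlan100-voice interface=bridge-main vlan-id=100
/interface bridge port
add bridge=br-voice interface=vlan100-voice

# Dynamic OVPN interfaces land in br-voice through the profile's bridge=
# setting and are also collected in an interface list for the filter below.
/interface list
add name=ovpn-phones
/ppp profile
add name=ovpn-voice bridge=br-voice interface-list=ovpn-phones use-encryption=yes
/ppp secret
add name=phone1 password=CHANGE-ME profile=ovpn-voice service=ovpn
/interface ovpn-server server
set enabled=yes mode=ethernet default-profile=ovpn-voice \
    certificate=server-cert require-client-certificate=yes auth=sha1 cipher=aes256

# The post's caveat: the dynamic ports get no horizon value, so phones could
# reach each other inside br-voice. Assumed mitigation (not from the post):
# drop frames bridged from one phone tunnel to another; phone <-> VLAN 100
# traffic through vlan100-voice is not matched and still passes.
/interface bridge filter
add chain=forward in-interface-list=ovpn-phones out-interface-list=ovpn-phones action=drop
```

Whether the bridge filter gives the isolation you need should be verified on the actual RouterOS version with two phones connected, since the post states that no horizon can be set for these dynamic ports.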
Depends on what you call an issue. ROS 7 supports UDP as OpenVPN's transport protocol, which has an impact on the possible issues with delay (but maybe packet loss is not a problem to consider in your country, so the current OpenVPN over TCP is sufficient for the job). Regarding the other "issues", from what I can see in 7.1beta2, bridge-horizon has been added to /ppp profile, so port isolation for dynamically added ports is intended to work; nothing VLAN-related there, which doesn't mean they won't add it before ROS 7 reaches a "stable" stage.
> The phones are full featured desk IP phones that have OpenVPN clients built in them.
> Do you think RouterOS 7 would solve a lot of these issues?
If this means "until ROS 7 becomes at least 'stable', let alone 'long-term'", it may take months to years.
> If so I can continue using the phones in the fashion they are currently being used.

I feel the Mikrotik router to be fit as an L4 firewall and VPN gateway provided its CPU is powerful enough to handle the traffic you want it to handle. hEX S is definitely too weak for a 400 Mbit/s downlink even if not for the VPN role; hAP ac² could be at its margin, you haven't specified how many simultaneous phone calls you expect to move through it, nor what is the expected volume of other traffic. One of the other issues with Mikrotik's OpenVPN in ROS 6.x is that it cannot use the hardware encryption, no idea whether ROS 7 has changed this.
> Let's say I shelve the whole OpenVPN requirement..
> Do you feel the Mikrotik router is a good fit for the job?
> A few months ago I tested an OpenVPN tunnel with the Mikrotik hEX S RB760iGS and did a few speed tests.

But from this statement I deduce that
a) the only motivation to use OpenVPN is that the phones support it
b) you have never tried the capabilities of the OpenVPN on the phones themselves, so you have to try it first anyway
c) there may be no need to use the OpenVPN in L2 (= ethernet in Mikrotik terms, = TAP in OpenVPN terms) mode unless the phones themselves only support that mode
Do the phones only support OpenVPN or also any other VPN types? If so, which ones?
@anav, I am using the hEX S for some of my business clients [30 people] and they all are very pleased. I for one do not believe that the hEX S was designed for the home environment .... everything depends on requirement ..... IMO @Bionic made a good selection except for the OVPN side of things ... the CISCO switches are EXCELLENT and will do exactly what he wants to :-)
> One connection is different from many connections and the CPU and RAM accordingly is designed for a home environment and you have something far greater in the planning.

Since you've mentioned almost 10 VLANs/subnets intended for various types of users, I automatically supposed that the firewalling functionality is required, as you probably don't want the guests to access any of the internal subnets, nor do you want users in any other subnets to have management access to your infrastructure elements, etc. That's why I looked at the "25 firewall rules" throughput figures for mid-sized packets. If you didn't need it to act as a firewall, only as a router, it would definitely be sufficient. If you set up some firewall rules, the CPU may have a tough time, so it is important to use the stateful firewall so that most packets would be fasttracked and if not, handled by just two firewall rules each.
> A few months ago I tested an OpenVPN tunnel with the Mikrotik hEX S RB760iGS and did a few speed tests.
> 1st I ran a test with the hEX S configured as a router behind a router without an OpenVPN connection, and I was able to get an iperf transfer at 936 Mbit/s.
That's still twice the bandwidth of your upload, so if you'd be only using the hEX S for this "voice VPN" and a little bit of remote management, it's OK.
> Once I established an OpenVPN connection the iperf speed dropped to 35 Mbit/s.

The ciphers used are important to a certain degree; the certificate settings are not, as the certificate is only used when the connection is established.
> The OpenVPN server settings were auth SHA1, cipher AES-256. The certificate settings were 2048 key size.

Shared upload of 10 Mbps from multiple APs will be enforced by what? If the APs themselves or one of the Cisco boxes, no problem; if the bandwidth enforcement should be done by the hEX S, it's additional load for it. Again, try and see.
> As for normal data usage at the facility, 1 day a week I may have 50 users on the wifi streaming from YouTube or Facebook. But for those users I set the wifi to limit their download speed to 4 Mbit/s and their upload to a shared 10 Mbps..
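The "stateful firewall, fasttrack, at most two rules per packet" advice above, written out as a RouterOS filter set for the multi-VLAN layout the thread discusses. This is an added example, not configuration from the post or from MikroTik; the interface list names, the VLAN interface names (vlan-guest, vlan-voice, vlan-mgmt) and ether1 as the WAN port are assumptions.

```routeros
# Added example (not from the forum post): stateful forward/input chains so
# that established traffic is fasttracked and a packet that is not fasttracked
# is handled by only two rules before policy applies.
# Interface names (vlan-guest, vlan-voice, vlan-mgmt, ether1=WAN) are assumptions.
/interface list
add name=guest-vlans
add name=internal-vlans
add name=mgmt-vlan
/interface list member
add list=guest-vlans interface=vlan-guest
add list=internal-vlans interface=vlan-voice
add list=mgmt-vlan interface=vlan-mgmt

/ip firewall filter
# 1. Packets of known connections are fasttracked and bypass the rest of the chain.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
# 2. Only new connections reach the policy rules below; invalid ones are dropped.
add chain=forward action=drop connection-state=invalid
# Guests may only go to the Internet, never to internal subnets or other guests.
add chain=forward action=accept in-interface-list=guest-vlans out-interface=ether1
add chain=forward action=drop in-interface-list=guest-vlans
# Internal VLANs may reach the Internet; any inter-VLAN traffic must be added explicitly.
add chain=forward action=accept in-interface-list=internal-vlans out-interface=ether1
add chain=forward action=drop comment="default deny between VLANs"

# Access to the router itself: replies, DNS/DHCP for every VLAN, management from one VLAN.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=udp dst-port=53,67 in-interface=!ether1 \
    comment="DNS/DHCP served to the VLANs"
add chain=input action=accept in-interface-list=mgmt-vlan
add chain=input action=drop comment="no management from WAN or other VLANs"
```

Fasttrack only takes effect for connections that no mangle, queue or other feature needs to inspect, so check /ip firewall filter counters on the fasttrack rule under real load to confirm it is actually being hit.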
Many home networks are far more demanding than business networks by a country mile :-) There are some niche business networks that require POWER but for the most part the majority of office environments are as boring as watching frozen molasses become unfrozen :-)
> If you have practical experience that says otherwise, that is more valuable.

If I succeed the OpenVPN requirement that now puts a lot of different routers back on the table. Including the Cisco RV340..
> Where it becomes an issue TODAY is live streaming ...i.e. Microsoft Teams where many join in from the cloud, the same for Zoom, because the bandwidth throughput required is symmetrical and most use HD .... high volume concurrent VoIP usage .... etc the hEX could not handle that kind of stuff.

Consider the RB4011, it will handle all of the load you've described with relative ease ....
> So to better prepare myself for the future what Mikrotik router would you all recommend?
> Or would it be better to go with a Cisco router since all the other equipment I am using is Cisco, and be able to use their single-pane-of-glass management and monitoring solution called Cisco Business Dashboard to see and configure everything???
The RB4011 is $204 @ Amazon.
> Consider the RB4011, it will handle all of the load you've described with relative ease ....
YES if I was in your shoes I would go with the Cisco Router because the single pane of glass management and monitoring solution is outstanding.
Yes I have .... that's why I stated outstanding.
> Have you had an opportunity to use the Cisco Business Dashboard?

RV340 is severely limited and handicapped - only a dual WAN router, NOT multiwan ;-P
> Yes I have .... that's why I stated outstanding.
Btw, it's really not a fair comparison between the RB4011 and the RV340 ... the Cisco is a security appliance plus it does near line-rate NAT +++
Anyway, this is a MikroTik forum so let's stop here :-)
@anav :-)
> RV340 is severely limited and handicapped - only a dual WAN router, NOT multiwan ;-P

Yes YOU are 100% correct :-)
> That's okay Mozerd is going to pay for them!! ;-P
One should be held responsible for promises of 'wow' security!!!!!!!!
@Sindy provided a very nice description of Layer 7 work :-) Thank You.
> To those who have actually used these type of subscription features, do you feel they are worth the price, and which subscription features do you use? If you have used them and are now no longer paying for the features, what made you change?

At home I run MikroTik with MOAB
> Out of curiosity Mozerd, at home do you run MT with mOAB or are you using CISCO with UTM.
> What do you recommend for your clients.............. ie what threshold do you insist they move to CISCO

I don't use anything like these at home but we do for our customers. To be honest I'm not a fan of the Cisco Small Business products (although their L2 switches can be OK). Aside from that we've had disappointments where they didn't support something you'd take for granted in anything called "Cisco", or where a feature had to be configured in a bizarre way. I don't suppose much has changed aside from renaming the range as "Business" rather than "Small Business". Pure prejudice tells me that since Cisco has Firepower as their premium firewall family, and Meraki below that, it stands to reason that the Small Business products must be less capable.
> To those who have actually used these type of subscription features, do you feel they are worth the price, and which subscription features do you use? If you have used them and are now no longer paying for the features, what made you change?