pcmd
just joined
Topic Author
Posts: 24
Joined: Thu Jul 08, 2004 12:45 am
Location: Kansas City, MO

Connecting remote offices

Tue Mar 21, 2023 4:13 pm

I currently support an organization with a main office housing Windows DC, SQL, and file servers, and two satellite offices. DHCP and DNS services are provided by the DC. All user access is from the LAN: approximately 50 Windows PCs and laptops, 15 network printers, no mobile "road warrior" access. The main office provides Internet access for all three offices through an RB2011UiAS. All three offices are connected with a product called "Network on Demand" from ATT that I believe provides layer 2 connectivity. All three offices share the same address space. This has worked well for 6 yrs., but it is relatively slow and very expensive. The owners have installed gigabit fiber Internet (also ATT) at all three offices and I've installed RB3011UiAS's intending to create VPN connections to the offices. After researching current VPN technology, I settled on using WireGuard and have succeeded in connecting all three offices. I'm able to share domain resources, remote printers, etc. The problem for me is that I can't configure the VPN so the offices can share the same address space. I'm sure, in the past, I've created VPNs that shared the same address space and currently have an L2TP VPN running at another customer's offices sharing the same address space. Am I asking for something that can't happen with my current setup? Thanks in advance for any advice!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting remote offices

Tue Mar 21, 2023 5:30 pm

Lucky for you Toto, just looking at this subject. (okay so KC is in MO, but that's a ridonkulous proposition)
BUT why did you use old routers for a new purchase? An RB5009 would have been more appropriate, especially since ZEROTIER would have fixed your issues SO SO easily and with the right horsepower and RAM etc..............

WireGuard is PEER TO PEER and a LAYER 3 construct.
IF YOU WANT TO SPAN A subnet over TWO locations, zerotier is my first choice
but otherwise you can do it
a. eoip over wireguard
b. vxlan over wireguard

Assuming that you want
a. offices to get DHCP from main office
b. offices to get internet from main office (and not local)?
 
pcmd
just joined
Topic Author
Posts: 24
Joined: Thu Jul 08, 2004 12:45 am
Location: Kansas City, MO

Re: Connecting remote offices

Tue Mar 21, 2023 5:55 pm

Thanks for the quick reply and advice. Like most small businesses, cost is always a factor and most don't understand the "penny wise, pound foolish" mindset. I'll explore the other options, including returning the RB3011s for something newer with better resources. Thanks again!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting remote offices

Tue Mar 21, 2023 6:32 pm

Don't give up on me yet LOL.
Can I ask if the offices have one local subnet aka on a bridge or MULTIPLE LOCAL subnets ??

Was the intention to have MAIN office internet for the single Subnet or try to use local WAN for internet at local router OR NO internet at all??

With this information a plausible solution may be possible.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting remote offices  [SOLVED]

Tue Mar 21, 2023 7:10 pm

USING WireGuard to SPAN One Subnet
Assumptions - One DHCP Server, Subnet Uses Main Office For Internet.

SOLUTION METHOD ONE: EOIP OVER WIREGUARD

a. create wireguard connectivity as per normal and then
b. create the EOIP tunnel within the WG tunnel ( EOIP never concerns itself with local WAN IPs at either end )

Note: Here we are considering one MAIN office R1 and one Satellite office R2.
a. Setup the WG

/MT Device One info
/interface wireguard
add listen-port=15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2 interface=wireguard-home public-key="---" comment=Router2
add allowed-address=192.168.50.3 interface=wireguard-home public-key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

/MT Device Two
/interface wireguard
add listen-port=10771 mtu=1420 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24 endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistent-keepalive=35s
/ip address
add address=192.168.50.2/24 interface=wireguard-client

b. Setup EoIP tunnel over WireGuard ( the tunnel endpoints are the WireGuard addresses, so the EoIP/GRE packets only ever travel inside the encrypted tunnel ).

Router ONE
/interface eoip
add name=eoip-to-TWO remote-address=192.168.50.2 local-address=192.168.50.1 tunnel-id=321

Router TWO
/interface eoip
add name=eoip-to-ONE remote-address=192.168.50.1 local-address=192.168.50.2 tunnel-id=321

Now let's provide context to the configuration and identify key components.

VLAN 20 is the common VLAN on both routers with subnet 192.168.88.0/24
R1 Address   192.168.168.1/24 interface=vlan20 network=192.168.168.0  { Main office }
R2 Address   192.168.168.2/24  interface=vlan20 network=192.168.168.0 { Satellite office }
R1 - Provides full DHCP service for both main and satellite.
R1 - Provides internet for both main and satellite.
R1 - ether4-MainR1  { port on router }
R2 - ether3-SatelliteR2  { port on router }

Router One
/interface bridge port
add bridge=bridge interface=ether4-MainR1 pvid=20
add bridge=bridge interface=eoip-to-TWO pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-TWO,ether4-MainR1 vlan-ids=20

Router Two
/interface bridge port
add bridge=bridge interface=ether3-SatelliteR2 pvid=20
add bridge=bridge interface=eoip-to-ONE pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-ONE,ether3-SatelliteR2 vlan-ids=20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

SOLUTION METHOD TWO: VXLAN OVER WIREGUARD

a. create wireguard connectivity as per normal and then
b. create the VXLAN tunnel within the WG tunnel ( vxlan never concerns itself with local WAN IPs at either end )

Note: Here we are considering one MAIN office R1 and one Satellite office R2.
a. setup the wg tunnel

/MT Device One info
/interface wireguard
add listen-port=15551 mtu=1550 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2 interface=wireguard-home public-key="---" comment=Router2
add allowed-address=192.168.50.3 interface=wireguard-home public-key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

/MT Device Two
/interface wireguard
add listen-port=10771 mtu=1550 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24 endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistent-keepalive=35s
/ip address
add address=192.168.50.2/24 interface=wireguard-client

Now let's provide context to the configuration and identify key components.

VLAN 20 is the common VLAN on both routers with subnet 192.168.88.0/24
R1 Address   192.168.168.1/24 interface=vlan20 network=192.168.168.0  { Main office }
R2 Address   192.168.168.2/24  interface=vlan20 network=192.168.168.0 { Satellite office }
R1 - Provides full DHCP service for both main and satellite.
R1 - Provides internet for both main and satellite.
R1 - ether4-MainR1 { port on router }
R2 - ether5-SatelliteR2  { port on router } 

VXLAN Settings

Step1: Assign vxlan interface name.
R1: Interface name=MO   { Main Office }
R2: Interface name=SOL1  { Satellite Office Location 1 }

Step2: Allocate VTEP to the underlying structure
R1: VTEP --> interface=MO remoteIP=192.168.50.2 { since the remote IP wireguard address of R2 is 50.2 }
R2: VTEP --> interface=SOL1 remoteIP=192.168.50.1 { since the remote IP wireguard address of R1 is 50.1 }

Step3: Assign vxlan parameters as required. The first iteration of this solution will be to span the same subnet.
R1 (interface MO) --> vni=1001 port=9472
R2 (interface SOL1) --> vni=1001 port=9472

Step4: Add both vxlan interfaces to the single bridge on each router and connect/associate to the applicable VLAN interface.
R1
/interface bridge port
add bridge=bridge interface=ether4-MainR1 pvid=20
add bridge=bridge interface=MO pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=MO,ether4-MainR1 vlan-ids=20
R2
/interface bridge port
add bridge=bridge interface=ether5-SatelliteR2 pvid=20
add bridge=bridge interface=SOL1 pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=SOL1,ether5-SatelliteR2 vlan-ids=20
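Steps 1 to 3 above written out as RouterOS commands, plus the input-chain firewall rules that both methods need on a router that still carries the default firewall. This is an added example, not anav's configuration: the names MO, SOL1, wireguard-home and the 192.168.50.x addresses come from the post, while the WAN interface name ether1 and the assumption that the default input chain drops everything not arriving from the LAN list are mine.

```routeros
# Router One (main office). The wireguard-home tunnel and the bridge/VLAN
# membership are as in the post above; only the VXLAN pieces are new here.
/interface vxlan
add name=MO vni=1001 port=9472
/interface vxlan vteps
add interface=MO remote-ip=192.168.50.2

# Router Two (satellite office), mirror image of the above.
/interface vxlan
add name=SOL1 vni=1001 port=9472
/interface vxlan vteps
add interface=SOL1 remote-ip=192.168.50.1

# Firewall on Router One. Assumption: the default RouterOS firewall is in
# place, whose input chain ends with a drop for anything not from the LAN
# list, so tunnel traffic addressed to the router itself needs explicit
# accepts. These rules must sit above that final drop (use place-before or
# /ip firewall filter move after adding them).
/ip firewall filter
# Only the main office needs to accept WireGuard on the WAN: the satellites
# dial in, and their replies are matched by the default established/related rule.
add chain=input in-interface=ether1 protocol=udp dst-port=15551 action=accept \
    comment="WireGuard from satellite offices"
# VXLAN (method two) is accepted only when it arrives inside the tunnel,
# never directly on the WAN, so the L2 span cannot be reached from outside.
add chain=input in-interface=wireguard-home protocol=udp dst-port=9472 action=accept \
    comment="VXLAN inside WireGuard"
# EoIP (method one) is GRE; same rule shape, again only from inside the tunnel.
add chain=input in-interface=wireguard-home protocol=gre action=accept \
    comment="EoIP inside WireGuard"
```

On Router Two use the same two tunnel rules with in-interface=wireguard-client and no WAN rule. Check with /ip firewall filter print that the accepts are listed before the LAN-only drop.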
 
pcmd
just joined
Topic Author
Posts: 24
Joined: Thu Jul 08, 2004 12:45 am
Location: Kansas City, MO

Re: Connecting remote offices

Tue Mar 21, 2023 9:17 pm

Sorry anav, misunderstood your initial reply pointing me to different hardware and technique. Currently the main office provides Internet access (through the RB2011) to all three offices. ATT just hands off an ethernet connection to me from the satellite offices, plugged into a switch at the main office so they have one logical network, single subnet, 192.168.27.0/24. I'm trying to achieve the same logical single subnet so that all LAN and Internet traffic stays on this logical subnet between the three offices similar to the present set up but I do want to create VLANs at each office to segment guest access and streaming Internet access to the local Internet connection. Hope I'm making sense. I'll take a look at the configurations you sent me. ZeroTier will run on the RB3011s but I got the impression maybe the RB3011s don't have the resources to run it efficiently? Thanks once again!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting remote offices

Tue Mar 21, 2023 10:31 pm

TO RECAP, There are four possibilities:

(1) USE WIREGUARD --> Single Subnet at Satellite: The configuration provided should work with all existing hardware with ONE internet connection provided by the MAIN office. No extra work is required to change any /interface bridge nat settings. This is predicated on single subnets at Satellite offices and no vlans.

(2) USE WIREGUARD --> Single Subnet at Satellite: The configuration provided should work with all existing hardware with three separate internet connections and with the required change to /interface bridge nat setting. Local routers get local internet. This is predicated on single subnets at Satellite offices and no vlans.

(3) USE WIREGUARD --> Multiple Subnets at Satellite: The configuration provided should work with existing hardware with three separate internet connections with required changes to /interface bridge nat settings. Entails one bridge for spanned subnet, and a separate bridge for all non-spanned subnets. Local routers get local internet. This is predicated on multiple subnets and at least two bridges ( one for each additional subnet ) at Satellite offices and no vlans.

NOTE: Although I stated it can be done with existing hardware, they would NOT be able to optimize modern WAN fiber throughput or wireguard, so RB5009 still recommended.

(4) USE ZEROTIER. However, if you want each office to get its own internet, then this solution will work without wireguard and one can address any setup as though the LANs were on the same switch. Local subnets can use local internet. No restriction on vlans to my knowledge, but not a Zerotier expert.


IN SUMMARY, do seriously consider the RB5009 as step 1 in any solution. You can try option 3 first to see if it meets your needs at the Satellite Offices otherwise then consider migrating to zerotier.
Last edited by anav on Tue Mar 21, 2023 11:12 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting remote offices

Tue Mar 21, 2023 10:43 pm

I didn't post the configs for POSSIBILITIES 2 and 3, so done here.......

POSSIBILITIES 2 & 3 ( covers both methods eoip and vxlan ) --> single bridge specifically for one spanned subnet at Satellite Office

Note: The difference in POSSIBILITY 3, is that there is at least one other bridge for the other non-spanned subnets at the satellite office.

/interface bridge nat { at satellite office, EoIP method }
add chain=dstnat in-bridge=bridge in-interface=!eoip-to-ONE mac-protocol=arp arp-dst-address=192.168.168.1/32 action=arp-reply to-arp-reply-mac-address=mac:address:of:satellite:bridge

/interface bridge nat { at satellite office, VXLAN method }
add chain=dstnat in-bridge=bridge in-interface=!SOL1 mac-protocol=arp arp-dst-address=192.168.168.1/32 action=arp-reply to-arp-reply-mac-address=mac:address:of:satellite:bridge

Note: The arp-dst-address used is that of the gateway on the MAIN office subnet. We are substituting it with the mac-address of the local bridge by dst-nat, and thus users on the single spanned subnet on the satellite side will go out the Local WAN for internet.

WHY: Explanation above my head but here it is.
Legend:
x.x.x.x/32 is destination address (lets say on the www)
y.y.y.y is the gateway IP of the subnet the user is located

The solution is predicated upon the fact that the IP address of the gateway is only used to determine its MAC address for routing purposes.
When one adds a route saying "the gateway to x.x.x.x/z is y.y.y.y", when the device wants to send something to x.x.x.x, it sends an ARP request for y.y.y.y and sends the packet with destination address x.x.x.x to the MAC address it got in the ARP response.
When a client asks for y.y.y.y, each local router (and in particular each subnet) must intercept the request and, instead of broadcasting it, respond to it with its own subnet MAC address.

Since we cannot substitute for the LAN subnet mac address, we instead substitute for the local BRIDGE mac address!!
If we use other subnets directly attached to ports, then additional bridges are not required.
For each additional subnet, create an additional bridge (as a bridge may cover one or more ports).
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting remote offices

Tue Mar 21, 2023 11:20 pm

WARNING FOR ABOVE CONFIGS: not quite right yet, I have not removed vlans but there is a possibility I may not have to.......... investigating.
 
pcmd
just joined
Topic Author
Posts: 24
Joined: Thu Jul 08, 2004 12:45 am
Location: Kansas City, MO

Re: Connecting remote offices

Tue Mar 21, 2023 11:44 pm

Working through the EOIP over WG settings right now for testing but hit a wall at the bridge port set ups, I get a "input does not match any value of bridge" error. Not sure what the "input" is referring to. I'll look over your last suggestions as time allows. Appreciate how much effort you're putting in for me!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting remote offices

Wed Mar 22, 2023 12:30 am

Take the EOIP R1 Office router settings
Router One
/interface bridge port
add bridge=bridge interface=ether4-MainR1 pvid=20
add bridge=bridge interface=eoip-to-TWO pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eoip-to-TWO,ether4-MainR1 vlan-ids=20

The bridge already exists.
ether4 on the bridge should go to where the user/device that needs to talk to router 2 is.
Its pvid is 20 because it's assumed to go to a dumb user, or switch, etc..

We attach the EOIP interface to the same bridge and same process for vlan20.
 
pcmd
just joined
Topic Author
Posts: 24
Joined: Thu Jul 08, 2004 12:45 am
Location: Kansas City, MO

Re: Connecting remote offices

Wed Mar 22, 2023 11:21 pm

Hi anav, I was able to successfully configure EoIP over WireGuard in my lab and will roll out to my client in the next 10 days or so. Eventually I figured out (with lots of research) that I simply needed to add the EoIP interface to my existing lan_bridge. I've discussed with my customer that I probably undersized the MTs, but they want to try the RB3011s and evaluate the performance. Thanks for pointing me in the right direction.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting remote offices

Thu Mar 23, 2023 1:06 am

Yes I was trying to convey that on my last post, use the existing bridge!!
Glad it worked!!
