ROUTER1 - CHR in hosting
ROUTER2 - Head office
ROUTER3 - Location 2
ROUTER4 - Location 3
Then I have another 40 routers, which we call R1-guest, R2-guest and so on.
The R1-CHR acts as an L2TP+IPsec, SSTP and WireGuard server.
SSTP and L2TP+IPsec are distributed redundantly with the same subnet and the same IP, using ECMP.
WireGuard instead uses a dedicated subnet.
I would like everyone in the office area to announce all the subnets to each other, but not the subnets of the VPN itself.
Also, for everyone in the guest area, only the R1-CHR needs to know about their remote LANs, but the guest LANs don't need to know about the office area.
I started the configuration, but the VPN subnet is also being announced to me, so before going too far I wanted to resolve this first.
The subnet used for L2TP+IPsec and SSTP is 10.165.32.0/24.
The one used for WireGuard is 10.165.33.0/24.
In the R1-CHR I have to announce 10.245.159.0/24.
In the R2-office I have to announce these subnets:
- 10.246.159.0/24
- 10.246.161.0/24
- 10.250.159.0/24
- 10.10.10.0/24
In the R3-office I have to announce:
- 192.168.17.0/24
- 192.168.80.0/24
In the guest routers there are various subnets that I will not list now, but let's assume that R1-guest must announce 172.16.70.0/24.
I started the configuration like this:
This is R1-CHR:
/routing id
add disabled=no id=192.0.0.1 name=id-1 select-dynamic-id=""
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=id-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbone
add area-id=1.1.1.1 disabled=no instance=ospf-instance-1 name=ospf-area-1
/routing ospf interface-template
add area=backbone disabled=no networks=10.245.159.0/24 passive
add area=backbone disabled=no interfaces=l2tp-casa-terralba,sstp-casa-terralba type=ptp
add area=backbone disabled=no interfaces=wireguard-server1 type=ptp
This is R2-office:
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing id
add disabled=no id=192.0.0.2 name=id-1 select-dynamic-id=""
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=id-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbone
/routing bfd configuration
add disabled=no
/routing ospf interface-template
add area=backbone disabled=no networks=10.246.159.0/24,10.246.161.0/24,10.250.159.0/24,10.10.10.0/24 passive
add area=backbone disabled=no interfaces=l2tp-Synthohosting,sstp-CHR-synthohosting type=ptp
add area=backbone disabled=no interfaces=wireguard_CHR-c1v type=ptp
#R1-CHR
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, o - OSPF; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 As 0.0.0.0/0 1.2.3.10 1
DAo 10.10.10.0/30 10.165.32.3%l2tp-casa-terralba 110
DAo 10.165.32.1/32 10.165.32.3%l2tp-casa-terralba 110
DAc+ 10.165.32.2/32 <l2tp-casa.morgongiori> 0
DAc+ 10.165.32.2/32 <sstp-casa.morgongiori> 0
DAc+ 10.165.32.3/32 sstp-casa-terralba 0
DAc+ 10.165.32.3/32 l2tp-casa-terralba 0
DAc 10.165.32.4/32 <sstp-Orto-Strada3> 0
DAc+ 10.165.32.254/32 <sstp-CHR_C1v> 0
DAc+ 10.165.32.254/32 <l2tp-CHR_C1v> 0
DAc 10.165.33.0/24 wireguard-server1 0
DAc 10.165.34.0/24 wireguard-NETFLIX 0
DAc 10.165.36.0/24 bridge-loopback1 0
DAc 10.165.37.0/24 bridge-loopback2 0
DAo 10.165.50.0/24 10.165.32.3%l2tp-casa-terralba 110
DAc 10.245.159.0/24 bridge-LAN 0
DAo 10.246.159.0/24 10.165.32.3%l2tp-casa-terralba 110
DAo 10.246.161.0/24 10.165.32.3%l2tp-casa-terralba 110
DAo 10.250.159.0/24 10.165.32.3%l2tp-casa-terralba 110
DAc+ 1.2.3.4/27 ether1 0
DAc+ 1.2.3.5/27 ether1 0
DAc+ 1.2.3.6/27 ether1 0
#R2-office
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, o - OSPF; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 Xs 192.168.8.0/24 10.165.43.1 3
1 Xs 208.67.222.222/32 10.10.10.1 1
;;; backup out home assistant e vto
2 Xs 0.0.0.0/0 8.8.4.4 2
3 Xs 192.168.1.0/24 10.246.159.55 1
4 Xs 10.245.159.0/24 10.165.50.1 1
;;; ISP2 default route - BACKUP
5 s 0.0.0.0/0 8.8.8.8 2
;;; ISP1 default route MAIN
6 As 0.0.0.0/0 8.8.4.4 1
DAc 5.6.7.8/32 bridge70_L2_ON_CHR 0
;;; ISP1 route dns
7 As 8.8.4.4/32 192.168.192.168 1
;;; ISP2 route dns
8 As 8.8.8.8/32 10.10.10.1 1
DAc 10.10.10.0/30 vlan40_ether10-ISP2 0
DAc 10.127.0.0/24 wireguard-ESP 0
DAc + 10.165.32.1/32 sstp-CHR-synthohosting 0
DAc + 10.165.32.1/32 l2tp-Synthohosting 0
DAo 10.165.32.3/32 10.165.32.1%l2tp-Synthohosting 110
DAc 10.165.33.0/24 wireguard_CHR-c1v 0
DAc 10.165.43.1/32 sstp_VPN-CHR 0
9 As 10.165.46.0/24 wireguard_CHR-c1v 1
DAc 10.165.50.0/24 wireguard_CHR-c1v 0
10 As 10.200.1.0/30 10.246.159.56 1
D o 10.245.159.0/24 10.165.32.1%l2tp-Synthohosting 110
11 As 10.245.159.0/24 10.165.43.1 2
DAc 10.245.160.0/24 bridge-loopback 0
DAc 10.246.159.0/24 BRIDGE10_LAN 0
DAc 10.246.161.0/24 bridge50-TVCC 0
12 s + 10.246.170.0/24 10.165.32.1 2
13 As 10.246.170.0/24 10.165.43.1 1
14 As 10.246.180.0/26 192.168.17.60 1
15 s 10.246.180.0/26 10.165.43.1 2
16 IsH 10.247.159.0/24 10.246.159.1 1
;;; Route subnet 10.247.159.XX e 10.248.159.xx da pubblico che appartengono al map mikrotik
17 As 10.247.159.0/24 10.165.43.1 3
18 IsH 10.247.159.0/24 192.168.17.2 2
DAc 10.250.159.0/24 bridge200-VLAN-NAS 0
DAc 169.254.0.0/16 ether1 0
DAc 172.16.20.0/27 bridge30-GUEST 0
DAc 172.17.20.0/24 bridge20-HDMI 0
19 As 192.168.8.0/24 10.246.159.1 1
20 IsH 192.168.8.0/24 192.168.17.2 2
DAc 192.168.15.0/24 BRIDGE10_LAN 0
DAc 192.168.17.60/32 <l2tp-Orto.STR3> 0
21 As 192.168.74.0/24 10.127.0.2 1
DAc 192.168.80.0/24 bridge80-ARUBA_NETWORK 0
DAc 192.168.178.0/24 ether1 0
DAc 192.168.192.168/32 pppoe-NETOIP 0
DAc 192.168.200.0/24 ether1 0
22 As 192.168.255.0/24 10.165.43.1 1
;;; OUT VTO con VPN
23 As 0.0.0.0/0 10.165.43.1 1
24 As 0.0.0.0/0 8.8.4.4 1
25 As 0.0.0.0/0 8.8.8.8 1
;;; backup out Netflix
26 As 0.0.0.0/0 10.165.50.1
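The two route tables above are where the problem described in the post shows up: on R1-CHR the entry `DAo 10.165.32.1/32` and on R2-office the entry `DAo 10.165.32.3/32` are routes learned via OSPF (flag `o`) that lie inside the L2TP+IPsec/SSTP subnet 10.165.32.0/24, which was supposed to stay out of OSPF. As an added example, not code from the post or from MikroTik, here is a small Python audit that parses a RouterOS v7 `/ip route print` dump and reports exactly those entries. The forbidden prefixes are the two VPN subnets named in the post; the two sample dumps are constructed, shortened copies that keep the awkward shapes of the real output (route index on static entries, `DAc +` with a space, an inactive `D o` route, a `;;;` comment line, and a last line with no distance). Function names are my own.

```python
"""Added example (not from the forum post): audit RouterOS v7 '/ip route print'
output for OSPF-learned routes that fall inside the VPN transit subnets, which
the post says must not be announced. Prefix values come from the post; the
sample dumps below are constructed to mirror the shape of the tables shown."""
import ipaddress
import re

# Per the post: L2TP+IPsec/SSTP pool and the WireGuard subnet.
VPN_PREFIXES = [
    ipaddress.ip_network("10.165.32.0/24"),
    ipaddress.ip_network("10.165.33.0/24"),
]

# Constructed sample in the shape of the R1-CHR table above.
SAMPLE_R1 = """\
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, o - OSPF; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 As 0.0.0.0/0 1.2.3.10 1
DAo 10.10.10.0/30 10.165.32.3%l2tp-casa-terralba 110
DAo 10.165.32.1/32 10.165.32.3%l2tp-casa-terralba 110
DAc+ 10.165.32.3/32 l2tp-casa-terralba 0
DAc 10.165.33.0/24 wireguard-server1 0
DAc 10.245.159.0/24 bridge-LAN 0
DAo 10.246.159.0/24 10.165.32.3%l2tp-casa-terralba 110
"""

# Constructed sample in the shape of the R2-office table (note the "DAc +" spacing,
# the inactive "D o" OSPF route, the comment line and the final line without a distance).
SAMPLE_R2 = """\
;;; ISP1 default route MAIN
6 As 0.0.0.0/0 8.8.4.4 1
DAc + 10.165.32.1/32 sstp-CHR-synthohosting 0
DAo 10.165.32.3/32 10.165.32.1%l2tp-Synthohosting 110
DAc 10.165.33.0/24 wireguard_CHR-c1v 0
D o 10.245.159.0/24 10.165.32.1%l2tp-Synthohosting 110
DAc 10.246.159.0/24 BRIDGE10_LAN 0
26 As 0.0.0.0/0 10.165.50.1
"""

PREFIX_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}")


def parse_routes(dump):
    """Turn a route-table dump into a list of dicts with flags, dst, gateway, distance.

    The flags column is recovered as everything before the first CIDR token, with the
    optional route index (static routes carry one) and stray spaces removed.
    """
    routes = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith((";;;", "#", "Flags:", "Columns:")):
            continue
        m = PREFIX_RE.search(line)
        if not m:
            continue
        flags = re.sub(r"[\d\s]", "", line[: m.start()])
        rest = line[m.end():].split()
        routes.append({
            "flags": flags,
            "dst": ipaddress.ip_network(m.group(0), strict=False),
            "gateway": rest[0] if rest else "",
            "distance": int(rest[1]) if len(rest) > 1 and rest[1].isdigit() else None,
        })
    return routes


def ospf_leaks(routes, forbidden=VPN_PREFIXES):
    """Return (dst, gateway) pairs for OSPF-learned routes ('o' flag) that lie
    inside a prefix which should never be carried by OSPF."""
    return [
        (str(r["dst"]), r["gateway"])
        for r in routes
        if "o" in r["flags"] and any(r["dst"].subnet_of(net) for net in forbidden)
    ]


def ospf_prefixes(routes):
    """All destination prefixes learned via OSPF, active or not, as strings."""
    return sorted(str(r["dst"]) for r in routes if "o" in r["flags"])


if __name__ == "__main__":
    for name, dump in (("R1-CHR", SAMPLE_R1), ("R2-office", SAMPLE_R2)):
        routes = parse_routes(dump)
        print(f"{name}: {len(routes)} routes, OSPF-learned: {ospf_prefixes(routes)}")
        for dst, gw in ospf_leaks(routes):
            print(f"  VPN prefix leaked via OSPF: {dst} via {gw}")
```

Run against a real dump (paste the output of `/ip route print` into a file and feed it to `parse_routes`), the script flags the /32 peer addresses of the ptp VPN links as soon as they are learned over OSPF, which is the exact symptom the post describes; the same check can be re-run after any change to the interface templates or routing filters to confirm the VPN subnets have stopped propagating.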