Doberman
newbie
Topic Author
Posts: 38
Joined: Sat Mar 03, 2018 10:17 pm

which VPN to use ?

Thu Sep 08, 2022 3:12 am

Is it possible to join a PC to a domain over some VPN (EoIP, WireGuard ...)?
On both sides we have a public IP on the MikroTik.
 
nichky
Forum Guru
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: which VPN to use ?

Thu Sep 08, 2022 6:52 am

I prefer to use IPIP. Even EoIP will do the job; I'm avoiding that because of the overhead, but in case you need to bridge it, then you need to go with EoIP (depends on your setup).
 
Doberman
newbie
Topic Author
Posts: 38
Joined: Sat Mar 03, 2018 10:17 pm

Re: which VPN to use ?

Thu Sep 08, 2022 9:55 am

Maybe in the first question I wasn't clear enough...
PC2 is not part of the domain.
Now, at this moment, it is part of the default WORKGROUP.
Is it possible to make it part of the domain over some VPN solution?
 
karlisi
Member
Member
Posts: 437
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: which VPN to use ?

Thu Sep 08, 2022 10:46 am

PC2 should resolve the AD domain name via DNS to join the domain. It is easier if all traffic from PC2 to the Internet goes through the VPN; in this case use the AD DNS in PC2's network settings. If not, you can use static DNS entries in the Mikrotik to forward DNS queries for the AD domain to specific servers.
 
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: which VPN to use ?

Thu Sep 08, 2022 10:51 am

> Is it possible to make him part of domain over some VPN solution ?

Yes, it is. However, keep in mind that this tunnel should be site-to-site so both sides can establish any necessary connection. Also, you might want to check your DNS config at the AD and the MTs; this was something that I played with for around 4 hours to get it to work properly.

I have done this with IKEv2 and WG, although IPIP makes sense when both sides have public IPs and are MT. However, I'm better at troubleshooting the protocols that I mentioned.
 
Doberman
newbie
Topic Author
Posts: 38
Joined: Sat Mar 03, 2018 10:17 pm

Re: which VPN to use ?

Thu Sep 08, 2022 12:04 pm

> PC2 should resolve AD domain name via DNS to join domain. It is easier if all traffic from PC2 to Internet goes trough VPN, in this case use AD DNS in PC2 network settings. If not, you can use static DNS entries in Mikrotik to forward DNS queries for AD domain to specific servers.

I made an EoIP tunnel in which DHCP from MT1 assigns addresses to devices on MT2.
So, PC2 got DHCP from MT1 and I can ping everything in any direction.
On MT2, in the DNS section, I automatically got the IP address of the domain controller as a dynamic server.
On PC2, under IPv4 settings, DHCP is set and it shows everything OK... IP address, GW and DNS server as set up on MT1.

But when I try to join... it fails.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: which VPN to use ?

Thu Sep 08, 2022 2:10 pm

It may be an MTU/fragmentation issue. When you permit an MTU of 1500 on the EoIP interface itself, the transport packet carrying the payload one sent via the EoIP interface gets bigger by the EoIP overhead, so it gets fragmented on its way to the destination. And some parts of the internet are really bad at delivering fragmented packets.

Try using L2TP with BCP and with MLPPP. BCP takes care of the L2 tunneling, MLPPP splits large payload packets so that they would fit into transport packets not exceeding the MTU of the transport path, so you get "fragmentation without fragmentation" in the sense that the transport packets need not be fragmented on IP level.

But before doing that, first try whether it is worth it, by pinging through the tunnel while specifying size=1500 do-not-fragment (on the Mikrotik itself where the size specifies the whole size of the IP packet; on Windows, the size specified is the size of the ICMP payload alone so it must be 28 bytes lower than the IP packet size, i.e. -l 1472 for a 1500-byte IP packet, and -f is used to forbid fragmentation).
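The ping test described in the post above can be extended into a search for the largest packet size that actually gets through the tunnel. This is an added example, not part of the original thread; the function names, the "TTL=" reply check and the 1458-byte simulated path are assumptions made for illustration.

```python
import subprocess

ICMP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header

def windows_payload(ip_packet_size):
    """Value for Windows `ping -l`, which counts the ICMP payload only."""
    return ip_packet_size - ICMP_IP_OVERHEAD

def windows_df_probe(host):
    """Build probe(ip_size) -> bool that sends one DF ping from Windows."""
    def probe(ip_size):
        out = subprocess.run(
            ["ping", "-n", "1", "-f", "-l", str(windows_payload(ip_size)), host],
            capture_output=True, text=True).stdout
        # Assumption: only a real echo reply line contains "TTL=".
        return "TTL=" in out
    return probe

def largest_unfragmented(probe, low=576, high=1500):
    """Binary-search the largest IP packet size for which probe() succeeds.
    Returns None if even `low` does not get through."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid got through, search above it
        else:
            high = mid - 1     # mid was dropped, search below it
    return low

def simulated_path(path_mtu):
    """Constructed stand-in for a tunnel path, so the search runs offline."""
    return lambda ip_size: ip_size <= path_mtu

if __name__ == "__main__":
    # Constructed case: a path that passes IP packets up to 1458 bytes.
    size = largest_unfragmented(simulated_path(1458))
    print("largest IP packet:", size, "-> ping -f -l", windows_payload(size))
    # On a real Windows client, replace the simulated path with e.g.
    # windows_df_probe("<address of a host behind the tunnel>").
```

If the result is below 1500 for a host across the tunnel, full-size packets are not arriving and the MTU explanation in the post is worth pursuing.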
