homerouter
Frequent Visitor
Topic Author
Posts: 58
Joined: Sun Dec 26, 2021 12:52 pm
Location: DK

Dial/Client in VPN to VLAN

Sun Sep 18, 2022 3:41 pm

Dial/Client in VPN to VLAN

Both site 1 & 2 use MT devices.

When a client connects from site 2 to Site 1, it must be assigned to a VLAN.
My first idea was EoIP, but as Site 2 won't accept any direct incoming traffic it won't work, right?
Site 2 must start the traffic for it all to work.

Site 1
This site is the server site, client from site 2 connect to this, and must be assigned to a VLAN.

Site 2
This site is the client site; it connects to the server at site 1.
One big issue: the Internet provider allows NO incoming access. All connections must be started from here and then be related to work.

What way to do this?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dial/Client in VPN to VLAN

Sun Sep 18, 2022 4:11 pm

  1. don't do it, L2 tunneling is a bad idea
  2. as you need to do it despite 1., if a single VLAN is sufficient, use L2TP/IPsec with BCP. At both the server and the client, use a /ppp profile row that indicates a bridge to attach the L2 tunnel to. Set max-mtu and max-mru to 1380 at both the server and the client and experiment with mrru size needed to get the payload L2 MTU large enough that 1514 byte frames would fit and get split at MLPPP level rather than fragmented at IP transport level.
 
homerouter
Frequent Visitor
Topic Author
Posts: 58
Joined: Sun Dec 26, 2021 12:52 pm
Location: DK

Re: Dial/Client in VPN to VLAN

Sun Sep 18, 2022 5:10 pm

Best if I just tell what it will be used for.
Site 2 is some computers (servers) connected to a MT. They have internet access.
Site 2 connects to site 1. Then site 1 can access all the IPs at site 2.

So I just need site 2 connecting to site 1, to some IP I can manage in the firewall.
Site 1 has 4 VLANs and a lot of clients connected. Site 2 must not access anything, but site 1 must access all at site 2.

OpenVPN can be a solution, but then I can't assign any VLAN?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dial/Client in VPN to VLAN

Sun Sep 18, 2022 5:49 pm

Your description doesn't explain why you need L2 transparency. Do you need some devices to be in the same VLAN and subnet on Site 1 and Site 2 and receive broadcast traffic from devices in the same VLAN and subnet on the other site? Or is it enough that you set routes, on Site 1, to all subnets in vlans at Site 2, via an L3 tunnel, and vice versa?

OpenVPN supports L2 tunneling using its own mechanism, but the Mikrotik implementation only uses TCP as transport, so loss of a packet causes a delay of all the following packets and other problems. L2TP uses UDP as transport so these problems do not occur.

You can use any L3 tunnel to deliver EoIP packets, but only the PPP-based tunnels with MLPPP allow avoiding IP-layer fragmentation of transport packets, as they slice the payload packets before encapsulating them into transport ones. I have seen too many internet paths drop some non-first fragments, that's why I advocate this approach.

What doesn't work with BCP (PPP bridging) directly is "vlan filtering", i.e. if you set vlan-filtering to yes on the bridge to which a BCP tunnel is dynamically connected, you cannot specify which VLANs are to be transported using the BCP tunnel and which not - no VLAN-tagged frames are transported. But this can be worked around by using an auxiliary VLAN interface and bridge if you really need to tunnel multiple VLANs at a time and at the same time use vlan filtering, and CPU-wise this approach is not much different from EoIP, maybe it is even lighter.

But the key question is whether you really need to tunnel the broadcast traffic between the sites.
 
homerouter
Frequent Visitor
Topic Author
Posts: 58
Joined: Sun Dec 26, 2021 12:52 pm
Location: DK

Re: Dial/Client in VPN to VLAN

Mon Sep 19, 2022 9:22 am

I don't need L2 transparency.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dial/Client in VPN to VLAN

Mon Sep 19, 2022 1:23 pm

I don't need L2 transparency.
If so, let's stop thinking in VLANs and start thinking in subnets (although you likely follow the best practice, and use a dedicated VLAN for each subnet).

So you can create any kind of L3 tunnel, set up routes at Site 2 via that tunnel to all subnets at Site 1 that the clients at Site 2 need to reach, and set up routes via that tunnel at Site 1 to all subnets at Site 2 from which clients may connect to servers at Site 1. An exception is bare IPsec where you use traffic selectors rather than routes, but that's not for beginners anyway - in my opinion, L2TP/IPsec is the best way to start with VPNs. Plus you should not start with VPNs until you master the firewall.

In case of L2TP, you can add a list of destination prefixes, to which routes via the tunnel should be dynamically added once a client connects, to the routes parameter of the /ppp secret row representing the client. If you create your own /ppp profile row (or more), you can specify an interface list to which the virtual interface representing the client tunnel should be added, and an address-list to which the address assigned to the client should be added, and use them in firewall rules to control which clients can connect to which servers at Site 1. On the client side, the L2TP interface is static, so you don't need these tools and you can refer to the interface name directly, but you may want to add the address to an address-list if you use a pool for client addresses at the server side.

L2TP/IPsec will handle the issue that only Site 1 has a fixed address and can accept incoming connections (Site 1 must be the server). A drawback of L2TP/IPsec is that if multiple clients get NATed to the same public IP address and use the same port (like the Windows embedded VPN client does), only one of such clients will work at a time. But that should not bother you.
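One way to lay out the L3 setup described above on both routers, as an added example that is not from the thread: a /ppp profile with interface-list and address-list, the /ppp secret carrying the Site 2 prefix in its routes parameter, and firewall rules that let Site 1 reach Site 2 but not the reverse. All addresses, names, 203.0.113.10 as Site 1's public address, and the CHANGE-ME secrets are constructed placeholders.

```routeros
# ---- Site 1 (L2TP/IPsec server, fixed public address) ----
# Constructed values: Site 1 LAN 10.1.10.0/24, Site 2 LAN 10.2.0.0/24, tunnel pool 10.99.0.0/24.
/interface list add name=vpn-site2
/ip pool add name=vpn-pool ranges=10.99.0.10-10.99.0.50
/ppp profile add name=site2-profile local-address=10.99.0.1 remote-address=vpn-pool \
    interface-list=vpn-site2 address-list=vpn-site2-addrs use-encryption=yes
# The routes parameter adds a route to 10.2.0.0/24 via the client's dynamic interface on connect.
/ppp secret add name=site2 password=CHANGE-ME service=l2tp profile=site2-profile \
    routes="10.2.0.0/24"
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret=CHANGE-ME-PSK default-profile=site2-profile
# Let the IPsec/L2TP handshake reach the router itself.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500,1701 action=accept \
    comment="L2TP/IPsec from Site 2"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept
# Forward policy: Site 1 may start anything towards Site 2, Site 2 may start nothing towards Site 1.
/ip firewall filter add chain=forward connection-state=established,related action=accept \
    comment="replies in both directions"
/ip firewall filter add chain=forward out-interface-list=vpn-site2 action=accept \
    comment="Site 1 -> Site 2"
/ip firewall filter add chain=forward in-interface-list=vpn-site2 action=drop \
    comment="drop anything Site 2 initiates towards Site 1"

# ---- Site 2 (client; the provider allows no incoming connections, so it dials out) ----
/interface l2tp-client add name=l2tp-to-site1 connect-to=203.0.113.10 user=site2 \
    password=CHANGE-ME use-ipsec=yes ipsec-secret=CHANGE-ME-PSK \
    add-default-route=no disabled=no
# Static route so hosts in 10.2.0.0/24 can answer Site 1 through the tunnel.
/ip route add dst-address=10.1.10.0/24 gateway=l2tp-to-site1
```

The drop rule on Site 1 sits after the established,related rule, so Site 2 can still answer sessions that Site 1 opened; if the Site 2 forward chain is restrictive, it also needs to accept traffic arriving on l2tp-to-site1 destined for 10.2.0.0/24.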
