 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

VPN to connect home network to cottage

Sun Oct 10, 2021 5:54 pm

Good morning everyone,

I'm looking at getting some help in the design and setup of extending my home network to my cottage so that I have access to all my services from both locations. I will post my current setup when I get back home but I wanted to first know what device I should get for the cottage location.

I currently have a RB4011iGS+5HacQ2HnD-IN with wifi (my kids call it the little alien). I also have a Cap AC (2.4&5GHz) to extend my WiFi around the house. I will probably need some Cap AC for the cottage as well, but that can be done once I have the initial connection.

At the cottage, I have had my Starlink working flawlessly and using only that. But now I would like to be able to start working from the cottage, have access to my home network (NAS, home server, Plex server, home automation server extension) to make it feel like I'm still at home. I continue to want WiFi in the cottage, be able to use my streaming services, add the cottage printer to the network.

So my first question is: What would be the recommended device to enable this connectivity? Should I just buy another 4011? Or is there something else that would work better?

Once I know the device, I'm hoping that is half the battle. My home network has a couple vlans, for the home automation stuff, the server stuff, and an admin one.

Thank you in advance for all the help. I'll post my config either later today or tonight.

Cheers,
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Sun Oct 10, 2021 6:09 pm

Question 1:
What kind of speeds are available via Starlink in your location?
Something like ~70 Mbps (download) and ~20 Mbps (upload)?

Question 2:
What kind of speeds are available at home?

Question 3:
Do you have a Public IP at Home?
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sun Oct 10, 2021 11:05 pm

  1. I am getting on average 125 Mbps download and 20 Mbps upload
  2. I have 500/500 FTTH service
  3. If you mean do I have a static IP the answer would be no, but I do have my RB4011 which has DDNS enabled so I have at least that DNS that is reachable from anywhere.
I've attached my current home network config. @anav was nice enough to help me get this working. I'm sure there are still some things in there that should be cleaned out from me testing and tinkering here and there. TBH, I don't even know if my minecraft port forward works. haha. I haven't used it outside my network in a long time.

Thanks for the help!
Last edited by hahnhell on Wed Oct 13, 2021 3:35 am, edited 2 times in total.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Mon Oct 11, 2021 1:50 am

1. Router-Config
Just in case your "Virgin Mobile" is still active,
you may want to remove some user information
under -> service-name="Virgin Mobile PPPoE" user=...........

2. Hardware for Cottage
If money isn't an issue, another RB4011 isn't a bad choice.
It has a lot of features, like WLAN, 10 Ether-Ports, etc...
The performance of the router can provide a good IPsec tunnel at your ISP speeds.

If money or space is an issue, a cAP ac can be used.
It still has WLAN for the cottage and 2 Ether-Ports (1x for Starlink and 1x for PC or printer).
IPsec throughput isn't bad, but will be the limiting factor (bottleneck) of the system.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Mon Oct 11, 2021 2:21 am

Small addition to my last Post...
I assumed a "small" Cottage, but if you are already planning on multiple AP's
then I need to think bigger :D

Alternatively to the RB4011...
You could use the very powerful RB5009UG+S+IN
in conjunction with one or more AP's like the cAP ac.
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Mon Oct 11, 2021 5:22 am

Yep, missed that Virgin part. It's an old cancelled service, not a huge issue.

I was figuring it would be best to just get another 4011. It will help with the expansion in the cottage (not so small, probably more like a retirement home). I do think that the 5009 is a bit overkill for what I need. Had to look it up, what a nice piece of kit!

What would the next steps be in getting this setup?
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Mon Oct 11, 2021 4:48 pm

Ordered the RB4011 (wifi version). I'll pick it up tomorrow and be able to install it on the weekend. :)

Then I can work on learning how to extend my current network out to the cottage.

I figure there will be 2 types of devices at the 'cottage:' Home_Devices and IoT. So I will need to figure out how to extend both VLAN15 and VLAN50 out to the cottage.

Thanks for the help so far! I really appreciate it.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 2:11 am

A little "Food for Thought" until your new RB4011 arrives,

RouterOS supports many VPN and Tunneling Solutions.
But which one is the right one ? :D

The Main Question right now is,
Do you want or need Layer2 connectivity between your Main-Network and the Cottage?
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 2:26 am

Wireguard is the right solution, WHEN its out of beta, so you really mean in the interim ?? ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
rextended
Forum Guru
Posts: 5896
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 2:40 am

...
Last edited by rextended on Wed Oct 13, 2021 2:41 am, edited 2 times in total.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 2:41 am

Yes, of course !!!!!
I hope we will get a stable Ver.7 as an early Christmas present from Mikrotik :D
Last edited by ConnyMercier on Wed Oct 13, 2021 3:15 am, edited 1 time in total.
 
rextended
Forum Guru
Posts: 5896
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 2:41 am

@hahnhell
The export is really Sympatic oh...
you forgot to Hide Something while exporting...
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 3:01 am

@hahnhell
The export is really Sympatic oh...
you forgot to Hide Something while exporting...
Yep, we mentioned that above. I went ahead and removed the PPPoE info from my defunct Virgin Mobile services. They've been deactivated for some time now. I went back to B[H]ell Fibe, got a plan for less money and upped my speed by 5x (and now it's symmetric).

Wireguard huh? That looks neat. I'll have to think about what I want to do exactly with the VPN. I honestly think right now it's just going to be an extension of my VLAN50 and VLAN15. I want to be able to access my Plex server as a local device on my googletv, will probably add a network printer at the cottage. That is probably it for now, until I start doing some work-from-home at the cottage, then my needs will change somewhat.

Good to see you @anav!
 
rextended
Forum Guru
Posts: 5896
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 3:13 am

Sympatico HSE is Virgin?
Last edited by rextended on Wed Oct 13, 2021 3:45 am, edited 1 time in total.
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 3:21 am

Not sure where you're finding anything about Sympatico in that file :( I haven't used/heard of that service since the 90's when I was living at my parents'. I would have removed any public facing IPs if there were any in there... the only other item I see with a 76 in there is one of the MACs for the wireless interface.
Are we looking at the same file?
 
rextended
Forum Guru
Posts: 5896
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 3:24 am

[removed so as not to provide a hint...]
Last edited by rextended on Wed Oct 13, 2021 3:43 am, edited 1 time in total.
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 3:35 am

Ah, you're right! Man, there are a lot of simple things I keep forgetting about with this. Not that anything is accessible through that outside-facing address.

Thanks for the insight. I'll do the changes above.
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 3:37 am

And sympatico is Bell.. and Virgin is a sub of Bell, so yeah it probably was similar before when I was with Virgin.

Thanks for the lesson! I don't look for these things anymore. Maybe I should take some refresher courses.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 3:40 am

Thanks for the lesson!
No Problem, as a Thank you just send us a nice bowl of Poutine !
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 3:41 am

hahaha I hope rextended didnt also take your virginity at the same time..................
 
rextended
Forum Guru
Posts: 5896
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 3:43 am

ma..... :lol: :lol: :lol:
 
rextended
Forum Guru
Posts: 5896
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 3:44 am

@hahnhell
The export is really Sympatic oh...
you forgot to Hide Something while exporting...

Now you understand the first "hint" ??? :lol:
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 4:04 am

Yep, I understand it fully now. It made a bit of sense because I remember Bell used to sell their services as Sympatico. But yeah, I forgot that SN+the rest gave you the router's facing page.

Is there a way to actually disable that, but continue to have the connectivity to services by using the mikrotik dns?
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 4:30 am

Sadly no....
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 8:27 pm

Alright, RB4011 in hand. Is there a way that I can configure the new one while being here at home and then just do minor tweaks when I arrive at the cottage this weekend?

Thanks!
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Wed Oct 13, 2021 8:49 pm

Just use your Cellphone as a HotSpot!

Configure your MikroTik device with the help of the "Interface-List" function.
And simply use the 2.4GHz wifi (wlan1) as the "WAN" until you are at the cottage.

For example:
/interface list
add name=WAN
/interface list member
add interface=wlan1 list=WAN
add interface=ether1 list=WAN
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Thu Oct 14, 2021 11:50 pm

Man I wish I would have more time to do things like this.

I have internet connectivity on my laptop that is connected to the cottage rb4011. It is getting that internet via wifi hotspot on wlan2 (2.4GHz).

I've gone ahead and created my wifi interfaces the way I want them at my cottage.

Now I need to know how to get my cottage IP range to have:

VLAN15 (from home network) on cottage ethernet and wifi.
If that isn't clear because I'm not super detailed sometimes, I would like to plug a PC into the cottage rb4011 (2-10) and over JBHLMH_Cottage_WiFi_(2or5)GHz and have an IP from the VLAN15 range (Home).
VLAN50 (from home network) on cottage wifi
Same thing, if I connect a device to IoT_WiFi it will get an IP from the VLAN50 range (Home).
Starlink_WAN ethernet port will be where my internet is coming from the actual StarLink.

So what do I need to do on my Home device to enable an L2TP VPN (using the built in DNS I'm hoping??) and also what needs to be done on the Cottage device to connect? I've provided the config of the Cottage RB4011 here. Firewall, etc. is using the default config as the device arrived.
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 16, 2021 6:37 pm

I really can't complain about Starlink. It has made working from the cottage a real thing! And now I can even have the whole family kicking around and able to do stuff on a rainy/snowy day.

All the more reason to get some better connectivity with the house now.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Tue Oct 19, 2021 7:17 pm

200/200 Mbit/s isn't bad at all!!
I will go now and cry about my miserable 50/10 Mbit/s :(


Were you able to set up a VPN connection?
or do you still need help?
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Tue Oct 19, 2021 9:00 pm

I honestly haven't looked. I watched a couple YT videos on how to enable the L2TP VPN, but I am not sure about the IPs required. Will I need to create a second IP range within both VLAN50 and VLAN15 that will be the ones the cottage will use? That seems to me the most logical thing... But I'm not great with networking.
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN to connect home network to cottage

Tue Oct 19, 2021 10:05 pm

Ahh brother, I am with you and would be at the same exact spot.
What I can tell you is that wireguard is as easy as vanilla bean icecream melting off hot apple pie!!!
Three choices.
a. config routers to vers 7.1beta RC4 and take your chances............. should be fine in my view for most easy configs
b. wait
c. go out and buy two hex routers one for either end to colocate with the existing Main Routers and use these as routers but just for wireguard .
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Tue Oct 19, 2021 10:08 pm

ahhhh ahhhhh !!! :lol:

C
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Tue Oct 19, 2021 11:31 pm

C'mon folks, that's not fair! I just went and spent money on a nice new RB4011 which I find to be a super slick and powerful device.

What you're telling me is that VPN over VLAN is complicated and I ought to wait until wireguard is out?
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Tue Oct 19, 2021 11:34 pm

lol =)

I have some time tomorrow
I will do some Test in the LAB for L2TP/IPsec

and post a Step-by-Step Guide
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN to connect home network to cottage

Wed Oct 20, 2021 12:18 am

Yes, dont you want to save yourself hours of frustration!!
You can always load up ver7.1b RC4 on both routers and go for it LOL

Read through this thread to see if there are any gotchas for a basic setup..........
viewtopic.php?t=178704

Yeah, I had a read through; I would wait until rc5 comes out, too many notes of RB4011s crashing.
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Wed Oct 20, 2021 2:20 am

Thanks for the quick review @anav. Wireguard looks promising! I'm sure I'll eventually be able to migrate to that. For now, 2 VLANS need to get shoved through a VPN to my cottage somehow.

Will it take more than 1 VPN? perhaps 1 VPN per VLAN? I'm just trying to conceptualise this.
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN to connect home network to cottage

Wed Oct 20, 2021 2:28 am

I would hope that only one IPSEC tunnel is needed.
 
felixka
just joined
Posts: 18
Joined: Mon Oct 19, 2020 4:12 am

Re: VPN to connect home network to cottage

Wed Oct 20, 2021 5:30 am

For now, 2 VLANS need to get shoved through a VPN to my cottage somehow.

Will it take more than 1 VPN? perhaps 1 VPN per VLAN? I'm just trying to conceptualise this.
VLANs are Layer2, IPsec is Layer 3. You can route all your home traffic through one tunnel and then separate it into VLANs again in the cottage's router.
If you need to extend the Layer2 aspect of your VLANs then you'd need something like EoIP. But beware the MTU issues with Layer2 encapsulation.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Thu Oct 21, 2021 9:40 pm

@hahnhell, can you please post your latest config files for both Home and Cottage routers?


In return I will post an IPSEC/EOIP config.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Fri Oct 22, 2021 12:19 am

IPSec-Configuration Server (Home-Router)
Based on your Config (10.10.2021)


Step 0: Backup
Just in case something goes wrong =)

----------------------------------------------------------------------------
Step 1: Generate and Sign CA-Certificate
/certificate
add common-name=IPSEC-CA name=IPSEC-CA days-valid=3650

/certificate
sign IPSEC-CA
----------------------------------------------------------------------------
Step 2: Generate and Sign IPSec-Server

--- Warning ----
Replace both xxxxxxxxxx.sn.mynetname.net with own DNS-Name
/certificate
add common-name=xxxxxxxxxx.sn.mynetname.net subject-alt-name=DNS:xxxxxxxxxx.sn.mynetname.net days-valid=3650 key-usage=tls-server name=IPSec-Server

/certificate
sign IPSec-Server ca=IPSEC-CA
----------------------------------------------------------------------------
Step 3: Generate and Sign IPSec-Client
/certificate
add common-name=IPSec-Client1 name=IPSec-Client1 days-valid=3650 key-usage=tls-client


/certificate
sign IPSec-Client1 ca=IPSEC-CA
----------------------------------------------------------------------------
Step 4: Export CA-Certificate
/certificate
export-certificate IPSEC-CA type=pem
----------------------------------------------------------------------------
Step 5: Export

--- Warning ----
Replace xxxxxxxxxx with own Passphrase
/certificate
export-certificate IPSec-Client1 export-passphrase=xxxxxxxxxx type=pkcs12
----------------------------------------------------------------------------
Step 6: Download
Select both Files in Winbox, and download to your computer.

IPSEC-CA.crt
IPSec-Client1.p12

----------------------------------------------------------------------------
Step 7: Create IPSec-Server
/ip ipsec mode-config
add address=192.168.77.100 address-prefix-length=32 name=IPSec-ModeConfig system-dns=no

/ip ipsec policy group
add name=IPSec-Policies

/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128 name=IPSec-Profile

/ip ipsec peer
add exchange-mode=ike2 name=IPSec-Peer1 passive=yes profile=IPSec-Profile

/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 name=IPSec-Proposal pfs-group=none

/ip ipsec identity
add auth-method=digital-signature certificate=IPSec-Server generate-policy=port-strict mode-config=IPSec-ModeConfig peer=IPSec-Peer1 policy-template-group=IPSec-Policies remote-certificate=IPSec-Client1

/ip ipsec policy
add disabled=no dst-address=192.168.77.0/24 group=IPSec-Policies proposal=IPSec-Proposal src-address=0.0.0.0/0 template=yes
----------------------------------------------------------------------------
Step 8: Create IP-Counterpart

--- Warning ----
This step may be .. let's say "Suboptimal"

/interface bridge
add name=IPSec-Counterpart

/ip address
add address=192.168.77.200 interface=IPSec-Counterpart network=192.168.77.200
----------------------------------------------------------------------------
Step 9: Input-Firewall

--- Warning ----
Very Basic Firewall, you may need to add or modify depending on your needs.

/ip firewall filter
add action=accept chain=input comment="Accept: IPSec UDP  (Internet -> Router)" connection-state=established,related,new dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage --> Router)" dst-address=192.168.77.200 in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.77.100
----------------------------------------------------------------------------
Step 10: Create EOIP-Tunnels
/interface eoip
add comment="EOIP iD111 Home-Network" local-address=192.168.77.200 name=eoip-tunnel1 remote-address=192.168.77.100 tunnel-id=111
add comment="EOIP iD222 IOT-Network" local-address=192.168.77.200 name=eoip-tunnel2 remote-address=192.168.77.100 tunnel-id=222
----------------------------------------------------------------------------
Step 11: Assign Bridge to EOIP-Tunnels
/interface bridge port
add bridge=Home_Bridge interface=eoip-tunnel1 pvid=15
add bridge=Home_Bridge interface=eoip-tunnel2 pvid=50
----------------------------------------------------------------------------
Step 12: Configure VLAN-Filtering on EOIP-Tunnels
/interface bridge vlan
add bridge=Home_Bridge tagged=Home_Bridge,10-cAP_AC untagged="Home_WiFi_2GHz,3-Server,7-Synology,4-Work_PC,8-Printer,Home_WiFi_5GHz,5-Upstairs,eoip-tunnel1" vlan-ids=15
add bridge=Home_Bridge tagged=Home_Bridge,10-cAP_AC untagged="IoT_WiFi,eoip-tunnel2" vlan-ids=50
Last edited by ConnyMercier on Sat Oct 23, 2021 6:02 pm, edited 3 times in total.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Fri Oct 22, 2021 12:28 am

IPSec-Configuration Client (Cottage-Router)
Based on your Config (10.10.2021)

Step 0: Backup
Just in case something goes wrong =)

----------------------------------------------------------------------------
Step 1: Upload
Upload both Files in Winbox

IPSEC-CA.crt
IPSec-Client1.p12

----------------------------------------------------------------------------
Step 2: Import Certificates

--- Warning ----
Replace xxxxxxxxxx with own Passphrase
IPSEC-CA.crt doesn't have a passphrase, leave empty

/certificate import file-name=IPSEC-CA.crt passphrase=""

/certificate import file-name=IPSec-Client1.p12  passphrase=xxxxxxxxxx
----------------------------------------------------------------------------
Step 3: Create IPSec-Client

--- Warning ----
Replace xxxxxxxxxx.sn.mynetname.net with own DNS-Name
/ip ipsec mode-config
add connection-mark=IPSec name=IPSec-ModeConfig responder=no use-responder-dns=no
/ip ipsec policy group
add name=IPSec-Group
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128 name=IPSec-Profile
/ip ipsec peer
add address=xxxxxxxxxx.sn.mynetname.net exchange-mode=ike2 name=IPSec-Peer1 profile=IPSec-Profile
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 name=IPSec-Proposal pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=IPSec-Client1 generate-policy=port-strict mode-config=IPSec-ModeConfig peer=IPSec-Peer1 policy-template-group=IPSec-Group
/ip ipsec policy
add disabled=no dst-address=0.0.0.0/0 group=IPSec-Group proposal=IPSec-Proposal src-address=0.0.0.0/0 template=yes
add group=IPSec-Group proposal=IPSec-Proposal template=yes
----------------------------------------------------------------------------
Step 4: Create Mangle Rule

--- Warning ----
This step may be .. let's say "Suboptimal"
/ip firewall mangle
add action=mark-connection chain=output dst-address=192.168.77.0/24 new-connection-mark=IPSec passthrough=yes
----------------------------------------------------------------------------
Step 5: Input-Firewall

--- Warning ----
Very Basic Firewall, you may need to add or modify depending on your needs
/ip firewall filter
add action=accept chain=input comment="Accept: IPSec-Traffic (Home --> Router)" dst-address=192.168.77.200 in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.77.100
----------------------------------------------------------------------------
Step 6: Create EOIP-Tunnels
/interface eoip
add comment="EOIP iD111 Home-Network" local-address=192.168.77.100 name=eoip-tunnel1 remote-address=192.168.77.200 tunnel-id=111
add comment="EOIP iD222 IOT-Network" local-address=192.168.77.100 name=eoip-tunnel2 remote-address=192.168.77.200 tunnel-id=222
----------------------------------------------------------------------------
Step 7: Assign Bridge to EOIP-Tunnels

--- Warning ----
In your config, VLAN-Filtering isn't active...
To avoid any L2-Loop you will need to edit your config.
Option A: Activate VLAN-Filtering
Option B: Have two separate Bridges

/interface bridge port
add bridge=bridge2 interface=eoip-tunnel1
add bridge=bridge3 interface=eoip-tunnel2
Last edited by ConnyMercier on Sat Oct 23, 2021 4:28 pm, edited 1 time in total.
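A consistency check for the Home (server) and Cottage (client) guides above, written as an added example for this thread (not ConnyMercier's own code or tooling): it parses the posted `add key=value ...` lines for the parts that have to agree across the two routers and reports what would keep the EoIP tunnels from ever coming up, including a template policy left disabled, the kind of slip discussed in this thread.

```python
"""Cross-check of the Home (server) and Cottage (client) snippets above.
Added example for this thread, not ConnyMercier's code: it parses the
posted `add key=value ...` lines and reports what would keep the EoIP
tunnels from ever coming up (endpoints not mirrored, tunnel-ids that
differ, a disabled policy, a mangle subnet that misses the policy)."""
import ipaddress
import shlex

# Lines copied from the two guides above (only those that must agree).
HOME_CFG = """
/ip ipsec mode-config
add address=192.168.77.100 address-prefix-length=32 name=IPSec-ModeConfig system-dns=no
/ip ipsec policy
add disabled=no dst-address=192.168.77.0/24 group=IPSec-Policies proposal=IPSec-Proposal src-address=0.0.0.0/0 template=yes
/ip address
add address=192.168.77.200 interface=IPSec-Counterpart network=192.168.77.200
/interface eoip
add comment="EOIP iD111 Home-Network" local-address=192.168.77.200 name=eoip-tunnel1 remote-address=192.168.77.100 tunnel-id=111
add comment="EOIP iD222 IOT-Network" local-address=192.168.77.200 name=eoip-tunnel2 remote-address=192.168.77.100 tunnel-id=222
"""
COTTAGE_CFG = """
/ip ipsec policy
add disabled=no dst-address=0.0.0.0/0 group=IPSec-Group proposal=IPSec-Proposal src-address=0.0.0.0/0 template=yes
/ip firewall mangle
add action=mark-connection chain=output dst-address=192.168.77.0/24 new-connection-mark=IPSec passthrough=yes
/interface eoip
add comment="EOIP iD111 Home-Network" local-address=192.168.77.100 name=eoip-tunnel1 remote-address=192.168.77.200 tunnel-id=111
add comment="EOIP iD222 IOT-Network" local-address=192.168.77.100 name=eoip-tunnel2 remote-address=192.168.77.200 tunnel-id=222
"""


def parse_export(text):
    """Return {menu path: [ {key: value}, ... ]} for an export-style snippet."""
    menus, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add "):
            # shlex keeps comment="..." together as one token
            menus[current].append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return menus


def check_pair(home_text, cottage_text):
    """Return the list of problems found; an empty list means both ends agree."""
    home, cottage = parse_export(home_text), parse_export(cottage_text)
    problems = []

    # 1. Every template policy must be enabled; a disabled template is ignored
    #    during negotiation, so no SA gets installed.
    for side, cfg in (("home", home), ("cottage", cottage)):
        for pol in cfg.get("/ip ipsec policy", []):
            if pol.get("disabled", "yes") != "no":
                problems.append(f"{side}: ipsec policy is not enabled")

    # 2. The address mode-config hands out must sit inside the server policy's dst network.
    handed_out = ipaddress.ip_address(home["/ip ipsec mode-config"][0]["address"])
    pol_net = ipaddress.ip_network(home["/ip ipsec policy"][0]["dst-address"])
    if handed_out not in pol_net:
        problems.append(f"home: mode-config address {handed_out} outside policy {pol_net}")

    # 3. The cottage mangle mark must cover that same network; the client's
    #    mode-config connection-mark relies on it to pick the tunnel traffic.
    mangle_net = ipaddress.ip_network(cottage["/ip firewall mangle"][0]["dst-address"])
    if mangle_net != pol_net:
        problems.append(f"cottage: mangle subnet {mangle_net} != policy subnet {pol_net}")

    # 4. Each EoIP tunnel must mirror its counterpart: same id, swapped endpoints,
    #    and the endpoints must be exactly the two IPsec-internal addresses.
    counterpart = home["/ip address"][0]["address"]
    home_eoip = {t["name"]: t for t in home["/interface eoip"]}
    for t in cottage["/interface eoip"]:
        peer = home_eoip.get(t["name"])
        if peer is None:
            problems.append(f"cottage: {t['name']} has no counterpart at home")
            continue
        if peer["tunnel-id"] != t["tunnel-id"]:
            problems.append(f"{t['name']}: tunnel-id {peer['tunnel-id']} != {t['tunnel-id']}")
        if (peer["local-address"], peer["remote-address"]) != (t["remote-address"], t["local-address"]):
            problems.append(f"{t['name']}: local/remote addresses are not mirrored")
        if {t["local-address"], t["remote-address"]} != {str(handed_out), counterpart}:
            problems.append(f"{t['name']}: endpoints are not the IPsec addresses")
    return problems


if __name__ == "__main__":
    for line in check_pair(HOME_CFG, COTTAGE_CFG) or ["both ends agree"]:
        print(line)
```

It only checks the lines the two guides share; bridge ports, pvids and the input firewall are outside its scope.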
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 2:28 pm

Ok, so I've managed to input all of this on both devices.

I'm not sure what I'm supposed to see :/ I don't feel like it is working as we haven't reached any sort of difference in the IP range of the cottage devices. I tried enabling VLAN filtering on the Cottage however it just kicks me out right away and I can't get anything to work.

Question about the firewall rules: Where exactly should those be? see the attached and let me know if I've slid them into the right hierarchy.

When I'm connecting, I'm just getting a default 88 IP address. How do I enable the connection to home from the cottage?
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 3:12 pm

To quickly understand if the IPsec-Tunnel and EoIP works,
simply create a DHCP-Client on bridge1 and bridge2
/ip dhcp-client
add disabled=no interface=bridge1
add disabled=no interface=bridge2
You can check if the Bridge receives an IP-Address from the Home-Router.
/ip dhcp-client print
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 3:23 pm

Nada, just says searching. :/ I'm not good enough at this to even know where to start. You used IPsec vice L2TP, neither of which I know anything about, other than I understood the part about the shared key so I don't have to put in a password every time they go to connect...
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 3:29 pm

When you wrote
Replace xxxxxxxxxx.sn.mynetname.net with own DNS-Name
I'm assuming you meant my HOME device.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 3:33 pm

When you wrote
Replace xxxxxxxxxx.sn.mynetname.net with own DNS-Name
I'm assuming you meant my HOME device.
Yes, use your home-Router xxxxxxxxxx.sn.mynetname.net
For both Home-config (Step 2) and Cottage-Config (Step3)
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 3:46 pm

Found a mistake on your Home-Router

The Firewall-Rules for IPSec
-> add action=accept chain=input comment="Accept: IPSec UDP (Internet -> Router)" ......
-> add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage -> Router)" .....

Need to be BEFORE
-> add action=drop chain=input comment="Drop All Else"

**You can use Winbox to "Drag&Drop"
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 3:55 pm

Found a mistake on your Home-Router

The Firewall-Rules for IPSec
-> add action=accept chain=input comment="Accept: IPSec UDP (Internet -> Router)" ......
-> add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage -> Router)" .....

Need to be BEFORE
-> add action=drop chain=input comment="Drop All Else"

**You can use Winbox to "Drag&Drop"
That's not a mistake in the config, that's lack of understanding of the fact that order in rules is critical.
In that the router starts at the first rule of the input chain and attempts to match packets to rules, which are then actioned and don't see any more of the rules.
In this case all the IPsec packets hit the rule "drop everything else" and are dropped, so the next rules are never seen.

Better to learn about the config instead of copying blindly :-)
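The first-match walk anav describes, as an added example for this thread (not anav's or ConnyMercier's code): the three Home-Router input rules quoted above are replayed against two constructed packets (an IKE packet on UDP/500 and a decrypted EoIP/GRE packet between the two IPsec addresses), first in the order hahnhell had them and then with the accepts moved in front of the drop, and any rule the walk can never reach is listed. The packet fields and the simplified matcher semantics are assumptions of this model, not RouterOS internals.

```python
"""First-match model of a RouterOS input chain.  Added example for this
thread, not code from the posts: it replays the three Home-Router input
rules as posted against two constructed packets, in the order the config
had them and in the corrected order, and lists rules no packet can reach."""
import shlex

# Rules as quoted above; the IPsec accepts sit AFTER "Drop All Else" (the mistake).
WRONG_ORDER = """
add action=drop chain=input comment="Drop All Else"
add action=accept chain=input comment="Accept: IPSec UDP  (Internet -> Router)" connection-state=established,related,new dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage --> Router)" dst-address=192.168.77.200 in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.77.100
"""

# Two constructed packets, shaped like what the input chain would see.
IKE_PACKET = {"in-interface-list": "WAN", "protocol": "udp", "dst-port": "500",
              "connection-state": "new", "ipsec-policy": "none"}
EOIP_PACKET = {"in-interface-list": "WAN", "protocol": "gre", "src-address": "192.168.77.100",
               "dst-address": "192.168.77.200", "connection-state": "new",
               "ipsec-policy": "in,ipsec"}

NON_MATCHERS = {"action", "chain", "comment"}  # keys that never restrict a match


def parse_rules(text):
    """Turn `add key=value ...` lines into a list of dicts, in chain order."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return rules


def rule_matches(rule, packet):
    """A rule matches when every matcher it carries agrees with the packet.
    Comma-separated values (dst-port=500,4500) are alternatives, except
    ipsec-policy, where "in,ipsec" is one direction+state value."""
    for key, want in rule.items():
        if key in NON_MATCHERS:
            continue
        have = packet.get(key)
        if have is None:
            return False
        if key == "ipsec-policy":
            if have != want:
                return False
        elif have not in want.split(","):
            return False
    return True


def first_match(rules, packet, chain="input"):
    """Return (action, comment) of the first matching rule in `chain`, or None."""
    for rule in rules:
        if rule.get("chain") == chain and rule_matches(rule, packet):
            return rule["action"], rule.get("comment", "")
    return None


def shadowed_rules(rules, chain="input"):
    """Comments of rules that follow a matcher-less rule in the same chain:
    that rule matches every packet, so the walk never gets past it."""
    shadowed, blocked = [], False
    for rule in rules:
        if rule.get("chain") != chain:
            continue
        if blocked:
            shadowed.append(rule.get("comment", ""))
        elif not (set(rule) - NON_MATCHERS):
            blocked = True
    return shadowed


def reorder_accepts_first(rules):
    """The fix given above: the IPsec accept rules go in front of the drop."""
    return ([r for r in rules if r["action"] == "accept"]
            + [r for r in rules if r["action"] != "accept"])


if __name__ == "__main__":
    rules = parse_rules(WRONG_ORDER)
    for pkt in (IKE_PACKET, EOIP_PACKET):
        print("as posted :", first_match(rules, pkt))
        print("corrected :", first_match(reorder_accepts_first(rules), pkt))
    print("never reached:", shadowed_rules(rules))
```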
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 3:59 pm

Found the same Firewall "Mistake" on the Cottage-Router

-> add action=accept chain=input comment="Accept: IPSec-Traffic (Home -> Router)" ......

Needs to be before
-> add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 4:02 pm

After correcting the small mistakes
Restart the Cottage-Router and recheck DHCP-Client
/ip dhcp-client print
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 4:24 pm

Good morning Anav!

Thanks ConnyMercier.

I've moved the rules up in both devices and restarted. No joy.

What exactly are the 2 ipsec policies added but not enabled? Neither are doing anything, and the cottage one has 0.0.0.0 for dest and src.

I'm just trying to find things that we added that may be out of place.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 4:27 pm

My mistake, please enable them!
I will correct the Step-by-Step Guide
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 4:42 pm

I still seem to have nothing.

How exactly does this IPSec-Counterpart Bridge come into play?
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 5:02 pm

By the way, not sure where in the line of all of this it happened, but it has killed my ability to SSH correctly. I was having trouble getting git to work along with VSCode with Remote-SSH. Just reverted to see, and it is working again. Seems to be something with my remote-host service though, because it didn't do it for everything, just that particular host.
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 5:32 pm

I am very sorry @hahnhell, but I found a small error in my Step-by-Step Guide...
I already corrected it in the Step-by-Step Guide...

You will have to execute following on your Home-Router :
/certificate remove IPSec-Server
And then redo the now corrected Step 2: Generate and Sign IPSec-Server


AND I forgot the pvid for the bridge ports on the Home-Router:
/interface bridge port
add bridge=Home_Bridge interface=eoip-tunnel1 pvid=15
add bridge=Home_Bridge interface=eoip-tunnel2 pvid=50
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 6:25 pm

Ahh, I can't wait for WireGuard to go mainstream, watching this torture is no fun.... ;-)
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 8:24 pm

I went through the steps again, this is what I'm at now.

Still no luck.

Is there anything on the Cottage side we have to do with UDP? Just wondering since we didn't do anything on that part compared to 'home'.
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 8:39 pm

In the meantime, try downloading Winbox remote for your main router and also for the cottage router.
You will need to use two different email addresses, as you only get one free tunnel per location.
The free version costs nothing.

You can have a tunnel up and running in 5-10 minutes.
Just tell me if you want to try and I can give you assistance.

OR maybe you already have a connection, as you are configuring your cottage router remotely??
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 8:44 pm

Still an error in the firewall (Home-Config):
both firewall rules are still at the bottom and need to go up!
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 8:46 pm

The rules are up above in winbox. I don't know what else I'm supposed to do. I dragged them up there! :)
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 8:48 pm

@anav,

I just have both devices sitting here on my workbench. The cottage one is connected to my cellphone (using mobile data only, not WiFi); the other is the main house router/device. I'm using a laptop to configure the cottage one (through port 2).
 
ConnyMercier
Member
Posts: 313
Joined: Tue Dec 17, 2019 1:08 pm

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 8:51 pm

I rechecked your last Export (Home-Config):

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="VLAN Allow Admin to Router" in-interface=AdminPC_VLAN101 src-address=192.168.101.101
add action=accept chain=input comment="TCP for cAP AC" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="UDP for cAP AC" dst-port=53 in-interface-list=LAN protocol=udp
---------------------------------------------------------------------------------
Firewall Rules should be here
---------------------------------------------------------------------------------
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Admin Access" in-interface=AdminPC_VLAN101 out-interface-list=Admin src-address=192.168.101.101
add action=accept chain=forward comment="VLAN Internet Access" in-interface-list=Internet out-interface-list=WAN
add action=accept chain=forward comment="Server Access" in-interface=Home_Devices_VLAN15 out-interface=IoT_VLAN50 src-address=192.168.15.10
add action=accept chain=forward comment="VLAN IoT Access" dst-address=192.168.15.10 in-interface=IoT_VLAN50
add action=accept chain=forward comment="defconf: Allow Port Forward" connection-nat-state=dstnat connection-state=new in-interface-list=WAN

---------------------------------------------------------------------------------
Firewall Rules are here (Wrong place)

add action=accept chain=input comment="Accept: IPSec UDP (Internet->Router)" connection-state=established,related,new dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage->Router)" dst-address=192.168.77.200 in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.77.100
---------------------------------------------------------------------------------
add action=drop chain=forward comment="drop all else"
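anav's point above about first-match evaluation, and the two misplaced accept rules ConnyMercier marked in this export, can be checked mechanically before the config is pasted into a router. The following is an added example, not code from the thread or from MikroTik: a small Python script that parses `/ip firewall filter` export lines (the sample is constructed from the rules quoted above, abbreviated), finds the first catch-all terminal rule in each chain, reports every rule placed after it as unreachable, and returns a reordered list with that catch-all moved to the end of its chain. The `NON_MATCHER_KEYS` list and the function names are this example's own assumptions.

```python
"""Offline check for shadowed RouterOS firewall rules.

RouterOS evaluates each filter chain top to bottom and stops at the first rule
whose action terminates processing (accept/drop/reject), so any rule that sits
below an unconditional drop in the same chain can never match.
"""
import shlex
from typing import Dict, List

Rule = Dict[str, str]

# Constructed sample: the rules from the Home-Router export quoted in the
# thread that matter for ordering (abbreviated; not the full export).
SAMPLE_EXPORT = r'''
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept: IPSec UDP (Internet->Router)" connection-state=established,related,new dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage->Router)" dst-address=192.168.77.200 in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.77.100
add action=drop chain=forward comment="drop all else"
'''

# Properties that never narrow which packets a rule matches (assumed list).
NON_MATCHER_KEYS = {"action", "chain", "comment", "log", "log-prefix", "disabled", "place-before"}
TERMINAL_ACTIONS = {"accept", "drop", "reject"}


def parse_rules(export: str) -> List[Rule]:
    """Turn `add key=value ...` export lines into dicts; shlex keeps quoted comments whole."""
    rules: List[Rule] = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule: Rule = {}
        for token in shlex.split(line[len("add "):]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def is_catch_all(rule: Rule) -> bool:
    """True when a terminal rule carries no matcher, so every packet reaching it matches."""
    return rule.get("action") in TERMINAL_ACTIONS and not (set(rule) - NON_MATCHER_KEYS)


def find_shadowed(rules: List[Rule]) -> List[str]:
    """Comments of rules placed after a catch-all terminal rule in their own chain."""
    ended_by: Dict[str, str] = {}  # chain -> comment of the catch-all that ends it
    shadowed: List[str] = []
    for rule in rules:
        chain = rule.get("chain", "")
        if chain in ended_by:
            shadowed.append(rule.get("comment", "<no comment>"))
        elif is_catch_all(rule):
            ended_by[chain] = rule.get("comment", "<no comment>")
    return shadowed


def reorder(rules: List[Rule]) -> List[Rule]:
    """Return the rules with each chain's first catch-all moved to the end of that chain.

    Rules are regrouped by chain; RouterOS only cares about order within a
    chain, so the interleaving between chains is free to change.
    """
    by_chain: Dict[str, List[Rule]] = {}
    for rule in rules:
        by_chain.setdefault(rule.get("chain", ""), []).append(rule)
    fixed: List[Rule] = []
    for chain_rules in by_chain.values():
        idx = next((i for i, r in enumerate(chain_rules) if is_catch_all(r)), None)
        if idx is None:
            fixed.extend(chain_rules)
        else:
            fixed.extend(chain_rules[:idx] + chain_rules[idx + 1:] + [chain_rules[idx]])
    return fixed


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_EXPORT)
    for comment in find_shadowed(parsed):
        print("unreachable:", comment)
    print("--- reordered ---")
    for r in reorder(parsed):
        print(f'{r["chain"]:8} {r["action"]:7} {r.get("comment", "")}')
```

Run against the sample, the check names exactly the two IPsec accept rules as unreachable and the reordered input chain ends with "Drop All Else". One limitation worth knowing: the check only treats a rule with no matcher at all as a catch-all, so the cottage rule `drop all not coming from LAN` with `in-interface-list=!LAN` is not flagged even though it shadows the WAN-sourced IPsec accept placed below it; that case needs interface-aware reasoning. On the router itself the fix is `move` in `/ip firewall filter`, or `place-before=` when adding the rule, which is what the Winbox drag and drop does.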
 
hahnhell
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: VPN to connect home network to cottage

Sat Oct 23, 2021 9:03 pm

I'll have to see what's bugging out with my ssh when I do that firewall. :/

Will investigate later. I thank you both for your amazing help today! Super fast responses. I have the rest of the day with the family. I'll crack on with this a bit later.

THANKS!
