robertEIT
Member Candidate
Topic Author
Posts: 112
Joined: Tue Sep 08, 2015 6:16 pm

Solution to manage multiple Mikrotiks and access client LANs

Sat Jan 21, 2023 4:01 pm

Hi,
I'm currently managing multiple Mikrotiks at my client locations using OpenVPN. I set up OVPN on each Mikrotik router, edit the .ovpn config with the
"route 192.168.0.0 255.255.255.0 10.8.0.1"
so I can access the client's subnet and manage devices (printers, other devices). I'm making use of MT's DDNS because of dynamic IP. When I want to connect to the client's Mikrotik and/or access some device in his LAN I just dial in from my laptop/office desktop.

This worked well for me but the number of managed devices increased and it's not feasible anymore. My Mikrotiks are also most of the time behind ISP ONTs on which I have to either port forward or set up in bridge mode so I can get in from my side. This is not a good idea anymore because of OTA updates on those ONTs, CGNAT, replacements by the ISP, etc. so I need a solution to make the client's device call home to my VPN server.
I do have several Mikrotik devices at my office that I can use as a VPN server and also some VPSes.

I'm stuck at how to configure the routes for the VPN client>server so I can access the client's subnet because these subnets overlap, for example I have multiple clients that use 192.168.0.0/24. I know NAT can be used but I have not reached.

I was thinking of using SSTP on the Mikrotiks to call home to my VPN server over port 443. I would then connect to the VPN server myself and access the client's LAN and/or Mikrotik router. But how would I resolve the issue with overlapping subnets?
 
bpwl
Forum Guru
Posts: 2985
Joined: Mon Apr 08, 2019 1:16 am

Re: Solution to manage multiple Mikrotiks and access client LANs

Sun Jan 22, 2023 12:10 am

For the client devices to connect, just masquerade will do.
However, the problem here is to selectively access those devices from the VPN server or from the "ME on WWAN" point.

Different IP addresses will be needed to identify/separate the different clients, in a VPN server managed consistent IP network (with unique IP addresses and subnets). The translation to the local (and non-unique) IP addresses is then done before accessing them, e.g. the Client A and Client C subnets are mapped to different subnets of the global consistent IP network.
Devices are addressed and connected with their global consistent IP address, that gets DST-NATted and routed to that local IP address.

The route may include the %interface, to make it unique for routing. But more can be done with connection marks and routing marks, routing tables, VRF, ... .

More on this here:

viewtopic.php?t=187178
viewtopic.php?t=159653
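The following is an added worked example of the scheme described in the reply above (SSTP call-home from the question, a unique per-client "overlay" subnet on the server, 1:1 DST-NAT back to the real LAN on each site router). It is not configuration from either poster; the names (office router, `sstp-home`, `bridge`, `sstp-server-cert`, `vpn.example.com`, the 10.99.0.0/24 tunnel range and the 10.100.N.0/24 overlay ranges) and the placeholder passwords are all assumptions for illustration. Client A and Client C both use 192.168.0.0/24 locally, which is exactly the overlap the question asks about.

```routeros
# ===== Office MikroTik (SSTP server). All names below are assumed. =====
# Tunnel addresses for the site routers; the server itself is 10.99.0.1.
/ip pool add name=pool-sstp ranges=10.99.0.10-10.99.0.250
/ppp profile add name=sstp-mgmt local-address=10.99.0.1 \
    remote-address=pool-sstp use-encryption=required
# Listen on 443 so the sites can dial out through CGNAT/ONTs without port forwards.
# "sstp-server-cert" is an already-imported server certificate (assumed).
/interface sstp-server server set enabled=yes port=443 \
    certificate=sstp-server-cert default-profile=sstp-mgmt authentication=mschap2

# One secret per site. remote-address pins the site's tunnel IP, and "routes"
# installs that site's UNIQUE overlay /24 via the tunnel IP only while it is up.
# Client A LAN (192.168.0.0/24) is reached as 10.100.11.0/24,
# Client C LAN (also 192.168.0.0/24) is reached as 10.100.13.0/24.
/ppp secret add name=clientA password=CHANGE-ME-A service=sstp \
    remote-address=10.99.0.11 routes="10.100.11.0/24 10.99.0.11 1"
/ppp secret add name=clientC password=CHANGE-ME-C service=sstp \
    remote-address=10.99.0.13 routes="10.100.13.0/24 10.99.0.13 1"

# ===== Client A site MikroTik (calls home). =====
# verify-server-certificate=yes assumes the office CA cert has been imported here.
/interface sstp-client add name=sstp-home connect-to=vpn.example.com:443 \
    user=clientA password=CHANGE-ME-A profile=default-encryption \
    verify-server-certificate=yes disabled=no
# Treat the tunnel as LAN so the default firewall lets you manage this router
# itself over the tunnel (reach it at 10.99.0.11). Assumes the default LAN list.
/interface list member add list=LAN interface=sstp-home
# 1:1 mapping: a packet for 10.100.11.5 arriving over the tunnel is rewritten
# to 192.168.0.5 and forwarded into the real LAN. Replies are un-NATed by
# connection tracking, so the office only ever sees the unique overlay range.
/ip firewall nat add chain=dstnat in-interface=sstp-home \
    dst-address=10.100.11.0/24 action=netmap to-addresses=192.168.0.0/24 \
    comment="overlay 10.100.11.0/24 -> local LAN"
# Hide the office/tunnel source behind the router's LAN address so printers and
# other devices answer without needing a route back to 10.99.0.0/24. "bridge"
# is the assumed LAN interface name.
/ip firewall nat add chain=srcnat out-interface=bridge src-address=10.99.0.0/24 \
    action=masquerade comment="management traffic from VPN"

# ===== Client C site MikroTik: identical, only the overlay range differs. =====
/ip firewall nat add chain=dstnat in-interface=sstp-home \
    dst-address=10.100.13.0/24 action=netmap to-addresses=192.168.0.0/24 \
    comment="overlay 10.100.13.0/24 -> local LAN"

# ===== Checks from the office router once both sites are connected. =====
# Both overlay routes must exist and point at different tunnel IPs.
/ip route print where dst-address in 10.100.0.0/16
# Same "local" host on two different sites, addressed without any overlap.
/ping 10.100.11.5 count=3
/ping 10.100.13.5 count=3
# On a site router, confirm the translation is actually happening.
/ip firewall connection print where dst-address~"^192.168.0."
```

Two caveats a practitioner should keep in mind. The overlay range (10.100.0.0/16 here) must not collide with any site's real LAN or with the tunnel range, otherwise the netmap rule and the site's own routing fight over the same addresses; pick it from space no client uses. And the masquerade rule deliberately hides the administrator's address from the managed devices, so their logs will show the site router as the source; if that matters, drop the srcnat rule and give the LAN devices a route back to 10.99.0.0/24 via the site router instead.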
