Combining more than 10 remote offices into one network using MikroTik?
Greetings. I have the task of combining more than 10 remote offices into one network. The main MikroTik router and the ACS server are in the head office; in the remote offices there will also be MikroTik routers and 4-6 readers (each reader has its own IP). At the same time, there are several computers in the head office that are ACS clients. I would also like to have access to each of these offices from my home computer (some will have 1-2 more computers). All of this needs to be properly organized.
At the moment, I have an OpenVPN server up and connected to one of the offices. This office has 6 readers and 2 computers. Everyone sees each other. The subnets are different and routes are forwarded to each other. But from my home computer, through the central router, I can't get to the computers in the remote office. I understand that I could fiddle with routing and it would somehow work out, but it seems to me that there are better options.
There is a static IP only on the central router. I thought about a single address space: running EoIP over OpenVPN, though I don't know how acceptable that is. Or should everything be solved with OpenVPN and routing?
Well, for starters, ask yourself: do you need L2? After all, L2 is very heavy and does not like delays and large jitter.
If L3, then I would build on IPIP tunnels, and where there is no external IP I would bring up SSTP, and implement routing using OSPF. And after the network was up, I would weigh the pros and cons of whether you need IPsec.
If there is an ACS, then only the ACS can encrypt and no more than that, or maybe no one needs such information?!
I will say this: OSPF with 10 points can be configured in one hour.
With IPsec, a little longer.
Too complicated, cumbersome, resource-intensive and inefficient. OpenVPN is not well implemented in MikroTik anyway, and for some reason you also want to shove EoIP into it...
Just use IPsec. It is simple, reliable, convenient, effective. An IPsec client is available everywhere from Windows to iPhone (that is, you can manage the network from anywhere from your phone), with no need to fiddle with installing a client. IPsec can work through NAT, you can add certificate-based authorization, etc., etc. In MikroTik, IPsec is implemented at the proper level.
I have a similar scheme: the central office with a Cloud Core in it, and pfSense in the branches. They are all connected to each other using GRE-over-IPsec. Potentially, OSPF could also be added, but so far everyone sees each other with static routes, and the scheme is stable.
Previously, there was pure IPsec; there were difficulties with policies, and the branches only saw the office, but in order to see each other they would have needed terrible monster policies. IP-IP is also good if OSPF is not needed.
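The policy growth mentioned in the last answer, as an added example that is not part of the original thread: it enumerates the traffic selectors a hub needs under pure policy-based IPsec versus one policy per tunnel with GRE-over-IPsec. The address plan, site names and interface names are constructed, and it assumes one selector per subnet pair with no supernet summarisation.

```python
from ipaddress import ip_network

# Constructed address plan (assumption): head office plus 10 branch LANs.
HQ = ip_network("10.0.0.0/24")
BRANCHES = {f"branch{i}": ip_network(f"10.0.{i}.0/24") for i in range(1, 11)}


def check_no_overlap(nets):
    """Selectors and routes become ambiguous if any two site subnets overlap."""
    nets = list(nets)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")


def policy_based_hub(hq, branches):
    """Pure IPsec with branch-to-branch traffic relayed through the hub.

    Towards each branch peer the hub needs one (src, dst) selector for every
    subnet allowed to reach that branch: the HQ LAN and every other branch.
    """
    policies = []
    for name, net in branches.items():
        sources = [hq] + [n for other, n in branches.items() if other != name]
        policies += [(name, src, net) for src in sources]
    return policies


def policy_based_branch(name, hq, branches):
    """Selectors on one branch router: its LAN to HQ and to each other branch."""
    local = branches[name]
    dests = [hq] + [n for other, n in branches.items() if other != name]
    return [(local, dst) for dst in dests]


def tunnel_based_hub(branches):
    """GRE-over-IPsec: one policy per tunnel (covering only the GRE endpoints),
    and one static route per branch LAN pointing into that tunnel."""
    policies = [(name, "gre-endpoints") for name in branches]
    routes = [(net, f"gre-{name}") for name, net in branches.items()]
    return policies, routes


if __name__ == "__main__":
    check_no_overlap([HQ, *BRANCHES.values()])
    print("policy-based hub selectors:", len(policy_based_hub(HQ, BRANCHES)))
    print("per-branch selectors:", len(policy_based_branch("branch1", HQ, BRANCHES)))
    pol, rts = tunnel_based_hub(BRANCHES)
    print("GRE-over-IPsec hub policies/routes:", len(pol), len(rts))
```

Adding an eleventh branch in the policy-based layout means touching every existing router; in the tunnel layout it adds one policy and one route on the hub.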