VPN
alz5, 2014-07-28 04:16:36

How to connect three remote offices into one network via MikroTik?

There are three premises already connected to each other through MikroTik routers, only they currently perform a slightly different function: connection to the main office and access to its internal subnet.
In one office there is what amounts to the main router, with 2 PPTP servers configured; the 2 other routers connect to the main one as PPTP clients. At the moment, the following IP addressing scheme is in effect:
1 - server
internal network 192.168.1.0/24, where the router itself is 192.168.1.1
toward the first VPN client (first remote office) the router is 10.10.1.1
toward the second VPN client (second remote office) the router is 10.10.2.1
2 - first remote office
internal network 192.168.2.0/24, where the router itself is 192.168.2.1
when connected to the server, the router has the IP address 10.10.1.2
3 - second remote office
internal network 192.168.3.0/24, where the router itself is 192.168.3.1
when connected to the server, the router has the IP address 10.10.2.2
Plus, routes are configured on the server for how to reach 192.168.2.1 and 192.168.3.1, and on each of the remote offices a route to 192.168.1.1 is configured.
At the moment, the task is for all clients on 192.168.2.1 to see and interact with clients on 192.168.3.1, but I can’t figure out how to do it correctly.
P.S. Following the way the PPTP exchange is organized, I added the following additional rules:
On the server side:
ip firewall nat add action=masquerade chain=srcnat out-interface=vpn_na_pervoe_podkluchenie
ip firewall nat add action=masquerade chain=srcnat out-interface=vpn_na_vtoroe_podkluchenie
ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept
ip firewall filter add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept
On the first client side:
ip route add dst-address=192.168.2.0/24 gateway=10.10.1.1 pref-src=10.10.1.2
On the side of the second client:
ip route add dst-address=192.168.1.0/24 gateway=10.10.2.1 pref-src=10.10.2.2
But from the address 192.168.2.20 it is impossible to ping 192.168.1.1. It seems that I didn’t add something, please tell me where I could be mistaken.


2 answer(s)
Cool Admin, 2014-07-28
@alz5

Hey! In this case, if you stay on PPTP, then:
1. On the third, a route to the network of the second via PPTP, through the address of the first
2. On the second, a route to the network of the third via PPTP, through the address of the first
3. On the third, allow traffic between the networks of the third and second.
If you abandon this headache and move on to another headache, then you can do this:
1. Switch to IPSec in tunnel mode
2. Configure peers and policies on all three, while allowing auto-creation of policies and preconfiguring outgoing policies only for the local network on each node
3. In this case, each will be connected to each, and it will be much easier to reconfigure things when the topology changes.
You can also switch to IPSec in transport mode + EoIP or GRE tunnels; this is a secure option like IPSec, but as easy to maintain as PPTP.
But I recommend that you give up pure PPTP as soon as possible, since, as you yourself know, 128-bit encryption on a public network is ...
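
Added example, not part of either post: a small Python model of the three routers' static routes, built from the addresses in the question, that traces packets hop by hop to show that 192.168.2.0/24 and 192.168.3.0/24 reach each other only once both routes from points 1 and 2 above exist. The names r1/r2/r3, the function names and the host 192.168.3.10 are assumptions of the example, and default routes, NAT and firewall filters are left out of the model.

```python
import ipaddress

# Static routes per router, addresses taken from the question.
# r1 = main office (PPTP server), r2 = 192.168.2.0/24 office, r3 = 192.168.3.0/24 office.
# Assumption: default routes, NAT and firewall filters are not modelled.
BASE = {
    "r1": {"192.168.1.0/24": "local", "192.168.2.0/24": "10.10.1.2",
           "192.168.3.0/24": "10.10.2.2"},
    "r2": {"192.168.2.0/24": "local", "192.168.1.0/24": "10.10.1.1"},
    "r3": {"192.168.3.0/24": "local", "192.168.1.0/24": "10.10.2.1"},
}
# Which router owns each PPTP tunnel endpoint address.
OWNER = {"10.10.1.1": "r1", "10.10.2.1": "r1", "10.10.1.2": "r2", "10.10.2.2": "r3"}

def tables(extra=()):
    """Copy BASE and add (router, prefix, gateway) static routes."""
    t = {name: dict(routes) for name, routes in BASE.items()}
    for router, prefix, gateway in extra:
        t[router][prefix] = gateway
    return t

def next_hop(table, dst):
    """Longest-prefix match; returns 'local', a gateway address, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(t, router, dst, max_hops=8):
    """Follow dst hop by hop; returns (path, delivered)."""
    path = [router]
    for _ in range(max_hops):
        hop = next_hop(t[router], dst)
        if hop is None:
            return path, False          # no matching route on this router
        if hop == "local":
            return path, True           # destination network is attached here
        router = OWNER[hop]
        path.append(router)
    return path, False                  # routing loop

def two_way(t, a, a_ip, b, b_ip):
    """A ping needs both the request and the reply to be routable."""
    return trace(t, a, b_ip)[1] and trace(t, b, a_ip)[1]

# The two routes from points 1 and 2 of the answer.
SPOKE_ROUTES = [("r2", "192.168.3.0/24", "10.10.1.1"),
                ("r3", "192.168.2.0/24", "10.10.2.1")]

if __name__ == "__main__":
    print(trace(tables(), "r2", "192.168.3.10"))
    print(trace(tables(SPOKE_ROUTES), "r2", "192.168.3.10"))
```

With only one of the two routes added, the request is delivered but the reply has no path back, so the ping still fails.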

alz5, 2014-07-30
@alz5

I solved everything by editing the static routes, thanks to everyone for the advice
