Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
Y
Y
Yuri2020-09-16 08:27:46
Mikrotik
Yuri, 2020-09-16 08:27:46

Is such a connection scheme possible on Mikrotik?

I know that Mikrotik can do the most perverted schemes, so an idea arose.

Task: all traffic outside and outside should go through the VipNet Coordinator HW100 crypto router.
Condition: HW100 must be inside the network (the provider cannot be pushed there).
There is equipment: Mikrotik RB1100AHx4, the HW100 itself, and there is also Mikrotik RB750.
I thought that scheme-1 below would solve the problem, but then the idea arose to abandon the extra link in the face of the RB750 (there is not enough space in the cabinet, extra wires, etc.) and do everything using the RB1100.

scheme-1
5f619e896352c896444378.png


Now I think that RB1100 is capable of such scheme-2:
scheme-2
5f61a124d504a111406456.png
5f61a13d8d5d0846182023.png

That is, ether1 will receive the provider, ether2 will send traffic to the HW100. It will be like a separate router.
Further, traffic from the HW100 (as if from a provider, but already encrypted) goes to ether3 and will be the main traffic for the network.
How to be? What to read? :)
Explain please

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
A
Andrey Barbolin, 2020-09-16
@dronmaxman

You drew everything correctly (you can, of course, simplify the diagram and use VLANs). Now you just need to take it and set it up.
- pull e1, e2, e3 from the bridge
- assign IP addresses to e1, e2, e3 (according to your scheme)
- configure masquerade (NAT) on e1 and HW100
- configure forward rules on MIC
- add route to MIC - drive everything to 10.18 .200.1
And let's go. It will turn out double NAT, but what to do)
If there is a list of routes for which this piece of iron should be used, then I would resolve the traffic on Mikrotik by adding the necessary routes towards the HW100, and I would let everything else go directly.
You can try to pull out networks from whois if there is a whole list of sites.

Report
A
AntHTML, 2020-09-16
@anthtml

Yes, according to scheme 2, we always do it, if there is no separate requirement of the IS specialists that the WAN segment of the encoder cannot physically intersect with the LAN anywhere.
Another scheme 2, when using dynamic routing, + gives that only part of the traffic can be sent for encryption, or if the encoder falls / hangs, redirect immediately to the WAN

Report
K
Keffer, 2020-09-16
@Keffer

cryptorouter VipNet Coordinator HW100

I just can't figure it out - why is it needed here at all? Everything is quietly implemented by Mikrotiks, including traffic encryption.

Similar questions
G
gad260322015-04-10 12:48:43
MikroTik RB450G can't configure access from LAN to the Internet (VPN provider)? 3Reply
V
Vladislav2015-04-10 12:53:15
Mikrotik IPSEC, disconnection, where to dig? 3Reply
D
Delicate Ragout2019-09-11 16:36:46
VPN PPTP availability of machines? 1Reply
K
Kirill 12015-04-16 23:32:39
Login to mikrotik through L2tp over OSPF how to force? 3Reply
E
Evgeny Denisov2017-04-12 16:08:19
Split a subnet in a server room (VLAN? HNV Gateway)? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question