I would like to interconnect two offices where one has a public static IP address (main office) and the second one is behind NAT (no public IP) because there is just an LTE modem.
I am able to create a one-way VPN connection from the LTE modem into the main office but is it possible to make the TCP communication between the two offices bi-directional? So that people from the main office can for example RDP to the branch office?
(I'm using two MikroTik Routerboards and a PPTP connection. I should be able to change to L2TP if needed.)
UPDATE:
I'm providing details on request:
Main office: LAN: 192.168.16.0/24
Public IP: MAIN_OFFICE_IP
Branch office LAN: 192.168.1.0/24
Public IP: [DHCP from ISP]
BRANCH OFFICE configuration:
two network interfaces
one PPTP client
absolutely basic firewall and NAT
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-master-local
/interface pptp-client
add add-default-route=yes allow=pap,chap,mschap1,mschap2 connect-to=MAIN_OFFICE_IP default-route-distance=1 dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1450 max-mtu=1450 mrru=1600 name=\
MAIN_OFFICE_VPN password=******** profile=default-encryption user=MAIN_OFFICE_USER
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=MAIN_OFFICE_VPN
add action=dst-nat chain=dstnat dst-address=BRANCH_IP dst-port=100 protocol=tcp
/ip route
add distance=1 dst-address=192.168.16.0/24 gateway=OFFICE_VPN routing-mark="MAIN_OFFICE_VPN"
On the main office router, add a PPP secret with local address 192.168.2.1 and remote address 192.168.2.2.
On the branch router, create your PPTP client to the main office (just like you did); it should get the correct IP (192.168.2.2).
Then you just need to add 2 routes:
On the main router: route 192.168.1.0/24 via 192.168.2.2
On the branch router: route 192.168.16.0/24 via 192.168.2.1
No need for NAT or particular firewall/mangling rules.
So this gives in MikroTik language:
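The steps above written out as RouterOS commands, added here as an illustration and not the answerer's own configuration: MAIN_OFFICE_IP, both LANs and the 192.168.2.x tunnel addresses come from the thread, while BRANCH_USER, CHANGE_ME and the branch LAN gateway 192.168.1.1 are placeholder assumptions.

```routeros
# ---- Main office router (public IP MAIN_OFFICE_IP) ----
# Enable the PPTP server. PPTP/MS-CHAPv2 is a weak protocol; the question
# already mentions L2TP as an option, and L2TP/IPsec is the stronger choice.
/interface pptp-server server
set enabled=yes

# One PPP secret for the branch with fixed tunnel addresses, so the routes
# below stay valid across reconnects. BRANCH_USER / CHANGE_ME are placeholders.
/ppp secret
add name=BRANCH_USER password=CHANGE_ME service=pptp \
    local-address=192.168.2.1 remote-address=192.168.2.2

# Route the branch LAN to the far end of the tunnel (no NAT needed).
/ip route
add dst-address=192.168.1.0/24 gateway=192.168.2.2 comment="branch LAN via VPN"

# ---- Branch router (behind the LTE NAT) ----
# Same client as in the question; add-default-route=yes only if all branch
# Internet traffic should also leave through the main office.
/interface pptp-client
add name=MAIN_OFFICE_VPN connect-to=MAIN_OFFICE_IP user=BRANCH_USER \
    password=CHANGE_ME add-default-route=no disabled=no

# Plain route to the main office LAN; this replaces the routing-mark route
# from the original config.
/ip route
add dst-address=192.168.16.0/24 gateway=192.168.2.1 comment="main office LAN via VPN"

# With routes on both sides the masquerade on the VPN interface is no longer
# needed; dropping it keeps real 192.168.1.x source addresses visible to the
# main office firewall and logs.
/ip firewall nat
remove [find out-interface=MAIN_OFFICE_VPN action=masquerade]

# ---- Checks, run on the main office router once the tunnel is up ----
# Expect BRANCH_USER listed with address 192.168.2.2.
/ppp active print
# Expect the branch route to be active (A flag).
/ip route print where dst-address=192.168.1.0/24
# Assumes 192.168.1.1 is the branch LAN gateway; a reply proves the return
# route on the branch side works for main-office-initiated traffic such as RDP.
/ping 192.168.1.1 src-address=192.168.16.1 count=3
```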