PPTP VPN - multiple ADSL remote locations to Central Office
The central location is connected to the Internet with a 10 Mbit link and a public /27 address range (32 addresses, 30 usable). More than 100 remote locations are connected to the Internet by ADSL or cable. All of those remote sites have to be in a VPN with headquarters (HQ) and have full access to all network resources.
First configure the HQ router so that the HQ network can access the Internet (assign private and public addresses, gateway, NAT, ...). Next set up the remote routers to do the same (private address, PPPoE dial-up, NAT, routes, ...) as described in:
- http://wiki.mikrotik.com/wiki/How_to_Connect_your_Home_Network_to_xDSL_Line
Assume the following:
| | Address | Subnet mask | Gateway |
|---|---|---|---|
| HQ public | 80.80.80.110 | 255.255.255.224 (/27) | 80.80.80.97 |
| HQ private | 192.168.3.254 | 255.255.254.0 (/23) | 192.168.3.254 |
Remote public addresses are dynamic
| | Address | Subnet mask | Gateway |
|---|---|---|---|
| Remote 1 private | 10.0.1.0/24 | 255.255.255.0 (/24) | 10.0.1.254 |
| Remote 2 private | 10.0.2.0/24 | 255.255.255.0 (/24) | 10.0.2.254 |
| Remote 3 private | 10.0.3.0/24 | 255.255.255.0 (/24) | 10.0.3.254 |
| Remote n private | 10.0.n.0/24 | 255.255.255.0 (/24) | 10.0.n.254 |
First - set up the HQ router.
1. Enabling the server
/ interface l2tp-server server set enabled=yes max-mtu=1460 max-mru=1460 \
    authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
2. Creating users (one for each remote location)
/ ppp secret
add name="user1" service=l2tp caller-id="" password="P@ssw0rd" \
    profile=default-encryption local-address=192.168.3.254 \
    remote-address=10.0.1.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no
add name="user2" service=l2tp caller-id="" password="P@ssw0rd" \
    profile=default-encryption local-address=192.168.3.254 \
    remote-address=10.0.2.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no
add name="user3" service=l2tp caller-id="" password="P@ssw0rd" \
    profile=default-encryption local-address=192.168.3.254 \
    remote-address=10.0.3.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no
3. Adding routes (they will show as "unknown" until the remote users connect)
/ ip route
add dst-address=10.0.1.0/24 gateway=10.0.1.254 scope=255 target-scope=10 \
    comment="" disabled=no
add dst-address=10.0.2.0/24 gateway=10.0.2.254 scope=255 target-scope=10 \
    comment="" disabled=no
add dst-address=10.0.3.0/24 gateway=10.0.3.254 scope=255 target-scope=10 \
    comment="" disabled=no
Second - set up the remote router(s)
1. Creating the client interface on remote location 1
/interface l2tp-client add add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    connect-to=80.80.80.110 disabled=no max-mru=1460 max-mtu=1460 \
    mrru=disabled name="l2tp-out1" password="P@ssw0rd" \
    profile=default-encryption user="user1"
2. Adding the route to the HQ network (it will be inactive until the connection is established)
/ip route add comment="" disabled=no distance=1 dst-address=192.168.2.0/23 \
    gateway=192.168.3.254 scope=255 target-scope=10
3. Optional - if you want your remote locations to communicate with each other
/ip route add comment="To other offices" disabled=no distance=1 dst-address=10.0.0.0/16 \
    gateway=192.168.3.254 scope=255 target-scope=10
Repeat on each remote location, changing the username.
Enjoy!
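With more than 100 locations, typing one secret, one route and one client block per site by hand is error-prone, and the same password in every secret means one compromised branch router exposes the credentials of all of them. The following Python script is an added example, not part of the wiki page and not a RouterOS feature: it applies the page's addressing convention (remote n uses 10.0.n.0/24 with 10.0.n.254 as its router and tunnel address), checks that no remote subnet overlaps the HQ /23 or falls outside the optional 10.0.0.0/16 summary route, and emits the HQ-side secrets and routes together with the matching client-side commands. It differs from the page in two labelled choices of its own: a unique random password per location (generated with Python's `secrets` module) and `allow=mschap2` on the client instead of the page's `pap,chap,mschap1,mschap2`, which the HQ server's `authentication=` list still accepts. The function names (`build`, `hq_commands`, `remote_commands`, `check_plan`) are this example's own.

```python
"""Generate per-location RouterOS commands for the L2TP hub-and-spoke layout above.

Added example, not from the wiki page. Addresses come from the page's tables;
the per-location random password and the mschap2-only client setting are this
example's own choices.
"""
import ipaddress
import secrets
import string

HQ_PUBLIC = "80.80.80.110"                              # HQ public address (page table)
HQ_TUNNEL_ADDRESS = "192.168.3.254"                     # local-address of every tunnel
HQ_LAN = ipaddress.ip_network("192.168.2.0/23")         # network of 192.168.3.254/23
REMOTE_SUMMARY = ipaddress.ip_network("10.0.0.0/16")    # optional inter-office route


def remote_subnet(n: int) -> ipaddress.IPv4Network:
    """10.0.n.0/24 for location n; n is the third octet, so it must be 1..254."""
    if not 1 <= n <= 254:
        raise ValueError("location index must be 1..254 to fit the 10.0.n.0/24 scheme")
    return ipaddress.ip_network(f"10.0.{n}.0/24")


def remote_gateway(n: int) -> ipaddress.IPv4Address:
    """10.0.n.254: the remote router's LAN address and its tunnel remote-address."""
    return remote_subnet(n).network_address + 254


def new_password(length: int = 20) -> str:
    """Random per-location PPP password (this example's choice; the page reuses one string)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_plan(n_locations: int) -> bool:
    """Every remote /24 must sit inside 10.0.0.0/16 and must not overlap the HQ /23."""
    for n in range(1, n_locations + 1):
        net = remote_subnet(n)
        if not net.subnet_of(REMOTE_SUMMARY) or net.overlaps(HQ_LAN):
            return False
    return True


def hq_commands(n: int, password: str) -> list[str]:
    """HQ side: one ppp secret and one route per location (steps 2 and 3 above)."""
    gw = remote_gateway(n)
    return [
        f'/ppp secret add name="user{n}" service=l2tp password="{password}" '
        f"profile=default-encryption local-address={HQ_TUNNEL_ADDRESS} "
        f"remote-address={gw}",
        f"/ip route add dst-address={remote_subnet(n)} gateway={gw} "
        f"scope=255 target-scope=10",
    ]


def remote_commands(n: int, password: str, inter_office: bool = False) -> list[str]:
    """Remote side: the l2tp-client plus the route(s) back to HQ (steps 1 to 3 above)."""
    cmds = [
        # allow=mschap2 only is this example's choice; the page allows pap,chap,mschap1,mschap2
        f"/interface l2tp-client add name=l2tp-out1 connect-to={HQ_PUBLIC} "
        f'user="user{n}" password="{password}" profile=default-encryption '
        f"allow=mschap2 add-default-route=no max-mtu=1460 max-mru=1460",
        f"/ip route add dst-address={HQ_LAN} gateway={HQ_TUNNEL_ADDRESS} "
        f"scope=255 target-scope=10",
    ]
    if inter_office:
        cmds.append(
            f'/ip route add comment="To other offices" dst-address={REMOTE_SUMMARY} '
            f"gateway={HQ_TUNNEL_ADDRESS} scope=255 target-scope=10"
        )
    return cmds


def build(n_locations: int, inter_office: bool = False) -> dict:
    """Return {"hq": [...], "remote": {n: [...]}} for all locations, each with a fresh password."""
    if not check_plan(n_locations):
        raise ValueError("address plan overlaps the HQ LAN or escapes the 10.0.0.0/16 summary")
    hq, remote = [], {}
    for n in range(1, n_locations + 1):
        pw = new_password()
        hq.extend(hq_commands(n, pw))
        remote[n] = remote_commands(n, pw, inter_office)
    return {"hq": hq, "remote": remote}


if __name__ == "__main__":
    cfg = build(3, inter_office=True)
    print("# HQ router")
    print("\n".join(cfg["hq"]))
    for n, cmds in cfg["remote"].items():
        print(f"# remote location {n}")
        print("\n".join(cmds))
```

Paste the HQ block into the HQ router's terminal once and each remote block into the corresponding branch router; the generated secret and client entries share the same password only within one location, so revoking a branch means disabling a single `/ppp secret` entry.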