shervin1568
just joined
Topic Author
Posts: 16
Joined: Tue Feb 26, 2013 12:40 pm

Site to Site VPN + some other requests

Tue Feb 26, 2013 12:56 pm

Dear Users
First of all, I read many parts of this forum and didn't find what I needed. So if there's a specific thread for my questions please let me know, otherwise please answer my questions which will be greatly appreciated.

I have three offices each equipped with Routerboard 450G and having static IP. Database and Application Servers are on office 1 and I would like to connect all these locations with Site to Site VPN in order to be able to use the server.
Also, there may be some other users connecting to the server outside of these sites with dynamic IPs.
Also, I would like to allocate a specific amount of bandwidth to each client in each local network.


So my questions would be:

1. How to set up the firewall in order to raise the security of each network and what are the commands needed to begin with?
2. How do I set up a site to site VPN and what are the required commands?
3. Do I need to forward any port? How?
4. Do I need a PPTP/L2TP VPN for users outside of the mentioned offices? How do I set that?
5. Can users connected to the VPN or Site to Site VPN use the internet?
6. How do I allocate bandwidth to clients?
7. Since I only have 2 clients in office 2 how can I authenticate them to the server without site to site VPN?
Some of my questions may be trivial or not understandable at all but please help me with a step by step walk through.
 
shervin1568
just joined
Topic Author
Posts: 16
Joined: Tue Feb 26, 2013 12:40 pm

Re: Site to Site VPN + some other requests

Tue Feb 26, 2013 9:58 pm

Bump. Please help me
 
ohara
Member
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: Site to Site VPN + some other requests

Tue Feb 26, 2013 10:27 pm

Hi,

re question 1, the default ROS configuration has most firewall settings you need. Additional commands can be found here:
http://aacable.wordpress.com/2011/08/15 ... wan-users/

questions 2 to 5 are more or less covered here:
http://youtu.be/U-8RmkNpgWI
http://wiki.mikrotik.com/wiki/Manual:In ... -Site_SSTP
http://wiki.mikrotik.com/wiki/Manual:In ... -Site_L2TP
http://wiki.mikrotik.com/wiki/Manual:In ... -Site_PPTP
http://wordpress.wlevels.nl/configuring ... tp-server/
http://wiki.mikrotik.com/wiki/Manual:IP ... Sec_Tunnel

re 6, use queues

re 7, assuming they use Windows you can use the built in Windows VPN client
 
tcpip77
Frequent Visitor
Posts: 91
Joined: Wed Apr 26, 2006 2:50 am
Location: Canada

Re: Site to Site VPN + some other requests

Wed Feb 27, 2013 1:47 am

If they are all MikroTik, set up an SSTP VPN from the clients' MikroTik to the main MikroTik at the head office.
 
shervin1568
just joined
Topic Author
Posts: 16
Joined: Tue Feb 26, 2013 12:40 pm

Re: Site to Site VPN + some other requests

Wed Feb 27, 2013 7:07 am

Thank you for your replies.
But why SSTP? Is it more safe and secure?


This question may seem stupid, but when the remote office connects to the main office with site to site VPN, can it still use its own internet to surf the web? Do I need to set a parameter or something?
 
shervin1568
just joined
Topic Author
Posts: 16
Joined: Tue Feb 26, 2013 12:40 pm

Re: Site to Site VPN + some other requests

Wed Feb 27, 2013 7:08 am

> Hi,
>
> re question 1, the default ROS configuration has most firewall settings you need. Additional commands can be found here:
> http://aacable.wordpress.com/2011/08/15 ... wan-users/
>
> questions 2 to 5 are more or less covered here:
> http://youtu.be/U-8RmkNpgWI
> http://wiki.mikrotik.com/wiki/Manual:In ... -Site_SSTP
> http://wiki.mikrotik.com/wiki/Manual:In ... -Site_L2TP
> http://wiki.mikrotik.com/wiki/Manual:In ... -Site_PPTP
> http://wordpress.wlevels.nl/configuring ... tp-server/
> http://wiki.mikrotik.com/wiki/Manual:IP ... Sec_Tunnel
>
> re 6, use queues
>
> re 7, assuming they use Windows you can use the built in Windows VPN client

Thank you Ohara for your reply.
 
shervin1568
just joined
Topic Author
Posts: 16
Joined: Tue Feb 26, 2013 12:40 pm

Re: Site to Site VPN + some other requests

Wed Feb 27, 2013 8:00 am

Another Question.

This picture shows the topology of the main office network. Is it OK to put the router where it is right now? Or should I change the topology somehow? Please let me know what's best for the router.

Image
 
shervin1568
just joined
Topic Author
Posts: 16
Joined: Tue Feb 26, 2013 12:40 pm

Re: Site to Site VPN + some other requests

Thu Feb 28, 2013 8:36 am

Someone help me please.
 
tcpip77
Frequent Visitor
Posts: 91
Joined: Wed Apr 26, 2006 2:50 am
Location: Canada

Re: Site to Site VPN + some other requests

Sun Mar 03, 2013 6:47 am

> Someone help me please.

Instead of pasting in my findings on how to set up MikroTik SSTP, please find my MikroTik SSTP post on my website here: www.nasa-security.net

Hopefully it will give you enough of a head start that you can fill in the gaps of what you need later.
 
tcpip77
Frequent Visitor
Posts: 91
Joined: Wed Apr 26, 2006 2:50 am
Location: Canada

Re: Site to Site VPN + some other requests

Sun Mar 03, 2013 6:50 am

> Another Question.
>
> This picture shows the topology of the main office network. Is it OK to put the router where it is right now? Or should I change the topology somehow? Please let me know what's best for the router.
>
> Image

Typically you should have your Internet go to the ether1 (WAN) port of your MikroTik, and ether2 connects to your network via a switch.

Then you set up masquerading to hide the private LAN side from the Internet.

Those switches should connect all your computers to be BEHIND your firewall.
 
shervin1568
just joined
Topic Author
Posts: 16
Joined: Tue Feb 26, 2013 12:40 pm

Re: Site to Site VPN + some other requests

Sun Mar 03, 2013 11:41 am

> > Another Question.
> >
> > This picture shows the topology of the main office network. Is it OK to put the router where it is right now? Or should I change the topology somehow? Please let me know what's best for the router.
>
> Typically you should have your Internet go to the ether1 (WAN) port of your MikroTik, and ether2 connects to your network via a switch.
>
> Then you set up masquerading to hide the private LAN side from the Internet.
>
> Those switches should connect all your computers to be BEHIND your firewall.

Yeah, you're right. So I connect my ADSL modem through ether1 (WAN) and connect the whole network to ether2. My ADSL modem assigns an IP to the router, for example 192.168.1.2,
and my router assigns IPs to the server and clients in 192.168.2.0/24. So when I want to use site to site IPsec VPN, do I have to put 192.168.2.0/24 as my local address or 192.168.1.0/24?
 
shervin1568
just joined
Topic Author
Posts: 16
Joined: Tue Feb 26, 2013 12:40 pm

Re: Site to Site VPN + some other requests

Mon Mar 04, 2013 7:02 am

Again, it's me.
It's now a little scary with all these IP ranges.

This is the topology and IP addresses of my clients/servers
Image

Provided that my public IP address is 1.1.1.1 for site one and 2.2.2.2 for site 2, how can I connect all the clients of this site to site 2? I mean I'm not sure about the local IP addresses to enter in the IPsec VPN section.
 
tcpip77
Frequent Visitor
Posts: 91
Joined: Wed Apr 26, 2006 2:50 am
Location: Canada

Re: Site to Site VPN + some other requests

Fri Mar 08, 2013 8:17 am

Is there a particular reason why you have mixed internal IPs?
192.168.88.x
192.168.2.x
192.168.3.x
192.168.4.x

If you're using the 192.168.2.x subnet then you should have a LAN address on ether 2 that is something like 192.168.2.1.
Then if all your internal clients are on the 192.168.2.x subnet, they should be able to connect through the VPN to the other site.

If you are unsure of how to use TCP/IP I would read up on basic TCP/IP and routing. This will help with sorting out connectivity problems and how to route inside networks onto the internet and what it means to masquerade and NAT private IPs.
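
Added example (not from any poster in this thread): a site 1 configuration following the layout tcpip77 describes, showing that the IPsec policy carries the LAN subnet 192.168.2.0/24 rather than the modem-side 192.168.1.0/24, and that only LAN-to-LAN traffic enters the tunnel while ordinary internet traffic is still masqueraded out locally. Assumptions: the router holds the public address 1.1.1.1 on ether1 (modem in bridge mode), site 2's LAN is 192.168.3.0/24, the secret is a placeholder, and the syntax is the `/ip ipsec peer` and `/ip ipsec policy` form of RouterOS releases from the period of this thread; newer releases restructure the IPsec menus.

```routeros
# Site 1 router. Assumed values: public IP 1.1.1.1 on ether1,
# site 2 LAN 192.168.3.0/24 (not stated in the thread), placeholder secret.

# LAN gateway address on ether2; clients and servers sit in 192.168.2.0/24
/ip address add address=192.168.2.1/24 interface=ether2

# Exempt LAN-to-LAN traffic from source NAT. If it were masqueraded first,
# its source would become 1.1.1.1 and it would no longer match the IPsec
# policy. This rule must sit ABOVE the masquerade rule.
/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 \
    dst-address=192.168.3.0/24 action=accept

# Everything else leaving ether1 is masqueraded, so site 1 keeps using its
# own internet connection for web traffic
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Accept IKE, NAT-T and ESP only from the known peer. These rules must sit
# above the drop rule of the input chain.
/ip firewall filter add chain=input in-interface=ether1 src-address=2.2.2.2 \
    protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input in-interface=ether1 src-address=2.2.2.2 \
    protocol=ipsec-esp action=accept

# Peer: the remote router's public address and the shared secret
/ip ipsec peer add address=2.2.2.2/32 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# Policy: src/dst are the protected LAN subnets, sa-src/sa-dst are the
# public tunnel endpoints
/ip ipsec policy add src-address=192.168.2.0/24 dst-address=192.168.3.0/24 \
    sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 \
    tunnel=yes action=encrypt proposal=default
```

Site 2 mirrors this with the subnets and endpoint addresses swapped. Each site needs a distinct LAN subnet, because overlapping ranges cannot be expressed as separate policies.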