ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Connecting more geographic sites: which VPN?

Mon Sep 21, 2015 10:43 am

I'm planning to connect some company sites, each using an xDSL line with a public IP address, in order to route traffic between the different LAN subnets.
Which private networking system should I use, and which should I avoid?
GRE with IPsec, MPLS/VPLS, etc. etc.

Thank you for any suggestion
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Connecting more geographic sites: which VPN?

Mon Sep 21, 2015 10:53 am

We need more info on the number of sites, topology, etc.
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Connecting more geographic sites: which VPN?

Mon Sep 21, 2015 11:11 am

Let's say 15 sites, one of which with a 34 Mb/s symmetric DSL, the others mostly 7M/1M asymmetric DSL.

Each site with its own 192.168.x.x C class and VoIP traffic to be managed.

I've successfully used GRE with IPsec and static routes in some three-site networks; I'm asking if (surely) some dynamic routing and a different VPN method would be better....

Thank you
 
descartes
just joined
Posts: 21
Joined: Sun Sep 20, 2015 3:04 pm

Re: Connecting more geographic sites: which VPN?

Tue Sep 22, 2015 6:28 am

> Let's say 15 sites, one of which with a 34 Mb/s symmetric DSL, the others mostly 7M/1M asymmetric DSL.
>
> Each site with its own 192.168.x.x C class and VoIP traffic to be managed.
>
> I've successfully used GRE with IPsec and static routes in some three-site networks; I'm asking if (surely) some dynamic routing and a different VPN method would be better....
>
> Thank you

Hi,

L2TP with IPsec might be a good option.
http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

Some things to consider:
1. L2TP is a hub-and-spoke topology; you might want to have a hub site to which all the rest of the remote sites will connect. This site should preferably have a static public IP, and its bandwidth capacity should be considered as well.

2. The applications that will run over the VPN tunnels, as this will determine how much bandwidth you need for each site. VoIP requires good internet access, and if you have other applications running along with VoIP, you will need to enable QoS; in many cases VoIP should run on a separate internet link.

3. Routing protocols: since you have about 15 sites, you should run some kind of dynamic routing protocol, like RIP or OSPF. OSPF is suitable on L2TP links.


Let us know if you have more information on your setup.
regards,
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Connecting more geographic sites: which VPN?

Wed Sep 23, 2015 6:51 pm

Thanks for the replies.
All sites have their own public static IP address.

It would be interesting if traffic didn't pass through site "A" when "B" is talking with "C" (assuming "A" is the main company site).
So, for 15 sites, should I build 14 tunnels each?? Manually? Statically?
 
tadkins
just joined
Posts: 6
Joined: Fri Nov 16, 2012 12:23 am

Wed Sep 23, 2015 11:54 pm

I have done something similar. I use L2TP + IPsec. Each site has its own tunnel. Works like a champ.

Sent from my Nexus 6 using Tapatalk
 
descartes
just joined
Posts: 21
Joined: Sun Sep 20, 2015 3:04 pm

Re: Connecting more geographic sites: which VPN?

Thu Sep 24, 2015 9:08 am

> Thanks for the replies.
> All sites have their own public static IP address.
>
> It would be interesting if traffic didn't pass through site "A" when "B" is talking with "C" (assuming "A" is the main company site).
> So, for 15 sites, should I build 14 tunnels each?? Manually? Statically?

Hi,

It is very good to know that you have static IP addresses for all sites.
It will make the implementation easier.

> It would be interesting if traffic didn't pass through site "A" when "B" is talking with "C" (assuming "A" is the main company site).
> So, for 15 sites, should I build 14 tunnels each?? Manually? Statically?

What you are referring to is a "full mesh network", and in this case you want a site-to-site full mesh VPN connection.

Mesh network is defined here:
https://en.wikipedia.org/wiki/Network_topology

As you mentioned above, we need n-1 tunnels for n sites, and n*(n-1) tunnels in total to be created. So for 15 sites, we need to create 15*14=210 tunnels.

And since MK L2TP is actually point-to-point, yes, we have to create each tunnel manually and statically; while this is possible, it might not be practical or easy to manage.

As for the MikroTik L2TP interface, while this is not a full mesh VPN, it does not mean that we can't create a flat, dynamically connected Layer 2 site-to-site VPN; in this case, each site would have just one tunnel to connect to a HUB site.

1. We can designate a HUB site, perhaps the main site with big enough bandwidth to have all sites connected to it, and then we create a single tunnel from each site to the HUB site: a hub-and-spoke topology.
2. Since it is a Layer 2 (L2TP) implementation, it would be transparent for all sites at IP Layer 3; however, on the physical connection all the traffic will still have to go through the HUB (e.g. site A), just as you commented above. For example, for site B to talk to site C, it still has to go via site A (the HUB site).
3. On the routing issue, we can use OSPF for each site to dynamically update its routing table as new sites become available; static routes will not be easy to manage.

Both of the documents below are applicable if we follow the instructions closely:
http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
http://wiki.mikrotik.com/wiki/Manual:BC ... _bridging)

Basically we can use L2TP interface with BCP bridging.


regards,
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Connecting more geographic sites: which VPN?

Thu Sep 24, 2015 10:32 am

OK, useful info...!
At this point I can say that passing through the central hub site has to be avoided; it has greater bandwidth, but not enough to manage all the traffic the other sites exchange between them.

What is the difference between using GRE (as I already used in the past in conjunction with IPsec) and L2TP??
I found GRE so easy and immediate to set up and manage; is there any advantage of one over the other?
 
TomosRider
Member Candidate
Posts: 209
Joined: Thu Nov 20, 2014 1:51 pm

Re: Connecting more geographic sites: which VPN?

Thu Sep 24, 2015 10:39 am

Reading the RFC will enlighten you in a way you can't imagine... :D
If you want to connect sites using a VPN, L2TP with IPsec is just fine.
GRE is used to encapsulate all kinds of other protocols.
 
descartes
just joined
Posts: 21
Joined: Sun Sep 20, 2015 3:04 pm

Re: Connecting more geographic sites: which VPN?

Thu Sep 24, 2015 5:44 pm

Hi,

OK, GRE (+IPsec) is another point-to-point tunnelling protocol (it was first developed by Cisco).

You can also check out IPIP and EoIP, which have similar features.

http://wiki.mikrotik.com/wiki/Manual:Interface/Gre

GRE and IPIP are Layer 3 tunnelling protocols, for which you need the IP layer (IP addresses) and thus routing protocols (or static routes) to be set up to make the site-to-site VPN tunnels workable.

The L2TP interface, however, works at Layer 2 (imagine an Ethernet switch); it is not bound by the IP layer, so we do not need to worry about IP routing. It is much more flexible, and the IP layer will just work on top of Layer 2. It is even possible to create a VPN with a single subnet, with DHCP and a default gateway, via L2TP.

Just a side note: if the main central hub has certain operational limitations (bandwidth, uptime, etc.), one thing to consider is to create a HUB site in the cloud. There is a new MikroTik Cloud Hosted Router (CHR) which is in the works right now.
http://forum.mikrotik.com/viewtopic.php?t=98981

regards,
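The two replies above work out the full-mesh tunnel count and explain why GRE/IPIP tunnels need IP addressing and a routing protocol on top. The script below is an added example, not code from the thread or from MikroTik: it models the mesh arithmetic (each of the n*(n-1)/2 links has two endpoints, so each site configures n-1 interfaces and the 15-site case has 210 endpoints) and then generates per-site RouterOS commands for a GRE-over-IPsec mesh with OSPF point-to-point adjacencies, so that B-to-C traffic never transits the hub. The command syntax is assumed to be v6-era RouterOS (pre-6.43, where the pre-shared secret sits on `/ip ipsec peer`) and should be checked against the manual for the version deployed; the public IPs, LAN prefixes, transit pool and pre-shared keys are constructed placeholders.

```python
"""Added example (not from the thread): size a full-mesh VPN and emit per-site
RouterOS configuration for GRE over IPsec with OSPF across the tunnels.

Assumptions, not taken from the page:
- RouterOS v6-era syntax (pre-6.43); verify every command against the manual
  for the version in use.
- Public IPs and LAN prefixes are constructed placeholders (RFC 5737 ranges).
- Pre-shared keys are placeholders, to be replaced by a distinct strong secret
  per peer that is kept outside the script.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: site name -> (public IP, LAN prefix)
SITES = {
    "A": ("198.51.100.1", "192.168.1.0/24"),
    "B": ("198.51.100.2", "192.168.2.0/24"),
    "C": ("203.0.113.3", "192.168.3.0/24"),
    "D": ("203.0.113.4", "192.168.4.0/24"),
}
# Constructed transit pool: one /30 per tunnel, carved deterministically
TRANSIT_POOL = ipaddress.ip_network("10.255.0.0/16")


def mesh_size(n):
    """Full mesh of n sites: (point-to-point links, tunnel endpoints).
    Each link has two endpoints, so every site configures n-1 interfaces."""
    return n * (n - 1) // 2, n * (n - 1)


def mesh_pairs(sites):
    """Unordered site pairs, sorted so the allocation below is reproducible."""
    return list(combinations(sorted(sites), 2))


def allocate_transit(pairs):
    """Map each pair to its own /30; the lower-named site takes the first host."""
    subnets = TRANSIT_POOL.subnets(new_prefix=30)
    return {pair: next(subnets) for pair in pairs}


def site_config(site, sites, transit, psk):
    """RouterOS commands for one site: a GRE interface, an IPsec policy and an
    OSPF point-to-point adjacency toward every other site; LAN advertised once."""
    pub, lan = sites[site]
    router_id = next(ipaddress.ip_network(lan).hosts())  # LAN gateway as router-id
    out = [f"# ---- site {site} ({pub}) ----",
           f"/routing ospf instance set default router-id={router_id}",
           f"/routing ospf network add network={lan} area=backbone"]
    for pair, subnet in transit.items():
        if site not in pair:
            continue
        peer = pair[1] if pair[0] == site else pair[0]
        peer_pub = sites[peer][0]
        hosts = list(subnet.hosts())
        my_addr = hosts[0] if pair[0] == site else hosts[1]
        out += [
            f"/interface gre add name=gre-{peer} local-address={pub} "
            f"remote-address={peer_pub}",
            f"/ip address add address={my_addr}/30 interface=gre-{peer}",
            # Phase 1 peer; the secret is a placeholder, one per peer
            f"/ip ipsec peer add address={peer_pub}/32 exchange-mode=main "
            f"secret={psk[pair]}",
            # Transport-mode policy that encrypts exactly the GRE traffic
            f"/ip ipsec policy add src-address={pub}/32 dst-address={peer_pub}/32 "
            f"protocol=gre action=encrypt level=require tunnel=no "
            f"sa-src-address={pub} sa-dst-address={peer_pub} proposal=default",
            f"/routing ospf interface add interface=gre-{peer} "
            f"network-type=point-to-point",
            f"/routing ospf network add network={subnet} area=backbone",
        ]
    return out


def build_all(sites):
    """Configuration lines for every site in the inventory."""
    pairs = mesh_pairs(sites)
    transit = allocate_transit(pairs)
    psk = {p: f"<PSK-{p[0]}-{p[1]}>" for p in pairs}  # placeholders only
    return {s: site_config(s, sites, transit, psk) for s in sites}


if __name__ == "__main__":
    print("15 sites -> %d links, %d endpoints" % mesh_size(15))
    for site, lines in build_all(SITES).items():
        print("\n".join(lines), end="\n\n")
```

Each pair shares one /30 transit subnet and one pre-shared key, so the output for site A and site B agree on the addresses at both ends of `gre-B`/`gre-A`; the IPsec policy is transport mode and matches only protocol 47 between the two public addresses, so nothing but the GRE payload is encrypted and the tunnel itself carries the routed LAN traffic. The number of lines grows with the site count exactly as the reply predicts, which is the operational argument for the hub-and-spoke alternative it describes.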
 
Larsa
Forum Guru
Posts: 1702
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Connecting more geographic sites: which VPN?

Thu Sep 24, 2015 11:49 pm

> . . .
>
> 3. Routing protocols: since you have about 15 sites, you should run some kind of dynamic routing protocol, like RIP or OSPF. OSPF is suitable on L2TP links.

Try to avoid RIP, or at least make sure you are using RIPv2. Ref: Understanding RIP Routing
--

Regards, Lars.
 
descartes
just joined
Posts: 21
Joined: Sun Sep 20, 2015 3:04 pm

Re: Connecting more geographic sites: which VPN?

Fri Sep 25, 2015 8:07 am

Sure, I was just making the point that RIP, as one of the dynamic routing protocols out there, is supported within L2TP; however, newer and better routing protocols like OSPF are recommended with any L2TP implementation.

regards,
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Connecting more geographic sites: which VPN?

Fri Sep 25, 2015 4:39 pm

OK, I've played successfully with OSPF and I think I'll go for it.

About L2TP (which I have never used): is there perhaps some "unwanted" or "problematic" traffic in connecting 16 fully meshed sites on Layer 2???
It's like having all sites wire-connected, all seeing all, regardless of protocols etc.
From what I've understood, it is a hardware direct connection more than a routed one....
One could move any pair of already networked PCs and install them at two of these sites and still keep them working between each other....

Am I wrong in this???
 
descartes
just joined
Posts: 21
Joined: Sun Sep 20, 2015 3:04 pm

Re: Connecting more geographic sites: which VPN?

Sat Sep 26, 2015 3:56 am

Hi,

It is good to hear that you are comfortable with OSPF.

> About L2TP (which I have never used): is there perhaps some "unwanted" or "problematic" traffic in connecting 16 fully meshed sites on Layer 2???
> It's like having all sites wire-connected, all seeing all, regardless of protocols etc.
> From what I've understood, it is a hardware direct connection more than a routed one....
> One could move any pair of already networked PCs and install them at two of these sites and still keep them working between each other....

We need to use the Bridge interface in MikroTik; the main concerns are "broadcasts" and "loops", and both are taken care of by the Bridge interface's RSTP:

http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
http://wiki.mikrotik.com/wiki/Manual:In ... e_Protocol

Make sure that each site is configured properly with correct IP addressing, routing, etc., so that the sites connect to each other as intended.

regards,