Hi,

Like I said in the subject, I want to extend my network with 10 remote places. There are several ways to do this and I prefer PPTP but what is the best way? Also, I intend to use one CCR1009 as a main router. All sites are with static IPs. One central site should also control APs. Friends, I would like to ask these things:

1. What's the best to use as a security? Do I need IPS/IDS?
2. I have 5 APs and they will have about 150 users at once maximum. Can I use CCR1009 to do CAPsMAN job along with everything else?

Best Regards!

Are your remote sites using only a single IP? (maybe with NAT behind it)
Then PPTP could work.
However, it might be that you want to connect a larger subnet at the remote site. Then PPTP is not a good choice.

You can use normal IPsec tunnels, or use one of the Tunnel interface types combined with IPsec.
(IPIP tunnel or GRE tunnel)

This has little to do with IPS/IDS.
The CCR1009 is quite powerful, I am using one right now and I have not yet been able to see CPU usage above 1%
on a network with 60 Mbit/s outside connection and about 250 inside users.

Are your remote sites using only a single IP? (maybe with NAT behind it)
Then PPTP could work.
However, it might be that you want to connect a larger subnet at the remote site. Then PPTP is not a good choice.

You can use normal IPsec tunnels, or use one of the Tunnel interface types combined with IPsec.
(IPIP tunnel or GRE tunnel)

This has little to do with IPS/IDS.
The CCR1009 is quite powerful, I am using one right now and I have not yet been able to see CPU usage above 1%
on a network with 60 Mbit/s outside connection and about 250 inside users.

Hi,

Thanks for reply!

All sites will have subnets size /24 and won't use whole space. the main site may use more than other.
Please help me to understand why PPTP is not a good choice.

Best Regards.

PPTP is for teleworkers. 1 IP address at the client end.

PPTP is for teleworkers. 1 IP address at the client end.

I see. Which security protocols would You recommend. I will have one central database.

When you want a clear picture of what is happening with obvious places where you apply firewall rules, go for
one of the tunnel interfaces (IPIP or GRE) with IPsec configured, with a /30 network on each of them, and static
routes or an automatic routing protocol (e.g. BGP) to distribute the routes for the subnets.

When you don't want this extra complexity you can also directly use IPsec tunnels, but it will be more tricky to
apply firewall rules and avoid issues with avoiding NAT between your sites and at the same time have NAT to internet.

When you want a clear picture of what is happening with obvious places where you apply firewall rules, go for
one of the tunnel interfaces (IPIP or GRE) with IPsec configured, with a /30 network on each of them, and static
routes or an automatic routing protocol (e.g. BGP) to distribute the routes for the subnets.

When you don't want this extra complexity you can also directly use IPsec tunnels, but it will be more tricky to
apply firewall rules and avoid issues with avoiding NAT between your sites and at the same time have NAT to internet.

I see. Thanks for explanation. Can I use CCR1009 for this?

Yes, it is very suitable to work as a central router in such a network, it could serve many remotes.
For the remotes you can use the same routers but probably a lower-end router is suitable as well.

I have installed a CCR-1009-8G-1S-1S+ last week to work as VPN router, and also to route to a DMZ and to
serve a guest WiFi network (NAT and DHCP on a /22 network) and I really like this box.
Unbelievable what we get for our money at MikroTik... This router replaces a Cisco that has died, but it
is much less expensive than a comparable Cisco replacement yet it offers features like redundant power supply
that Cisco would only offer in yet more expensive types.

But of course what is most important (no matter what type of router is used) in such an installation is
to have good knowledge of networking and routing. Just clicking-together a working setup without
insight in the matter can lead to trouble no matter what router you use.

Thanks for reply. It helped me.

Yes, it is very suitable to work as a central router in such a network, it could serve many remotes.
For the remotes you can use the same routers but probably a lower-end router is suitable as well.

I have installed a CCR-1009-8G-1S-1S+ last week to work as VPN router, and also to route to a DMZ and to
serve a guest WiFi network (NAT and DHCP on a /22 network) and I really like this box.
Unbelievable what we get for our money at MikroTik... This router replaces a Cisco that has died, but it
is much less expensive than a comparable Cisco replacement yet it offers features like redundant power supply
that Cisco would only offer in yet more expensive types.

But of course what is most important (no matter what type of router is used) in such an installation is
to have good knowledge of networking and routing. Just clicking-together a working setup without
insight in the matter can lead to trouble no matter what router you use.