Hello,

I'm new to mikrotik, a friend recommended this brand to me as very good and useful networking products.

I need a solution for the following problem:
Current setup: Internet connection with static IP, router from the ISP only limited / almost no configuration possible and if only from the provider, Router exchange not possible. Internal, we use a switch to connect all Computer and Network devices. The ISP configured their router to forward a few ports we need for external access: mail server and NVR.

Problem: NVR can only be secured with a very weak password. But it must be reached externally.

Our Goal: In the future, access should be possible from a small number of end devices only, or at least restricted, e.g. via VPN, especially from outside. If possible, all open ports should generally be better protected (firewall?).

The following ideas have been discussed so far: a separate router between internal switch and NVR that can only be reached via VPN in order to limit NVR access in this way. Or an intelligent new switch that allows certain devices or MAC addresses to access the NVR or the mail server, or otherwise controls firewall rules.

How can we solve this and are there any products from mikrotik, that can provide a solution. Any help is welcome, thanks in advance.

all the best

NVR access externally is a great use case for the ZeroTIer VPN protocol which was just added to MikroTik on ARM based devices last year.

If you're unfamiliar with ZeroTier - here is an overview of it (before MIkroTik support was added)

https://stubarea51.net/2020/03/10/remot ... frrouting/

Then, once you've determined the bandwidth needed, you can look at either an all-in-one solution with one of the ARM based MikroTik CRS 3xx series switches - which will be slower speeds of 50 to 100 Mbps (give or take). Or also use an ARM64 router like the RB5009 or CCR2116 - both of which have excellent performance over the Internet for ZeroTier and can do 500+ Mbps.

Because ZeroTIer is so easy to configure and has PC/Mac and mobile clients, it's really straightforward to access an NVR (or any other system) behind NAT.

Alternative, probably faster than zerotier, and no license hassles, but requiring more tech know-how for setup:
Use wireguard as VPN. wireguard-"client" on local router, setting up tunnel to private wireguard-"server" on the web.
You can do this with mikrotik equipment, but also using alternatives, i.e. based on openwrt, which is totally opensource, opposed to mikrotiks stuff.

Agree that both options are pretty good but I believe that ZeroTier (ZT) might be somewhat easier to administer when you want to connect additional clients to your private network.

When it comes to ZT licenses, there are normally no costs for the private user if using either the "open source" community edition with a self-hosted controller or the "basic" version using the ZT hosted controller. https://www.zerotier.com/pricing/

Regardless of what solution you choose, I recommend buying an arm-based device to be able to take advantage of all the new features that are in router-os v7.

I agree, wireguard is great for technical people and infrastructure, but it's not a great client facing VPN for non-technical people.

ZeroTier excels at this use case and is perfect if you want a solution that you don't have to spend much time "administering" it just works. It also scales incredibly well.

Can your ISP provided Router operate in BRIDGE mode?
What Bandwidth does your ISP provide you and is that throughput symmetrical or asymmetrical?
How many users will you need to support?

I agree, wireguard is great for technical people and infrastructure, but it's not a great client facing VPN for non-technical people. ZeroTier excels at this use case and is perfect if you want a solution that you don't have to spend much time "administering" it just works. It also scales incredibly well.

Yep indeed!

Somewhat OT but regarding wg and dynamic ip address assignment (aka pptp) there are several solutions but they all are dependent on alterations at both endpoints (peers) as well as custom-made clients. Also, one really shouldn't have to be a hard-core network technician just to perform a new setup.

It's a pity Jason and gang didn't put more effort to create standardized reference implementation for this as well some other stuff like simplified configuration.

However I have to admit they've made some progress on both the windows and mac client since I last visited their dev IRC channel some years ago. I almost got thrown out when I mentioned they might consider to put some more work on the windows client. It was really a wild bunch of linux fanatics at that time, more like a sect actually :- )

+1.
Using wireguard on openwrt, which is much more "Linux" than MTs stuff, is straight forward.