MikroTik

Hello, greetings.

I'm a beginner for Mikrotik, have some experiences for setup kind of basic, Firewall, NAT, hotspot only - some basic VPN.
Hope someone from this forum can help - would be appreciated - thanks!

We have 3 locations, I try to figure out how our "HR office" can connect to time-clock machine of our branch office through HQ by "remote", currently the branch office only have private IP from their ISP (not possible to get Public IP for now)

Both offices HQ and branch is using Mikrotik RB750Gr3 as the main router with approximated 10-20 users of each office at LAN (including the time-clock machine @branch)

*** Try to setup as follows:
192.168.1.1 ~ HQ=Mikrotik with VPN server (IP public available)

192.168.20.1 ~ Branch=dial-up VPN to HQ (successful and connected with given IP: 192.168.1.75)
192.168.20.55 (Time-clock machine), example port: tcp7400
*** Result:
From HQ Mikrotik "terminal", I can ping to 192.168.1.75, telnet to 192.168.20.55 port=7400 (OK)

I want to setup so HR office, can remote to branch office's time-clock machine via HQ IP public
Tried many ways with no luck, I'm sure is possible but I just can't figure it out.

HR office/or internet ----remote------> HQ (ip-public) ------vpn-client-ip---------> Branch office (time-clock machine-tcp7400)

Hope someone understand what I try to explain and can help.

Thank you so much.

Regards

What you're trying to do makes sense but you shouldn't expose the time clock on the Internet.

What should happen is that the HR Office/Remote computer makes a VPN connection to HQ and then HQ routes the traffic through the VPN connection to the Branch Office and time clock.

What sort of VPN connections are you using? Please provide a copy of your MikroTik configuration without sensistive details (See my signature for details on how) so that we can provide more help.

Firstly I have no clue what 192.168.75.1 has anything to do with the branch office???
The subnet there is 192.168.20.X ??
So I will ignore whatever you have setup for VPN and discuss a wireguard connection.
If you have other VPN requirements, they can be worked into the wireguard after..............
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Create a WG vpn connection.
1 - with the Main HQ Office as the WG server
2 - with the Branch Office a WG client.
3 - ON remote computer use, windows (or linux etc.) wireguard client to connect to WG HQ.

Then through routes, firewall rules and allowed IPs, you will be able to connect to the remote clock.

REMOTE CLIENT COMPUTER

Wireguard settings:
name=wireguard-remote
wireguard address - 10.10.10.3/32
Generated Public key ---> Will be used by HQ wireguard settings ( in peer settings for remote computer)

Peer Settings
Endpoint= publicWANIP of Main office router
Endpoint port = 15555
public key ---> generated by HQ wireguard and installed in remote computer.
Allowed IPs=10.10.10.0/24,192.168.20.0/24
keep-alive=35 seconds

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

OFFICE BRANCH ROUTER

Wireguard settings
name=wireguard-branch
Generated public key -----> to be used by HQ router in its peer settings for branch office router.

Peers Settings
Endpoint= publicWANIP of Main office router
Endpoint port = 15555
public key ---> generated by HQ wireguard and installed in the branch router here
Allowed IPs=10.10.10.0/24
keep-alive=35 seconds

/ip address
add address=10.10.10.2/24 gwy=wireguard-branch

/ip firewall filter
add action=accept chain=forward in-interface=wireguard-branch dst-address=192.168.20.50

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

HQ ROUTER

Wireguard settings
name=wireguard-HQ
listening port=15555
Generated public key -----> to be used by branch router and remote computer in their peer settings for HQ router.

Peers Settings
branch
Allowed IPs=10.10.10.2/32,192.168.20.0/24
public key ---> generated by branch office wg settings and installed here.

home remote computer
Allowed IPs=10.10.10.3/32
public key ---> generated by home computer wireguard application and installed here.

/ip address
add address=10.10.10.1/24 gwy=wireguard-HQ

/ip firewall filter
add action=accept chain=input dst-port=15555 protocol=udp
add action=accept chain=forward in-interface=wireguard-HQ out-interface=wireguard-HQ

/ip route
add dst-address=192.168.20.0/24 gwy=wireguard-HQ table=main