After giving up on IPSEC tunnels (Not EoIP over IPSEC tho) i have created the below.
We all know how bad PPTP tunnels are, and why having them is just annoying people trying to steal your data, rather than actually protecting it.
So here is a dump from my config. Coming from DEV router to a SSTP servers setup on port 444
/interface sstp-server
add name=sstp-inHBT user=sstp-inHBT
add name=sstp-inLTN user=sstp-inLTN
/interface sstp-client
add connect-to=hobart.client.com:444 disabled=no mrru=1600 name=\
sstp-outHBT password=11111111 profile=default-encryption user=sstp-inDEV
add connect-to=launceston.client.com:444 disabled=no mrru=1600 name=\
sstp-outLTN password=11111111 profile=default-encryption user=sstp-inDEV
/interface sstp-server server
set enabled=yes port=444
/ip firewall filter
add chain=input comment=”Allow SSTP To Router” dst-port=444 protocol=tcp
/ip route
add distance=10 dst-address=10.4.40.0/24 gateway=10.4.1.26
add distance=20 dst-address=10.4.40.0/24 gateway=10.4.1.29
add distance=10 dst-address=10.4.48.0/24 gateway=10.4.1.21
add distance=20 dst-address=10.4.48.0/24 gateway=10.4.1.37
/ppp secret
add local-address=10.4.1.20 name=sstp-inHBT password=11111111 remote-address=\
10.4.1.21 service=sstp
add local-address=10.4.1.25 name=sstp-inLTN password=11111111 remote-address=\
10.4.1.26 service=sstp
and the HBT Router
/interface sstp-server
add name=sstp-inDEV user=sstp-inDEV
add name=sstp-inLTN user=sstp-inLTN
/interface sstp-client
add connect-to=DEV.client.com:444 disabled=no mrru=1600 name=\
sstp-outDEV password=11111111 profile=default-encryption user=sstp-inHBT
add connect-to=launceston.client.com:444 disabled=no mrru=1600 name=\
sstp-outLTN password=11111111 profile=default-encryption user=sstp-inHBT
/interface sstp-server server
set enabled=yes port=444
/ip firewall filter
add chain=input comment=”Allow SSTP In” dst-port=444 protocol=tcp
/ip route
add distance=10 dst-address=10.4.40.0/24 gateway=10.4.1.33
add distance=20 dst-address=10.4.40.0/24 gateway=10.4.1.42
add distance=10 dst-address=10.4.44.0/24 gateway=10.4.1.20
add distance=20 dst-address=10.4.44.0/24 gateway=10.4.1.38
/ppp secret
add local-address=10.4.1.37 name=sstp-inDEV password=11111111 remote-address=\
10.4.1.38 service=sstp
add local-address=10.4.1.41 name=sstp-inLTN password=11111111 remote-address=\
10.4.1.42
On the LTN router, i have the same kind of thing setup, but different IPs usernames and passwords.
The Dev router has two SSTP tunnels created to each site. One outbound, to each of the remote routers static IP addresses. And one inbound for each of the remote routers.
All routers have a 4G LTE backup dongle in them.
In the event of the primary link going down on the Dev router, the inbound VPNs will fail. As soon as the DEV router has failed over to the LTE interface, it will dial out to the other routers on their static addresses. As long as one end of the tunnel has its fixed address still online, the tunnel will still work.
Now there is no real need to keep both running at the same time, but i see no problem in keeping them both up.
« Mikrotik EoIP Tunnels with Dynamic IP Addresses Change IP address on Telstra MF823 4G Router »