MikroTik VPN Solution
Developed for AltaMed and other clients with remote parking locations. Never implemented at a customer location (as of 11/6/14).
System Topology Diagrams
VPN Client with internet cable connection.
VPN Client with 3G USB internet connection.
VPN Client with NanoStation connection.
Client Side
Information Requirements
Static Internet connection information for the remote customer site (where the Transfer Point is to be installed):
- IP Address in slash notation EX: 216.133.162.67/28 = IP Address 216.133.162.67, NetMask 255.255.255.240
- Default Gateway for the connection EX: 216.133.162.65
- Network Address EX: 216.133.162.64
IP address block explained: the /28 limits the block of addresses to 16, as follows:
216.133.162.64 - Network Address (1 address)
216.133.162.65 - Gateway Address (1 address)
216.133.162.66 - 216.133.162.79 - usable addresses (14 addresses)
Subnet calculator: http://www.zytrax.com/tech/protocols/ip-classes.html#calculator
Initial Configuration Setup
Set up RB751U-2HnD Router for initial configuration
Document the MAC address range from the bottom of the unit, i.e. 00:0C:42:AE:F2:7C - 00:0C:42:AE:F2:81 (5 addresses). These will be used to connect to the device and are logged in AdminCenter.
Connect to power
Connect a Cat 5 cable from port ETH5 to the NIC for Idrive wireless
- Change the settings for the wireless NIC on your computer to:
- - IP address 192.168.88.10
- - Netmask 255.255.255.0
Connect using Winbox
Download and install Winbox Configuration tool for RouterOS.
Run Winbox.exe or double click the icon on the desktop
- Enter the Default "Connect To" IP Address: 192.168.88.1
- Login: admin
- password: blank
- Click "Connect"
Upon initial login the "RouterOS Default Configuration" pop-up window will appear. Choose "OK". We are not concerned about the default settings because they will be overwritten with the Idrive default configuration file.
Create a backup of the default configuration just in case:
Files > Backup
Upgrade OS and Firmware
Obtain the latest versions (v6.x) from the MikroTik download site (http://www.mikrotik.com/download)
Click on the correct link for the hardware architecture (mipsbe for RB751U-2HnD)
Click on "All Packages" and click Save
Extract all of the files from the zip package
Copy the files from your computer to the RouterBoard by dragging and dropping all of the files into the file list in the WinBox window
Restart the router, log back in and confirm that WinBox shows the new version of RouterOS and firmware
Setup using Restore configuration file (Recommended)
Load Idrive Standard configuration
For simplicity and consistency it is better to set the router's configuration using the RouterOS backup/restore function. This "restores" the standard Idrive configuration from a .backup file, leaving only a few custom settings that are specific to the customer location(s).
- Download the most current .backup file from Admin Center
- Unzip the file to the Desktop on your computer
- In WinBox select “Files” from the left menu to open the Files List window.
- Use the mouse to drag and drop the configuration file from the Desktop into the Files List (uploads the file to the Router)
- Highlight the config file and click on "Restore"
The router will reboot with the new configuration. You will need to use the new IP address and password:
- - The new IP address for ports 3 - 5 will be 192.168.0.3
- - Change the IP address on your NIC to 192.168.0.10
Reconnect to the router with the "Connect to" address of 192.168.0.3, password idrive#
Set Customer/Location Specific Settings
Static Internet IP Address
Click IP > Address to open the Address list form. Double-click on an address to edit it. All three interface addresses are shown open here. You should only need to change the ether1 address.
Modify the internet connection address for the customer's location.
ether1 - This must be configured prior to shipment, or you will not be able to contact the Transfer Point when it is installed at the customer location!
- Enter the static IP address (216.133.162.67/28 in this example)
- Enter the Network Address (216.133.162.64 in this example)
- Interface "ether1"
bridge_local - No need to change unless there is more than one remote Transfer Point in the Idrive system. This is the IP address that the base station will see. Ports 3, 4 and 5 share this address.
- IP Address 192.168.0.3/16
- Network 192.168.0.0
- Interface bridge_local
ether2 - Set by the config file and does not need to be changed.
- IP Address 1.1.1.2/24
- Network 1.1.1.0
- Interface ether2
Set SSTP Dial Out address
Set the Dial Out address (the static IP address of the base station's internet connection). This is the number that the Transfer Point "calls" to contact the base station.
Set Timezone for customer location
Set the timezone. The date and time will be set by NTP (Network Time Protocol) when connected to the internet.
Network Cable Connections
ETH1 - Internet
ETH2 - loopback cable to ETH3
ETH3 - loopback cable to ETH2
ETH4 - Optional extra AP (192.168.0.3)
ETH5 - Optional extra AP (192.168.0.3)
Advanced Configuration (no config file)
Interfaces configuration
Select "Interfaces" from the left menu and enable both "wlan1" and "ppp-out1".
PPP configuration
Select "PPP" from the left menu, go to the "Profiles" tab and add a new profile.
Complete the fields, then select the "Protocols" tab and check "yes" under "Use Encryption".
SSTP configuration
Return to the "Interface List" and add a new "SSTP Client".
In the "Dial Out" section fill "Connect To:" with the VPN Server's public IP, set the port to 1723, and enter the user name and password that you have created on the VPN Server.
Uncheck the "pap" and "chap" boxes under "Allow".
If the VPN Server is configured, the status will appear as connected.
If the VPN Server is not configured, see Configure VPN Server (Server Side, below).
WLAN configuration
Return to the "Interface List", double-click "wlan1", select the "Wireless" tab and complete the fields as in the picture.
Bridges configuration
Select "Bridge" from the left menu and add a new bridge. Configure the two bridges as shown.
For "bridge_tunnel", make sure "ARP" is disabled and enter the MAC Address 00:00:5E:80:01:01, then select the "STP" tab and set "Protocol Mode: rstp".
Select the "Ports" tab and add the interfaces to the proper bridge as shown.
Addresses configuration
Use the "+" button and add the addresses as shown here.
Routes configuration
Add the three routes:
route <0.0.0.0/0> - set the Gateway to the address of the customer's internet gateway at the remote location. Leave Dst. Address all zeros.
route <192.168.0.0/16> - routes 192.168.x.x (events) traffic through the tunnel to the base station.
route <216.133.162.64/28> - routes all internet traffic out the ether1 interface. The address is the network address of the remote location's internet connection.
NTP configuration
Network Time Protocol - keeps the time synchronized.
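The client-side "Advanced Configuration" above (addresses, routes, PPP profile, SSTP dial-out, timezone, NTP) can be rendered and sanity-checked before it is typed into Winbox. The following is an added example, not code from the original page or from MikroTik: it emits the Transfer Point settings as RouterOS v6 CLI lines from the customer-specific values and flags the mistakes that would leave the unit unreachable after shipment (gateway outside the /28, base-station address that falls inside the tunnel route, invalid port). Interface and bridge names are the ones used in the notes; "tp-profile", "sstp-out1", the gateway used for the 192.168.0.0/16 route (the notes do not name one), the base-station address 203.0.113.10 and the credentials are placeholders, and the 12-character password floor is a local policy assumed here.

```python
# Added example (not from the original page or MikroTik): render the
# Transfer Point (VPN client) settings as RouterOS v6 CLI lines and check them.
import ipaddress


def transfer_point_config(
    wan_cidr,                        # ether1 static address, e.g. "216.133.162.67/28"
    wan_gateway,                     # customer's default gateway, e.g. "216.133.162.65"
    base_station_ip,                 # public IP the SSTP client "calls"
    vpn_user,
    vpn_password,
    time_zone,                       # e.g. "America/Los_Angeles"
    sstp_port=1723,                  # port from the notes above
    tunnel_gateway="bridge_tunnel",  # assumption: the notes do not name this gateway
    lan_cidr="192.168.0.3/16",       # bridge_local, shared by ports 3-5
    loop_cidr="1.1.1.2/24",          # ether2 loopback address
    tunnel_route="192.168.0.0/16",   # events traffic sent through the tunnel
):
    """Return (commands, problems); commands is a list of RouterOS CLI lines."""
    problems = []
    wan = ipaddress.ip_interface(wan_cidr)
    gw = ipaddress.ip_address(wan_gateway)
    bs = ipaddress.ip_address(base_station_ip)
    if (gw not in wan.network or gw == wan.network.network_address
            or gw == wan.network.broadcast_address):
        problems.append(f"gateway {gw} is not a host inside {wan.network}")
    if bs in ipaddress.ip_network(tunnel_route):
        problems.append(f"base station {bs} falls inside the tunnel route "
                        f"{tunnel_route}; the SSTP dial-out would loop into the tunnel")
    if not 1 <= sstp_port <= 65535:
        problems.append(f"invalid SSTP port {sstp_port}")
    if len(vpn_password) < 12:   # local policy assumed here, not from the notes
        problems.append("VPN password shorter than 12 characters")

    commands = [
        # Static internet address on ether1, with the network address as in Winbox
        f"/ip address add address={wan} network={wan.network.network_address} interface=ether1",
        f"/ip address add address={lan_cidr} interface=bridge_local",
        f"/ip address add address={loop_cidr} interface=ether2",
        # Route 1: default route through the customer's gateway
        f"/ip route add dst-address=0.0.0.0/0 gateway={gw}",
        # Route 2: 192.168.x.x (events) traffic through the tunnel
        f"/ip route add dst-address={tunnel_route} gateway={tunnel_gateway}",
        # Route 3: the connected /28 out ether1 (normally present as a connected route)
        f"/ip route add dst-address={wan.network} gateway=ether1",
        # PPP profile for the client: encryption on, BCP into bridge_tunnel
        "/ppp profile add name=tp-profile bridge=bridge_tunnel use-encryption=yes",
        # Dial out: only MS-CHAPv2 is allowed (pap and chap left unchecked)
        f"/interface sstp-client add name=sstp-out1 connect-to={bs}:{sstp_port} "
        f"user={vpn_user} password=\"{vpn_password}\" profile=tp-profile "
        "authentication=mschap2 disabled=no",
        f"/system clock set time-zone-name={time_zone}",
        "/system ntp client set enabled=yes",   # NTP server address is set separately
    ]
    return commands, problems


if __name__ == "__main__":
    cmds, probs = transfer_point_config(
        "216.133.162.67/28", "216.133.162.65", "203.0.113.10",
        "tp1", "example-only-passphrase", "America/Los_Angeles")
    print("\n".join(cmds))
    print("problems:", probs or "none")
```

The generated lines can be pasted into a Winbox terminal on a freshly reset unit; the checks are the ones worth running before the Transfer Point ships, because a wrong ether1 address or gateway cannot be corrected remotely once the unit is at the customer site.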
3G notes from Florin
Connect your 3G USB dongle and restart router.
Return to the "Interface List", double-click "ppp-out1" and make sure that the "usb1" option is selected. If the "Port" drop-down list is empty, then your 3G dongle is not supported.
Our 3G USB worked by default without any other configuration. Click on "Advanced Mode" if your SIM requires mobile carrier configuration.
Functional testing and troubleshooting
Initial Installation Checks
Internet connection working?
Connect using Winbox
Connect using a browser
Telnet into the Transfer Point using PuTTY
Ping the Transfer Point
Connected to the base station?
Ping the base station's public IP address
Check the structure using neighbor discovery (192.168.0.2 is at the base station end). This shows connectivity as well as the tunnel working.
Wifi tools / channel selection
View other Wifi networks in the area
View the amount of traffic on each channel
Extra APs connected and functioning?
Ping the additional AP(s)
Installation checklist
Mounting
Electrical Wiring
Antenna sealed with tape
Internet connection
External APs installed and connected
Server Side
Information Requirements
Static Internet connection information for the Idrive Base Station site:
- IP Address in slash notation EX: 216.133.162.68/28 = IP Address 216.133.162.68, NetMask 255.255.255.240
- Default Gateway for the connection EX: 216.133.162.65
- Network Address EX: 216.133.162.64
IP address block explained: the /28 limits the block of addresses to 16, as follows:
216.133.162.64 - Network Address (1 address)
216.133.162.65 - Gateway Address (1 address)
216.133.162.66 - 216.133.162.79 - usable addresses (14 addresses)
http://www.zytrax.com/tech/protocols/ip-classes.html#calculator
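Both "Information Requirements" sections (the client site above and the base station site here) ask for the same three values, and the slash notation determines the netmask, network and broadcast address. The following is an added example, not code from the original page: it derives those values with Python's standard ipaddress module, so the block explanation above can be checked, and it flags a gateway or network address that does not belong to the block, which is the kind of transcription error that would leave the router unreachable. The inputs in the demo are the ones quoted in the notes.

```python
# Added example (not from the original page): derive netmask, network,
# broadcast and usable host range from host/prefix notation and check that the
# gateway and network address supplied by the ISP belong to that block.
import ipaddress


def describe_block(address_cidr, gateway, network):
    """Explain a static-IP assignment given as host/prefix.

    address_cidr: host address in slash notation, e.g. "216.133.162.67/28"
    gateway:      the ISP's default gateway, e.g. "216.133.162.65"
    network:      the network address the ISP quoted, e.g. "216.133.162.64"
    """
    iface = ipaddress.ip_interface(address_cidr)
    net = iface.network
    # hosts() excludes the network and broadcast addresses; /32 has none to exclude
    hosts = list(net.hosts()) or [net.network_address]
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gateway} is outside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gateway} is the network or broadcast address")
    if ipaddress.ip_address(network) != net.network_address:
        problems.append(f"stated network {network} != computed {net.network_address}")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"host address {iface.ip} is not a usable host address")
    return {
        "ip": str(iface.ip),
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "total_addresses": net.num_addresses,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
        "problems": problems,
    }


if __name__ == "__main__":
    # Values quoted in the notes: Transfer Point .67, Base Station .68
    for cidr in ("216.133.162.67/28", "216.133.162.68/28"):
        info = describe_block(cidr, "216.133.162.65", "216.133.162.64")
        for key, value in info.items():
            print(f"{key:16} {value}")
        print()
```

Run it with the three values from the ISP before entering them in Winbox; an empty "problems" list means the address, gateway and network are mutually consistent.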
Initial Configuration Setup
Set up RB2011LS-IN Router for initial configuration
Document the MAC address range from the bottom of the unit, i.e. 00:0C:42:AE:F2:7C - 00:0C:42:AE:F2:86 (10 addresses). These will be used to connect to the device and are logged in AdminCenter.
Connect to power
Connect a Cat 5 cable from port ETH6 to the NIC for Idrive wireless
- Change the settings for the wireless NIC to:
- - IP address 192.168.88.10
- - Netmask 255.255.255.0
Connect using Winbox
Download and install Winbox Configuration tool for RouterOS.
Run Winbox.exe or double click the icon on the desktop
- Enter the Default "Connect To" IP Address: 192.168.88.1
- Login: admin
- password: blank
- Click "Connect"
Upon initial login the "RouterOS Default Configuration" pop-up window will appear. Choose "OK". We are not concerned about the default settings because they will be overwritten with the Idrive default configuration file.
Create a backup of the default configuration just in case:
Files > Backup
Upgrade OS and Firmware
Obtain the latest versions (v6.x) from the MikroTik download site (http://www.mikrotik.com/download)
Click on the correct link for the hardware architecture (mipsbe for RB2011)
Click on "All Packages" and click Save
Extract all of the files from the zip package
Copy the files from your computer to the RouterBoard by dragging and dropping all of the files into the file list in the WinBox window
Restart the router, log back in and confirm that WinBox shows the new version of RouterOS and firmware
Setup using Restore configuration file (Recommended)
Load Idrive Standard configuration
For simplicity and consistency it is better to set the router's configuration using the RouterOS backup/restore function. This "restores" the standard Idrive configuration from a .backup file, leaving only a few custom settings that are specific to the customer location(s).
- Download the most current .backup file from Admin Center
- Unzip the file to the Desktop on your computer
- In WinBox select “Files” from the left menu to open the Files List window.
- Use the mouse to drag and drop the configuration file from the Desktop into the Files List (uploads the file to the Router)
- Highlight the config file and click on "Restore"
The router will reboot with the new configuration. You will need to use the new IP address and password:
- - The new IP address for ports 6 - 10 will be 192.168.0.2
- - Change the IP address on your NIC to 192.168.0.10
Reconnect to the router with the "Connect to" address of 192.168.0.2, password idrive#
Set Customer/Location Specific Settings
Static Internet IP Address
Click IP > Address to open the Address list form. Double-click on an address to edit it. Both interface addresses are shown open here. You should only need to change the ether1 address.
Modify the internet connection address for the customer's location.
ether1 - This is the static IP address for the Base Station
- Enter the static IP address (216.133.162.68/28 in this example)
- Enter the Network Address (216.133.162.64 in this example)
- Interface "ether1"
bridge_local - This is the IP address that the base station will see. Ports 5, 6, 7, 8, 9 and 10 share this address.
- IP Address 192.168.0.2/16
- Network 192.168.0.0
- Interface bridge_local
Set Timezone for customer location
Set the timezone. The date and time will be set by NTP (Network Time Protocol) when connected to the internet.
Network Cable Connections
ETH1 & ETH2 - Internet
ETH3 - loopback cable to ETH4
ETH4 - loopback cable to ETH3
ETH5 - Idrive Base Station wireless NIC (192.168.0.10)
ETH6 - ETH10 - Local extra APs (192.168.0.2)
Advanced Configuration (no config file)
Interfaces configuration
Select "Interfaces" from the left menu - finish this section
Bridges configuration
Select "Bridge" from the left menu and add a new bridge by clicking on the "+" button. Configure the three bridges as shown.
"bridge_local" - Make sure "ARP" is enabled and enter the MAC Address 00:00:5E:80:01:01, then select the "STP" tab and set "Protocol Mode: rstp".
"bridge_tunnel" - Make sure "ARP" is disabled, then select the "STP" tab and set "Protocol Mode: rstp".
"bridge_internet" - Make sure "ARP" is enabled, then select the "STP" tab and set "Protocol Mode: none".
Select the "Ports" tab and add the interfaces to the proper bridge as shown.
Addresses configuration
Use the "+" button and add the addresses as shown here.
Routes configuration
Add the three routes:
route <0.0.0.0/0> - set the Gateway to the address of the customer's internet gateway. Leave Dst. Address all zeros.
route <192.168.0.0/16> - routes 192.168.x.x (events) traffic through the tunnel to the base station.
route <216.133.162.64/28> - routes all internet traffic out the bridge_internet interface. The address is the network address of the base station's internet connection.
PPP & SSTP Server configuration
Note: PPP is the "dial in" protocol; SSTP is the secure tunnel that PPP uses.
Select the "Profiles" tab from the PPP interface and add a new profile.
On the "General" tab fill in the new profile name and select "bridge_tunnel" from the drop-down list.
Select the "Protocols" tab and check "yes" for "Use Encryption".
From the PPP interface select the "Secrets" tab and create a new secret.
Fill in the name and password and select the profile you have created above.
Select "SSTP Server" from PPP -> Interface, set the port to 1723, select "default-encryption" and uncheck "pap" and "chap" authentication.
If the VPN client is configured the connection will start automatically. If the VPN client is not configured, see Configure VPN Client (Client Side, above).
To check the active connection select PPP -> Active Connection or Bridge -> Ports.
NTP configuration
Network Time Protocol - keeps the time synchronized.
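The server-side "Advanced Configuration" above (three bridges, addresses, default route, PPP profile and secrets, SSTP server) is the other half of the tunnel, and most field failures come from the two ends disagreeing on port, user name, password or allowed authentication. The following is an added example, not code from the original page or from MikroTik: it renders the base station settings as RouterOS v6 CLI lines and then checks a Transfer Point's dial-out values against what this server will accept. Bridge names, the MAC address and the addresses are the ones in the notes; "bs-profile", the user name "tp1" and the password are placeholders, and the authentication list is narrowed to MS-CHAPv2 (the notes only say to uncheck pap and chap).

```python
# Added example (not from the original page or MikroTik): render the base
# station (VPN server) settings and check a client's dial-out values against them.


def base_station_config(wan_cidr, wan_gateway, secrets, sstp_port=1723,
                        wan_interface="ether1", lan_cidr="192.168.0.2/16"):
    """secrets is {username: password}. Returns a list of RouterOS CLI lines."""
    lines = [
        # bridge_local: ARP on, fixed MAC, RSTP; carries ports 5-10 and the LAN address
        "/interface bridge add name=bridge_local arp=enabled auto-mac=no "
        "admin-mac=00:00:5E:80:01:01 protocol-mode=rstp",
        # bridge_tunnel: ARP off, RSTP; PPP sessions are bridged in here by BCP
        "/interface bridge add name=bridge_tunnel arp=disabled protocol-mode=rstp",
        # bridge_internet: ARP on, no STP; faces the ISP
        "/interface bridge add name=bridge_internet arp=enabled protocol-mode=none",
    ]
    lines += [f"/interface bridge port add bridge=bridge_local interface=ether{n}"
              for n in range(5, 11)]
    lines += [
        # The notes put the static address on ether1. If ether1 is made a port of
        # bridge_internet, the address must be moved onto bridge_internet instead.
        f"/ip address add address={wan_cidr} interface={wan_interface}",
        f"/ip address add address={lan_cidr} interface=bridge_local",
        f"/ip route add dst-address=0.0.0.0/0 gateway={wan_gateway}",
        # PPP profile: sessions bridged into bridge_tunnel, encryption on
        "/ppp profile add name=bs-profile bridge=bridge_tunnel use-encryption=yes",
    ]
    for user, password in secrets.items():
        lines.append(f"/ppp secret add name={user} password=\"{password}\" "
                     "service=sstp profile=bs-profile")
    # SSTP server on the port from the notes; pap and chap unchecked, mschap2 only
    lines.append(f"/interface sstp-server server set enabled=yes port={sstp_port} "
                 "default-profile=bs-profile authentication=mschap2")
    return lines


def check_pairing(public_ip, sstp_port, secrets, client):
    """client: dict with connect_to, port, user, password and authentication (list).

    public_ip is the address the Transfer Point dials: the base station's own
    static IP, or the NAT address if port forwarding (1723 or 443) is used.
    """
    problems = []
    if client["connect_to"] != public_ip:
        problems.append(f"client dials {client['connect_to']}, server is {public_ip}")
    if client["port"] != sstp_port:
        problems.append(f"client port {client['port']} != server port {sstp_port}")
    if client["user"] not in secrets:
        problems.append(f"no PPP secret named {client['user']}")
    elif secrets[client["user"]] != client["password"]:
        problems.append(f"password for {client['user']} does not match the secret")
    weak = sorted({"pap", "chap"} & set(client["authentication"]))
    if weak:
        problems.append(f"client still allows {weak}; the server only accepts mschap2")
    return problems


if __name__ == "__main__":
    secrets = {"tp1": "example-only-passphrase"}          # constructed values
    print("\n".join(base_station_config("216.133.162.68/28", "216.133.162.65", secrets)))
    client = {"connect_to": "216.133.162.68", "port": 1723, "user": "tp1",
              "password": "example-only-passphrase", "authentication": ["mschap2"]}
    print("pairing problems:", check_pairing("216.133.162.68", 1723, secrets, client) or "none")
```

The pairing check is worth running against the values recorded for each Transfer Point before it ships; a mismatch shows up on the router only as an SSTP client that never leaves the "connecting" state.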
Configuration files
It will be much easier for us to make the equipment configurations using the backup/restore RouterOS function; the only thing that has to be changed after the restore will be the internet connection settings.
Attached you can find the router configuration (backup) files from our equipment, which can be restored onto the same models that you have.
Server side Config File
Idrive-BS1-04062013-1833.backup will be used for RB2011LS-IN, Base station equipment.
Client Side Config File
Idrive-TP1-30052013-1851.backup will be used for RB751u-2HnD, TP equipment.
To be able to create the VPN, a public IP will be called from the transfer point equipment (VPN client), so we need a dedicated IP for the Base Station router, or "port forwarding" (1723 or 443) can be used to one of the private LAN IPs.
Restore the configurations
Get the winbox.exe application (the configuration tool for RouterOS):
http://www.mikrotik.com/download or
https://admincenter.idrive.pro/wiki/images/c/c2/Winbox.zip
1. Run winbox.exe;
2. Connect the router to the computer directly or through a switch (works with a Cat 5 cable).
3. Start the application and click the “…” button, wait for the equipment's MAC address to be listed, click on it and Connect. Use login name: admin / empty password.
4. Select the “Files” section from the left menu, drag the specific .backup file onto the file list and click “Restore”. (Or copy the file from the hard drive and paste it into the RouterBoard.)
After this the only thing that needs to be changed is the IP address of the Base Station equipment (RB2011LS-IN), port “ether1”, for the internet connection, using Winbox under the “IP” section > “Addresses”, and the gateway under the “IP” section > “Routes” (0.0.0.0/0 to x.x.x.x).
For the RB751u-2HnD, if the 3G modem is compatible with the equipment, you have to set the APN using Winbox under “PPP” > “Interface” > Edit existing connection > General tab > APN, and PPP Advanced Mode if it requires a username and password.
VPN Useful Links
http://wiki.mikrotik.com/wiki/Manual:BCP_bridging_%28PPP_tunnel_bridging%29
http://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
MikroTik NAT
http://wiki.mikrotik.com/wiki/NAT_Tutorial
MikroTik 3G
http://www.wifitech.com.pk/howto-connect-evonitro3g-modem-with-mikrotik/
http://www.tnsolutions.ro/rb-751g-2hnd-3g-orange-rds/
http://www.youtube.com/watch?v=0MCMbDIR7kM
RB751U-2HnD Manuals
Quick Guide: http://i.mt.lv/routerboard/files/rb751U-2HnD-qg.pdf
User Guide: http://i.mt.lv/routerboard/files/rb751U-2HnD-ug.pdf
RB2011LS-IN Manuals
Quick Guide: http://i.mt.lv/routerboard/files/rb2011L-qg.pdf
RouterOS Manual: http://wiki.mikrotik.com/wiki/Manual:TOC