Combine multiple offices via a VPN (Kerio + Mikrotik)?

There is a head office and 10 branches around the city. At any point in the local network up to 30 hosts. Offices between the United provider through a VLAN on their side. With a single point provider allowed output 1 of the device. The head office is installed Kerio Control, which comes VLAN from the ISP for branches, Internet and LAN. The branches have a Mikrotik rb951ui-2hnd for everyone. There is a need for enterprises and branch office locations in the pile with the ability to see each other. Prompt where to dig?
April 7th 20 at 10:46
3 answers
April 7th 20 at 10:48
In principle you have everything, even VPN is not necessary to push the provider for all you have done. Has only the routes to register on Kerio and on Mikrotik'Oh, and you're done.

Can be rake, if the Pro-plan ip addressing before, no one thought suddenly it turns out that in different branches of the same network (for example, "favorite" all the staff 192.168.0.0/24 and 192.168.1.0/24).
In addition to Kerio nothing is configured. Network no problem. During the configuration process, it is now possible to prescribe any. Ie I understand you correctly, that Mikrotik can be configured as a normal router and set the routes in Mikrotik on each branch indicating as gateway Kerio? - Dylan72 commented on April 7th 20 at 10:51
@Dylan72,
pointing as a gateway Kerio
You can, especially if you want to centralizovannaja Kerio control interbranch traffic. If this is not required, there are other options:
  • each Mikrotik to prescribe 10 routes to the rest of the points (boring, but easy)
  • to raise dynamic routing.
- Hilda85 commented on April 7th 20 at 10:54
@Dylan72, Prescribe the branches of the subnet view 192.168.30.0/24, 192.168.41.0/24, 192.168.152.0/24, on Microtech specify a single route to 192.168.0.0/16 in Kerio. - shane.Upton commented on April 7th 20 at 10:57
As I understand ISP gives L3 channel and fail to marshrutizatory network without network configuration on the provider side. Or L2 channel? - dahlia_Maggio commented on April 7th 20 at 11:00
@dahlia_Maggioif the provider called the service VLAN, it must be L2. - Hilda85 commented on April 7th 20 at 11:03
@Hilda85, you're right - dahlia_Maggio commented on April 7th 20 at 11:06
@Hilda85, and here is a little below wrote that we need NATить all traffic is permitted as the output of only one device. Whether will be then problems with the routing configuration? Or I not understand something?))) - Dylan72 commented on April 7th 20 at 11:09
@Dylan72about NAT - perhaps the friend just does not understand the essence of what you have and what you want. Don't need NAT on the internal network, except for some special cases (you are not special, you have a standard requirements). - Hilda85 commented on April 7th 20 at 11:12
April 7th 20 at 10:50
Time allowed the output of one device, then you need NATить. What microt that Kerio can do it
Yeah, and then ports to push if you want to connect via rdp. Easier ip addressing to change (if not previously thought) and routes to write. Nat in a small network of evil. - dahlia_Maggio commented on April 7th 20 at 10:53
Raise the tunnel and resolve routing. As Kerio with microtia to make a tunnel there are a lot of manuals. And for the future if money can buy L2-VPN channel from your provider and not have tunnels to play. - dahlia_Maggio commented on April 7th 20 at 10:56
I wonder then what the TC means by "one device" - Dasia.Nader3 commented on April 7th 20 at 10:59
@Dasia.Nader3that the provider at this point should only see one device - Dylan72 commented on April 7th 20 at 11:02
Well here is an option then only NAT. Otherwise the other IPS provider will see - Dasia.Nader3 commented on April 7th 20 at 11:05
@Dasia.Nader3behind the NAT will normally routing between offices to work? - Dylan72 commented on April 7th 20 at 11:08
Well, probably it is necessary to first connect all the routing. Through the tunnels. And then natit. Then everything is not just fine and run perfectly. The idea is if you with the provider to negotiate and NAT is not needed. I honestly 1 time face such constraints. They are usually such garbage are not engaged. Makes no sense whatsoever. Traffic is restricted enough. And so anyway you can get around. You specify. Maybe we misunderstand something... It's not a Beeline to the end, which pulls money if anlim on multiple devices share - Dasia.Nader3 commented on April 7th 20 at 11:11
April 7th 20 at 10:52
Configure gre tunnel (provider-one connection) and to drive the routing.

And best buy office RB4011 should handle. Well, or more powerful.
Configure OSPF between microtome. Get rid of hemorrhoids in the future.
All right said above and Take of this bunch Kerio - only problem potl gain.
And what VPN you need L3 or L2? - Georgianna.Lakin commented on April 7th 20 at 10:55

Find more questions by tags VPNMikrotikKerio