School me on RouterOS site-to-site VPN

bds1904

Gawd
Joined
Aug 10, 2011
Messages
1,007
I'm looking into the Routerboard RB2011UAS series of routers for myself and several of my friends. The hardware specs fit our needs, and I have used RouterOS a little in the past on some older Routerboard products. Even then it was very limited use.

We do routed site-to-site connections between my house and the other LANs. The networks behind each router are in different broadcast domains, and therefore use their own internet connections to surf.

What are my options for types of connections to use for the site-to-site links, as well as the associated pros and cons?
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,161
IPSec is your best bet. If you have dynamic IPs it may be a pain though. You can also use pptp and sstp if you wish.

Check out Greg Sowell's site for great tutorials with site to site using RouterOS.

I'm a huge fan of Mikrotik routers. I have quite a few deployed.
 

dave99

2[H]4U
Joined
Jan 20, 2011
Messages
2,129
I don't know much about RouterOS, but I've learned to love using openvpn over ipsec. Maybe a touch more difficult to set up initially, but far more reliable for me. Every now and then an IPSEC tunnel will go down (usually when I'm rebooting a firewall on one side, or a momentary internet outage) and then be a bitch to get reconnected due to timing mismatches for 10 or 15 minutes. With openvpn, my tunnels are up and running before the OS (pfsense) is even fully finished booting.
 

RESTfulADI

2[H]4U
Joined
Feb 20, 2005
Messages
2,211
> IPSec is your best bet. If you have dynamic IPs it may be a pain though. You can also use pptp and sstp if you wish.
>
> Check out Greg Sowell's site for great tutorials with site to site using RouterOS.
>
> I'm a huge fan of Mikrotik routers. I have quite a few deployed.

I'm a huge fan too but SHA kills the cpu, I couldn't even get 2 Mbit on the 750GL with site to site ipsec using AES 128 before reverting to MD5. My 750G overclocked to 800 still can't hit 5 Mbit. And why they refuse to implement OpenVPN over UDP is beyond me. Finally I decided to use OpenVPN and forward tunnel traffic to a pfSense vm. I'd like to see what the Edgerouter Lite can do.

I love their QoS though, one day I need to sit down and make sense out of the v6 changes.

OP, my coworker got the RB2011 and he likes it so far but we found some interesting things. The gig switch and the 100Mb switch are bridged and you will peg the cpu if you transfer a lot of data between them. Also, even though the cpu overclocks to 750, with a few mangle rules and a queue tree, it can barely handle 50/25 FIOS.
 

bds1904

Gawd
Joined
Aug 10, 2011
Messages
1,007
Just to update, I pulled the trigger on a RB2011UAS-RM for my house and a few RB951G-2HnD for my friends.

So far so good. A 5 Mbit VPN over IPIP encrypted with IPSEC put the cpu at 45% which fits our needs. We are running OSPF to handle the routing table, I'm lazy.

The goal of this entire project was to reduce power usage, and that has happened. We have gone from an x86 router running pfsense and a small smart switch at each site to the previously mentioned hardware. We have reduced the power usage from 90W to 8W.

Even with some basic QoS setup on my router and a 50/15 connection the CPU never gets anywhere near 100%.

I wouldn't recommend this hardware for someone that needs extensive traffic shaping, but it gets the job done for us.

The other sites won't outgrow the hardware for 3-5yrs, but I may in 1-2yrs. At that point I am thinking about buying a L5 licence and running it virtualized on my ESXi box.
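For readers who want to see what the "IPIP encrypted with IPsec, routed by OSPF" setup above looks like on the CLI, here is an added example for one side of the link (not bds1904's config, and not from any MikroTik documentation). All addresses, interface names and the PSK are assumed placeholders; the syntax is RouterOS v6 (from 6.43 on, the secret moves from /ip ipsec peer to /ip ipsec identity). The firewall lines are the part worth copying: they accept IKE, ESP and IPIP only from the known peer, and IPIP only when it actually arrived inside the IPsec SA.

```routeros
# Site A side of a routed site-to-site link (assumed addresses):
#   Site A WAN 203.0.113.1, LAN 192.168.10.0/24
#   Site B WAN 198.51.100.1, LAN 192.168.20.0/24
#   Tunnel link 10.255.0.0/30 (A = .1, B = .2); site B mirrors this config.

# 1. Plain IPIP tunnel between the two public addresses
/interface ipip add name=ipip-siteB local-address=203.0.113.1 remote-address=198.51.100.1
/ip address add address=10.255.0.1/30 interface=ipip-siteB

# 2. IPsec in transport mode, protecting only the IPIP packets (protocol 4 = ipencap).
#    sha1/aes-128 costs more CPU than md5 on these boards, but md5 is not an integrity algorithm worth keeping.
/ip ipsec proposal add name=siteB auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024 lifetime=1h
/ip ipsec peer add address=198.51.100.1/32 secret="CHANGE-ME-long-random-psk" exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024
/ip ipsec policy add src-address=203.0.113.1/32 dst-address=198.51.100.1/32 protocol=ipencap action=encrypt level=require tunnel=no sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 proposal=siteB

# 3. OSPF over the tunnel so each site learns the other's LAN prefixes instead of static routes
/routing ospf instance set default router-id=10.255.0.1
/routing ospf network add network=10.255.0.0/30 area=backbone
/routing ospf network add network=192.168.10.0/24 area=backbone

# 4. Input firewall: only the peer may talk IKE/ESP to the WAN address,
#    and bare (unencrypted) IPIP from anyone is dropped by the default policy.
/ip firewall filter add chain=input src-address=198.51.100.1 protocol=udp dst-port=500,4500 action=accept comment="IKE from site B"
/ip firewall filter add chain=input src-address=198.51.100.1 protocol=ipsec-esp action=accept comment="ESP from site B"
/ip firewall filter add chain=input src-address=198.51.100.1 protocol=ipencap ipsec-policy=in,ipsec action=accept comment="IPIP only if it arrived inside IPsec"
/ip firewall filter add chain=input in-interface=ipip-siteB protocol=ospf action=accept comment="OSPF hellos over the tunnel"

# Checks after both sides are up:
#   /ip ipsec installed-sa print      (one ESP SA each direction)
#   /routing ospf neighbor print      (site B in state Full)
#   /ip route print where ospf        (192.168.20.0/24 learned via 10.255.0.2)
```

If the tunnel interface shows traffic but no OSPF neighbor forms, check that the IPIP rule above is matching with ipsec-policy=in,ipsec; a policy mismatch leaves the IPIP packets unencrypted and the rule correctly refuses them.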