Hi all,

I have a small project coming up that involves an m2m network for remote monitoring and control of distributed equipment, and I am interested in hearing about the designs and architectures that folks here may be using for this type of application.

The project will involve multiple remote sites, all with similar or identical industrial equipment (PLCs, IP cameras, etc.) and most likely connected to a dedicated 3G/4G service via a Mikrotik gateway. The equipment on the remote sites will need to be accessible over the network by a server (to collect data from equipment), a few individuals (for maintenance purposes) and by end customers (who should only be able to access devices on their own site/s, and not the whole network).

I have previously implemented a similar project where these remote sites (RB912 or similar) would run a VPN client and establish a PPTP tunnel back to a head office router (RB1100AH). The connection was over a 3G service or, where permitted, would be plugged right in to the customer's own network (using NAT and DHCP-client) and get internet access. Per a helpful suggestion from Mike, each remote network had the same subnet, which allowed for much simpler 'copy and paste' site setups, and the router/tunnel was allocated a single static address (representing a single site) on the VPN network. DST-NAT rules on the remote router were used to gain access to specific equipment on the remote network using arbitrary ports.

This worked well enough, but had a couple of disadvantages; mainly that the DST-NAT port forwarding could create issues and confusion, but also that the whole lot was dependent on the office router/network being available, PPTP could not really be claimed to be 'secure', and customers could not access their equipment unless we gave their remote site router a public IP address and opened up access that way.

Facing a similar project now, I'm curious about other implementations and approaches, and how other folks might have built out solutions around similar requirements.

For instance, I'm currently dreaming of a solution along the lines of a VPN server running on a cloud provider, also running a reverse proxy (nginx) open to the internet, such that authenticated (?) customers can create TCP connections to a device using a hostname like 'device.site.customer.mycompany.com' or 'customer.mycompany.com/device' (via proxy_pass and url rewrite directives in nginx). Each remote site has a small unique subnet (perhaps a /26) so every device is individually addressable. Maintenance staff can connect to the VPN server from wherever and have access to the full network.

If anyone has anything to contribute regarding your own set up, that would be most helpful!

Cheers - Jeremy
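The reverse proxy side of the design sketched above, written out as an added example; this is not configuration from the original post or from any poster, and the hostnames, the VPN-side addresses (each site assumed to be a /26 carved from 10.20.1.0/24), the certificate paths and the htpasswd files are all assumptions for illustration. The point it makes is that the customer-facing proxy needs two things the sketch leaves open: an explicit allow-list from device hostname to VPN-side address, so nginx never forwards to an arbitrary address, and a credential file bound to each customer's own sub-zone, so one customer's login cannot open another customer's hosts.

```nginx
# Added example, not from the original thread. Names, addresses and
# file paths are assumptions.

http {
    # Explicit allow-list: each device hostname maps to exactly one
    # VPN-side address. Anything else goes to a local sink server.
    map $host $device_upstream {
        default                          127.0.0.1:8404;
        cam1.site1.acme.mycompany.com    10.20.1.10:80;   # site1 = 10.20.1.0/26
        plc1.site1.acme.mycompany.com    10.20.1.11:80;
        cam1.site2.acme.mycompany.com    10.20.1.74:80;   # site2 = 10.20.1.64/26
        cam1.site3.globex.mycompany.com  10.20.1.138:80;  # site3 = 10.20.1.128/26
    }

    # Sink for unmapped names. It is only reached after authentication,
    # so an unauthenticated client cannot tell listed names from unlisted ones.
    server {
        listen 127.0.0.1:8404;
        return 404;
    }

    # Catch-all: unknown zones and plain HTTP get nothing at all.
    server {
        listen 80 default_server;
        listen 443 ssl default_server;
        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # must cover every device name
        ssl_certificate_key /etc/nginx/tls/privkey.pem;
        return 404;
    }

    # One server block per customer. nginx's "*.zone" wildcard matches
    # any depth, so device.site.acme.mycompany.com lands here, and the
    # htpasswd file for acme is the only one that can satisfy it.
    server {
        listen 443 ssl;
        server_name *.acme.mycompany.com;

        ssl_certificate     /etc/nginx/tls/fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;

        auth_basic           "acme remote equipment";
        auth_basic_user_file /etc/nginx/htpasswd/acme;

        location / {
            # $device_upstream is derived from the same Host header that
            # selected this block, so it can only be an acme device or the sink.
            proxy_pass http://$device_upstream;
            proxy_set_header Host            $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }

    server {
        listen 443 ssl;
        server_name *.globex.mycompany.com;

        ssl_certificate     /etc/nginx/tls/fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;

        auth_basic           "globex remote equipment";
        auth_basic_user_file /etc/nginx/htpasswd/globex;

        location / {
            proxy_pass http://$device_upstream;
            proxy_set_header Host            $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
```

Two caveats a practitioner would want with this. First, it only covers device web interfaces: nginx's http layer cannot authenticate raw TCP protocols such as Modbus/TCP or RTSP, so those should stay reachable only through the VPN (or be wrapped in mutual TLS at the stream layer, which is a separate design). Second, the hostname scheme is the one to keep; the 'customer.mycompany.com/device' path scheme breaks as soon as a camera or PLC web UI emits absolute paths, which nearly all of them do. Basic auth is acceptable here only because every customer-facing listener is TLS and plain port 80 is a dead end.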
We're working with M2MOne (m2mone.com.au) who have a few different networking options. Negates the need for establishing a VPN from the device. Pricing is on their website, but factor in a bit more for network setup and static IPs etc. Regards Russell

-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Jeremy Hall Sent: Sunday, 27 August 2017 6:34 To: public@talk.mikrotik.com.au Subject: [MT-AU Public] m2m network design ideas
A few ideas for you, if it is removing NAT that you are after ;)

1. use IPv6 instead of IPv4, and implement 6-to-4 gateway to traverse the VPN part
2. use OSPF to distribute routes
3. implement EoIP tunnel across the VPN, then bridge the remote LAN to the HQ LAN, running DHCP server at the head end (using sufficiently large subnet, e.g. /20, to cover all remotes)

Cheers! Mike.

-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Jeremy Hall Sent: Sunday, 27 August 2017 8:34 AM To: public@talk.mikrotik.com.au Subject: [MT-AU Public] m2m network design ideas
participants (3)
- Jeremy Hall
- Mike Everest
- Russell Hurren