At the moment i have 400+ internal (IPs 10.0.1.1 - 10.0.2.209) for 400+ devices. I want to create a VPN PPTP Connection for every single IP to a Server IP, so that every single device uses a different public IP.
The server is already set up and everything works. I managed to create VPN connections the following way:
Everything works, but at some point, i run into the “mark-routing” limit thats mentioned in a thread on mikrotik forums. There seems to be a limit at 250/260?
Is there a more “elegant” way to let the internal IPs use the public server IPs or a way to avoid the “mark-routing” limit? Or maybe i am doing some other things the wrong way.
I’m not seeing why you want that many vpns.it would seem to be an application for NAT. You also need to beware having the router handle that many connections.
Can you please post a network diagram? Because maybe you don’t need to have that many tunnels but dynamic routing between your internal router and your “server IP”.
Thanks for your fast reply. What do you recommend?
Problem is i don’t know how to set up the hetzner server + 254 additional IPs with something else than pptp.
Thanks for your answer. Can you ellaborate on this? Unfortunately i am a “beginner” in networking.If i only create one vpn connection from the router to the server, how can i get sure, that every local IP from the devices connected to the router gets a individual public IP?
I can only use NAT for local connections (LAN) right?
I described my setup more precisely in another post. I have 400+ devices with internal IPs at my company and an external dedicated server from hetzner with 255 additional IP-package. The internal IPs from the devices in the company should use the external IPs of the server.
You can nat an external ip to an internal. I amnfinding it hard to imagine why you want to expose that many devices to the internet e rent though. Generally I would map specific ports. You router is going to be better off if most of this is handled in a block rather than processing so many definitions.
The Hetzner server has the public IPs routed to it? If that’s a yes then:
Create a tunnel (IPsec, L2TP/IPsec, GRE…) from the Hetzner server to the Mikrotik router.
Route all the public IPs to the Miktrotik using the tunnel you just created.
Decide if you wan to give the public IPs to each device or NAT them on the Mikrotik:
To give the IPs de each device you can do it by PPPoE or just declare the network (or networks) assigned to you on the “LAN” side of the Mikrotik and assign IPs using DHCP / static addressing.
If you want the public IPs to no enter your “LAN” side just declare them on the Mikrotik and NAT accordingly (ex: 10.0.1.11/32 → 100.0.0.1/32, 10.0.1.12/32 → 100.0.0.2/32…)
If the Hetzner server does not have the public IPs routed to it just use the same method but NAT on the Hetzner server (giving the IPs to the end users is not possible in this scenario)
Tunnel to the Mikrotik
Route your 10.0.1.0/22 to the Mikrotik ant the create the NAT rules on your Hetzner server (ex: 10.0.1.11/32 → 100.0.0.1/32, 10.0.1.12/32 → 100.0.0.2/32…)
I described it more precisely on another post under this one. I have 400+ devices with internal IPs at my company and an external dedicated server from hetzner with 255 additional IP-package. The internal IPs from the devices in the company should use the external IPs of the server.
Ok. I don’t know if i described it right in my initial post.
I have 400+ devices with internal IPs at my company and an external dedicated server from hetzner with 255 additional IP-package. The internal IPs from the devices in the company should use the external IPs of the server.
If I only create 1 VPN connection to the server, the server can’t “see” my internal IPs from my company, right? It can only “see” the router IP from the company?
You connect your machine to your server (pool of public ips) with a secure VPN (IPsec or wire guard) then you can point every public ip to you specific internal ip with the mentioned NAT method.
If I only create 1 VPN connection to the server, the server can’t “see” my internal IPs from my company, right? It can only “see” the router IP from the company?
No. Without NAT in place all the original IP address are available over the tunnel.