This article has two purposes. It is the second part of the Mikrotik IPSec series and, at the same time, a short virtualization guide. I will show how we can simulate the most common scenarios in a virtual environment.
Although I am using Oracle VirtualBox (referred to as VBox from here on) for these demonstrations, you can use any other virtualization solution in a very similar way. We don’t need any special features of the virtualization solution; you only need to tune your VMs to the settings of your own environment. You can find my guides about the VBox environment here and here.
Whenever we want to simulate a specific scenario, regardless of whether it is network testing, OS evaluation or application development (just to name a few), we need to establish a testing frame. Inside this frame, we can then specify the testing procedures and the expected results. We can further choose the appropriate VMs that will serve us in that demonstration.
In this series we will demonstrate network connections. Therefore, we need routers and some clients and servers, commonly referred to as hosts. We are presenting the Mikrotik RouterOS capabilities, so we will use the software-based RouterOS x86 versions. To expand the possibilities, we will use different versions of RouterOS; in real life you can’t expect to always be working with the latest version.
We do not need any special feature on the hosts used for the presentation. They only need to be able to communicate over the TCP/IP protocols. That means that we can use any operating system on the hosts, from DOS through Windows to Linux and UNIX.
Oh yes, you can use ye olde DOS with a packet driver and a TCP stack as a client or even as a small server. There are software packages for Web, FTP or Telnet servers. If you’re using the Microsoft stack, you can build a small server with shares. In addition, you need only 4 MB of RAM and about 10 MB for the virtual HDD. I found this very nice for grandpa DOS.
During this series, our scenario is to simulate a mutual connection between two companies. One of them is larger. The second company can be a “daughter” company, a branch or a partner company. In addition, we have a few users somewhere on the road, and maybe some small company that works with us.
I was a bit lazy and I’m using the famous company names from the Microsoft scenarios and exams. Therefore, yes, they are Contoso and FabrikaM. However, the names are not important at all; name them as you wish.
More important is the relation between the networks. You can see four clouds. In the real world, there can be even more clouds, and every cloud is a local ISP. We can make this whole scenario very simple or very complicated. I suggest keeping it simple.
Even if both customers use the same ISP, they cannot communicate directly. Therefore, in the end I used one ISP between both companies. Every company has its own “public IP” from a /30 network pool.
I omitted another ISP for the remote users and the small partner company. I used just another router to simulate ADSL links and PPPoE access. You can add more routers here, but they will not add anything to the exercise.
I followed the recommendations about the IP addresses used in demonstrations according to this and this RFC. You can easily find the address blocks reserved for documentation in RFC 5737, on page 1, section 3.
I also recommend that you check RFC 5735, where you can find many more blocks of IP addresses that you can use in demonstrations. We can use private IP addresses as well, as the test environment is separated from the rest of the network.
How can we simulate separated networks?
You can use any computer for these simulations. It can be a desktop, a laptop, even a server, whatever you have. I’m using a laptop, as this is more convenient for me. Every modern laptop (or notebook) has only one wired and one WiFi NIC. In addition, we usually can’t add a new NIC to a laptop.
Most of the time, we’re using only one of those NICs, never both at the same time. Moreover, we should not use both NICs at the same time, or we can make a real mess of our network access. So, how can we simulate more than one network?
No, you don’t need to throw out that laptop and run to buy some desktop computer. Instead, we will use the miracle feature of every virtualization solution: the virtual network switch, or vSwitch.
A virtual network switch is a feature that simulates the whole operation of a network switch without the hardware. The capabilities of such a switch vary between solutions. This part is not necessary now and I’ll not spend time on it today.
We can build three types of virtual network switches:
An external switch is built on top of the host’s NIC and virtualizes even the host’s own network connection. Every VM connected over that switch can access the rest of the network in the same way as the host. This approach is used in private clouds, mostly in corporate networks. I’m using such access for the remote-support VM.
Now I’ll briefly go a bit off-topic. If you’re a SysAdmin, then you should use VMs with network access even for system administration. Furthermore, you should use a separate VM for e-mail or the Internet from the VM for remote administration of your servers. As I mention in this post, Windows servers can be (and should be) administered remotely, and we don’t need a GUI on them.
An internal switch is also built on top of the host’s NIC, but the VMs can only communicate with the host and among themselves. In this scenario, you can’t access the rest of the network.
We can build more than one internal network even if we have only one NIC. Over one NIC we can build only one vSwitch, so the solution is very simple: add more NICs. Depending on the solution, we can either install a virtual NIC from our virtualization solution or add the Microsoft Virtual Network Adapter as a new NIC in the computer. Oracle VBox supports both methods.
Such a virtual adapter, either the VBox Host-only Network adapter or the Microsoft Loopback adapter, can have an IP address. If it has an IP address, we can communicate with the VMs. In addition, if we have a network connection through the switch to the Mikrotik router, we can use the WinBox GUI tool.
The last type, the private switch, creates a purely internal network visible only to the VMs. Even the VMs can’t reach the host over it. This vSwitch is not connected to any NIC. In theory, the number of private vSwitches is not limited.
What have I done in my environment?
Based on these features, I added one host-only network. That adds an internal NIC to the host, and I can assign an IP address to it. Furthermore, I can even activate a DHCP server on this NIC. VBox created a vSwitch on top of the NIC.
This is an internal vSwitch, and the VMs can communicate with the host. I will use this vSwitch and the associated network to establish control access to the routers. Every router has at least one interface on this vSwitch. That allows me to access them using the WinBox tool over the MAC telnet protocol.
The IP address is from the class C private network range. In my case, it is 192.168.56.2/24. Don’t worry, you can edit it and assign another IP address from any private range.
Furthermore, we can assign completely different IP addresses to the VMs. Yes, that will create an isolated private LAN between the VMs that use that vSwitch. That’s what I did here. As you can see in the picture, I assigned addresses from TEST-NET-3 to the virtual ISP and to the “public” IPs of the routers.
For the Contoso and FabrikaM networks, I used internal networks and internal vSwitches. This allows me to use a DHCP server inside each network segment. Every segment is isolated, and I need a router to access anything outside it.
Contoso is the virtual big company. They have a datacenter and, inside it, we have a few servers. In most cases, servers like the e-mail or Web server are published and accessible from the Internet. However, I made these servers internal. This Web server can be a simulation of a CRM or SharePoint server. In that case, we will not publish those servers to the Internet. Rather, we will keep them inside the network, with limited access for partners and remote workers.
On the other side is the smaller company named FabrikaM. This company can be a partner company, an acquired company or a branch office. The only important considerations are that this is a separate network segment with a different range of IP addresses, and that we must use a VPN tunnel to access it.
To make this scenario more realistic, I used VLANs between the MegaISP, Contoso and FabrikaM routers. This is a feature of RouterOS and has nothing to do with vSwitches. The only important item here is that the Contoso and FabrikaM routers can’t communicate directly. The MegaISP router must forward traffic between them.
Then I added one access router with a PPPoE concentrator. That access router will simulate the ADSL links. I intentionally limited traffic to 4/1 Mbps for the clients. With that limitation, we can replicate slow links as in a real-life case. Actually, this speed is not so important in these scenarios, but I like to make it as real as possible.
Internet access is made over a separate network connection on the MegaISP router. I connected this vNIC (yes, this is the virtual NIC in the VM) to the external vSwitch on top of one of my NICs. The beauty of this solution is that I can reconnect this vNIC to the active NIC at any time. Then you can release the beast.
Of course, to avoid complex routing, I added outgoing NAT (or masquerade) to this connection. After that, regardless of the network range that I use inside the virtual lab (and the environment where I need to give the presentation), I can allow Internet access from the VMs. In most cases, such access is not necessary, but it’s nice to know that we can do it.
Don’t be confused. I just rearranged the position of the objects in the picture to highlight them. It’s not a mistake that there are no IP addresses. Those clients will use dynamically allocated IP addresses from the access server.
I added one small virtual company. I named it Trange Frange. That’s jargon in Serbian and means something that is low quality and hastily created. It is a common case that I have seen far too often: companies lease grandma’s ADSL link for their business needs and later complain about how slow it is. Really?
As you can see, in this case we have a router in front of our Mikrotik router. Moreover, as in real life, we can’t manage that front router. I used just another Mikrotik router, but you get the point.
Those remote users will simulate the company’s employees who are working from home, while on the road (so-called “road warriors”), or contracted workers. The common factor for all of them is that they need to access our company network over the Internet. Therefore, we first need to establish the VPN tunnel. The logical choice would be L2TP/IPSec.
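As an added example (not from the original post), here is how the three vSwitch types described above can be wired to a router VM from the command line with VBoxManage: a host-only adapter for the management vSwitch, VirtualBox internal networks for the isolated LAN segments, and a bridged adapter for the external vSwitch that gives MegaISP its uplink. It assumes a Linux host where the host-only adapter is named vboxnet0 (on Windows it carries the adapter’s display name) and a physical NIC named eth0; the VM and network names are made up for the lab.

```shell
# Wire lab router VMs to VirtualBox vSwitches with VBoxManage.
# Set VBOX_DRY_RUN=1 to print the commands instead of running them,
# so the plan can be reviewed on a machine without VirtualBox.
vbm() {
    if [ -n "${VBOX_DRY_RUN:-}" ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# Management vSwitch (host-only): the host gets an IP on it and a DHCP
# server hands out leases; WinBox / MAC telnet to the routers rides on it.
# $1 host-only interface (assumed: vboxnet0), $2 host IP, $3 DHCP server IP
setup_mgmt_network() {
    mgmt_if=$1; host_ip=$2; dhcp_ip=$3
    net=${host_ip%.*}   # first three octets, e.g. 192.168.56
    vbm hostonlyif ipconfig "$mgmt_if" --ip "$host_ip" --netmask 255.255.255.0
    # 'dhcpserver add' fails if VBox already created a server for this
    # adapter; use 'dhcpserver modify' with the same options in that case.
    vbm dhcpserver add --ifname "$mgmt_if" --ip "$dhcp_ip" \
        --netmask 255.255.255.0 --lowerip "$net.100" --upperip "$net.200" --enable
}

# Wire one router VM: nic1 -> host-only (management), nic2 -> internal
# network (the isolated company LAN, invisible to the host), nic3 -> bridged
# onto a physical NIC when an uplink is given (MegaISP's Internet access),
# otherwise left disconnected.
# $1 VM name, $2 host-only interface, $3 internal network name, $4 uplink NIC
wire_router() {
    vm=$1; mgmt_if=$2; lan_net=$3; uplink=${4:-}
    vbm modifyvm "$vm" --nic1 hostonly --hostonlyadapter1 "$mgmt_if"
    vbm modifyvm "$vm" --nic2 intnet --intnet2 "$lan_net"
    if [ -n "$uplink" ]; then
        vbm modifyvm "$vm" --nic3 bridged --bridgeadapter3 "$uplink"
    else
        vbm modifyvm "$vm" --nic3 none
    fi
}

# Example lab wiring (VM, network and NIC names are made up):
#   setup_mgmt_network vboxnet0 192.168.56.2 192.168.56.3
#   wire_router contoso-rtr  vboxnet0 contoso-lan
#   wire_router fabrikam-rtr vboxnet0 fabrikam-lan
#   wire_router megaisp-rtr  vboxnet0 isp-transit eth0
```

The VMs must be powered off while `modifyvm` runs; re-pointing `--bridgeadapter3` to the WiFi NIC is the “reconnect to the active NIC” step from the paragraph above.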
The next step
I have described my virtual environment. I didn’t spend time going too deep into specific settings in VBox, like how to associate a vNIC with the predefined type of vSwitch. You can find this described in detail in the online manual.
Although this part was more theoretical, it’s the next step in the deep dive into the world of Mikrotik IPSec services. In the next part we will present the first and most commonly used scenario: the site-to-site Mikrotik IPSec VPN.
All described scenarios will rely on this and the previous post. If you find something unclear, I encourage you to send me your questions, feedback and suggestions.