Multi node management

This article, a work in progress, describes how to remotely monitor and manage one or more groups of bridged routers from a central location. The configuration instructions for RouterOS are based on WinBox, and are not intended for copy/paste. Use them as guidelines.
Network Topology

At the network monitoring location, you want to use the Dude or WinBox to monitor and manage all of the remote routers.

Each remote bridged network looks like this:
A cable modem or DSL modem, referred to in this article as The Modem, at a remote location
A router, referred to in this article as the Gateway Router, connected to the Modem using a public IP address
A bunch of routers wirelessly connected to the Gateway Router via WDS
All of the routers having addresses on the same private subnet
The Gateway Router is using NAT to masquerade the private subnet

You might also have these complications:
The Gateway Router might be running a Hotspot
There might be a non-MikroTik firewall or router between the Modem and Gateway Router
There might be several remote subnets
[edit]
Basic Solution - single remote subnet

The following 2 procedures will setup a PPTP server on the gateway router and a PPTP client on the network management PC.

When you activate the connection to the gateway router from your PC, the Dude or WinBox will appear to be on the private side of the gateway router, on the bridged subnet, and WinBox and/or the Dude will be able to connect directly to any router or all of them at once. Port forwarding is not needed.
[edit]
On the Gateway Router:
ppp->pptp server->enabled (check all authentication boxes)
ppp->secrets->add
name =
password =
service = pptp
local address =
remote address =
[edit]
On the Windows PC where WinBox or the Dude is run:

The following prodedure is for Windows XP SP2.
Start->Control Panel->Network Connections->Create a new connection
Connect to the network at my workplace Next>
Virtual Private Network Connection Next>
Select a name to call this VPN Next>
Do not dial the initial connection Next>
Enter the IP address of the PUBLIC side of the Gateway Router




[edit]
Solution with Hotspot on Gateway Router

Since the other routers are behind the hotspot, they will not be able to communicate with the VPN tunnel in the Gateway Router, even though they are all on the same subnet. To permit access through the hotspot to each of the other routers, create an IP Binding entry as shown below for each router that is behind the hotspot. The IP addresses assigned to the routers can be outside the hotspot address pool if you prefer.
For each router, whose private ip address is of the form 192.168.x.y:
ip->hotspot->IP Bindings->Add
Address: 192.168.x.y
To Address: 192.168.x.y
Type: bypassed
[edit]
Solution with Firewall/Router between Modem and Gateway Router

Assume the gateway router has IP address 192.168.a.b as viewed by the firewall/router. On the firewall/router between the Modem and the Gateway Router, do the following:
Forward port 1723 (PPTP) to IP address 192.168.a.b
Forward protocol 47 (GRE) to IP address 192.168.a.b

Note that some routers cannot forward protocols, only ports. In this case, you will NOT be able to create a VPN tunnel to the gateway router. Also, some routers can forward protocol 47, but the mechanism to do so is undocumented. There are also routers that will forward protocol 47 automatically when you forward port 1723. Consult the documentation for your router, and if you don't find any mention of PPTP or port 1723, try finding a user forum where this subject is discussed.
[edit]
Solution with multiple remote subnets

Create a separate VPN tunnel to each bridged network