SSTP Site to Site Routing won't work

9 posts   •   Page 1 of 1
ralflindahl
just joined
 
Posts: 4
Joined: Sun Mar 04, 2012 3:00 pm

SSTP Site to Site Routing won't work

by ralflindahl » Fri Mar 09, 2012 6:46 pm

I have 2 RB750s, trying to route site-to-site SSTP.
SSTP connects OK between the routers and I can ping from the terminal on router1 to computers behind router2,
but not from a computer on the LAN side of router1 to computers on the LAN of router2.
I.e. the tunnel is working OK, but not routing/firewall/NAT.
I think the problem is either NAT-rule or Firewall-rule. Below is my config.

Router2 is the Server Connected direct to Internet.
Router1 is behind a NAT/Firewall.

Router1:
/IP Routing
0 A S 0.0.0.0/0 10.110.110.3 1
1 ADC 172.35.0.1/32 172.35.0.2 sstp-out1 0
2 ADC 10.110.110.0/24 10.110.110.14 ether1-gateway 0
3 ADC 192.168.88.0/24 192.168.88.1 ether2-master-l... 0
4 A S 192.168.89.0/24 172.35.0.1 2

/IP Firewall NAT
0 A S 0.0.0.0/0 10.110.110.3 1
1 ADC 172.35.0.1/32 172.35.0.2 sstp-out1 0
2 ADC 10.110.110.0/24 10.110.110.14 ether1-gateway 0
3 ADC 192.168.88.0/24 192.168.88.1 ether2-master-l... 0
4 A S 192.168.89.0/24 172.35.0.1 2

/Ip Firewall Filter
;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established

2 ;;; default configuration
chain=input action=accept connection-state=related

3 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

Router2:
IP Firewall Nat
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0
out-interface=ether1-gateway

IP Firewall Filter
0 chain=input action=accept protocol=tcp in-interface=ether1-gateway
dst-port=443

1 chain=input action=accept protocol=gre in-interface=ether1-gateway

2 chain=input action=accept protocol=tcp in-interface=ether1-gateway
dst-port=1194

3 ;;; default configuration
chain=input action=accept protocol=icmp

4 ;;; default configuration
chain=input action=accept connection-state=established

5 ;;; default configuration
chain=input action=accept connection-state=related

6 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

IP Route
0 ADS 0.0.0.0/0 85.224.1.129 0
1 ADC 85.224.1.128/25 85.224.1.141 ether1-gateway 0
2 ADC 172.35.0.2/32 172.35.0.1 <sstp-vpn> 0
3 ADS 192.168.88.0/24 172.35.0.2 1
4 ADC 192.168.89.0/24 192.168.89.1 ether2-master-l... 0

I have probably missed something fundamental, but can't figure out what!
Can anybody help me ?

ralflindahl
just joined
 
Posts: 4
Joined: Sun Mar 04, 2012 3:00 pm

Re: SSTP Site to Site Routing won't work

by ralflindahl » Sat Mar 10, 2012 5:01 pm

Bump

Zebble
newbie
 
Posts: 37
Joined: Mon Oct 17, 2011 4:07 am

Re: SSTP Site to Site Routing won't work

by Zebble » Mon Mar 12, 2012 7:00 am

It's a firewall rule. Try adding a "log" action, identical to your drop rules, just before the drop rules, then try your tests again and check the logs. You should see where the packets are getting last and be able to add a rule to compensate.

If you're still stuck, send the relevant portions of the logs during your test.

-zeb

ralflindahl
just joined
 
Posts: 4
Joined: Sun Mar 04, 2012 3:00 pm

Re: SSTP Site to Site Routing won't work

by ralflindahl » Tue Mar 13, 2012 8:51 am

Hi thanks for reply, I have tried to log.
If I ping from a computer behind router1 to 192.168.88.1 I can see that the signal reaches Router2,
but if I do the reverse, ping from a computer behind Router2 to 192.168.89.1, then the signal never reaches router1.

Could this be a routing problem in the SSTP Server ?

Zebble
newbie
 
Posts: 37
Joined: Mon Oct 17, 2011 4:07 am

Re: SSTP Site to Site Routing won't work

by Zebble » Tue Mar 13, 2012 4:55 pm

SSTP doesn't do any routing, it's simply a VPN pipe. We've been using SSTP from site-to-site, as you've described, without any issues.

Your issue is either a rule problem, or a routes problem. Your routes look ok, so I suspect it's a rule problem and the logs should indicate what's being dropped and why to give you a better idea of what's going on and what you need to open up.

-zeb
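
The route check behind this advice, as an added example that is not part of the thread: a longest-prefix-match walk over the two route tables from the first post, reporting which filter chain each hop uses for a packet arriving from a LAN host. The `wan`/`lan`/`peer` exit labels and the host addresses in the demo calls are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed from the route and address columns posted in the first message.
# "peer" marks a route whose next hop is the other end of the SSTP tunnel.
ROUTERS = {
    "router1": {
        "own": {"10.110.110.14", "192.168.88.1", "172.35.0.2"},
        "routes": [("0.0.0.0/0", "wan"), ("172.35.0.1/32", "peer"),
                   ("10.110.110.0/24", "wan"), ("192.168.88.0/24", "lan"),
                   ("192.168.89.0/24", "peer")],
        "peer": "router2",
    },
    "router2": {
        "own": {"85.224.1.141", "192.168.89.1", "172.35.0.1"},
        "routes": [("0.0.0.0/0", "wan"), ("85.224.1.128/25", "wan"),
                   ("172.35.0.2/32", "peer"), ("192.168.88.0/24", "peer"),
                   ("192.168.89.0/24", "lan")],
        "peer": "router1",
    },
}

def lookup(router, dst):
    """Longest-prefix match; returns (prefix, exit) for the winning route."""
    addr = ip.ip_address(dst)
    nets = [(ip.ip_network(p), out) for p, out in ROUTERS[router]["routes"]]
    net, out = max((n for n in nets if addr in n[0]),
                   key=lambda n: n[0].prefixlen)
    return str(net), out

def trace(first_router, dst):
    """Follow dst hop by hop; each hop is (router, filter chain, exit)."""
    hops, router = [], first_router
    while len(hops) < 4:                      # guard against routing loops
        if dst in ROUTERS[router]["own"]:     # addressed to the router itself
            hops.append((router, "input", "local"))
            break
        _, out = lookup(router, dst)          # transit traffic
        hops.append((router, "forward", out))
        if out != "peer":
            break
        router = ROUTERS[router]["peer"]
    return hops

if __name__ == "__main__":
    # Constructed host addresses, one per LAN.
    print(trace("router1", "192.168.89.10"))
    print(trace("router2", "192.168.88.10"))
```

Both LAN-to-LAN directions resolve over the tunnel and pass through `chain=forward` on each router, whereas every filter rule posted is in `chain=input`, so a log rule meant to catch this traffic has to sit in the forward chain.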

ralflindahl
just joined
 
Posts: 4
Joined: Sun Mar 04, 2012 3:00 pm

Re: SSTP Site to Site Routing won't work

by ralflindahl » Thu Mar 15, 2012 5:54 pm

I've solved it.
The problem is IP Routing.
I changed the local network on router1 to 192.168.110.0/24
and then all started to work OK!
I have reset my routers to default and tested again.
If I have local networks of 192.168.89.0/24 ( on the router with SSTP Server )
And 192.168.88.0/24 on the "client" router then it just won't work.
BUG ?

hadizeid
just joined
 
Posts: 12
Joined: Wed Mar 14, 2012 8:20 am

Re: SSTP Site to Site Routing won't work

by hadizeid » Wed Mar 28, 2012 3:57 pm

Just a quick question.
Do you need to have certificates if you are trying to connect 2 mikrotiks over sstp?

Zebble
newbie
 
Posts: 37
Joined: Mon Oct 17, 2011 4:07 am

Re: SSTP Site to Site Routing won't work

by Zebble » Wed Mar 28, 2012 4:03 pm

Certificates are optional if you're connecting between Mikrotiks using SSTP.

Ibersystems
Forum Guru
 
Posts: 1675
Joined: Wed Apr 12, 2006 12:29 am
Location: Cabrils, Barcelona - Spain

Re: SSTP Site to Site Routing won't work

by Ibersystems » Tue Aug 06, 2013 2:15 pm

I just created an SSTP tunnel with all the routes and I'm able to make pings from sstpclientside to sstpserverside, but not the other way. Why?


If I make tracert from a sstpserverside computer to any computer of clientsstpside, I can reach the 10.10.10.2 IP (SSTP client) but then all the jumps are 0.0.0.0
Martín
martinruiz at ibersystems.es
Expert in WiFi networks and WiFi links.

Facebook: @Ibersystems
Twitter: @Ibersystems

Certified in Traffic Shaping, Wireless, Internetworking, Routing and User Management.
MTCTCE - MTCWE - MTCINE - MTCUME - MTCRE
