Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Tombstone · Sun Dec 25, 2016 1:50 pm

Hello
As I mentioned i have Site-to-Site VPN between 2 Mikrotik router.
I can ping any client/host on the network between both locations successfully but can not access in shared files.
Should I forward some port or any idea?

Thanks

Tombstone · Wed Dec 28, 2016 10:53 am

Interesting...

No ideas?

pe1chl · Wed Dec 28, 2016 11:56 am

When you can connect between systems but you cannot use the application level services, it likely is a
problem at the application level, not the MikroTik routers. You may need to change security settings,
deploy some inter-site name service (DNS), etc.
This all depends on details of your network, which you carefully omitted from your question.

lillis · Wed Dec 28, 2016 1:25 pm

Can you reach the shared files on the local network? If not you probably have some problems on the application level, as pe1chl described. Maybe you have blocked access in a local firewall or something?

zipvault · Wed Dec 28, 2016 1:47 pm

samba?

Tombstone · Wed Dec 28, 2016 2:18 pm

When you can connect between systems but you cannot use the application level services, it likely is a
problem at the application level, not the MikroTik routers. You may need to change security settings,
deploy some inter-site name service (DNS), etc.
This all depends on details of your network, which you carefully omitted from your question.

I already spoke to my service (network) provider and they said there is no problem from them.

Can you reach the shared files on the local network? If not you probably have some problems on the application level, as pe1chl described. Maybe you have blocked access in a local firewall or something?

I can't. I already disabled every "Drop" rule in a Router Firewall, but nothing...

pe1chl · Wed Dec 28, 2016 3:36 pm

I already spoke to my service (network) provider and they said there is no problem from them.

Unless you obtain file services from some provider, the place where you need to look is your own network.
Do you have the basic skills to operate a multi-site network for the secret operating system that you are using?
When this is your first experience with connecting some sites together and then sharing files between them,
you might have to do configuration tasks on the servers and clients that you have never done before.
But that is not a router issue.

bennn · Fri Dec 30, 2016 2:24 am

I have experienced the same, ping is possible but file shares are not. It was definitely a firewall filter rule that fixed it however my configured has changed so much since then that the rule no longer exists and I don't remember it!
Try adding an Accept rule for the other site's internal subnet and go from there.

Tombstone · Fri Dec 30, 2016 2:26 pm

It's Firewall issue...
Thanks everyone...

giga157 · Fri Jan 13, 2017 10:38 pm

Hi everyone, I have a similar problem. I have a site-to-site vpn and it is working correctly, but I can not ping the router and no network computers.

I already have a NAT rule, but my problem continues.

Company: 192.168.100.0/24
Branch: 192.168.0.0/24

These rules are at the top.
Company Router: add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.100.0/24
Branch Router: add chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.0.0/24

Any idea?

bennn · Sat Jan 14, 2017 4:17 pm

Have you got your routes set up in IP > Routes?

giga157 · Sat Jan 14, 2017 4:58 pm

The only routes I have is for the links. How should it be done?

Company: 192.168.0.0/24 (lan branch) gateway: vpn link?
Branch: 192.168.100.0/24 (lan company) gateway: Link vpn?

Do I need to mark a route through IP> Firewall> Mangle?

Thank You.

bennn · Sun Jan 15, 2017 4:23 pm

Can you post an export of your routes...?

You don't need to Mangle anything.
You should have at least three routes on each router; LAN, WAN and VPN. Post your config and I'll take a look.

giga157 · Sun Jan 15, 2017 8:26 pm

Okay, take a look.

Company:

/ip address
add address=192.168.100.1/24 interface=LOCAL network=192.168.100.0

/ip firewall filter
add chain=forward out-interface=LOCAL
add chain=forward dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add chain=input comment=RDP dst-port=xxxx protocol=tcp
add chain=input dst-port=1723 protocol=tcp
add chain=input dst-port=1701 protocol=tcp
add chain=input dst-port=500 protocol=udp
add chain=input protocol=ipsec-ah
add chain=input protocol=ipsec-esp

/ip firewall nat
add chain=srcnat comment="VPN IPSEC NAT" dst-address=192.168.10.0/24 src-address=192.168.100.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=Imicro
add action=masquerade chain=srcnat out-interface=Velox
add action=dst-nat chain=dstnat comment=RDP dst-port=xxxxx protocol=tcp to-addresses=192.168.100.xxxx to-ports=xxxx
add action=dst-nat chain=dstnat comment=WINBOX dst-address=xxx.xxx.xxx.xxxx dst-port=xxxx protocol=tcp to-addresses=192.168.100.1 to-ports=xxxx
add action=dst-nat chain=dstnat comment="VPN PORTAS" dst-port=1723 protocol=tcp to-addresses=192.168.0.1 to-ports=1723
add action=dst-nat chain=dstnat dst-port=47 protocol=tcp to-addresses=192.168.0.1 to-ports=47
add action=dst-nat chain=dstnat dst-port=1723 protocol=tcp to-addresses=10.0.0.1 to-ports=1723
add action=dst-nat chain=dstnat dst-port=500 protocol=udp to-addresses=192.168.100.0/24 to-ports=500
add action=dst-nat chain=dstnat dst-port=1701 protocol=udp to-ports=1701
add action=dst-nat chain=dstnat dst-port=4500 protocol=udp to-ports=4500
add action=dst-nat chain=dstnat comment=SRV dst-port=xxxx protocol=tcp to-addresses=192.168.100.xxxx to-ports=xxx

/ip route
add distance=1 gateway=Imicro routing-mark=link1_route
add distance=1 gateway=Velox routing-mark=link2_route
add distance=1 gateway=Imicro
add distance=1 gateway=ISP1
add distance=1 gateway=192.168.100.1
add distance=2 gateway=Velox

Branch:

add address=192.168.0.1/24 interface=LOCAL network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1

/ip firewall filter
add chain=forward out-interface=LOCAL
add chain=forward dst-address=192.168.100.0/24 src-address=192.168.0.0/24

/ip firewall nat
add chain=srcnat comment=VPN dst-address=192.168.100.0/24 src-address=\
    192.168.0.0/24
add action=masquerade chain=srcnat out-interface=Imicro
add action=dst-nat chain=dstnat comment=WINBOX dst-address=xxx.xxx.xxx.xxx\
    dst-port=xxxx protocol=tcp to-addresses=192.168.0.1 to-ports=xxxx
add action=dst-nat chain=dstnat dst-port=500 protocol=tcp to-addresses=\
    192.168.0.0/24 to-ports=500
add action=dst-nat chain=dstnat dst-port=1701 protocol=tcp to-addresses=\
    192.168.0.0/24 to-ports=1701
add action=dst-nat chain=dstnat dst-port=4500 protocol=tcp to-addresses=\
    192.168.0.0/24 to-ports=4500

/ip route
add distance=1 gateway=Imicro

bennn · Sun Jan 15, 2017 9:18 pm

OK, so I see you don't have routes, so traffic doesn't know how to reach the other network.
Add these, see how you get on.

Company:

/ip route
add comment=VPN distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1

Branch:

/ip route
add comment=VPN distance=1 dst-address=192.168.100.0/24 gateway=192.168.100.1

giga157 · Sun Jan 15, 2017 11:01 pm

It worked perfectly my friend, thank you very much. I will continue to be present in the forum in search of knowledge. Now, I can find through the server, but through the terminal in rb, I get a ping timeout response, is that right?

bennn · Sun Jan 15, 2017 11:11 pm

It helps to do a 'source address' when pinging, so the Mikrotik knows which route to use.
I would help with a command but I'm not near a computer. Sorry!

For example, if pinging from Company to Branch then set the source address as the local Mikrotik: 192.168.100.1

giga157 · Mon Jan 16, 2017 12:07 am

I understand, you've already helped me a lot. I owe you a cold beer here in Brazil. All the best!