ralflindahl
just joined
Topic Author
Posts: 4
Joined: Sun Mar 04, 2012 2:00 pm

SSTP Site to Site Routing won't work

Fri Mar 09, 2012 5:46 pm

I have 2 RB750s and am trying to route site to site over SSTP.
SSTP connects OK between the routers, and I can ping from the terminal in router1 to computers behind router2,
but not from a computer on the LAN side of router1 to computers on the LAN of router2.
I.e. the tunnel is working OK, but not the routing/firewall/NAT.
I think the problem is either a NAT rule or a firewall rule. Below is my config.

Router2 is the Server Connected direct to Internet.
Router1 is behind a NAT/Firewall.

Router1:
/IP Routing
0 A S 0.0.0.0/0 10.110.110.3 1
1 ADC 172.35.0.1/32 172.35.0.2 sstp-out1 0
2 ADC 10.110.110.0/24 10.110.110.14 ether1-gateway 0
3 ADC 192.168.88.0/24 192.168.88.1 ether2-master-l... 0
4 A S 192.168.89.0/24 172.35.0.1 2

/IP Firewall NAT
0 A S 0.0.0.0/0 10.110.110.3 1
1 ADC 172.35.0.1/32 172.35.0.2 sstp-out1 0
2 ADC 10.110.110.0/24 10.110.110.14 ether1-gateway 0
3 ADC 192.168.88.0/24 192.168.88.1 ether2-master-l... 0
4 A S 192.168.89.0/24 172.35.0.1 2

/Ip Firewall Filter
;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established

2 ;;; default configuration
chain=input action=accept connection-state=related

3 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

Router2:
IP Firewall Nat
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0
out-interface=ether1-gateway

IP Firewall Filter
0 chain=input action=accept protocol=tcp in-interface=ether1-gateway
dst-port=443

1 chain=input action=accept protocol=gre in-interface=ether1-gateway

2 chain=input action=accept protocol=tcp in-interface=ether1-gateway
dst-port=1194

3 ;;; default configuration
chain=input action=accept protocol=icmp

4 ;;; default configuration
chain=input action=accept connection-state=established

5 ;;; default configuration
chain=input action=accept connection-state=related

6 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

IP Route
0 ADS 0.0.0.0/0 85.224.1.129 0
1 ADC 85.224.1.128/25 85.224.1.141 ether1-gateway 0
2 ADC 172.35.0.2/32 172.35.0.1 <sstp-vpn> 0
3 ADS 192.168.88.0/24 172.35.0.2 1
4 ADC 192.168.89.0/24 192.168.89.1 ether2-master-l... 0

I have probably missed something fundamental, but can't figure out what!
Can anybody help me?
 
ralflindahl
just joined
Topic Author
Posts: 4
Joined: Sun Mar 04, 2012 2:00 pm

Re: SSTP Site to Site Routing won't work

Sat Mar 10, 2012 4:01 pm

Bump
 
Zebble
Frequent Visitor
Posts: 50
Joined: Mon Oct 17, 2011 4:07 am

Re: SSTP Site to Site Routing won't work

Mon Mar 12, 2012 6:00 am

It's a firewall rule. Try adding a "log" action, identical to your drop rules, just before the drop rules, then try your tests again and check the logs. You should see where the packets are getting lost and be able to add a rule to compensate.

If you're still stuck, send the relevant portions of the logs during your test.

-zeb
 
ralflindahl
just joined
Topic Author
Posts: 4
Joined: Sun Mar 04, 2012 2:00 pm

Re: SSTP Site to Site Routing won't work

Tue Mar 13, 2012 7:51 am

Hi, thanks for the reply. I have tried logging.
If I ping from a computer behind router1 to 192.168.88.1, I can see that the signal reaches Router2,
but if I do the reverse and ping from a computer behind Router2 to 192.168.89.1, then the signal never reaches router1.

Could this be a routing problem in the SSTP server?
 
Zebble
Frequent Visitor
Posts: 50
Joined: Mon Oct 17, 2011 4:07 am

Re: SSTP Site to Site Routing won't work

Tue Mar 13, 2012 3:55 pm

SSTP doesn't do any routing, it's simply a VPN pipe. We've been using SSTP from site-to-site, as you've described, without any issues.

Your issue is either a rule problem, or a routes problem. Your routes look ok, so I suspect it's a rule problem and the logs should indicate what's being dropped and why to give you a better idea of what's going on and what you need to open up.

-zeb
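
An added example, not part of the thread: a longest-prefix-match check over the two routing tables posted in the first message, confirming that traffic between the two LANs resolves to the SSTP interface in both directions. The host addresses 192.168.88.10 and 192.168.89.10 and all function names are constructed for illustration.

```python
import ipaddress

# Routes transcribed from the first post as (destination, gateway, interface).
# Connected routes carry an interface; static routes carry only a gateway.
ROUTER1 = [
    ("0.0.0.0/0", "10.110.110.3", None),
    ("172.35.0.1/32", None, "sstp-out1"),
    ("10.110.110.0/24", None, "ether1-gateway"),
    ("192.168.88.0/24", None, "ether2-master-l..."),  # name truncated on the page
    ("192.168.89.0/24", "172.35.0.1", None),
]
ROUTER2 = [
    ("0.0.0.0/0", "85.224.1.129", None),
    ("85.224.1.128/25", None, "ether1-gateway"),
    ("172.35.0.2/32", None, "<sstp-vpn>"),
    ("192.168.88.0/24", "172.35.0.2", None),
    ("192.168.89.0/24", None, "ether2-master-l..."),  # name truncated on the page
]

def lookup(table, dst):
    """Return (network, gateway, interface) of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifc in table:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, ifc)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best

def egress(table, dst, max_hops=4):
    """Resolve dst to an outgoing interface, following static gateways recursively."""
    for _ in range(max_hops):
        _, gw, ifc = lookup(table, dst)
        if ifc is not None:
            return ifc
        dst = gw  # static route: resolve its gateway next
    raise LookupError("gateway does not resolve to a connected route")

def tunnel_both_ways(r1_host, r2_host):
    """True when both the forward and the return path leave through the tunnel."""
    return (egress(ROUTER1, r2_host) == "sstp-out1"
            and egress(ROUTER2, r1_host) == "<sstp-vpn>")

if __name__ == "__main__":
    # Constructed sample hosts, one on each LAN.
    print(tunnel_both_ways("192.168.88.10", "192.168.89.10"))
```
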
 
ralflindahl
just joined
Topic Author
Posts: 4
Joined: Sun Mar 04, 2012 2:00 pm

Re: SSTP Site to Site Routing won't work

Thu Mar 15, 2012 4:54 pm

I've solved it.
The problem is IP Routing.
I changed the local network on router1 to 192.168.110.0/24
and then all started to work OK!
I have reset my routers to default and tested again.
If I have local networks of 192.168.89.0/24 (on the router with the SSTP server)
and 192.168.88.0/24 on the "client" router, then it just won't work.
Bug?
 
hadizeid
just joined
Posts: 14
Joined: Wed Mar 14, 2012 7:20 am

Re: SSTP Site to Site Routing won't work

Wed Mar 28, 2012 3:57 pm

Just a quick question.
Do you need to have certificates if you are trying to connect 2 MikroTiks over SSTP?
 
Zebble
Frequent Visitor
Posts: 50
Joined: Mon Oct 17, 2011 4:07 am

Re: SSTP Site to Site Routing won't work

Wed Mar 28, 2012 4:03 pm

Certificates are optional if you're connecting between MikroTiks using SSTP.
 
Ibersystems
Forum Guru
Posts: 1686
Joined: Wed Apr 12, 2006 12:29 am
Location: Cabrils, Barcelona - Spain

Re: SSTP Site to Site Routing won't work

Tue Aug 06, 2013 2:15 pm

I just created an SSTP tunnel with all the routes and I'm able to ping from sstpclientside to sstpserverside, but not the other way. Why?

If I run tracert from a sstpserverside computer to any computer on clientsstpside, I can reach the 10.10.10.2 IP (SSTP client), but then all the hops are 0.0.0.0
