Access VPN Tunnel via VLAN

Hello dear friends,

I started managing a site which has an RB2011iL (6.47.4) installed. I am not that expert with Mikrotiks but hopefully coping just fine.
The site has a 192.168.24.0/24 main (management) LAN and a 10.0.3.0/24 VLAN.

The site needs to connect to a remote SQL server for ERP via IPSEC VPN. The ERP vendor offers only IPSEC VPN.
It should be easy but unfortunately the 192.168.24.0 subnet is in use by them for another of their clients and there is no way for us to change our own due to many important devices having static IPs.
But the 10.0.3.0 is available for them so we created an IPSEC VPN tunnel with that VLAN and all devices that are within that VLAN can access the remote SQL server at subnet 10.29.1.0
But the devices in the main 192.168.24.0 LAN cannot access the resources and the VPN tunnel.

I added a NAT and firewall rule to allow traffic between 192.168.24.0/24 and 10.29.1.0/24 but still no access; I cannot ping it at all.
So the simple question is this: Could there be a way to access the VPN Tunnel from another VLAN?

Thank you so much in advance

Unfortunately, there are no telepaths here.
Show your router’s text configuration file. Post it here in CODE tags, removing all confidential information (serial numbers, passwords, etc.). Draw a diagram of how traffic should be routed.

Hello again,

First of all thank you for the reply.

I managed to solve the issue by searching in the forums:
http://forum.mikrotik.com/t/mikrotik-nat-ing-from-one-subnet-to-the-other/100344/1

/ip firewall nat
add chain=srcnat src-address=192.168.24.0/24 dst-address=10.29.1.0/24 action=netmap to-addresses=10.0.3.0/24
add chain=dstnat dst-address=10.0.3.0/24 src-address=10.29.1.0/24 action=netmap to-addresses=192.168.24.0/24

Now my devices in the 192.168.24.0/24 LAN can access the other end of the VPN at 10.29.1.0/24, which was set up using the local VLAN 10.0.3.0/24.

Not bad at all.
I usually work with Draytek routers which have subnet network translate option in the GUI of the VPN setup but it’s nice to get back to the legacy CLI from time to time.

BR from Greece
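
Added example (not part of the original posts): a Python model of the two netmap rules above, showing how a LAN source is rewritten into the VLAN range so it matches the tunnel, and what the dstnat rule does to connections opened from the remote side. The policy selector 10.0.3.0/24 <-> 10.29.1.0/24, the function names and the sample host addresses are assumptions.

```python
import ipaddress

# Subnets from the thread. The IPsec policy selector (VLAN <-> REMOTE) is an
# assumption based on the description of the tunnel.
LAN = ipaddress.ip_network("192.168.24.0/24")
VLAN = ipaddress.ip_network("10.0.3.0/24")
REMOTE = ipaddress.ip_network("10.29.1.0/24")


def netmap(addr, from_net, to_net):
    """1:1 mapping as done by action=netmap: keep host bits, swap the prefix."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) & int(from_net.hostmask)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)


def outbound(src, dst):
    """srcnat rule, then the policy check: returns (src, dst, enters_tunnel)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN and dst in REMOTE:
        src = netmap(src, LAN, VLAN)
    return str(src), str(dst), (src in VLAN and dst in REMOTE)


def inbound_new(src, dst):
    """dstnat rule for a NEW connection arriving from the remote side."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in REMOTE and dst in VLAN:
        dst = netmap(dst, VLAN, LAN)
    return str(src), str(dst)


if __name__ == "__main__":
    # Constructed sample hosts.
    print(outbound("192.168.24.50", "10.29.1.10"))
    print(outbound("10.0.3.50", "10.29.1.10"))
    print(inbound_new("10.29.1.10", "10.0.3.50"))
```

The first two calls yield the same tunnel-side source, so the remote end cannot tell 192.168.24.50 from a real VLAN host 10.0.3.50. The third shows that new connections from 10.29.1.0/24 to 10.0.3.x are delivered to the 192.168.24.0/24 management LAN, so the forward filter is the place to limit what the remote side may reach.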

When I see “6.47.4”, all alarm bells are ringing. Please consider upgrading the router while you are working on it.

Hmm, thank you so much for pointing this out.

I see an option to upgrade: channel stable v. 6.49.17
and channel upgrade v. 7.12.1

Which shall I choose, please?

Kindly note that the router is on an island (hotel closed for the winter season); if something goes wrong I will need to get a boat from Athens to get there!!!

No worries,
I am able to travel, please send airplane tickets to Athens and then obviously the boat to get to the island.

I would definitely plan for loss of connectivity and need to be on site and the good news is that the location is not being used at the moment and the update can be done when possible vice tomorrow.