allow packets to VPN client

jeremyandrews · September 12, 2022, 7:31am

I have configured an IPSec VPN L2TP tunnel to my home network, and it's working great. I can access all my local servers correctly through the VPN.

What I can't do is initiate connections to a service running on my VPN client from my private network, which I'd also like to do.

I can ping the VPN client from the mikrotik CLI, I just can't ping the VPN client from another server on my home network.

--

For example:

Home network: 10.1.1.0/24
Mikrotik server: 10.1.1.1
VPN client gets assigned: 10.1.1.200

Home server: 10.1.1.10

When I connect into my home network over the VPN:

I can ssh from the client on 10.1.1.200 to the server at 10.1.1.10.
I can ping from the mikrotik server on 10.1.1.1 to the VPN client at 10.1.1.200.
I can NOT ping from the home server on 10.1.1.10 to my VPN client at 10.1.1.200.

I'm trying to troubleshoot where things are failing. I'm currently unclear if this is a firewall configuration issue, or a routing issue, or something else. And more importantly, I'm curious how I'd debug this. I use the Web UI and ssh interface to manage the Mikrotik. What tools are recommended to determine where things are getting confused?

\

I'm currently running RouterOS v7.1.3 (stable).

nichky · September 12, 2022, 10:07am

without seeing your config/topology, first thing on top of my head, missing route

jeremyandrews · September 12, 2022, 10:22am

Thank you for the quick reply. I’m reviewing the routing configuration now, there is an automatically added routing but perhaps that’s not sufficient? (In this table, its called .)

[MikroTik] /routing/route> print
Flags: U, A - ACTIVE; c, s, d, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE->
    DST-ADDRESS       GATEWAY        AFI   D  SC  TA  IMMEDIATE-GW            
Ad  0.0.0.0/0         192.168.8.1    ip4   1  30  10  192.168.8.1%isp1
 d  0.0.0.0/0         192.168.1.1    ip4   2  30  10  192.168.1.1%isp2    
Ac  10.1.1.0/24      home       ip4   0  10      home                
Ac  10.1.1.200/32  <l2tp-jeremy>  ip4   0  10      <l2tp-jeremy>           
Ac  172.16.100.0/24   dmz            ip4   0  10      dmz                     
Ac  192.168.1.0/24    isp2       ip4   0  10      isp2                
Ac  192.168.8.0/24    isp1   ip4   0  10      isp1            
A H ether1                           link  0                                  
A H <l2tp-jeremy>                    link  0                                  
A H ether3                           link  0                                  
A H ether5                           link  0                                  
A H ether7                           link  0                                  
A H mylan                         link  0                                  
A H isp1                     link  0                                  
A H dmz                              link  0                                  
A H isp2                         link  0

tdw · September 12, 2022, 11:11am

If the VPN client uses an address which overlaps with the local subnet you have to enable proxy-arp so the Mikrotik replies to ARP requests from local devices on behalf of the VPN client.

However, as you say you can SSH from the client on 10.1.1.200 (the VPN connection) to the server at 10.1.1.10 (on the local network) then proxy-arp must already be enabled, in which case it is likely firewall rules.

nichky · September 12, 2022, 11:13am

What I can’t do is initiate connections to a service running on my VPN client from my private network, which I’d also like to do.

what is your private network?

/ip route pr
/ip add pr

jeremyandrews · September 12, 2022, 12:19pm

Where can I confirm this is correctly configured? At

/interface/ethernet print

I do not see proxy-arp configured.

I do see

arp=proxy-arp

configured at

/interface/bridge print

, only for the bridge I have set up for my ISP (WAN). Should this also be enabled on the L2TP client side somehow? Where?

jeremyandrews · September 12, 2022, 12:30pm

what is your private network?

My private network is

10.1.1.0/24

.

Is it a problem that I’ve placed my remote client w/in this subnet? (The L2TP client is being assigned an IP address of 10.1.1.200.) This has worked fine until I needed to connect from my home network to the report client, at which time I realized I’m unable to initiate connections in that direction.

I’m both hoping to resolve this, as well as to understand the proper steps to debug where requests are being dropped. The firewall (10.1.1.1) can ping the remote VPN client (10.1.1.200) so it knows how to get there. But a server on my local network (10.1.1.10) can not ping the remote VPN client through the firewall – it’s unclear to me if this is a routing issue, or a packet filter issue: and I’m struggling to debug.

jeremyandrews · September 12, 2022, 12:38pm

Arp does indeed seem to be the issue. It seems I need to enable arp-proxy on the client side, too? How would I do that / where?

When I try and ping 10.1.1.200 from 10.1.1.10 I see the server makes a series of ARP requests to which nobody is replying:

$ sudo tcpdump -vvni interface0 host 10.1.1.200
tcpdump: listening on interface0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:35:41.083450 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.1.1.200 tell 10.1.1.10, length 28
14:35:42.095988 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.1.1.200 tell 10.1.1.10, length 28
14:35:43.119962 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.1.1.200 tell 10.1.1.10, length 28

jeremyandrews · September 12, 2022, 3:51pm

And … sorry, it was indeed as simple as enabling proxy-arp on my local network. I’m now able to both ping the server from the client, and the client from the server. Thanks!