I have an L2TP VPN server on my MikroTik router. The internal subnet is 10.10.0.0/24, and I would like to assign all VPN clients addresses from this range: 10.10.0.91-10.10.0.95. I created a pool which contains this address range. I set the following parameters on the PPP Profile: Local Address: 10.10.0.90, Remote Address: vpn_pool (10.10.0.91-10.10.0.95). I can connect successfully from my client, but I can only communicate with the router's default IP (10.10.0.1). I can't reach any device on 10.10.0.0/24. Why? How can I set IP addresses for my VPN clients from the same network range? Thank you.
Unfortunately not. I haven't got a bridge; I have a LAN interface which includes 2 VLANs. I enabled proxy-arp on the physical interface and the VLAN interface. The Aruba switch is connected directly to the physical interface. The clients are connected to this switch.
Best and common practice is to have a dedicated subnet for VPN clients.
There's absolutely no reason for VPN clients to be located in the same subnet as the local LAN.
-Chris
There is a VPN client who needs an IP address from the local address space. I reconfigured the VPN server PPP Profile. Local address: 172.30.90.1, Remote address: vpn_pool2 (172.30.90.2-172.30.90.254). When I connect to the VPN server, I get a 172.30.90.x IP address and I can communicate with all of the devices in the 10.10.0.0/24 subnet. BUT, for one of the users under Secrets I assigned an IP address from the LAN address space in the VPN user's Remote Address field, like 10.10.0.100. When I connect again with this VPN user, I get the 10.10.0.100 IP address, but I can only communicate with the default gateway. (The ARP is set to proxy-arp.) Is it possible somehow to communicate with the other devices?
Hi!
To put it simply, this is how the protocol works. Everything coming via the L2TP tunnel will reach only the router. You cannot do anything to reach IPs behind that router that are in the same subnet as the L2TP client.
As you've already seen, using different subnets (one for internal and a different one for remote users) will enable traffic. If you really need Layer 2 connectivity between sites, your best bet is EoIP over IPsec, which means you need a MikroTik router on the remote site too.
Totally agree with @cdiedrich, but if you insist, and to expand on what @Zacharias said, you will need to configure proxy-arp on the LAN-facing interface, be it physical, bridge or VLAN.
If that does not work, then you might have other network problems, i.e. firewall rules, routing issues, etc., and without seeing the network topology / config of the devices involved it is difficult to assist.
The only reason I can see for this being necessary is a service running in your LAN that only accepts connections from the local LAN.
So it's not the client that needs the local-range address but the service being accessed.
I'd create a srcnat rule for exactly that service (matching dst IP, protocol and port) and NAT it to your router's local address while keeping the client in the VPN range.
-Chris
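The setup Chris describes, written out as RouterOS CLI commands. This is an added example, not config from anyone in the thread; the pool and profile values come from the posts above, while the service host 10.10.0.50, the port 445 and the profile name `vpn-profile` are assumed placeholders to be replaced with your own.

```routeros
# Dedicated VPN subnet (values from the thread): clients get 172.30.90.x,
# the router is 172.30.90.1 on the tunnel side. Nothing from 10.10.0.0/24 here.
/ip pool add name=vpn_pool2 ranges=172.30.90.2-172.30.90.254

# Profile name "vpn-profile" is an assumption; point the L2TP server at it.
/ppp profile add name=vpn-profile local-address=172.30.90.1 remote-address=vpn_pool2
/interface l2tp-server server set enabled=yes default-profile=vpn-profile

# Do NOT set remote-address on a secret to a LAN address (e.g. 10.10.0.100);
# leave it empty so the user draws from vpn_pool2.
/ppp secret add name=vpnuser password=<PLACEHOLDER> service=l2tp profile=vpn-profile

# Source NAT only the one service that insists on a LAN-range source:
# VPN clients reaching 10.10.0.50 tcp/445 (assumed host and port) appear
# to that host as the router's own LAN address 10.10.0.1.
/ip firewall nat add chain=srcnat src-address=172.30.90.0/24 \
    dst-address=10.10.0.50 protocol=tcp dst-port=445 \
    action=src-nat to-addresses=10.10.0.1 \
    comment="VPN clients -> LAN-only service as router LAN IP"

# Check the rule is actually matching while a client uses the service.
/ip firewall nat print stats where comment~"LAN-only"
/ip firewall connection print where src-address~"172.30.90."
```

Keep the rule narrow (one dst address, protocol and port) so other LAN hosts still see the real 172.30.90.x source in their logs and firewall rules.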