We use a single server (Windows Server 2019 Essentials) in our micro-sized business. The server's roles are Domain Controller, DNS, DHCP and some others.
We also have a MikroTik router. This is our only router and is connected to the internet directly - it's the main gateway to our network and also functions as a firewall.
I managed to configure an SSTP server on the router and I am able to connect to it from a distant network using a Win 10 client.
I can ping the server’s IP address. But I can’t do anything else…
Can’t ping the server hostname
Can’t access shared files
Can’t do anything else on the server, basically just ping its IP
Needless to say, this all works when I’m connected directly to the network.
The server handles the DHCP; however, when I configured the SSTP on the MikroTik, I had to assign some IP pool to VPN clients. As I am fairly new to MikroTik, I'm not sure if I did everything correctly here. The Windows Server DHCP assigns the range 192.168.100.100-192.168.100.254 and I configured the VPN pool on the MikroTik to 192.168.101.100-192.168.101.254.
I also have several bridges on the router, one of which is my company network. I made sure to assign this bridge to the VPN connection.
I tried to turn off Windows Firewall on the server, but that didn’t do anything.
I would appreciate any tips about why this might be happening.
Without seeing the configuration it is impossible to say what is wrong; post the output of /export hide-sensitive after redacting any other information such as public IP addresses. From the symptoms, most likely firewall rules or VPN DNS settings.
Using multiple bridges is generally not optimal, as hardware offload is only supported on one bridge on most MikroTiks. SSTP is an IP VPN, so bridges are not relevant to the setup unless attempting to use the PPP BCP functionality.
As for now, I’m using the public IP address, not DNS name, so that shouldn’t be the issue. I plan on adding the “A” record to our public DNS after I make it work with IP.
Here is the requested information:
# sep/19/2022 10:07:01 by RouterOS 6.49.6
# software id = 6D4F-G8NH
#
# model = RB3011UiAS
# serial number = HCV085R40Q0
/interface bridge
add admin-mac=18:FD:74:5C:40:3D auto-mac=no comment=defconf name=bridge-datel
add name=bridge-home
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=security-datel
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man datapath
add bridge=bridge-datel interface-list=LAN name=datapath-datel
/caps-man configuration
add country="czech republic" datapath=datapath-datel hide-ssid=no installation=\
indoor mode=ap name=CAPs security=security-datel \
security.authentication-types=wpa2-psk security.encryption=aes-ccm ssid=\
DatelInternalWifi
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile-datel \
supplicant-identity=""
/ip pool
add name=vpn_pool ranges=192.168.101.100-192.168.101.254
/ppp profile
add bridge=bridge-datel local-address=192.168.100.1 name=profile-sstp \
remote-address=vpn_pool
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=CAPs
/interface bridge port
add bridge=bridge-datel comment=defconf interface=ether2
add bridge=bridge-datel comment=defconf interface=ether3
add bridge=bridge-datel comment=defconf interface=ether4
add bridge=bridge-datel comment=defconf interface=ether5
add bridge=bridge-home comment=defconf interface=ether6
add bridge=bridge-home comment=defconf interface=ether7
add bridge=bridge-home comment=defconf interface=ether8
add bridge=bridge-home comment=defconf interface=ether9
add bridge=bridge-home comment=defconf interface=ether10
add bridge=bridge-home comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-datel list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=Server enabled=yes force-aes=yes pfs=yes
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge-datel network=\
192.168.100.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" list=Bogons
/ip firewall filter
add action=drop chain=forward comment="Disable Internet Remote Desktop" \
dst-port=3389 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=443 protocol=tcp
add action=accept chain=forward comment="Allow Always On VPN Connections" \
dst-port=500,4500 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ip service
set telnet disabled=yes port=2301
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.100.0/24 port=2201
set api disabled=yes
set winbox address=192.168.100.0/24
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=DatelRouterBoard
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Ok, let’s say that my LAN subnet is 192.168.100.0/24 and my VPN subnet will be 192.168.101.0/24.
Can you please advise how I would set the routing and firewall for this?
Also, what role will my Windows DHCP Server play in this scenario? Currently it assigns 192.168.100.100-192.168.100.149 to everything connected to bridge-datel.
Post the full configuration export; screenshots show only part of the config.
But there are 2 things you really need to look at after separating the subnets.
One being that the VPN subnet is allowed in the relevant chains in the firewall on the MikroTik, and second, you will need to add the VPN subnet on the Windows firewall as, by default, the Windows firewall will block all traffic initiated outside its local IP range.
Do something similar for other services, e.g. if you want to access shared files, find “File and Printer Sharing (SMB-In)”, open its properties and look at “Remote IP address” on “Scope” tab. By default there’s only “Local subnet”. Add 192.168.101.0/24 and it should work.
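The Windows-side change described above (adding the VPN subnet to the "Remote IP address" scope of the SMB-In rule) can be scripted instead of done in the GUI. This is an added example, not code from the thread; it assumes Windows Server 2019 with the built-in NetSecurity cmdlets, an elevated PowerShell session, and the 192.168.101.0/24 VPN subnet from the thread. The function name and the `$RuleNames` list are my own; the rule display name is the one quoted in the post.

```powershell
# Added example: widen the remote-address scope of inbound Windows Firewall rules
# so clients arriving from the SSTP pool are accepted next to the default "LocalSubnet".
# Assumes: Windows Server 2019, NetSecurity module (built in), elevated shell.

$VpnSubnet = '192.168.101.0/24'   # VPN pool used in the thread

# The rule named in the thread; append further display names for other services
# you want reachable from the VPN (hypothetical list, adjust to your environment).
$RuleNames = @('File and Printer Sharing (SMB-In)')

function Add-VpnSubnetToRuleScope {
    param(
        [Parameter(Mandatory)] [string[]] $DisplayName,
        [Parameter(Mandatory)] [string]   $Subnet
    )
    foreach ($name in $DisplayName) {
        # One display name usually maps to several rules (Domain / Private / Public profiles).
        $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rules) {
            Write-Warning "No firewall rule named '$name' found"
            continue
        }
        foreach ($rule in $rules) {
            $filter  = $rule | Get-NetFirewallAddressFilter
            $current = @($filter.RemoteAddress)

            # Nothing to do if the scope is already wide open or already lists the subnet.
            if ($current -contains 'Any' -or $current -contains $Subnet) {
                Write-Host "$($rule.Name) [$($rule.Profile)]: scope already covers $Subnet"
                continue
            }

            # Keep the existing entries (typically 'LocalSubnet') and add the VPN subnet.
            $filter | Set-NetFirewallAddressFilter -RemoteAddress ($current + $Subnet)
            Write-Host "$($rule.Name) [$($rule.Profile)]: added $Subnet (was: $($current -join ', '))"
        }
    }
}

Add-VpnSubnetToRuleScope -DisplayName $RuleNames -Subnet $VpnSubnet

# Verify the resulting scope of every matched rule.
Get-NetFirewallRule -DisplayName $RuleNames |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

Only the rules for the profile the server's NIC is actually in (Domain, for a domain controller) take effect, but scoping all of them keeps the behaviour consistent if the profile ever changes.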