Cannot connect to other LAN via VPN

Hi,

Can someone please help?

The setup is as follows:

We use PPTP VPN on internal IP range 172.16.16.0/24. My house IP range is 192.168.10.0/24. The HQ is on 192.41.100.0/24 and the other on 192.168.6.0/24. I set up NAT and routing on both ends, but cannot connect to PCs and printers on the 192.168.6.0/24 range, i.e. 192.168.6.101 and 192.168.6.20, from my laptop on 192.168.10.13. I can connect to the HQ equipment on 192.41.100.0/24.

i.e. the connection is as follows: My Laptop (192.168.10.100) → VPN (172.16.16.103) → Internet → HQ via VPN (172.16.16.1)
Remote branch is as follows: Printer (192.168.6.20) → VPN (172.16.16.106) → Internet → HQ via VPN

Running a traceroute to the networks from my laptop:

C:\Users\Rudi>tracert 192.41.100.250

Tracing route to 192-41-100-250.c7dc.com [192.41.100.250]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.10.1
  2    36 ms    30 ms    47 ms  172.16.16.1
  3    31 ms    30 ms    44 ms  192-41-100-250.c7dc.com [192.41.100.250]

C:\Users\Rudi>tracert 192.168.6.20

Tracing route to 192.168.6.20 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.10.1
  2    31 ms    31 ms    28 ms  172.16.16.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

Please see attached the network diagram.

Traffic towards 192.168.6.20 should be routed to 172.16.16.106, not 172.16.16.1.
Change your static routing at the home router.

You will need the following routes at:

HQ:
192.168.6.0/24 via PPTP-1 (To Remote)
192.168.10.0/24 via PPTP-2 (To Home)

Home:
192.168.1.0/24 via PPTP-1 (To HQ)
192.168.6.0/24 via PPTP-1 (To Remote via HQ)

Remote:
192.168.1.0/24 via PPTP-1 (To HQ)
192.168.10.0/24 via PPTP-1 (To Home via HQ)

That doesn’t make sense. 172.16.16.106 sits on the other network and cannot be reached from 192.168.10.1 directly. Even adding it as a route shows it as unreachable.

I have these routes already, though the IPs are slightly different from yours. Look at the attached image to see.

So I have:
HQ:
192.168.6.0/24 via PPTP-1 (To Remote)
192.168.10.0/24 via PPTP-2 (To Home)

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          x.x.x.x                   1
 1 X S  0.0.0.0/0                          y.y.y.y                   2
 2 X S  0.0.0.0/0                          afrihost                  3
25 ADC  172.16.2.0/24      172.16.2.1      ether1-Fiber              0
26 X S  172.16.16.0/24                     172.16.16.1               1
27 ADC  172.16.16.44/32    172.16.16.1     <pptp-RudiA>              0
28 ADC  172.16.16.101/32   172.16.16.1     <pptp-CTVPN>              0
29 ADC  172.16.16.102/32   172.16.16.1     <pptp-DBNVPN-1>           0
30 ADC  172.16.16.106/32   172.16.16.1     <pptp-VERVPN>             0
31 ADC  192.41.100.0/24    192.41.100.1    ether4                    0
32 A S  ;;; DBN VPN
        192.168.1.0/24                     172.16.16.102             1
33 A S  ;;; Cape Town Network via Bitco Fiber
        192.168.4.0/24                     <pptp-CTVPN>              1
34   S  ;;; Cape Town Network via LTE
        192.168.4.0/24                     172.16.16.101             2

Home:
192.41.100.0/24 via PPTP-1 (To HQ)
192.168.6.0/24 via PPTP-1 (To Remote via HQ)

[admin@MT] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.18.1              1
 1 ADC  172.16.16.1/32     172.16.16.44    HST                       0
 2 A S  192.41.100.0/24                    HST                       1
 3 A S  192.168.1.0/24                     HST                       1
 4 A S  192.168.6.0/24                     HST                       1
 5 ADC  192.168.10.0/24    192.168.10.1    bridge                    0
 6 ADC  192.168.18.0/24    192.168.18.2    ether1                    0

HST is the VPN connection name.

Remote:
192.41.100.0/24 via PPTP-1 (To HQ)
192.168.10.0/24 via PPTP-1 (To Home via HQ)

[admin@Vereeniging] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          x.x.x.x                   1
 1 ADC  154.127.113.72/29  x.x.x.y         ether1-Fiber              0
 2 ADC  172.16.16.1/32     172.16.16.106   JHB-VPN                   0
 3 A S  192.41.100.0/24                    JHB-VPN                   1
 4 ADC  192.168.6.0/24     192.168.6.1     bridge                    0
 5 A S  192.168.10.0/24                    JHB-VPN                   1

The IP subnets I got from the description in your original post.

The home and remote sides look OK.

There are 2 different route prints for HQ, not sure why. Also, if I follow the route numbers, there seem to be routes missing, as it jumps from number 3 to a big number; I assume the reason is there are some dynamic C routes not shown in the print of routes.

I also do not see where you are routing to either 192.168.10.x or .6.x in the print for HQ.

The 3 main subnets are:
home: 192.168.10.0/24
HQ: 192.41.100.0/24
Remote Office: 192.168.6.0/24

I took out some sensitive routes, but that has nothing to do with the routes I cannot get to work right now.

Hmm, it seems it got cut off when I copied from Winbox. Here it is:

38 A S  ;;; Vereeniging VPN
        192.168.6.0/24                     <pptp-VERVPN>             1
39   S  192.168.8.0/24                     10.1.1.1                  1
40 A S  192.168.10.0/24                    <pptp-RudiA>              1
41  DC  192.168.20.0/24    192.168.20.1    ether10-VOIP            255
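To check a hub-and-spoke setup like this one without waiting on traceroute, it helps to walk a packet through the three tables by hand. The script below is an added example, not part of this thread or of RouterOS: it reconstructs the static and connected routes from the three prints above, maps the tunnel gateways (HST / <pptp-RudiA>, JHB-VPN / <pptp-VERVPN>) to router names, and traces both the forward path and the ICMP reply path, since a missing return route produces exactly the same time-outs as a missing forward route.

```python
import ipaddress
# Routes rebuilt from the three /ip route print outputs in this thread (assumed
# mapping: HST and <pptp-RudiA> are the home<->HQ tunnel, JHB-VPN and
# <pptp-VERVPN> the remote<->HQ tunnel). Default routes are deliberately left
# out so that a lookup miss shows as a drop instead of leaking to the Internet.
TABLES = {
    "home":   [("192.168.10.0/24", "local"), ("192.41.100.0/24", "hq"),
               ("192.168.6.0/24", "hq")],
    "hq":     [("192.41.100.0/24", "local"), ("192.168.10.0/24", "home"),
               ("192.168.6.0/24", "remote")],
    "remote": [("192.168.6.0/24", "local"), ("192.41.100.0/24", "hq"),
               ("192.168.10.0/24", "hq")],
}
# The HQ table as it was first pasted (routes 38-40 cut off), for comparison.
HQ_AS_FIRST_PASTED = {**TABLES, "hq": [("192.41.100.0/24", "local")]}

def lookup(table, dst):
    """Longest-prefix match: return the next-hop router, 'local', or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def trace(tables, start, dst, max_hops=8):
    """Follow the packet router by router; stop when delivered or dropped."""
    path, router = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[router], dst)
        if nh == "local":
            return path, "delivered"
        if nh is None:
            return path, f"dropped at {router}: no route to {dst}"
        path.append(nh)
        router = nh
    return path, "routing loop"

def round_trip(tables, src_router, src_ip, dst_router, dst_ip):
    """Traceroute needs both directions: the ICMP reply must find its way back."""
    fwd = trace(tables, src_router, dst_ip)
    back = trace(tables, dst_router, src_ip)
    return fwd[1] == "delivered" and back[1] == "delivered", fwd, back

if __name__ == "__main__":
    for name, t in (("full tables", TABLES), ("HQ as first pasted", HQ_AS_FIRST_PASTED)):
        ok, fwd, back = round_trip(t, "home", "192.168.10.100", "remote", "192.168.6.20")
        print(f"{name}: reachable={ok}\n  forward {fwd}\n  reply   {back}")
```

With the truncated HQ table the packet dies at HQ, which is what a trace that stops right after hop 2 (172.16.16.1) looks like; with routes 38 and 40 present both directions deliver, so the remaining suspects are firewall filter and NAT rather than routing.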

What do your firewall filter rules look like? Anything that will block comms between these subnets?

Just reread your OP: you mention you have enabled NAT. Is this NATing through the VPN? If so, that might be your problem; remove this and use routing only.