Hi
I’ve got a simple setup where the bridge interface on my LAN side is 10.10.10.1/24 and the IP on my WAN interface is 192.168.1.2/24
I have a DSL modem which is the gateway, set up on 192.168.1.1/24 and reachable via the WAN interface.
I’ve put in a static route on the DSL modem to reach 10.10.10.0/24 via 192.168.1.1
From the LAN side (when using an address in the 10.10.10.0/24 range) I can reach the DSL modem.
My internet connection is a PPPoE connection.
The problem I have is that when I’ve VPN’ed to the internet interface I can reach all LAN addresses but I can’t get to the DSL modem on 192.168.1.1.
I have two NAT rules set up:
chain=srcnat action=masquerade out-interface=DSL log=no log-prefix="" (this one allows me to browse the internet)
chain=srcnat action=masquerade out-interface=Internet log=no log-prefix="" (this one allows me to reach the modem from my LAN)
What do I need to set up so that I can VPN in and reach the modem?
If you need extra info please shout and I’ll post it.
Many thanks.
Magchiel: I tried setting ARP on the WAN interface to proxy-arp and I still had no replies but thanks for the suggestion.
Sob:
Yes, you’re right. Turns out my static route on the DSL modem was set to use PVC0 instead of the IP address, but I have corrected the static route to use the correct IP address of 192.16.1.2.
The “WAN” interface is the ethernet interface (with IP 192.168.1.2) that is connected to the DSL modem (on IP 192.168.1.1).
The PPPoE is being done on the MikroTik and this interface is called “Internet”.
Here are the NAT rules:
chain=srcnat action=masquerade out-interface=Internet log=no log-prefix="" (this is the PPPoE interface that allows me to browse the internet)
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix="" (this one allows me to reach the modem from my LAN)
Sorry I confused the issue earlier.
My LAN network is 10.10.10.0/24 and the bridge interface (I have a wireless router so I bridged the two wlan interfaces and ether2) is 10.10.10.1/24.
VPN pool is 10.10.10.150-10.10.10.200.
Now that the modem has a working route to 10.10.10.0/24, this one should not be needed anymore:
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix="" (this one allows me to reach the modem from my LAN)
How exactly is your VPN set up? Are the VPN interfaces (static or dynamic) bridged with the other LAN interfaces? If so, it should just work. If they are independent, just sharing the address space, and you connect them to the LAN with proxy ARP, then you probably need a rule in /ip firewall filter (chain=forward) allowing communication from the VPN to the DSL interface.
Thanks Sob.
I’ve removed the second NAT rule (for the WAN interface) and can still reach the DSL modem from the LAN side.
The bridge interface includes two wireless interfaces and the one LAN interface (ether2) and has IP 10.10.10.1/24.
To get to the DSL modem I need to go through the WAN interface, which is 192.168.1.2/24.
The VPN is PPTP and it creates dynamic interfaces for each pptp connection.
I have proxy-arp enabled on the WAN interface, which didn’t help VPN users to get back to the DSL modem.
I tried to add the dynamic VPN interface ‘pptp-vpnuser’ to the bridge but it wasn’t an available option; that VPN interface isn’t available to select.
VPN users are allocated an IP in the same network as the LAN users.
So I tried the other option of creating a new filter rule:
chain=forward action=accept in-interface= out-interface=WAN log=no log-prefix=""
This didn’t work either.
Interface summary:
bridge (ether2, wlan1, wlan2): 10.10.10.1
WAN: 192.168.1.2
Internet (pppoe connection to ISP): dynamic public IP
Thanks for your suggestions, much appreciated! Hoping to find the key to getting this working, please keep them coming.
You’re a champ, Sob! Nailed it.
I added a static route on my PC with the VPN connection through to 192.168.1.0 and I can now reach that node. Thanks very much for the tips, much appreciated!!
Subsequent to further testing I found the following:
I added a persistent route on the vpn client (windows 7) and during that VPN session, I could reach the DSL modem in the other network. When I disconnected the VPN session and reconnected it again, even though the persistent route was still there, I couldn’t reach the other network. I had to go back to the command line and re-add the route (that was already there) to allow me to reach the other network.
This is the command that was run on the VPN client:
user>route add 192.168.1.0 mask 255.255.255.0 10.10.10.1 -p
Strange that I had to run the command again just to make this route active again?
Apart from the fact that it appears that we have no way to hand out static routes via DHCP to our pptp clients on mikrotik, how do you guys manage getting static routes to your VPN clients?
I disabled the default route of sending all traffic down the VPN tunnel (VPN client properties > untick ‘Use default gateway on remote network’) as this was slower for internet browsing, so I’ve enabled split tunneling but would ideally like to hand out a static route from the MikroTik, or have another way of enabling this route dynamically on each VPN connect. Any ideas?
Many thanks.
That persistent route not working might be some Windows limitation. I never tried adding a route with a gateway that is not always available, so I can’t tell for sure.
About routes to VPN clients, I’m an OpenVPN fan, so if static routes are enough for me and I want to use RouterOS, I add them to the client’s config file. If I want dynamic routes, I have to use a full-featured OpenVPN server on Linux and push routes from there. Hopefully there will be some progress with this in the mythical RouterOS 7 when it gets out.
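As an added example (not posted by anyone in this thread), one way to handle the "route on every connect" problem on the Windows PPTP client: dial the connection from a script and add the route non-persistently only after the tunnel is up, instead of relying on a `-p` route whose gateway only exists while the PPP interface does. The connection name "MikroTikVPN" is an assumption; 192.168.1.0/24, the gateway 10.10.10.1 and the modem address 192.168.1.1 are the values from the thread.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the VPN client.
# Dials the saved PPTP entry, then adds the route to the modem's subnet via the
# router's bridge address, which is only reachable inside the tunnel.
param(
    [string]$Connection = "MikroTikVPN",   # assumed name of the saved VPN entry
    [string]$Network    = "192.168.1.0",   # modem subnet (from the thread)
    [string]$Mask       = "255.255.255.0",
    [string]$Gateway    = "10.10.10.1",    # router bridge IP (from the thread)
    [string]$Modem      = "192.168.1.1"    # DSL modem (from the thread)
)

# rasdial uses the credentials saved with the connection entry; exit code 0 means connected.
rasdial $Connection
if ($LASTEXITCODE -ne 0) {
    Write-Error "VPN dial to '$Connection' failed with code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Deliberately NOT persistent (-p): the PPP interface is recreated on every dial,
# so this script re-adds the route each time rather than trusting a stored one.
# route.exe picks the PPP interface because the gateway sits in the VPN's address space.
route add $Network mask $Mask $Gateway metric 1
if ($LASTEXITCODE -ne 0) {
    Write-Error "route add for $Network/$Mask via $Gateway failed"
    exit $LASTEXITCODE
}

# Confirm the modem actually answers through the tunnel before reporting success.
if (Test-Connection -ComputerName $Modem -Count 1 -Quiet) {
    Write-Output "Connected; $Network/$Mask routed via $Gateway and $Modem is reachable"
} else {
    Write-Warning "Route added but $Modem did not answer; check the modem's route back to 10.10.10.0/24"
}
```

Dropping the connection with `rasdial $Connection /disconnect` removes the PPP interface and, with it, the non-persistent route, so nothing stale is left behind for the next session.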