Different subnet for VPN users

Hello,
I’m a noob in Mikrotik and in English, so please forgive me :)

Our network, due to a historical decision (the company grew from 5 people to 70 employees), uses a very common IP range, i.e. 192.168.0.0/24.
Some fileshares, domain controllers, internal DNS etc. use static IPs. We have a lot of things like business applications configured to use those static IPs, and we cannot quickly change our IP range at this time.

We have also configured a VPN server on our Mikrotik. VPN users are given addresses from another IP pool but in the same subnet, i.e. 192.168.0.80-192.168.0.99. All computers are configured NOT to use the VPN connection as the default gateway (we don’t want to carry their traffic when they visit Facebook :)), and they have a static IP for our internal DNS server to resolve server names in our network. Everything works fine except for one thing:

Many users have problems connecting to the fileshare because their private network at home is also 192.168.0.0/24. Those users can’t connect to a fileshare, for example \\fs1\shared_folder, because DNS is not working. Connection is possible only when they use the static IP, for example \\192.168.0.2\shared_folder.

I assume that to solve that issue I need to give VPN users another IP pool, for example 192.168.130.0/24. I created a pool “vpnpool2” with this IP range, and I get a good IP while connecting, but my traffic is not routed: when I want to ping fs, for example, its name is not resolved. Even when I want to ping fs’s IP it’s not possible.

I hope my situation and my description are understandable. I don’t know how to make a route between 192.168.130.0/24 and 192.168.0.0/24. Could you be so kind as to help me? Of course I’ve tried to follow a tutorial found on the Internet, but unfortunately it doesn’t work for me: https://rbgeek.wordpress.com/2014/08/26/pptp-server-setup-on-mikrotik/
Thank you in advance.

I’d say you’re lost.
There’s no way the VPN client could judge whether the IP the DNS server provided is local or remote.
I absolutely understand that it’s hard to readdress your whole company, but I’m afraid you don’t have a choice.
Or you tell all your VPN guys to change their subnets…

For migrating your company’s IP range you could consider two L3 networks on one L2 domain: add another IP address in a different range (like 172.17.16.0/23) to your router and then, one by one, change the static addresses of your machines (be sure you keep track of DNS records).
So in the hybrid state the traffic will be routed. The final flick of the switch would then be the migration of your DHCP server(s) to the new range.

This should lead to an almost seamless transition.
I did this kind of migration in a couple of networks of all sizes, from tiny (/28) to big (/21), and it worked perfectly.

-Chris

Of course I do not take into account that users will change their home subnets; they are not IT guys :) In addition, I know that there is no way around it and I need to readdress the whole company. There are just a few free IP addresses left for new servers, printers, cameras etc. I plan to do it this year (I hope I will get enough project time for it). Thank you very much for your tips; they will help me with it!

So my plan to give them another subnet will fail; it’s not possible at all? I thought it would be just a quick workaround.

When you give the clients another range for the VPN, you also need to install a route towards the original range so that it is reachable.
This is the reason why so many networks use the method of “VPN addresses inside the network” (and proxy-arp).
You can extend the network when you like; then it will still be working, e.g. 192.168.0.0/20.
However, you will have to do that everywhere (in configs).
This is the reason why it is such a good idea to always use DHCP, even for static addresses, with static entries in the DHCP server
(e.g. for your printers, servers etc.).
Then you can change the config of the DHCP server, wait half the lease interval, and everything is automatically reconfigured.
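The renumbering that Chris describes (a second L3 network on the same L2 domain) combined with pe1chl's advice to pin fixed addresses as static DHCP leases, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread. It assumes the LAN interface is called `bridge-lan`, the existing DHCP server is `dhcp-lan`, the new range is the 172.17.16.0/23 Chris suggested, and the MAC addresses and host names (`dns1`, `fs1`, `dc1`, `corp.example`) are made up for the illustration.

```routeros
# Added example; interface/server names, MACs and host names are assumptions.

# Step 1: second L3 network on the same L2 domain. Both prefixes are now connected
# routes on the router, so 192.168.0.x and 172.17.16.x hosts reach each other
# through the router while the migration is in progress.
/ip address add address=172.17.16.1/23 interface=bridge-lan comment="new LAN range"

# Step 2: pool and DHCP network for the new range. Hand out the NEW address of
# the internal DNS server once that server has been moved.
/ip pool add name=lan-new ranges=172.17.16.100-172.17.17.250
/ip dhcp-server network add address=172.17.16.0/23 gateway=172.17.16.1 \
    dns-server=172.17.16.2 domain=corp.example comment="new LAN range"

# Step 3: fixed addresses become static leases instead of manual config on each host.
# A host keeps its old manual 192.168.0.x address until you switch it to DHCP; from
# then on it always gets the pinned address below. Update the A records as you go.
/ip dhcp-server lease add server=dhcp-lan mac-address=00:11:22:33:44:01 \
    address=172.17.16.2 comment="dns1"
/ip dhcp-server lease add server=dhcp-lan mac-address=00:11:22:33:44:02 \
    address=172.17.16.3 comment="fs1"
/ip dhcp-server lease add server=dhcp-lan mac-address=00:11:22:33:44:03 \
    address=172.17.16.4 comment="dc1"

# Step 4, the "final flick of the switch": move the server to the new pool with a
# short lease. Clients renew at half the lease time, so within ~15 minutes every
# DHCP client is in the new range and sees the new DNS server address.
/ip dhcp-server set dhcp-lan address-pool=lan-new lease-time=30m

# Step 5: before retiring the old prefix, find every rule that still hard-codes it.
# Firewall and NAT rules written for "LAN = 192.168.0.0/24" silently stop matching
# the migrated hosts, which can both break access and open holes; export and review.
/export file=before-renumber
# Only when nothing references 192.168.0.x any more:
/ip address remove [find address="192.168.0.1/24"]
```

Two caveats worth checking before step 4: hosts in the old range that still carry a manual gateway of 192.168.0.1 keep working because that address stays on the router until step 5, and any firewall rule that uses `in-interface=bridge-lan` keeps matching both ranges, whereas rules keyed on `src-address=192.168.0.0/24` do not and need a second entry (or an address list) for 172.17.16.0/23.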

Very good plan :slight_smile:
If you’re running short of address space already, you should strongly consider a /23 or even /22 network.


Well, having a dedicated VPN pool and having the traffic routed is always the better choice compared to handing out local addresses and dealing with proxy-arp.
For the time being, you don’t get any benefit from this because the dst address is still in the same segment as the road warrior’s local subnet :-/

I had the same problem when one of our guys was out at a production site and had to VPN into our office, and of course the location had the same subnet as his desired dst-addresses.
It was only one particular host, so I created a temporary dst-nat rule on our VPN router (a local bridge as dst-address, dst-natted to our local server).
Maybe this is an option for you?

-Chris

Thank you very much for all your suggestions and tips.

Is this route enough to solve my problem? How do I do this (I’m a noob, I know)?

So does this solution work only for one user or for all VPN users?

This should work for all users.
For convenience, you can add a single local-address to your PPP profile for the VPN users and use this address as dst-address for the NAT rule.
Not smart, but working :)
-Chris
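Chris's dst-nat workaround as RouterOS commands, using the non-overlapping VPN range from the thread: the road warrior talks to an alias address inside 192.168.130.0/24, which nothing on the home LAN uses, and the router rewrites it to the real 192.168.0.x server. This is an added example, not configuration from the thread. It assumes a PPP-based VPN (PPTP/L2TP, as in the linked tutorial) with a secret named `alice`, that fs1 is 192.168.0.2 and the internal DNS server is 192.168.0.3, that the LAN interface is `bridge-lan` and the WAN interface is `ether1-wan`. It goes one step beyond the thread by also letting the router answer DNS for the VPN clients with the alias address, so that `\\fs1\...` works by name and not only by IP.

```routeros
# Added example; interface names, secret name and server addresses are assumptions.

# Non-overlapping VPN range. The client's routing table sends 192.168.130.0/24 into
# the tunnel even when its home LAN is 192.168.0.0/24.
/ip pool add name=vpnpool2 ranges=192.168.130.10-192.168.130.99
/ppp profile add name=vpn-nat local-address=192.168.130.1 remote-address=vpnpool2 \
    dns-server=192.168.130.1 change-tcp-mss=yes
/ppp secret set [find name="alice"] profile=vpn-nat

# Alias inside the VPN range for each server the road warriors need. dst-nat runs
# before routing, so a packet for 192.168.130.2 arriving from the tunnel is rewritten
# to 192.168.0.2 and forwarded onto the LAN. One rule per server.
/ip firewall nat add chain=dstnat src-address=192.168.130.0/24 dst-address=192.168.130.2 \
    action=dst-nat to-addresses=192.168.0.2 comment="fs1 as seen from VPN"

# Replies: masquerade VPN sources towards the LAN so the servers see a 192.168.0.x
# source and need no route back to 192.168.130.0/24 (matters when a server's default
# gateway is not this router).
/ip firewall nat add chain=srcnat src-address=192.168.130.0/24 out-interface=bridge-lan \
    action=masquerade comment="VPN -> LAN"

# Name resolution: VPN clients use the router as resolver. The router returns the
# alias for fs1 and forwards everything else to the internal DNS server.
/ip dns set allow-remote-requests=yes servers=192.168.0.3
/ip dns static add name=fs1 address=192.168.130.2
/ip dns static add name=fs1.corp.example address=192.168.130.2

# allow-remote-requests=yes turns the router into a resolver for anyone who can reach
# it; make sure the WAN side cannot. Place this before any general accept rule in input.
/ip firewall filter add chain=input in-interface=ether1-wan protocol=udp dst-port=53 \
    action=drop comment="no open resolver on WAN"
/ip firewall filter add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 \
    action=drop comment="no open resolver on WAN"
```

The alias trick only works because the client actually routes 192.168.130.0/24 through the tunnel: the built-in Windows client adds a class-based route for the tunnel address's network when “use default gateway on remote network” is off, which covers a /24 of a 192.168.x.x address. A client that does not add that route needs it configured by hand, which is exactly the unmanaged-client headache pe1chl points out later in the thread. The static DNS entries are what make the difference between “works by IP only” and “works by name”; without them the client resolves fs1 to 192.168.0.2 and the packet stays on the home LAN.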

Maybe another quick solution would be to create another LAN with a bigger subnet and move all the necessary servers there, so my users will have access to the fileshares. I know how to make it work in the local network, but I’m not sure it will work with VPN.

Good idea? :slight_smile:

Very good idea.
Your road warriors will need to add the routes as pe1chl pointed out.
-Chris

That is the reason why this usually isn’t such a good idea.
When you completely manage the clients it is no problem, but when you don’t, this will be a permanent cause of headaches.

Please excuse me, but I don’t understand. Why is it not a good idea, and how can I add routes for my VPN users?

The reason that it is not a good idea is that it is quite difficult to automatically add routes for your VPN users
(within the limitations of MikroTik and typical VPN client software).