Help with routing over SSTP

Hi everyone!

Maybe it is a very simple routing question, but once I have mixed up my mind I can't figure out how to do it.

Simply, I have 3-4 locations and I need to access servers when I am outside of the company network. From any point of the network I can access all servers. But at one location I don't have a public IP, and I need to access it when I am outside.

How should I write the routing path on both sides to gain access to my server from the WAN? For example, if I am accessing
xx.yy.vv.zz:4000 - Mikrotik should route me to 192.168.7.95:3500

Here is a simple schema. Any help or idea is appreciated.
[Attached image: simpledgr.PNG]
On Mikrotik Main I have these rules for this.

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=4000 in-interface=WAN protocol=tcp to-addresses=192.168.7.95 to-ports=3500

and

/ip route
add distance=1 dst-address=192.168.7.0/24 gateway=<sstp1>

Thanks in advance!

Hello,

I hope I understood your need… so here goes.

I have a small WAN with three sites, one of which (Site A) doesn’t have a public IP address.

Here’s a small ASCII representation of my WAN (hope it comes out good…)

"Site A"--------->-----------"Site B"---------->------------"Site C"
    \------------------------------>----------------------------/

Note: Arrows indicate who dials where.

I’ve created my WAN using L2TP in a fully meshed setup. The site without the public address dials out to the other two sites. Site C is my main site, so it waits for connections.

I’ve activated OSPF on the WAN links so no matter where I am, I have full access to the resources of all three sites. I’ve configured a “Road Warrior” router (L2TP VPN again) so that it participates in the OSPF network and gets all the routes. This, in turn, gives me full access to all resources.

Sites “B” and “C” have dynamic addresses assigned by the ISPs, so I needed to set up a No-IP script on their head routers. Examples of those scripts can be found on MT’s website BTW.

I started out with static routes, but I didn’t like it because of the overhead and bad adaptability.

I’m very happy with the results. The only thing I need now are hEXs or other stronger routers, otherwise performance DROPS because of the CPU load caused by IPSec. :frowning:

Regards,

The problem is most likely with reply packets. If you just forward the port from Mikrotik Main to Mikrotik A and keep the client’s original source address (i.e. some random public address), the server sends the reply there (that’s fine), but Mikrotik A won’t send it back to the tunnel and instead will use its default gateway, and it can’t work.

You need to either mark (on Mikrotik A) incoming connections from the tunnel and then mark routing for the replies, to use a different routing table with a default route going to the tunnel.

Or if you don’t care about seeing real source addresses, then just masquerade connections on Mikrotik Main:

/ip firewall nat
# dst-port can only be matched together with a protocol, so protocol=tcp is required here
add action=masquerade chain=srcnat protocol=tcp dst-address=192.168.7.95 dst-port=3500 out-interface=<sstp interface>

Thanks for the ideas. Yes, I have a problem with the reply, because I am seeing that the connection is coming up to Mikrotik A but it cannot send the reply back correctly.

Just adding masquerade is not helping - I tried it now.

Would you give some example of marking routing for replies?

Thanks a lot!

Masquerade should help; it will change the source addresses of forwarded connections to whatever address is on the other end of the SSTP tunnel, and Mikrotik A knows the route to that. You can check with Tools->Torch if it happens.

The other way is to define new default route in different routing table:

/ip route
add dst-address=0.0.0.0/0 gateway=<sstp interface (*1)> routing-mark=vpn

Then mark new connections coming from tunnel (make sure you don’t have any other connection marking rules that could rewrite the mark):

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=<sstp interface> \
    new-connection-mark=from-vpn

And finally mark routing for replies:

/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=from-vpn in-interface=<LAN interface> \
    new-routing-mark=vpn

All this is on Mikrotik A.


(*1) I’m not exactly sure if you can use sstp interface as gateway or if it needs to be address on the other end, and I’m too lazy to test it. But you’ll figure it out.
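Both options from the two replies above, written out end to end as an added example (this is not configuration posted by anyone in this thread). Interface names (`WAN`, `sstp-siteA`, `sstp-main`, `bridge-lan`), the tunnel address 10.10.10.11 on the Mikrotik A side and the static SSTP server binding are assumptions; 10.10.10.10 (Main's tunnel end) and 192.168.7.95:3500 come from the thread. Pick either Option 1 on Main or Option 2 on A; running both is harmless. The comments also carry the caveat raised later in the thread: in-interface matching on the SSTP interface only works when that interface is not a bridge port.

```routeros
# ==== Mikrotik Main (holds the public IP on interface WAN) ====
# Assumed: Main is the SSTP server, tunnel 10.10.10.10 (Main) <-> 10.10.10.11 (A).
# A static server-side interface keeps the name "sstp-siteA" stable across reconnects.
/interface sstp-server
add name=sstp-siteA user=siteA
/ip route
add dst-address=192.168.7.0/24 gateway=sstp-siteA distance=1
/ip firewall nat
# Port-forward WAN:4000 to the server behind Mikrotik A.
add chain=dstnat in-interface=WAN protocol=tcp dst-port=4000 \
    action=dst-nat to-addresses=192.168.7.95 to-ports=3500
# Option 1: rewrite the source to Main's tunnel address (10.10.10.10), so the
# server's replies match A's existing 10.10.10.0/24 route and re-enter the tunnel.
# Kept narrow on purpose: only this destination, only on the tunnel interface.
add chain=srcnat out-interface=sstp-siteA protocol=tcp \
    dst-address=192.168.7.95 dst-port=3500 action=masquerade

# ==== Mikrotik A (no public IP; SSTP client "sstp-main", LAN bridge "bridge-lan") ====
# Option 2: policy routing, so the server's replies keep the client's real source
# address but are still routed back into the tunnel instead of A's ISP default route.
# Prerequisite (see the "slave" error later in this thread): sstp-main must NOT be a
# port of any bridge, otherwise in-interface=sstp-main is rejected in prerouting.
/ip route
# Second routing table "vpn" whose default route is the tunnel. A point-to-point
# interface name (gateway=sstp-main) works as well as the remote address.
add dst-address=0.0.0.0/0 gateway=10.10.10.10 routing-mark=vpn distance=1
/ip firewall mangle
# 1) Tag every new connection that arrives over the tunnel.
add chain=prerouting in-interface=sstp-main connection-state=new \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes
# 2) Reply packets from the LAN that belong to a tagged connection use table "vpn".
#    in-interface=bridge-lan makes sure tunnel-inbound packets are not re-routed.
add chain=prerouting in-interface=bridge-lan connection-mark=from-vpn \
    action=mark-routing new-routing-mark=vpn passthrough=no

# ==== Checks on Mikrotik A ====
# With Option 1 the tracked connection shows 10.10.10.10 as source; with Option 2
# it shows the client's public address and the connection mark "from-vpn".
/ip firewall connection print where dst-address~"192.168.7.95:3500"
# Live view of traffic on the tunnel interface for the forwarded port.
/tool torch interface=sstp-main protocol=tcp port=3500
```

With Option 2 the mark-connection rule must run before any other connection-marking rule on A, as the reply says; a later rule that overwrites the mark silently breaks the reply path, and the connection print above is the quickest way to see which mark a connection actually carries.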

After masquerade I am seeing that the request is coming to the SSTP interface of Mikrotik A from 10.10.10.10. But the server connection is still not available. I don't understand one thing: Mikrotik A has a routing rule to reach 10.10.10.10 back. Why is it still not working?

The second option gives me an error. On the connection mark rule, it is saying that in the prerouting chain I cannot use the SSTP interface since it is a slave.

Seems like this one is going down the rabbit hole rather quickly. I guess I’m just weird but I like to keep things fairly straightforward.

  1. Create two PPP secrets at your main location; one for each site
  2. Pick a range of IPs not in use; it appears that is 10.10.10.0/24 for you.
  3. Assign each PPP secret a local and remote address so the MikroTik has a unique IP for each remote site. Alternatively you can assign a remote-address to each via a pool.

You will then have the necessary meat to get your site-to-site connections working. In addition you can use the routes function to set routes dynamically into the main site for each of the remote site’s local networks that will only appear when they are online. This can be used in place of dynamic routing especially if you are setting a default route in the PPP client to send all traffic over the tunnel back to the main site.

If you prefer dynamic routing, remember that most VPNs are unicast only. You’ll need to define NBMA neighbors on each side to allow them to form neighbor relationships and exchange routes.

Properly establish your firewall rules, particularly for your masquerade. Make sure it targets only traffic egressing (out-interface) your WAN interface and preferably match the source-address too. All of your traffic will make routing decisions based on either PPP generated routes (both default at the clients and specific routes back to the clients at the head-end) or dynamic routes from OSPF.

If you are taking a default route at a client to the head-end (routing internet back through the head-end):

  1. Adjust the default route distance received from your ISP (ip dhcp-client can do this)
  2. Add a specific, /32, route to your VPN server using your outside interface
  3. Tell the VPN client (interface l2tp-client) to set a default-route-distance lower than what you set in the DHCP client

This will keep the tunnel up and send all traffic that is not the tunnel itself (all your clients’ Internet, for example) back over the tunnel to the head-end.

Done right, none of this should require masquerade rules specific to the VPN itself. Routing is beautiful and firewall rules should always be as specific as possible.
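The three-step head-end setup and the three-step client default-route setup from the post above, as one added example (not the poster's own configuration). Names and addresses are assumptions except the 10.10.10.0/24 tunnel range and the 192.168.7.0/24 LAN at site A, which come from the thread: site B's LAN 192.168.8.0/24, the head-end public address 203.0.113.10, the client's ISP gateway 203.0.113.1, the interface names and the placeholder passwords are all constructed. The client side uses l2tp-client as the post does; the same three parameters exist on the other PPP client types.

```routeros
# ==== Head-end (Mikrotik Main) ====
/ppp secret
# Step 1-3: one secret per site, each with its own remote-address out of 10.10.10.0/24.
# "routes" installs the site's LAN route only while that site is connected
# (format: "dst-address gateway metric"), so no static route has to be maintained.
add name=siteA password=CHANGEME-A service=l2tp \
    local-address=10.10.10.1 remote-address=10.10.10.2 \
    routes="192.168.7.0/24 10.10.10.2 1"
add name=siteB password=CHANGEME-B service=l2tp \
    local-address=10.10.10.1 remote-address=10.10.10.3 \
    routes="192.168.8.0/24 10.10.10.3 1"
/ip firewall nat
# Masquerade is tied to the ISP uplink AND to the known private sources only.
# Nothing here references the tunnels, so traffic between sites keeps real addresses.
add chain=srcnat out-interface=WAN src-address=192.168.0.0/16 action=masquerade

# ==== Remote site (Mikrotik A) sending all Internet traffic via the head-end ====
/ip dhcp-client
# Step 1: the ISP default route is kept but made less preferred (higher distance).
add interface=ether1 add-default-route=yes default-route-distance=10 disabled=no
/ip route
# Step 2: host route to the VPN server via the ISP, so the tunnel endpoint itself
# is never sent into the tunnel it carries (the only route that must bypass it).
add dst-address=203.0.113.10/32 gateway=203.0.113.1 distance=1
/interface l2tp-client
# Step 3: the tunnel's default route wins (distance 5 < 10) while the tunnel is up;
# if the tunnel drops, the DHCP default route at distance 10 takes over again.
add name=l2tp-main connect-to=203.0.113.10 user=siteA password=CHANGEME-A \
    add-default-route=yes default-route-distance=5 disabled=no

# ==== Check on the remote site: two default routes, the tunnel one active ====
/ip route print where dst-address=0.0.0.0/0
```

The two distances are the whole mechanism: both default routes stay in the table, and RouterOS only installs the one with the lower distance as active, so the failover back to the ISP when the tunnel is down needs no script. The head-end's `routes=` entries disappear with the session, which is the "only appear when they are online" behaviour the post describes.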

+1

Didn’t dare say anything but my suggestion was exactly just that. Seemed like a lot of troubles for such a simple task. But hey, I’m a simple guy. :slight_smile:

Actually my settings are the same as you explain. Here is my PPP secret:
[Attached image: pppsek.PNG]
As I said before, from inside the network, everything is working. I can access site to site and site to Main Mikrotik. But I need to access Mikrotik A over Mikrotik Main, since I don't have a public IP for Mikrotik A.

What do you mean “access MikroTik A from MikroTik main”

Like SSH or WinBox access?

If “Mikrotik A” activates SSTP links to the other sites, and you do proper routing, you’ve just created your totally reachable network. That’s exactly what I’m doing with my rented office space. You won’t need to do anything else to work on your devices. No NATing, masquerading or anything else. If you want to reach your network when travelling, create a “travel router” with its own SSTP tunnels.

No, I have a server behind Mikrotik A and I need to connect to port TCP 3500, for a specific reason. But it is not important; actually I cannot access Mikrotik A over the WAN side of Mikrotik Main currently. If I can resolve this, I can configure it for any port/application.

Looks like you didn’t share enough info about your config. Details are important. If you’re not sure what is and isn’t important, you can post everything (“/export hide-sensitive” command in terminal) and hopefully it’s not too long.

Thanks for your advice. Yes, I am doing the same actually; I always have an RB750UP with me, and connecting to this network is not a problem for me. But I need to make this connection available for a client. For a specific port only.

I think you’re doing too much at once.

Reading an older post in this thread, you’re binding your SSTP to a bridge (I assume) that’s why you’re getting an error about a rule being applied to a slaved port.

My suggestion: Start from scratch! Do not slave SSTP to anything, just route through them. Before offering the services to your client, make it work for you. It’s a very simple setup. Once you have it working, then create ppp secrets for clients and think about FW filters to secure your network.

I’ve seen many people shoot in all directions and it doesn’t work. Look at my 1st post and make THAT work. The rest will come easy, I promise :wink:

Yup, ideally start from scratch. If that can’t be done or heck, even if you do, post all the configurations using /export hide-sensitive here. In the past I’ve helped others by removing unnecessary configurations along with the commands to get it up and running. Having a clean configuration really helps with both readability and security.

What you’re trying to do isn’t impossible by any means. Additionally, take advantage of the MikroTik CHR and its free licensing. I do this all the time. Load up GNS3 with a few MikroTiks and mock up what you’re trying to do. You can then take what you learn and transport it to the live devices.

Thanks a lot for the advice. Actually it is late here; I, by mistake, disabled the SSTP call from Mikrotik A now. I cannot access it at all. Tomorrow I am going to fix this first, and with a clear mind I will make it work.

In any case (working or not) I will write the results here.

Thank you and everybody. This setup works! I checked all the details with a clear mind and figured out that some settings were not correct.

Have a nice day!