Hello, and forgive my ignorance.
I'm pretty sure that the thing my boss is trying to achieve is a no-go, but I figured it wouldn't hurt to ask here.
Here you can see a basic diagram of what I'm trying to achieve (everything you see on the diagram are the local addresses).
The SSTP VPN is up and running and I can ping from 192.168.88.254 to 192.168.1.250 (ISP 1) and to 192.168.89.145, and vice versa.
I can ping from 192.168.89.145 to 192.168.1.30 (ISP 2) and to 192.168.88.254.
My boss would like to ping the ISP 1 devices while connected to the VPN client, and vice versa.
I told him that with my knowledge it's not possible and that the local subnet for one ISP should be different.
He keeps insisting that a simple firewall rule will do the trick.
Any ideas would be appreciated.
Thanks
Edit: Could I perhaps make a firewall rule on the MikroTik client so that any traffic towards 192.168.1.0/24 is routed to the MikroTik server?
So 192.168.89.0/24 could ping 192.168.1.0/24, but only on the server side?
Yes, it seems rather dumb (although my experience is limited) to have the same subnets behind the ISP router on both ends. Furthermore, he then wants clients on one device to connect to the far-end ISP subnet and possibly to the ISP devices on the local subnet at the same time… both having the same IP addresses makes for a shit show.
The MikroTiks, are they in router mode or simply AP/switch?
Yeah, it seems dumb to me also. But who am I to judge the almighty boss, huh, who is btw a "network specialist" while I'm a mere web developer.
The MikroTiks are simply AP/switch; they are both hAP ac2.
Could I perhaps make a firewall rule on the MikroTik client so that any traffic towards 192.168.1.0/24 is routed to the MikroTik server?
So 192.168.89.0/24 could ping 192.168.1.0/24, but only on the server side?
So, to be clear, the boss wants the ability for
a. local clients on 88.X (under MT1) to be able to ping ISP 2 local clients
b. local clients on 89.X (under MT2) to be able to ping ISP 1 local clients
The issue is that each mikrotik has a directly connected route to 192.168.1.0/24 and will use ARP to resolve any addresses within that subnet.
There are a couple of options:
Use netmap to do a 1:1 mapping to a different /24, plus static routes; you access the devices at the other side using these addresses.
If there are a small number of devices with static addresses which do not overlap, you can add individual /32 static routes. From your diagram: on mikrotik 1 a static route for 192.168.1.30/32 via the SSTP address on mikrotik 2, and on mikrotik 2 a static route for 192.168.1.250 via the SSTP address on mikrotik 1.
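The second option (per-host /32 routes over the tunnel) written out for both routers, as an added example that is not part of the thread. It assumes the tunnel addresses later shown in the posted configs (10.2.2.1 on the server, mikrotik 1; 10.2.2.2 on the client, mikrotik 2), that 192.168.1.250 is a site-1 device and 192.168.1.30 a site-2 device, and that both keep fixed (static or DHCP-reserved) addresses; the comment strings are my own.

```routeros
# Per-host /32 routes over the SSTP tunnel (added example, not from the thread).
# Assumed: server tunnel address 10.2.2.1, client tunnel address 10.2.2.2,
# 192.168.1.250 at site 1 (ISP 1), 192.168.1.30 at site 2 (ISP 2).

# --- mikrotik 1 (SSTP server, behind ISP 1) ---
# 192.168.1.30 lives at site 2: send it through the tunnel instead of ARPing
# for it on the directly connected 192.168.1.0/24 (longest prefix wins).
/ip route add dst-address=192.168.1.30/32 gateway=10.2.2.2 comment="site-2 host via SSTP"

# --- mikrotik 2 (SSTP client, behind ISP 2) ---
/ip route add dst-address=192.168.1.250/32 gateway=10.2.2.1 comment="site-1 host via SSTP"

# Verify on each router: the /32 should be active (flag A) with the tunnel
# gateway, while the connected /24 (DAC) stays for every other 192.168.1.x host.
/ip route print where dst-address in 192.168.1.0/24

# Return path: the far-side router already masquerades everything leaving its
# WAN bridge, so the ISP-side device answers that router's own 192.168.1.x
# address and conntrack maps the reply back into the tunnel. Nothing has to be
# configured on the ISP routers. Confirm the masquerade rule is present:
/ip firewall nat print where chain=srcnat

# End-to-end check from mikrotik 1, sourcing from its LAN address so the
# packet follows the same path a 192.168.88.x host would use:
/ping 192.168.1.30 src-address=192.168.88.1 count=3
/tool traceroute 192.168.1.30
```

Caveat a practitioner should keep in mind: the /32 overrides the connected route unconditionally, so if a device with that same address ever appears on the local ISP LAN it becomes unreachable from that site. That is why this option only works while the chosen addresses do not overlap; for anything beyond a handful of hosts the netmap option scales better.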
That's true.
But option a. alone would be enough.
He doesn't care much about accessing devices connected to ISP 2 from the server side, but he wants to access devices connected to ISP while he is connected to the client mikrotik.
Here are the configs.
Server Config
# may/26/2022 17:20:40 by RouterOS 7.2.3
# software id = 7DN2-160L
#
# model = RBD52G-5HacD2HnD
# serial number = E5780FD83A89
/interface bridge
add arp=proxy-arp name=bridge-lan
add name=bridge-wan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-isp
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-lan name=dhcp1
/interface bridge port
add bridge=bridge-wan interface=ether1-isp
add bridge=bridge-wan interface=ether2
add bridge=bridge-wan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=wlan1
add bridge=bridge-lan interface=wlan2
/interface sstp-server server
set authentication=mschap2 certificate=Server enabled=yes port=9443
/ip address
add address=192.168.88.1/24 interface=bridge-lan network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=bridge-wan
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-wan
add action=masquerade chain=srcnat src-address=10.10.10.2
add action=masquerade chain=srcnat src-address=10.10.10.1
/ip route
add disabled=no dst-address=192.168.89.0/24 gateway=10.2.2.2 routing-table=\
main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ssh disabled=yes
/ppp secret
add local-address=10.2.2.1 name=name remote-address=10.2.2.2 service=sstp
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=VpnServer
Client
# may/26/2022 17:18:02 by RouterOS 7.2.3
# software id = TGZY-64AJ
#
# model = RBD52G-5HacD2HnD
# serial number = E5780FF93182
/interface bridge
add name=bridge_lan
add name=bridge_wan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-isp
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTikC
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge_lan name=dhcp1
/interface sstp-client
add authentication=mschap2 connect-to=random.sn.mynetname.net:9443 \
disabled=no http-proxy=0.0.0.0:9443 name=sstp-out1 pfs=yes profile=\
default-encryption user=verify-server-address-from-certificate=\
no
/interface bridge port
add bridge=bridge_wan interface=ether1-isp
add bridge=bridge_wan interface=ether2
add bridge=bridge_wan interface=ether3
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
add bridge=bridge_lan interface=wlan1
add bridge=bridge_lan interface=wlan2
/ip address
add address=192.168.89.1/24 interface=bridge_lan network=192.168.89.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=bridge_wan
/ip dhcp-server network
add address=192.168.89.0/24 gateway=192.168.89.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_wan
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=10.2.2.1 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=Client
I have already set addresses for the SSTP, 10.2.2.1 and 10.2.2.2 for each end (configs are pasted before the quote). Can I use netmap on them or do I have to reconfigure?
I'm sorry, I'm not sure if my basic knowledge allows me to understand what you are saying, and I probably got it wrong.
…
/interface bridge
add arp=proxy-arp name=bridge-lan # proxy ARP is not required
…
/interface sstp-server
add name=sstp-in1 user=name # name should match the PPP secret username
…
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-wan
add action=masquerade chain=srcnat src-address=10.10.10.2 #no idea what this is for
add action=masquerade chain=srcnat src-address=10.10.10.1 #no idea what this is for
add action=netmap chain=dstnat dst-address=192.168.101.0/24 to-addresses=192.168.1.0/24
add action=netmap chain=srcnat out-interface=sstp-in1 src-address=192.168.1.0/24 to-addresses=192.168.101.0/24
/ip route
add disabled=no dst-address=192.168.89.0/24 gateway=10.2.2.2 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.102.0/24 gateway=10.2.2.2 routing-table=main suppress-hw-offload=no
…
From 192.168.88.254 you can reach 192.168.1.30 at site 2 using the address 192.168.102.30; similarly, from 192.168.89.145 you can reach 192.168.1.250 at site 1 using 192.168.101.250.
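The snippet above only shows the server side. The mirror configuration for the SSTP client (mikrotik 2), plus the one route the client still needs for the boss's case (a), as an added example that is not from the thread: it assumes the tunnel addresses from the posted configs (10.2.2.1 server, 10.2.2.2 client), the client tunnel interface name sstp-out1 from the posted client config, and the same mapping as above (192.168.101.0/24 stands for the site-1 ISP LAN, 192.168.102.0/24 for the site-2 ISP LAN); comment strings are my own.

```routeros
# Client-side half of the netmap design (added example, not from the thread).
# Assumed: server tunnel address 10.2.2.1, client tunnel address 10.2.2.2,
# client tunnel interface sstp-out1, 192.168.101.0/24 = site-1 ISP LAN as seen
# from site 2, 192.168.102.0/24 = site-2 ISP LAN as seen from site 1.

# --- mikrotik 2 (SSTP client, behind ISP 2) ---
/ip firewall nat
# Packets arriving over the tunnel for 192.168.102.x are really for the
# local ISP-2 LAN: rewrite the destination 1:1 into 192.168.1.x.
add action=netmap chain=dstnat in-interface=sstp-out1 \
    dst-address=192.168.102.0/24 to-addresses=192.168.1.0/24 \
    comment="site-2 ISP LAN reachable from site 1 as 192.168.102.0/24"
# Connections that ISP-2 devices open towards the tunnel show up as 192.168.102.x
# at the far end (symmetric with the server rule; not needed for case (a)).
add action=netmap chain=srcnat out-interface=sstp-out1 \
    src-address=192.168.1.0/24 to-addresses=192.168.102.0/24
# The existing rule stays: replies from ISP-2 devices must come back to this
# router, which masquerades on bridge_wan.
#   add action=masquerade chain=srcnat out-interface=bridge_wan

/ip route
# Case (a): a 192.168.89.x host reaches a site-1 ISP device at 192.168.101.x.
# This route is what sends that traffic into the tunnel instead of to the
# directly connected 192.168.1.0/24.
add dst-address=192.168.101.0/24 gateway=10.2.2.1 comment="site-1 ISP LAN via SSTP"
#   (already present) add dst-address=192.168.88.0/24 gateway=10.2.2.1

# Checks.
# 1. From the client router, sourcing from its LAN address so the packet takes
#    the same path a 192.168.89.x host would use:
/ping 192.168.101.250 src-address=192.168.89.1 count=3
# 2. On the server, the dstnat netmap rule's packet counter must increase:
/ip firewall nat print stats
# 3. Both tunnel routes must be active (flag A) with the tunnel gateway:
/ip route print where gateway=10.2.2.1
```

Packet walk for case (a), to see why both halves are needed: 192.168.89.145 sends to 192.168.101.250; the client's new route carries it to 10.2.2.1; the server's dstnat netmap rewrites the destination to 192.168.1.250 and forwards it out bridge-wan, where the existing masquerade rule sets the source to the server's own ISP-1 address; the device replies to that address and conntrack reverses both translations. No device on either ISP LAN, and neither ISP router, has to know the VPN exists.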