Is it possible with Mikrotik: Your support required please.

Dear all,
I have 2 sites.
Site A will be the VPN server.
I want Site B to be connected to Site A through a VPN, and I will dial a Windows VPN client on my desktop and be able to access Site B LAN resources.
How can I deploy this?
Please suggest any idea for that.

Thanks
Regards
[attachment: SDsadfaf.png]

Yes, it’s possible.

Dear Sir,
How can I deploy this?
Regards

Your picture is incorrect, PPP-based connections are assigned /32 addresses so the L2TP client and server will be 192.168.88.2/32 and 192.168.88.1/32.

Add a static route for 192.168.10.0/24 to the PPP secret for site B on site A, the L2TP server - this allows site A to forward traffic for that subnet via the VPN tunnel.
Add a static route for 192.168.88.0/29 on site B using the l2tp-client interface as the gateway - this allows site B to forward traffic for that range of addresses via the VPN tunnel.
If not using the VPN as the default gateway on the PC, add a static route for 192.168.10.0/24 via the VPN connection; you can use PowerShell to make this permanent rather than adding it each time a VPN connection is established.

Change any firewall rules to permit forwarding via the interfaces involved.
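The three routes and the firewall change described above, as an added example that is not the replier's or MikroTik's own config. The addresses follow the reply (server 192.168.88.1, client 192.168.88.2, site B LAN 192.168.10.0/24); the user name, interface names, secrets and the site A public address are placeholders.

```routeros
# Site A (L2TP/IPsec server). Added example; values in CAPS are placeholders.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="REPLACE_IPSEC_PSK"
/ppp secret
# The routes= entry is installed on site A only while this client is connected,
# so site A forwards 192.168.10.0/24 into the tunnel.
add name=siteB password="REPLACE_PASSWORD" service=l2tp \
    local-address=192.168.88.1 remote-address=192.168.88.2 \
    routes=192.168.10.0/24
/ip firewall filter
# Place these before any drop rule in the forward chain.
add chain=forward action=accept in-interface=all-ppp comment="from L2TP peers"
add chain=forward action=accept out-interface=all-ppp comment="to L2TP peers"

# Site B (L2TP/IPsec client). The tunnel interface itself is the gateway.
/interface l2tp-client
add name=l2tp-siteA connect-to=SITE_A_PUBLIC_IP user=siteB \
    password="REPLACE_PASSWORD" use-ipsec=yes ipsec-secret="REPLACE_IPSEC_PSK" \
    add-default-route=no disabled=no
/ip route
# Covers 192.168.88.1 (site A) and the /32s handed to other PPP clients such as the PC.
add dst-address=192.168.88.0/29 gateway=l2tp-siteA
/ip firewall filter
add chain=forward action=accept in-interface=l2tp-siteA
add chain=forward action=accept out-interface=l2tp-siteA
```

On the Windows PC the persistent route the reply mentions is `Add-VpnConnectionRoute -ConnectionName "<connection name>" -DestinationPrefix 192.168.10.0/24` in PowerShell.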

Dear Sir,
I have configured this.

I have followed all procedures.
static routing
also PowerShell in Windows

But I am only able to ping the gateway, 192.168.94.1.
Not able to ping other Ubiquiti PowerBeam M5 AC IPs, e.g. 192.168.94.83.
[attachment: mikrotik vvvv.PNG]

If using wireguard, there is no need to dial any VPN client.
Simply go to the LAN resource you wish to access.

Requirements: either Site A or Site B has either
a. a public WANIP
b. can forward a port on the upstream router if not directly connected to the ISP.

WireGuard tutorials are available from MT and others.

Light reading - https://forum.mikrotik.com/viewtopic.php?t=182340

I have 2 sites. Site A has a public IP and Site B is behind the ISP router (no public IP).
So I want to access all of the Site B LAN network,
but I also want to access my remote network on my laptop when I'm outside.
Then will I need desktop WireGuard???

All very doable and not difficult.

Site A will be the “server” for the handshake and site B will be the “client” for the handshake and then traffic can be viewed as peer to peer between the two routers. This means any device on either router can have access to any device on the other router.
Any remote devices can connect to site A and access the local subnets on site A or site B, and use the internet of site A.

For remote devices, Apple has WireGuard apps; for Windows laptops get the WireGuard client from the WireGuard website (not Microsoft).
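The WireGuard layout this reply describes (site A answering the handshake, site B behind NAT initiating it, a roaming laptop peering with site A), as an added example that is not the replier's or MikroTik's own config. The tunnel subnet 10.255.0.0/24, the LAN prefixes 192.168.110.0/24 (site A) and 192.168.94.0/24 (site B), the WAN interface name ether1_WAN, and all keys and endpoints are assumptions or placeholders.

```routeros
# Site A: public IP, listens for handshakes from site B and the laptop.
/interface wireguard
add name=wg0 listen-port=13231 private-key="SITE_A_PRIVATE_KEY"
/ip address
add address=10.255.0.1/24 interface=wg0
/interface wireguard peers
# allowed-address is both the route selector and the inbound source filter:
# only these sources are accepted from each peer, so keep them as narrow as possible.
add interface=wg0 public-key="SITE_B_PUBLIC_KEY" comment="site B router" \
    allowed-address=10.255.0.2/32,192.168.94.0/24
add interface=wg0 public-key="LAPTOP_PUBLIC_KEY" comment="roaming laptop" \
    allowed-address=10.255.0.10/32
/ip route
add dst-address=192.168.94.0/24 gateway=wg0
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard handshake"
add chain=forward action=accept in-interface=wg0
add chain=forward action=accept out-interface=wg0
/ip firewall nat
# Lets the laptop (AllowedIPs 0.0.0.0/0 on its side) use site A's internet.
add chain=srcnat action=masquerade src-address=10.255.0.0/24 out-interface=ether1_WAN

# Site B: behind the ISP NAT, so it initiates and keeps the tunnel alive.
/interface wireguard
add name=wg0 private-key="SITE_B_PRIVATE_KEY"
/ip address
add address=10.255.0.2/24 interface=wg0
/interface wireguard peers
add interface=wg0 public-key="SITE_A_PUBLIC_KEY" endpoint-address=SITE_A_PUBLIC_IP \
    endpoint-port=13231 persistent-keepalive=25s \
    allowed-address=10.255.0.0/24,192.168.110.0/24
/ip route
add dst-address=192.168.110.0/24 gateway=wg0
/ip firewall filter
add chain=forward action=accept in-interface=wg0
add chain=forward action=accept out-interface=wg0
```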

No No No…!
Only reachable Gateway: 192.168.94.1
My Ubiquiti APs like AirFiber are not reachable at 192.168.94.56.
Not able to ping/access my LAN network over the WireGuard site-to-site tunnel.
[attachment: wireguard.PNG]

I am saying that it's all doable, via firewall rules and allowed IPs etc.; you as the admin determine what is accessed.
Take chill pill and do a much better job explaining the requirements clearly.

I have tried a forward accept rule with dst and src address,
but still couldn't access it.

according to this video
https://www.youtube.com/watch?v=vn9ky7p5ESM&t=1s

please guide me which firewall rule I need to apply?
thanks

Both routers.
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)

this is the problem.
if I disable WAN2. everything is working fine.

It’s due to PCC

http://forum.mikrotik.com/t/route-same-lan-on-wan1-but-also-with-pcc/169136/1

please suggest me

If you're such an expert, fix it yourself and stop posting.
I provided reading material that described every issue you're talking about; where is the effort on your part?

If you want assistance then post your config; how many times does one need to ask?
This is my last time.
For BOTH routers.
/export file=anynameyouwish (minus router serial number, public WANIP information, keys etc.)

Site A
/interface bridge
add name=Bridge_LAN
add name="Bridge_LAN Central Park"
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
/interface pppoe-client
add disabled=no interface=ether1_WAN name=PPPoE_PTCL user=ABC
/ip pool
add name=dhcp_pool ranges=192.168.110.11-192.168.110.250
/ip dhcp-server
add address-pool=dhcp_pool interface=Bridge_LAN name=dhcp1

/routing table
add disabled=no fib name=VPN

/ipv6 settings
set disable-ipv6=yes

/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=yes

/ip address
add address=192.168.110.1/24 interface=Bridge_LAN network=192.168.110.0
add address=192.88.16.1/24 interface=Bridge_LAN network=192.88.16.0

/ip dhcp-server lease
add address=192.168.110.101 always-broadcast=yes comment="Windows 10 Laptop" mac-address=74:70:FD:1D:CE:23
add address=192.168.110.102 always-broadcast=yes comment="Windows 11 Laptop" mac-address=74:E5:F9:D1:59:F2
/ip dhcp-server network
add address=192.168.110.0/24 dns-server=192.168.110.1,8.8.8.8,8.8.4.4 gateway=192.168.110.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.110.3 name=airavenue.contegris.com

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.110.0/24

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=PPPoE_PTCL routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=192.168.94.0/24 gateway=192.88.16.2%*F00024 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.94.0/24 gateway=192.88.16.3%*F0002D routing-table=main scope=10 suppress-hw-offload=no

/ppp secret
add local-address=192.88.16.1 name=XYZ profile=default-encryption remote-address=192.88.16.2 routes=192.168.94.0/24 service=l2tp
add local-address=192.88.16.1 name=XZZ profile=default-encryption remote-address=192.88.16.3 service=l2tp


R2
/interface bridge
add name=Bridge_LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-LAN
set [ find default-name=ether2 ] name=ether2-WAN1
set [ find default-name=ether3 ] name=ether3-WAN2
set [ find default-name=ether4 ] name="ether4-TRUNK to Switch"
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface l2tp-client
add connect-to=xx.xx.xx.xx disabled=no name=L2TP_Client use-ipsec=yes user=ronaldo
/interface vlan
add interface="ether4-TRUNK to Switch" name=vlan10 vlan-id=10
add interface="ether4-TRUNK to Switch" name=vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.94.2-192.168.94.254
add name=dhcp_pool3 ranges=10.10.10.10-10.10.10.254
add name=dhcp_pool4 ranges=20.20.20.10-20.20.20.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge_LAN lease-time=10m name=dhcp1
add address-pool=dhcp_pool3 interface=vlan10 lease-time=10m name=dhcp2
add address-pool=dhcp_pool4 interface=vlan20 lease-time=10m name=dhcp3

/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
add disabled=no fib name=vpn_WAN1
/interface bridge port
add bridge=Bridge_LAN interface=ether1-LAN
add bridge=Bridge_LAN interface="ether4-TRUNK to Switch"

/ip address
add address=192.168.94.1/24 interface=Bridge_LAN network=192.168.94.0
add address=192.168.56.11/24 comment=WAN-1 interface=ether2-WAN1 network=192.168.56.0
add address=192.168.57.11/24 comment=WAN-2 interface=ether3-WAN2 network=192.168.57.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=20.20.20.1/24 interface=vlan20 network=20.20.20.0


/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=20.20.20.0/24 gateway=20.20.20.1
add address=192.168.94.0/24 gateway=192.168.94.1
/ip dns
set allow-remote-requests=yes cache-size=10000KiB servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.94.247 list=LORETTA
add address=192.168.94.110 list="Block Internet"
add address=192.168.94.0/24 list=VPN

/ip firewall mangle
add action=mark-connection chain=input in-interface=ether2-WAN1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether3-WAN2 new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_WAN2 passthrough=no
add action=accept chain=prerouting dst-address=192.168.56.0/24 in-interface=Bridge_LAN
add action=accept chain=prerouting dst-address=192.168.57.0/24 in-interface=Bridge_LAN
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:2/0 src-address=192.168.94.0/24
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses:2/1 src-address=192.168.94.0/24
add action=mark-routing chain=prerouting connection-mark=wan1_conn new-routing-mark=to_WAN1 passthrough=yes src-address=192.168.94.0/24
add action=mark-routing chain=prerouting connection-mark=wan2_conn new-routing-mark=to_WAN2 passthrough=yes src-address=192.168.94.0/24

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-WAN1 src-address=192.168.94.0/24
add action=masquerade chain=srcnat out-interface=ether3-WAN2 src-address=192.168.94.0/24
add action=masquerade chain=srcnat src-address=10.10.10.0/24
add action=masquerade chain=srcnat src-address=20.20.20.0/24
add action=masquerade chain=srcnat out-interface=L2TP_Client src-address=192.168.94.0/24

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.56.1%ether2-WAN1 pref-src="" routing-table=to_WAN1 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.57.1%ether3-WAN2 pref-src="" routing-table=to_WAN2 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.56.1%ether2-WAN1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.57.1%ether3-WAN2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=L2TP_Client pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Static Routing" disabled=no distance=1 dst-address=192.88.16.3/24 gateway=L2TP_Client pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10