I can connect successfully to the VPN and can get to the Webfig of the 2011. The network looks like this. The 2011 is in bridge mode behind a cable router. The cable router is the DHCP server and gives out 192.168.1.0 addresses. The cable between the 2011 and the cable router is plugged into ether1 of the 2011.
The problem I have is that I cannot get to any other machines on the network (can’t ping them) and I can’t get internet access.
I have put my config below and wonder if anyone can spot where I am going wrong.
Thanks in advance.
Charles
[admin@MikroTik] > /ip export
# aug/16/2017 05:55:13 by RouterOS 6.40.1
# software id = 65FW-3KRA
#
# model = 2011UiAS-2HnD
# serial number = 52CF04D88C3A
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.99.2-192.168.99.100
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge-local name=default
/ip address
add address=192.168.1.203/8 comment="default configuration" disabled=yes interface=ether6-master-local network=192.0.0.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=bridge-local
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.203 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=bridge-local
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=ether1-master-local
/ip route
add disabled=yes distance=1 gateway=192.168.1.1
########
/ppp export
# aug/16/2017 05:56:09 by RouterOS 6.40.1
# software id = 65FW-3KRA
#
# model = 2011UiAS-2HnD
# serial number = 52CF04D88C3A
/ppp profile
set *0 local-address=192.168.99.1 remote-address=vpn-pool
/ppp secret
add name=W10 password=xxx
add name=Nexus password=xxx
########
/interface export
# aug/16/2017 05:56:45 by RouterOS 6.40.1
# software id = 65FW-3KRA
#
# model = 2011UiAS-2HnD
# serial number = 52CF04D88C3A
/interface bridge
add admin-mac=4C:5E:0C:B8:9D:92 auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="united kingdom" disabled=no distance=indoors frequency=2422 mode=ap-bridge ssid=xxxx-2G wireless-protocol=802.11 wps-mode=disabled
/interface wireless
add disabled=no mac-address=4E:5E:0C:B8:9D:9B master-interface=wlan1 name=wlan2 security-profile=Guest ssid=xxxx-guest wds-default-bridge=bridge-local wps-mode=disabled
/interface bridge port
add bridge=bridge-local interface=ether1-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=wlan2
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=xxxxxxxx use-ipsec=yes
You need to set "arp=proxy-arp" on the bridge interface in your MikroTik device.
Then communication in the same subnet will be possible.
The reason it is not working right now is that the server connected to the LAN cannot talk to the VPN clients. They seem to have an IP address from a range that is "connected" on the server (i.e. part of the subnet and covered by the netmask), so what the server does is just issue an ARP lookup for the MAC address that should be used to talk to the specific IP your VPN client has. Since no one on the subnet has this address, there will be no reply, so the packet cannot be sent out from the server.
With proxy ARP enabled, the router that terminates the VPN sessions will reply to those ARP queries with its own MAC address, so the frames will be sent to this device, which knows exactly how to reach the connected VPN clients.
But I'm not quite sure whether non-routable protocols (like mDNS and similar) will work this way, most probably not at all. But you will have IP-level reachability.
The above two replies are not correct, as the VPN client clearly gets an address from a separate range than the local network, so all replies should be sent via the router without using proxy arp.
It is only required to use proxy arp when the clients use a network address within the LAN range.
Do some packet sniffing to see where it goes wrong.
I agree with pe1chl. Proxy-Arp is not required if on a different subnet. The Virgin Media Router is set up correctly as connections are being made.
One other thing I’ve noticed is that the Windows machine I connect with does not have a “Gateway” for the VPN connection (when using ipconfig). Should it have?
And I’ve never sniffed packets before so will need to do some reading. Or are there a couple of simple tests I could do?
You should first investigate if it is the forward or the reverse path that does not work, e.g. by tracing packets on a server or on the LAN port of the router to check if you see the incoming SYN and the return SYN ACK packet passing by. It could be that the server does not have a return route for the packet.
OK, now I have my focus together.
The issue is that I guess the server has a default gateway setting that points to the "Virgin router" at 192.168.1.1.
That alone would not be an issue, but I guess the Virgin box does not have a route for the VPN address pool, just a single default route that points towards the internet.
So as the server tries to reply to the packets, it will send them to the Virgin; then the Virgin will send them along the default route towards the internet, so the packets never arrive back at the VPN clients.
One way to fix that is to put a static route in the server for the VPN address pool that points to the MikroTik device (192.168.1.200?), but this is not very scalable, as you'd need the same trick for all devices in the LAN if they want to reach/be reached by the VPN-connected clients.
The one-liner to solve the issue is to put the above-mentioned static route into the Virgin box. This will fix the problem, and after the first packet is routed through it, it will send an ICMP redirect back to the server to use the MikroTik's MAC address as Ethernet DST, so it will be eliminated from the actual forwarding path.
If you don't have access to the Virgin box, or it does not allow you to install any extra static routes, there is a dirty workaround:
You can install a masquerade rule in the MikroTik firewall NAT config for each packet with out-interface=bridge. So essentially all traffic from the VPN clients will be source-NATted to the MikroTik's IP, so the server and all other devices can reply to them. It will work for all traffic that originates from the VPN clients, but obviously they will not be reachable from the LAN as their address will not be exposed... so this one is just a half-baked "solution".
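The diagnosis (watch for the SYN and the missing SYN/ACK on the LAN side) and the three fixes discussed in the two replies above, as an added RouterOS example that is not part of the thread. It assumes the addressing from Charles's first export: LAN 192.168.1.0/24 behind the Virgin router at 192.168.1.1, the MikroTik's LAN address 192.168.1.203 on bridge-local, VPN pool 192.168.99.2-192.168.99.100 (so a /24 covers it), and, purely for illustration, a VPN client at 192.168.99.5 and a LAN server at 192.168.1.50.

```routeros
# Added example, not from the thread. Assumed names/addresses: bridge-local = the LAN interface,
# 192.168.1.203 = MikroTik LAN address, 192.168.1.1 = Virgin router (LAN default gateway),
# 192.168.99.0/24 = VPN pool, 192.168.99.5 = a connected VPN client, 192.168.1.50 = a LAN server.

# 1. Diagnose: capture LAN-side traffic to/from the VPN client while the client opens a TCP
#    connection to the server. If the SYN from 192.168.99.5 shows up but no SYN/ACK comes back
#    through bridge-local, the server is sending its reply to 192.168.1.1, which has no route
#    for 192.168.99.0/24 and forwards it to the internet.
/tool sniffer quick interface=bridge-local ip-address=192.168.99.5 ip-protocol=tcp

# 2a. Proper fix: teach the LAN side where the VPN pool lives.
#     On the Virgin router (if it accepts static routes):
#        destination 192.168.99.0/24, gateway 192.168.1.203
#     Or per host, e.g. on a Linux server (run as root):
#        ip route add 192.168.99.0/24 via 192.168.1.203
#     or on Windows (administrator prompt, persistent):
#        route -p add 192.168.99.0 mask 255.255.255.0 192.168.1.203

# 2b. Workaround when the upstream router cannot take a route: source-NAT the VPN clients to the
#     MikroTik's own LAN address so every LAN host replies to 192.168.1.203. Match only the pool,
#     not all srcnat traffic, so nothing else on the bridge is rewritten. Side effect: VPN clients
#     are no longer reachable *from* the LAN, they only initiate.
/ip firewall nat add chain=srcnat src-address=192.168.99.0/24 out-interface=bridge-local \
    action=masquerade comment="VPN clients -> LAN (workaround, hides clients from LAN)"

# 3. Verify the return path from the router itself: with the route (2a) or NAT (2b) in place,
#    the LAN server should answer a ping sourced from the MikroTik's LAN address, and a ping from
#    the VPN client to 192.168.1.50 should now succeed as well.
/ping 192.168.1.50 src-address=192.168.1.203 count=3
/ping 192.168.99.5 src-address=192.168.1.203 count=3
```

Prefer 2a: a single route on the upstream router keeps VPN clients addressable from the LAN and leaves no NAT rule that silently hides them; use 2b only if the Virgin box cannot hold a static route.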
Thanks for the suggestion. The rule sounds complicated!
I thought that if I changed the vpn-pool to 192.168.1.100-110 then I'd be in the same range as the Virgin router (I put proxy-arp on the bridge). That didn't give me access to the internet, but when I put in 192.168.1.1 I get to the 2011, not the Virgin Router.
Also
If I do a traceroute from the VPN Client to 8.8.8.8, it gets through.
If I do a traceroute from the VPN Client to www.bbc.co.uk, it DOES NOT get through.
Judging by the fact that you can do a traceroute successfully to 8.8.8.8 from a connected VPN client, you do have internet access.
As you correctly pointed out, it seems to be a DNS issue, like your remote clients do not have a proper DNS entry when they are connected to your VPN.
Do you send DNS info to them via PPP profiles? From the previous config it seems you do not. Just put this in to make sure you're actually doing it:
/ppp profile set <insert the profile name you use> dns-server=8.8.8.8
It can be that the remote devices already received (via DHCP or from another operator) a different DNS server IP which is either not reachable if they are connected to your VPN, or is blocking DNS requests coming from foreign address space (a common approach taken by many access providers as a DDoS countermeasure).
Also
If I do a traceroute from the VPN Client to 8.8.8.8, it gets through.
If I do a traceroute from the VPN Client to http://www.bbc.co.uk, it DOES NOT get through.
This last one is strange. I guess you use your browser to access the address. Where does the issue happen, from VPN clients or from the LAN?
Looking at your previous config, it has this line:
/ppp profile set *0 local-address=192.168.99.1 remote-address=vpn-pool
I'm not sure how it is right now, but if the issue is affecting the VPN clients, I guess you mistakenly used 192.168.1.1 as local-address in the PPP profile.
Change this address to 192.168.1.203 (as far as I remember this was your router's IP on the LAN) and you're good to go. Or you can have anything "private" there, as long as it does not overlap with anything else. If my theory is right, it is right now overlapping with the IP of the Virgin router.
Adding dns-server=8.8.8.8 to the /ppp profile meant I could access the internet. So the VPN client doesn't know where to go without the DNS address.
and
Changing to local-address=192.168.1.203 meant I could see all local addresses. I presume this is because the local-address needs to be the VPN server (the 2011), not the router on 192.168.1.1 as implied in the tutorial.
Also, arp=proxy-arp is needed if the vpn pool is in the same range as the local pool.
The original tutorial may need to change to reflect the vpn server sitting behind a router which is more normal in a home environment where “retail” routers are usually not clever enough to receive vpn connections themselves.
Additionally, I reset the whole config from the start and chose not to install the default config. That means I'm running with no firewall, which made the setup easier. The 2011 is behind my other router's firewall, so I hope I'm safe!!
The code I ended up with is below.
Thanks for the help!
Charles
/interface bridge
add arp=proxy-arp name=bridge
/ip pool
add name=vpn-pool ranges=192.168.1.100-192.168.1.110
/ppp profile
set *0 dns-server=8.8.8.8 local-address=192.168.1.203 remote-address=vpn-pool
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=secret use-ipsec=yes
/ppp secret
add name=W10 password=xxxxxx
add name=Nexus password=xxxxxx
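The final config above runs the 2011 with no input filter at all, while the Virgin router must be forwarding UDP 500/4500 (and ESP/NAT-T) to 192.168.1.203 for the L2TP/IPsec connections to arrive, so the MikroTik's L2TP service is internet-facing. Below is an added example of a minimal input chain for exactly this layout; it is not Charles's config or the tutorial's. It assumes the final layout as posted (one bridge named "bridge" carrying the whole LAN, router address 192.168.1.203, VPN pool 192.168.1.100-110 inside the LAN subnet) and that the port forwards on the Virgin router exist. One caveat that follows from the same setup: the Virgin router is the DHCP server for 192.168.1.0/24, so 192.168.1.100-110 should be excluded from its DHCP scope, otherwise a LAN host and a VPN client can end up with the same address.

```routeros
# Added example, not from the thread. Assumed: bridge "bridge" is the only L3 interface,
# MikroTik LAN address 192.168.1.203, Virgin router forwards UDP 500/4500 to it,
# VPN pool 192.168.1.100-192.168.1.110 (inside the LAN subnet, proxy-arp on the bridge).

/ip firewall address-list
add list=mgmt address=192.168.1.0/24 comment="hosts allowed to reach Webfig/WinBox/SSH (LAN + VPN pool)"

/ip firewall filter
# Stateful baseline: let replies through, discard junk
add chain=input connection-state=established,related action=accept comment="replies"
add chain=input connection-state=invalid action=drop comment="invalid"
add chain=input protocol=icmp action=accept comment="ping/path MTU"

# The VPN's front door: IKE, NAT-T and ESP may come from anywhere (forwarded by the Virgin box)
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"

# L2TP is only accepted inside the IPsec tunnel; bare UDP/1701 from the internet is refused,
# which is what use-ipsec=yes on the l2tp-server is supposed to guarantee
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP (IPsec only)"
add chain=input protocol=udp dst-port=1701 action=drop comment="L2TP without IPsec"

# Management and DNS from the LAN/VPN address list only, then drop everything else
add chain=input src-address-list=mgmt action=accept comment="management from LAN/VPN"
add chain=input action=drop comment="drop everything else to the router"

# Tie the two accounts to the L2TP service so the same secret cannot be used for PPTP/SSTP/etc.
/ppp secret
set [ find name=W10 ] service=l2tp
set [ find name=Nexus ] service=l2tp
```

Because every ethernet and wireless port sits in the same bridge, "input" here means everything addressed to the router itself, including what the Virgin router forwards from the internet; the rules therefore only expose IKE/ESP and IPsec-protected L2TP outside the LAN, and keep the L2TP/IPsec pre-shared secret (ipsec-secret above) as the one thing an internet-side attacker can go after, so it should be long and random, not a dictionary word.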