Thanks for the nice network schema.
It is easy to explain, as in that drawing there is also Internet (in RED).
Well, the VPN story is very similar to the Internet story.
For Internet, your PC can work with public web servers, but the web servers cannot initiate a connection with your PC. The reason for this is that the internet access is done through NAT/masquerade, and there is (should be) a firewall protecting your LAN environment. The NAT/masquerade is needed so your PC uses your public IP address for accessing the webserver. Multiple NAT levels may be used (one in the Mikrotik router, and another in the TP Link router). The webservers can answer using the connection initiated by the PC, as long as the NAT tracking is still valid, and the firewall allows answers for ‘established’ connections.
Connecting initially from the web server to the PC would require the webserver to use your public IP address, and port-forwarding and access rules must have been set.
The VPN connection is very similar. (Maybe the firewall will allow more.) But the company servers need to use a company IP address to point to the PC. If NAT was used, the PPTP link would have been with a company IP address, but still port forwarding is needed to do the correct reverse-NAT to your PC, through the Mikrotik router. The TP Link router still has the open established VPN connection, so that NAT is bypassed.
To avoid port forwarding, one could work without NAT for the VPN. But then the home LAN subnet must be known to the corporate network, and routes must be set to find your PC with a home IP address. If there are many home users, then they probably all use 192.168.0.0/24 as local network. So NAT is handy to masquerade this.
If it is only a limited number of PCs at home, they could be mapped on some extra PPTP IP addresses on the Mikrotik router (IP addresses are in the corporate network range, so they know the route to them). The Mikrotik home router then does the forwarding.
So an established VPN creates an open path from the company to your Mikrotik router (even passing the TP Link firewall and NAT). You need a corporate IP address for the PC if you want full access to it from the company, or you could just forward some ports to the PC.
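The NAT behaviour described in the post above, as an added example that is not part of the original post: a toy Python model of a masquerading router with connection tracking and port forwarding. All addresses, ports and names (`NatRouter`, `demo`) are constructed for illustration; this is not RouterOS code.

```python
"""Toy model of a masquerading router with connection tracking (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    public_ip: str
    # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    conntrack: dict = field(default_factory=dict)
    # public_port -> (lan_ip, lan_port), i.e. port-forward (dst-nat) rules
    port_forwards: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host initiates: masquerade the source and remember the mapping."""
        public_port = self.next_port
        self.next_port += 1
        self.conntrack[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.public_ip, public_port)  # what the remote server sees

    def inbound(self, remote_ip, remote_port, dst_port):
        """Packet arriving on the public side; returns the LAN target or None (dropped)."""
        key = (dst_port, remote_ip, remote_port)
        if key in self.conntrack:            # answer on an 'established' connection
            return self.conntrack[key]
        if dst_port in self.port_forwards:   # new connection allowed by a forward rule
            self.conntrack[key] = self.port_forwards[dst_port]
            return self.conntrack[key]
        return None                          # unsolicited: no state and no rule

    def expire(self):
        """NAT tracking timed out: all remembered mappings are gone."""
        self.conntrack.clear()


def demo():
    pc, server = ("192.168.0.10", 51000), ("203.0.113.80", 443)  # constructed values
    router = NatRouter(public_ip="198.51.100.7")
    seen = router.outbound(*pc, *server)
    out = {"seen_by_server": seen, "reply": router.inbound(*server, seen[1])}
    out["unsolicited"] = router.inbound(*server, 3389)
    router.expire()
    out["reply_after_expiry"] = router.inbound(*server, seen[1])
    router.port_forwards[3389] = ("192.168.0.10", 3389)
    out["forwarded"] = router.inbound(*server, 3389)
    return out


if __name__ == "__main__":
    print(demo())
```
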