Hello,

I have Mikrotik at home.
I want to use it as a SSTP client to my work location - I’ve done it over PPP and i’ts connected.
I’ve added routes for that SSTP connection for the work location subnets - they are 10.79.0.0/20 - I can ping stuff over Mikrotik terminal normally.
Mikrotik at home is also my local network router with 192.168.10.0/24 subnet.

What I really want?

I want to access my work environment from my 192.168.10.0/24 home subnet (from couple of PC’s on this network) while using Mikrotik as a Point to Site connection over SSTP - I din’t want to
use my PC and it’s VPN client.

As I said, i CAN ping everything from Mikrotik on that 10.79.0.0/20 subnet, I CAN’T ping that subnet over my home PC connected to that Mikrotik.

What do I need to do to access that range 10.79.0.0./20 over my PC? I suppose I need to add something, but really don’t know or understand what at this moment?

Thanks,
MuWu

Post your current configuration following the hints in my automatic signature below. There may be multiple reasons which we cannot guess.

dec/13/2020 13:34:28 by RouterOS 6.47.8

serial number = xxxxx

/interface bridge
add admin-mac=xxxxxxxxxx auto-mac=no comment=defconf name=Guest_Bridge
add admin-mac=xxxxxxxxxxxx arp=proxy-arp auto-mac=no comment=defconf name=Main_Bridge
/interface ethernet
set [ find default-name=ether1 ] name=Ether1_BnetUplink speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys name=MainSecWifiProfile supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys name=GuestSecWiFiProfile supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=croatia disabled=no distance=indoors frequency=auto hide-ssid=yes mode=ap-bridge name=Master_Wireless_Interface security-profile=MainSecWifiProfile ssid=xxxx station-roaming=enabled wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=4E:5E:0C:B2:DA:13 master-interface=Master_Wireless_Interface multicast-buffering=disabled name=Guest_Wireless_Interface_Virtual security-profile=GuestSecWiFiProfile ssid=MuWuGuest station-roaming=enabled wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=Main_DHCP_Pool ranges=192.168.10.150-192.168.10.200
add name=Guest_DHCP_Pool ranges=192.168.15.2-192.168.15.254
/ip dhcp-server
add address-pool=Main_DHCP_Pool disabled=no interface=Main_Bridge lease-time=1d name=Main_DHCP_Server
add address-pool=Guest_DHCP_Pool disabled=no interface=Guest_Bridge lease-time=1d name=Guest_DHCP_Server
/ppp profile

/interface sstp-client
add connect-to=WORK VPN SERVER ADDRESS name=sstp-out1 profile=SSTP_Work_Profile user=xxxxxxx
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=Main_Bridge comment=defconf interface=ether2
add bridge=Main_Bridge comment=defconf interface=ether3
add bridge=Main_Bridge comment=defconf interface=ether4
add bridge=Main_Bridge comment=defconf interface=ether5
add bridge=Main_Bridge comment=defconf interface=Master_Wireless_Interface
add bridge=Guest_Bridge interface=Guest_Wireless_Interface_Virtual
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/interface detect-internet
set detect-interface-list=all

/interface list member
add comment=defconf interface=Main_Bridge list=LAN
add comment=defconf interface=Ether1_BnetUplink list=WAN
/interface wireless access-list
add comment=“xxxx\E2\80\99s xxxxx” interface=Master_Wireless_Interface mac-address=xxxxxxxxxx
add comment=“xxxxx” interface=Master_Wireless_Interface mac-address=xxxxxxxxxx
/ip address
add address=192.168.10.1/24 comment=defconf interface=Main_Bridge network=192.168.10.0
add address=192.168.15.1/24 comment=defconf interface=Guest_Bridge network=192.168.15.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=Ether1_BnetUplink
/ip dhcp-server lease
add address=192.168.10.200 client-id=xxxxxxxxxxx mac-address=xxxxxxxx server=Main_DHCP_Server
add address=192.168.10.55 client-id=xxxxxxxxx mac-address=xxxxxx server=Main_DHCP_Server
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1,8.8.8.8,8.8.4.4 domain=muwu gateway=192.168.10.1
add address=192.168.15.0/24 comment=defconf dns-server=192.168.15.1,8.8.8.8,8.8.4.4 gateway=192.168.15.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.1,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=drop chain=forward comment=“DROP GUEST TO MAIN TRAFFIC” dst-address=192.168.10.0/24 src-address=192.168.15.0/24
add action=accept chain=input in-interface=Ether1_BnetUplink protocol=gre
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=input comment=“defconf: drop all not coming from LAN” disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface=Ether1_BnetUplink

/ip route
add distance=1 dst-address=10.79.0.0/20 gateway=sstp-out1
/ip service
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=xxxxxxxxxx
/system logging
add topics=e-mail
add topics=script
add topics=write
add topics=wireless
/system ntp client
set enabled=yes primary-ntp=xxxxxx secondary-ntp=xxxxxx
/system scheduler
/tool e-mail
set address=xxxx from=xxxxx port=587 start-tls=yes user=xxxxx
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If it is enough that clients in your home subnet can initiate connections to servers in the office subnet, and not vice versa, it is sufficient to add a masquerade rule at the home router:
/ip firewall nat add chain=srcnat action=masquerade out-interface=sstp-out1

If you want that also clients in the office could connect to servers in your home subnet, you have to set up routing in the office so that it knew that 192.168.10.0/24 and 192.168.15.0/24 are accessible via the SSTP tunnel; if you do that, the masquerade rule above will not be necessary. If there are more routers in the office than just that Mikrotik, this may be a more complex task.

Off topic, it is better to place configuration exports between [****code] and [/****code] tags.

Thanks man, I thought of the masquerade rule but didn’t know where and how to apply it, I can now ping the subnet in the office from my home PC’s but the problem is I can’t access anything via RDP?
Do you have an idea how to solve that?

The firewall in the home router doesn’t block connections from LAN to any destination, so it is either the firewall on some of the routers in the office or a firewall on the destination machine itself. So post the export of the configuration of the Mikrotik in the office, but if there are other routers between it and the PC you want to RDP to, you may have to configure those as well.

hmm..

let me try to explain.

When I use this same SSTP VPN config on my Win 10 pc at home, I can access everything through RDP in that 10.79.0.0 range. So the Work FW or VM FW is not blocking since I use the RDP connections regulary.

Currently, with the PPP connection for that SSTP VPN going on my Mikrotik, I’ve added the masquerade rule you provided and now I can ping the 10.79.0.0 machines like I told you from my PC, but when I try to telnet to them through port 3389 that doesn’t get passthrough - seems to me, If I’m not mistaking, that my home Mikrotik needs one more rule or setting for that tunnel or something ?

Any ideas?
Thanks

For instance:

I connect to VPN from my Win 10 machine - try telnet from my PC to 10.79.0.xxx 3389 and it passes
I connect to that same VPN through Mikrotik - try to telnet from my PC to 10.79.0.xxx 3389 and it doesn’t pass

What exactly means “doesn’t get passthrough”, what error message do you get when trying the telnet? There is nothing in the firewall of the home router that could block connections to TCP port 3389 from LAN through the SSTP tunnel, so I can only imagine some PMTU discovery issue causing larger packets not to get through (whereas the virtual interface at the Windows embedded VPN client reports a low enough MTU to the application so there is no issue). You can check this by adding two mangle rules:

/ip firewall mangle
add chain=forward in-interface=Main_Bridge out-interface=sstp-out1 protocol=tcp tcp-flags=syn action=change-mss new-mss=1300
add chain=forward in-interface=sstp-out1 out-interface=Main_Bridge protocol=tcp tcp-flags=syn action=change-mss new-mss=1300

I don’t know how exactly the RDP initial exchange looks like at application level (after the TCP session establishment) - if the server side is the first one to send some payload data, this could explain why even the telnet “fails”.

So this is the error:

telnet 10.79.0.xxx 3389
Connecting To 10.79.0.xxx…Could not open connection to the host, on port 3389: Connect failed

I’ve added those mangle rules, still nothing…

So it’s time to start sniffing. On the Mikrotik, make the command line window as wide as your screen allows and run /tool sniffer quick ip-address=10.79.0.xxx in it, run the telnet command on Windows, and post the output ot the sniffer.

image

/interface bridge settings set use-ip-firewall=no and try again.

Tried it .. still the same

Another blind shot: /interface detect-internet set detect-interface-list=none (and keep the use-ip-firewall set to no as well). The “detect internet” function has been reported to cause various kinds of surprises.

Unless you have removed something when posting the configuration, there is nothing in the firewall rules that could prevent TCP from being routed from bridge (ether5) to sstp-out1, whereas the sniff shows it is not forwarded (unless you’ve added some additional condition to the /tool sniffer command).

What does /ip route check 10.79.0.150 show?

sindy - thank you very very much for your help!
It’s my bad - I’ve noticed I had a NAT rule for RDP later on which I didn’t posted where I didn’t put an Input interface on it and it was applied for all RDP traffic internally and externally and that’s why I couldn’t go through Mikrotik via RDP.

Nevertheless, your skills are very high, you helped me with your advices and of course with your first one where you posted to set a masquerade rule for the SSTP OUT interface which was realistically 100% of the problem.

I’m sorry I took your time but I’m grateful you thought me something new and helped me understand Mikrotik syntax and config a little bit more.

Have a great day and thank you once more! I’m so happy right now!
MuWu

To ti je tipičan primjer zašto je uvijek potrebno pokazati kompletnu konfiguraciju - u gotovo svim slučajevima je problem u dijelu koji ne objavljaš jer misliš da nije povezan.

Slazem se - nemam tu sta nadodati nego se ispricati, svakako si problem rjesio

Hvala ti na pomoci!

Mogao si napisat odmah na hrv, mozda bi i ja prije shvatio neke stvari :)