I have a customer that I have connected via RB112 with Src and Dst Nat and given his ‘Hot Brick’ VPN router a private address. On the other end, his ‘Hot Brick’ has a public IP. He has enabled IPsec and Netbios on his routers.
Much to his dismay, the VPN established just fine. However, it drops the connection whenever he tries to pull a file across the VPN. (It’s not the wireless link, he’s holding 4mb each way with 20ms ptp.)
The “Hot Brick” maker says you can’t NAT an IPsec VPN, and that’s the problem.
I believe that it’s the cheap ‘Hot Brick’ router.
I’m new to Mikrotik, and it’s my first attempt at providing NAT’d addresses to customers.
IPSec does not work for natted hosts without special implementations.
The router should support NAT-T if you want to forward data between PC1 and PC2 in the following diagram (PC1—>Router_performing_NAT—>Internet—>PC2). MikroTik RouterOS has NAT-T support in RouterOS3; RouterOS3 is in beta stage now.
You can use alternative VPN protocols, L2TP or L2TP/IPSec. An L2TP tunnel works through NAT.
PPTP also requires special helpers to work through NAT.
The customers’ ‘hot bricks’ are actually using L2TP/IPSec. So does that mean it should be working? Again, the VPN tunnel is up, but crashes when they try to open files.
I have RB112 in place at one end, and was planning on replacing Karlnet radio with RB112 on other end.
I have thought about setting up an EoIP tunnel and doing away with the customer’s ‘hot brick’ routers.
Or I could change to RB532 and implement L2TP from MT to MT… Would that be the best solution?
What do you mean by tunnel crash?
Do you have an L2TP tunnel established between RouterOS and your router?
L2TP should work fine both between two MikroTik routers and between a MikroTik router and any other third-party router.
EoIP tunnel works only between two MikroTik routers.
I may have found my problem… The customer said he could ping the other side, but when he tried to transfer files, it would hang.
I set up and tested an IPIP tunnel between two test radios. I noticed that when I transferred files, it was on port 445, which I had put a filter on our core router to block back when the Sasser worm was bad. (I’m bad!)
I also had put a rule to allow me to get to port 8291 for Winbox, and apparently it was forwarding all traffic to the radio.
The filter was removed and the firewall rule was removed and they are working.
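A hypothetical RouterOS firewall fragment, added here and not taken from the thread, showing the two mistakes described in the last post next to their corrected forms. The public address 203.0.113.10, the radio address 10.0.0.2, the rule comments and the use of `disabled=yes` are all assumptions, not the poster’s configuration.

```routeros
# Constructed example: 203.0.113.10 is the NATed public address on the
# core router, 10.0.0.2 is the radio behind it. Both are assumed values.

/ip firewall nat
# WRONG: no protocol or dst-port match, so this dst-nat rule redirects
# every packet arriving at 203.0.113.10 to the radio, not just Winbox.
# The customer's L2TP/IPsec traffic (UDP 500/4500/1701, ESP) is caught too.
add chain=dstnat dst-address=203.0.113.10 action=dst-nat \
    to-addresses=10.0.0.2 comment="winbox (too broad)" disabled=yes

# RIGHT: match only TCP 8291, so nothing else is redirected.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=8291 \
    action=dst-nat to-addresses=10.0.0.2 to-ports=8291 comment="winbox"

/ip firewall filter
# Leftover worm-era rule: drops SMB (TCP 445) for all transit traffic in
# the forward chain, which stalls file transfers exactly as described in
# the thread. Shown disabled rather than deleted so it stays visible.
add chain=forward protocol=tcp dst-port=445 action=drop \
    comment="sasser block (stalls SMB file copies)" disabled=yes

# Check: while a transfer hangs, a rule whose packet counter keeps
# climbing is the suspect. Both commands print per-rule counters.
/ip firewall filter print stats
/ip firewall nat print stats
```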