No access to LAN over SSTP VPN (can only ping router)

Hi,

Context:
On one hand, I have a client PC somewhere on the Internet; on the other, I have a RouterBoard connected behind a box at the Office.

I set up the SSTP server; the client PC connects correctly, and when I visit https://www.whatismyip.com/, the client PC shows the Office IP.

When I’m on the client PC, I can ping the RouterBoard and the box. But I cannot ping the LAN side of the RouterBoard.

I enabled proxy-arp on the LAN side of the bridge, but without success…

Question:

I would like to:

  • access the LAN side of the RouterBoard from my VPN client machine.
  • not send my Internet traffic through the VPN when I’m on my client machine.

Fill in the following information:
MikroTik LAN IP: 192.168.1.1
LAN DHCP Range: 192.168.1.0/24

[admin@MikroTik] > /ip pool print
 # NAME          RANGES
 0 dhcp_pool1    192.168.1.2-192.168.1.254
 1 VPN           10.10.10.11-10.10.10.20
 2 pool1         192.168.0.0/24



[admin@MikroTik] > /ppp profile print detail
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 

 1   name="test" local-address=10.10.10.10 remote-address=VPN use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 

 2 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""



[admin@MikroTik] > /ppp secret print detail 
Flags: X - disabled 
 0   name="mickael" service=any caller-id="" password="xxxx" profile="test" routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=nov/08/2016 11:16:43



[admin@MikroTik] > /interface sstp-server server print  
                    enabled: yes
                       port: 443
                    max-mtu: 1500
                    max-mru: 1500
                       mrru: disabled
          keepalive-timeout: 60
            default-profile: test
             authentication: pap,chap,mschap1,mschap2
                certificate: cert1
  verify-client-certificate: no
                  force-aes: no
                        pfs: no
                tls-version: any

Thank you for your help.

Best regards

How about any firewall filter rules?

For only routing the traffic to the office over the SSTP connection, you have to connect to your office without supplying a default gateway to the connection.
Additionally, you have to manually put a route on your desktop for the network segment(s) used at your office, pointing to the far end-point of your SSTP connection.

Hi Rudios,

I have no filter rules.

Is it not possible to add a static route on the RouterBoard directly?

What if you do a traceroute towards the server?

It looks like servers do not know how to reach your VPN network.

You should add a route to your remote network on your RB1100.

Hello everyone,

I tried several combinations of static routes, without success :frowning:

On your RB1100, put the following:
/ip route
add dst-address=192.168.0.0/24 gateway=10.10.10.11

You have to use proxy-arp mode in your bridge.

Hi Rudios,

I have added this route:

[admin@MikroTik] > /ip route
[admin@MikroTik] /ip route> add dst-address=192.168.0.0/24 gateway=10.10.10.11
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.10.1              1
 1 ADS  0.0.0.0/0                          192.168.10.1              0
 2 ADC  10.10.10.11/32     10.10.10.10     <sstp-mickael>            0
 3 ADC  10.10.10.12/32     10.10.10.10     <sstp-vivien>             0
 4 A S  192.168.0.0/24                     10.10.10.11               1
 5 ADC  192.168.1.0/24     192.168.1.1     VLAN2                     0
 6 ADC  192.168.10.0/24    192.168.10.150  WAN1                      0

Same problem :frowning:

Hi Siona,

Yes, it’s active:

name="VLAN2" mtu=auto actual-mtu=1500 l2mtu=1596 arp=proxy-arp 
      arp-timeout=auto mac-address=00:0C:42:EB:2B:E9 protocol-mode=rstp 
      priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 
      max-message-age=20s forward-delay=15s transmit-hold-count=6 
      ageing-time=5m

Hi everyone,

I found my mistake; actually everything worked from the start, without having to add a route.
The packets arrived fine in my LAN but could not return to the VPN, because I was marking packets from my LAN to WAN1.
I therefore excluded the VPN from the packet marking:

chain=prerouting action=mark-routing new-routing-mark=to_WAN1 
      passthrough=yes dst-address=!10.10.10.0/24 in-interface=VLAN2 log=no 
      log-prefix=""

So, I have 2 questions:

How to prevent the client from accessing the Internet via the VPN? The client would have access only to the office LAN, and reach Internet resources via its own ISP?

When the client accesses the office via the VPN, it has access to the PC server (192.168.1.20) only by IP. How to tell the RouterBoard that it should resolve the names of the machines on the network?


Thank you,

Best regards.
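The fix described in the post above, written out as an added example (not the poster's own configuration) in RouterOS v6 CLI syntax. It assumes the addresses from the thread (LAN 192.168.1.0/24 on VLAN2, SSTP pool inside 10.10.10.0/24, WAN1 gateway 192.168.10.1) and a routing-mark table named to_WAN1 with its own default route, which the thread implies but does not show.

```routeros
# Added example, not the thread's own config. Assumed: RouterOS v6 syntax,
# routing mark "to_WAN1" already used by the poster's mangle rule.

/ip firewall mangle
# Broken variant (kept disabled here for comparison): every packet entering
# from VLAN2 is marked to_WAN1, including replies addressed to VPN clients,
# so they are sent out WAN1 instead of back through the <sstp-*> interface.
add chain=prerouting in-interface=VLAN2 action=mark-routing \
    new-routing-mark=to_WAN1 passthrough=yes disabled=yes \
    comment="broken: also marks replies to VPN clients"

# Fixed variant: exclude the VPN client subnet so those replies stay in the
# main table, where the dynamic /32 routes to <sstp-mickael> etc. live.
add chain=prerouting in-interface=VLAN2 dst-address=!10.10.10.0/24 \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=yes \
    comment="fixed: VPN return traffic uses the main table"

# The marked table needs its own default route (assumed, not shown in thread).
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=to_WAN1

# Checks: the to_WAN1 table should hold only the default route, while a VPN
# client address must resolve to its dynamic connected route in main.
/ip route print where routing-mark=to_WAN1
/ip route print where dst-address=10.10.10.11/32
```

The same exclusion must be repeated for any other mark-routing rule that matches LAN-originated traffic, or the return path breaks again for that rule's traffic.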

Good to hear you solved your problem.

So, I have 2 questions:

How to prevent the client from accessing the Internet via the VPN? The client would have access only to the office LAN, and reach Internet resources via its own ISP?

You have to make sure that the SSTP connection is not supplying a gateway towards the client; however, you then have to manually configure a route to your 192.168.1.0/24 network.

When the client accesses the office via the VPN, it has access to the PC server (192.168.1.20) only by IP. How to tell the RouterBoard that it should resolve the names of the machines on the network?

I guess this has to do with DNS / ARP, and I’m not sure how to solve this.