I’m configuring an SSTP VPN server for remote users in such a way that traffic from remote users will be tunneled and access to the internet should go through another firewall in my network. I got stuck in a situation where ping packets from a VPN user to the internet go through the company firewall. The reply comes back to the inside interface of the Mikrotik VPN server and then it is lost somewhere. There is no NAT on the Mikrotik router and one mangle rule adding a mark to packets going from the VPN to the internet. Packet capture from the inside interface shows echo request and echo reply with correct addresses, but packet capture from the SSTP interface shows only echo request packets; the reply is lost somewhere. Communication to/from the LAN network is correct and possible both ways (I can ping LAN addresses from the VPN client and the VPN client from a LAN machine).
A simple diagram of this setup:

Could someone help me find the (possibly stupid) fault in my config (below)?
Important parts of the config:
VPN clients get IP from
/ip pool
add name=vpn-pool1 ranges=10.104.17.10-10.104.17.250
routing mark
/ip firewall mangle
add action=mark-routing chain=prerouting connection-state="" dst-address=\
!10.0.0.0/8 in-interface=all-ppp log=yes log-prefix=MANGLE1 \
new-routing-mark=vpn-users passthrough=no src-address=10.104.17.0/24
routing
/ip route
add distance=1 gateway=<internal_router> routing-mark=vpn-users
add distance=2 gateway=<internet_gateway>
add distance=1 dst-address=10.0.0.0/8 gateway=<internal_router>
add distance=1 dst-address=172.16.0.0/12 gateway=<internal_router>
and an active routing table
[admin@VPN] > /ip ro pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 <internal_router> 1
1 A S 0.0.0.0/0 <internet_gateway> 1
2 A S 10.0.0.0/8 <internal_router> 1
3 ADC 10.104.17.250/32 10.104.17.1 <sstp-ppp1> 0
4 A S 172.16.0.0/12 <internal_router> 1