Problem reaching other VLANs from PPTP VPN connection

Hello all,

I’ve been working on this for a few days and searched everything I can think of… I had this RB450G working pretty well in my lab, but when it came time to deploy it, I had to add in PPPoE and tweak a few settings. It’s almost where it needs to be, but when I VPN in, I can only reach the management VLAN and I need to be able to reach the “Trusted” VLAN as well. I’m including a good chunk of my config just in case there’s anything else glaring I screwed up during all the changes. Thanks for taking a look!

Essentially I have the untagged (management), 10 (trusted), 20 (voip - future use), and 30 (guest mode) VLANs set up. Later I’ll block anyone on VLAN10 from seeing the default VLAN - right now eth5 is tagged for VLAN10 to go to a dumb switch; eth2-4 are plugged into VLAN-aware equipment so they’re basically trunked. On the LAN side, I seem to be getting the desired results so far - it’s just remotely, via PPTP VPN, that I’m noticing a problem.

# apr/30/2012 15:21:38 by RouterOS 5.14
# Configuration export as posted in the thread (the poster describes the
# device as an RB450G). Passwords and the PPP user name are masked with
# asterisks in the export, so they cannot be recovered from this text.
# Interface roles, as far as this export shows them:
#   ether1-gateway      - physical WAN port; pppoe-out1 runs on top of it
#   ether2-master-local - untagged management LAN 192.168.100.0/24 (with
#                         ether3/ether4 as switch-group slaves) and the parent
#                         of the three VLAN interfaces
#   ether5-trusted      - untagged access port, bridged with vlan10trusted
#   vlan10/20/30        - trusted / voip / guest subnets (.101 / .102 / .103)
/interface bridge
# bridge1trusted joins ether5-trusted (untagged) with vlan10trusted so the dumb
# switch on ether5 lands in the trusted subnet; the members are listed under
# /interface bridge port further down.
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=proxy-arp auto-mac=yes disabled=no forward-delay=15s l2mtu=1516 max-message-age=20s mtu=1500 name=\
    bridge1trusted priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:FA:99:BE mtu=1500 name=ether1-gateway speed=\
    100Mbps
# arp=proxy-arp on the management port: per the thread this was needed before
# PPTP clients (addressed out of pool0_management, see /ppp profile) could
# reach hosts on 192.168.100.0/24 at all.
set 1 arp=proxy-arp auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1520 mac-address=00:0C:42:FA:99:BF \
    master-port=none mtu=1500 name=ether2-master-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1520 mac-address=00:0C:42:FA:99:C0 \
    master-port=ether2-master-local mtu=1500 name=ether3-slave-local speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1520 mac-address=00:0C:42:FA:99:C1 \
    master-port=ether2-master-local mtu=1500 name=ether4-slave-local speed=100Mbps
# ether5 is not part of the switch group (master-port=none); it is bridged
# with vlan10trusted instead.
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1520 mac-address=00:0C:42:FA:99:C2 \
    master-port=none mtu=1500 name=ether5-trusted speed=100Mbps
/interface pptp-server
# Static PPTP server interface bound to user vpnuser. The only /ppp secret
# below has its name masked, so whether it matches cannot be checked here.
add disabled=no name=pptp-in1 user=vpnuser
/interface vlan
# All three VLANs hang off the management port; vlan10trusted also keeps
# proxy-arp because it is a member of bridge1trusted.
add arp=proxy-arp disabled=no interface=ether2-master-local l2mtu=1516 mtu=1500 name=vlan10trusted use-service-tag=no vlan-id=10
add arp=enabled disabled=no interface=ether2-master-local l2mtu=1516 mtu=1500 name=vlan20voip use-service-tag=no vlan-id=20
add arp=enabled disabled=no interface=ether2-master-local l2mtu=1516 mtu=1500 name=vlan30guest use-service-tag=no vlan-id=30
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1 switch-all-ports=no
/ip ipsec proposal
# Factory-default proposal. No IPsec peers or policies appear in this export,
# so it is presumably unused; if IPsec is ever enabled, 3des/sha1/modp1024
# are weak by current standards and should be replaced first.
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip pool
# pool0_management doubles as the remote-address pool of PPP profile1, so VPN
# clients get 192.168.100.x addresses and look like management-LAN hosts.
add name=pool0_management ranges=192.168.100.100-192.168.100.254
add name=pool1_trusted ranges=192.168.101.100-192.168.101.254
add name=pool2_voip ranges=192.168.102.100-192.168.102.254
add name=pool3_guest ranges=192.168.103.25-192.168.103.254
/ip dhcp-server
# The trusted server listens on bridge1trusted rather than on vlan10trusted,
# because the VLAN interface is a bridge port.
add address-pool=pool0_management authoritative=after-2sec-delay bootp-support=static disabled=no interface=ether2-master-local lease-time=3d name=\
    default
add address-pool=pool1_trusted authoritative=after-2sec-delay bootp-support=static disabled=no interface=bridge1trusted lease-time=3d name=dhcp1
add address-pool=pool2_voip authoritative=after-2sec-delay bootp-support=static disabled=no interface=vlan20voip lease-time=1d name=dhcp2
add address-pool=pool3_guest authoritative=after-2sec-delay bootp-support=static disabled=no interface=vlan30guest lease-time=4h name=dhcp3
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
# profile1 is the one the VPN secret uses: router side 192.168.100.1, client
# addresses from pool0_management, DNS pointed at the router.
# NOTE(review): the PPTP server's default-profile is default-encryption
# (use-encryption=yes), but the secret below is bound to profile1, whose
# use-encryption=default. Presumably the secret's profile is what the session
# gets — confirm that encryption is actually negotiated, or set
# use-encryption=yes on profile1 as well.
add change-tcp-mss=default dns-server=192.168.100.1 local-address=192.168.100.1 name=profile1 only-one=default remote-address=pool0_management \
    use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
set 2 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=default use-vj-compression=\
    default
/interface pppoe-client
# pppoe-out1 is the real Internet-facing interface after the PPPoE change:
# add-default-route=yes makes it the default route and use-peer-dns=yes pulls
# the ISP resolvers in alongside the static ones under /ip dns. The allow=
# list includes pap; that only concerns authentication towards the ISP.
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=no interface=ether1-gateway max-mru=1480 max-mtu=1480 \
    mrru=disabled name=pppoe-out1 password=****** profile=default service-name="" use-peer-dns=yes user=********@sbcglobal.net
/interface bridge port
add bridge=bridge1trusted disabled=no edge=auto external-fdb=auto horizon=none interface=ether5-trusted path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=bridge1trusted disabled=no edge=auto external-fdb=auto horizon=none interface=vlan10trusted path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
# Frames switched between bridge1trusted's own ports are not passed through
# /ip firewall (use-ip-firewall=no); only routed traffic is filtered.
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 1 vlan-header=leave-as-is vlan-mode=fallback
set 2 vlan-header=leave-as-is vlan-mode=fallback
set 3 vlan-header=leave-as-is vlan-mode=fallback
set 4 vlan-header=leave-as-is vlan-mode=fallback
/interface ethernet switch vlan
# Both switch-chip VLAN entries are disabled=yes, so the switch chip enforces
# nothing; tagging on ether2-4 relies on the VLAN-aware gear downstream and on
# the /interface vlan interfaces above.
add disabled=yes ports=ether2-master-local,ether3-slave-local,ether4-slave-local switch=switch1 vlan-id=10
add disabled=yes ports=ether2-master-local,ether3-slave-local,ether4-slave-local switch=switch1 vlan-id=20
/interface pptp-server server
# NOTE(review): PPTP with MS-CHAP authentication is weak by current
# standards (both the authentication exchange and the resulting MPPE keys);
# if the tunnel carries anything sensitive, a stronger VPN type is worth
# planning for. The per-secret profile overrides default-profile here, see
# the /ppp profile note.
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/ip address
add address=192.168.100.1/24 comment="Default Interface - for Management Traffic Only!" disabled=no interface=ether2-master-local network=\
    192.168.100.0
add address=192.168.101.1/24 comment="Trusted Computer/Camera VLAN" disabled=no interface=vlan10trusted network=192.168.101.0
add address=192.168.102.1/24 comment="VOIP VLAN (Future Use)" disabled=no interface=vlan20voip network=192.168.102.0
# "isolated" is a comment only: there are no forward-chain rules below, so
# the guest VLAN can currently route to every other subnet.
add address=192.168.103.1/24 comment="Guest VLAN (isolated)" disabled=no interface=vlan30guest network=192.168.103.0
# Three /32 public addresses on the physical WAN port whose network= field
# holds what looks like a netmask rather than a network address. These are
# probably left over from before the PPPoE client was added (the masquerade
# rule below uses pppoe-out1) — verify whether they are still wanted.
add address=99.155.144.54/32 disabled=no interface=ether1-gateway network=255.255.255.248
add address=99.155.144.48/32 disabled=no interface=ether1-gateway network=255.255.255.248
add address=99.155.144.49/32 disabled=no interface=ether1-gateway network=255.255.255.248
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
# Each subnet gets the router's own address on that VLAN as gateway and DNS.
add address=192.168.100.0/24 comment="default configuration" dhcp-option="" dns-server=192.168.100.1 gateway=192.168.100.1 ntp-server="" wins-server=\
    ""
add address=192.168.101.0/24 dhcp-option="" dns-server=192.168.101.1 gateway=192.168.101.1 ntp-server="" wins-server=""
add address=192.168.102.0/24 dhcp-option="" dns-server=192.168.102.1 gateway=192.168.102.1 ntp-server="" wins-server=""
add address=192.168.103.0/24 dhcp-option="" dns-server=192.168.103.1 gateway=192.168.103.1 ntp-server="" wins-server=""
/ip dns
# allow-remote-requests=yes makes the router a resolver for LAN clients.
# NOTE(review): with the input chain as exported (no drop for traffic
# arriving on pppoe-out1) this resolver is also reachable from the Internet
# side, i.e. an open resolver usable for amplification. The fix belongs in
# /ip firewall filter, see the note there.
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=68.94.156.1,68.94.157.1
/ip dns static
add address=192.168.100.1 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Input chain, in order: icmp, established, related, the PPTP control port
# tcp/1723 from any interface, then drop everything arriving on ether1-gateway.
# NOTE(review): since the PPPoE change, Internet traffic arrives on
# pppoe-out1, not on the physical ether1-gateway, so the drop rule no longer
# matches it. RouterOS accepts packets that match no rule, which leaves every
# enabled /ip service (telnet, ftp, www, ssh, winbox) and the DNS resolver
# reachable from the PPPoE side. Mitigation: add a drop with
# in-interface=pppoe-out1 (or change the existing one), and keep an accept
# for protocol=gre above it — PPTP's data channel is GRE and currently only
# gets through because nothing drops it.
# There is no forward chain at all: every VLAN, including the guest VLAN, and
# the VPN pool can reach every other subnet. The VLAN10-to-management block
# the poster plans, and any guest isolation, need forward-chain drop rules.
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
/ip firewall nat
# Masquerade on the PPPoE interface — correct for the post-PPPoE layout.
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=pppoe-out1 to-addresses=0.0.0.0
/ip firewall service-port
# Connection-tracking helpers. The pptp helper ties the GRE data channel to
# its tcp/1723 control connection.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip neighbor discovery
# Discovery is off on the WAN-facing interfaces, the VLANs and the PPTP
# interface, on for the management ports and the trusted bridge.
set ether1-gateway disabled=yes
set ether2-master-local disabled=no
set ether3-slave-local disabled=no
set ether4-slave-local disabled=no
set ether5-trusted disabled=no
set vlan10trusted disabled=yes
set vlan20voip disabled=yes
set vlan30guest disabled=yes
set bridge1trusted disabled=no
set pptp-in1 disabled=yes
set pppoe-out1 disabled=yes
/ip proxy
# Web proxy is not enabled.
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none max-client-connections=600 \
    max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip service
# NOTE(review): every enabled management service has address="" (no source
# restriction), and telnet and ftp are cleartext. Together with the input
# chain gap noted above they are reachable from the Internet. Mitigation:
# restrict address= to the management subnet (e.g. 192.168.100.0/24) and
# disable telnet and ftp if they are not needed.
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
# The single VPN account (name and password masked), service=pptp, bound to
# profile1 — see the encryption note under /ppp profile.
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=********** password=**************** profile=profile1 routes="" service=pptp
/queue interface
set ether1-gateway queue=only-hardware-queue
set ether2-master-local queue=only-hardware-queue
set ether3-slave-local queue=only-hardware-queue
set ether4-slave-local queue=only-hardware-queue
set ether5-trusted queue=only-hardware-queue
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s multiplier=5
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m gateway-selection=no-gateway origination-interval=5s preferred-gateway=0.0.0.0 \
    timeout=1m ttl=50
/routing pim
set switch-to-spt=yes switch-to-spt-bytes=0 switch-to-spt-interval=1m40s
/routing rip
# Routing-protocol sections above and below are export defaults; nothing in
# this export enables any of them.
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" trap-version=1
/system logging
# Logs go to memory only (critical also echoed to the console), so they are
# lost on reboot and nothing leaves the box. If the input chain is tightened,
# a remote (syslog) logging action makes dropped-traffic review possible.
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical

Hi. Sorry, I’m a bit short on time to have a decent look, but maybe look at this: http://blog.butchevans.com/2010/06/when-and-why-proxy-arp/ — it sounds like this might be your problem.

Thanks for the reply. I believe I already have proxy-arp enabled correctly; that was required to even access the local VLAN from the PPTP connection. However, enabling it only fixed access to the same subnet I VPN in on - it’s not letting me reach the other VLANs/subnets.

Any other ideas? Thx!

Then it would probably be a routing problem. In Firewall / NAT, masquerade using the VLAN as the incoming interface. Not the right way, but it should rule out a routing problem.

Thanks for your help… file this under the “I’m a dumba$$” file.

Without either setting my computer to send all traffic through the tunnel OR setting static routes, it’s only going to use the VPN for the primary subnet. Fixing that allowed me to get to everything else as expected. With Windows, send-all-traffic is the default; with OSX, it is not.

Great. Enjoy. :sunglasses: