RB750G VPN not passing through

Hi, I'm trying to learn about the MikroTik RB750G after dumping a Cisco small business router and am getting a little stuck…

I've been jumping on YouTube etc. to figure out setups and managed to get a VPN set up and working (yay!). The trouble is I have now followed another tutorial to set up a dual WAN (https://www.youtube.com/watch?v=BXf9vaevSMI), which works great and even gives me better speeds… But the trouble is now that when I go offsite and connect to the VPN, I can't see anything and I'm at a loss! I can connect to the router via Winbox, but anything outside of that just isn't happening.

The issues are now: CCTV isn't forwarding traffic to the DVR, so the CCTV app won't work.
With the PPP VPN connected when offsite I cannot RDP to the server, get to the VMware web UI, connect to the server's files via an Explorer window, or connect to the CCTV web UI either?!

Port 1 - WAN static IP
Port 2 - WAN DHCP
Port 3 - LAN to Ubiquiti switch

Any help & guidance is appreciated

Follow the instruction in my automatic signature if you want to get any useful advice.

I didn't even realise that was a thing! :open_mouth: haha

Maybe add to your signature to use the terminal; I was going through menus looking for an export option :confused: :laughing: But eventually found it. I have replaced externals as you suggested and changed usernames to user1 etc. I hope this makes sense to someone to see where I've gone wrong! Thanks

# jul/08/2020 09:22:42 by RouterOS 6.46.4
# software id = KHPA-LRZY
#
# model = 750G
# serial number = 268D01736223
/interface bridge
add arp=proxy-arp disabled=yes name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ISP1-Static
set [ find default-name=ether2 ] name=ISP2-DHCP
set [ find default-name=ether3 ] name=LAN3
/interface pppoe-client
add add-default-route=yes disabled=no interface=ISP1-Static name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxxxxxxx@talktalkbusiness.net
/interface bonding
add disabled=yes name=bonding1 slaves=ISP1-Static,ISP2-DHCP
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.11.2.230-10.11.2.254
add name=vpn ranges=10.11.2.180-10.11.2.189
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LAN3 name=DHCP-Local
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge1 disabled=yes interface=ISP2-DHCP
add bridge=bridge1 interface=LAN3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip firewall connection tracking
set enabled=yes
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ISP1-Static list=WAN
add interface=LAN3 list=LAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.11.2.10/24 interface=LAN3 network=10.11.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ISP1-Static
add disabled=no interface=ISP2-DHCP
/ip dhcp-server lease
add address=10.11.2.141 client-id=1:10:e7:c6:f3:f8:ab comment="Marks Laptop" \
    mac-address=10:E7:C6:F3:F8:AB server=DHCP-Local
add address=10.11.2.191 comment="Datto Backup LAN1" mac-address=\
    00:01:2E:82:75:11 server=DHCP-Local
add address=10.11.2.1 mac-address=80:18:44:F2:7B:70 server=DHCP-Local
add address=10.11.2.82 comment=ukju-winserver01 mac-address=00:0C:29:02:DC:98 \
    server=DHCP-Local
add address=10.11.2.11 comment="24 Port Ubiquiti" mac-address=78:8A:20:C5:D5:60
add address=10.11.2.12 comment="48 Port Ubiquiti" mac-address=FC:EC:DA:02:7E:FC
add address=10.11.2.20 comment="UKJU-WAP01\r\
    \n" mac-address=F0:9F:C2:8E:D4:5B
add address=10.11.2.21 comment=UKJU-WAP02 mac-address=F0:9F:C2:8E:D4:D8
add address=10.11.2.22 comment=UKJU-WAP03 mac-address=F0:9F:C2:8E:D8:72
add address=10.11.2.60 comment="Brother Printer 1" mac-address=\
    00:1B:A9:C9:1E:8B
add address=10.11.2.190 comment="D-Link Nas Drive" mac-address=\
    CC:B2:55:04:BA:BA
add address=10.11.2.192 comment="Datto Backup Lan2" mac-address=\
    00:01:2E:82:75:12
add address=10.11.2.220 comment="CCTV Entrance" mac-address=BC:AD:28:8B:72:E6
add address=10.11.2.221 comment="CCTV Office Side Run" mac-address=\
    00:0F:7C:15:36:B2
add address=10.11.2.52 client-id=1:6c:e8:5c:d5:1f:ee mac-address=\
    6C:E8:5C:D5:1F:EE server=DHCP-Local
add address=10.11.2.140 client-id=1:38:ba:f8:b6:bc:e6 mac-address=\
    38:BA:F8:B6:BC:E6 server=DHCP-Local
add address=10.11.2.50 client-id=1:c2:62:2d:8f:bf:35 comment="Mobile Phones" \
    mac-address=C2:62:2D:8F:BF:35 server=DHCP-Local
add address=10.11.2.51 client-id=1:dc:8:f:6b:52:cb mac-address=\
    DC:08:0F:6B:52:CB server=DHCP-Local
/ip dhcp-server network
add address=10.11.2.0/24 dns-server=10.11.2.82,8.8.8.8 gateway=10.11.2.10 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.11.2.82 disabled=yes name=winserv01
/ip firewall mangle
add action=mark-connection chain=input in-interface=pppoe-out1 \
    new-connection-mark=traffic-wan1 passthrough=yes
add action=mark-connection chain=input in-interface=ISP2-DHCP \
    new-connection-mark=traffic-wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=traffic-wan1 \
    new-routing-mark=to-wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=traffic-wan2 \
    new-routing-mark=to-wan2 passthrough=yes
add action=accept chain=prerouting dst-address=my.public.iprange.0/24 in-interface=LAN3
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=LAN3
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN3 new-connection-mark=traffic-wan1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN3 new-connection-mark=traffic-wan2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=traffic-wan1 \
    in-interface=LAN3 new-routing-mark=to-wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=traffic-wan2 \
    in-interface=LAN3 new-routing-mark=to-wan2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
add action=dst-nat chain=dstnat dst-port=8000 log=yes log-prefix=cctv_ \
    protocol=tcp to-addresses=10.11.2.220 to-ports=8000
add action=dst-nat chain=dstnat dst-port=554 in-interface=ISP1-Static protocol=\
    tcp to-addresses=10.11.2.220 to-ports=554
add action=masquerade chain=srcnat out-interface=ISP1-Static
add action=masquerade chain=srcnat out-interface=ISP2-DHCP
add action=dst-nat chain=dstnat dst-port=8240 log=yes log-prefix=cctv_ \
    protocol=tcp to-addresses=10.11.2.220 to-ports=8240
/ip route
add check-gateway=ping distance=1 gateway=static.gateway.ip routing-mark=to-wan1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to-wan2
add check-gateway=ping distance=1 gateway=static.gateway.ip
add check-gateway=ping distance=2 gateway=192.168.1.1
/ppp secret
add local-address=10.11.2.10 name=user1 profile=default-encryption \
    remote-address=10.11.2.180
add local-address=10.11.2.10 name=user2 profile=default-encryption \
    remote-address=10.11.2.181
add local-address=10.11.2.10 name=user3 profile=default-encryption \
    remote-address=10.11.2.182
add local-address=10.11.2.10 name=user4 profile=default-encryption \
    remote-address=10.11.2.183
add local-address=10.11.2.10 name=user5 profile=default-encryption \
    remote-address=10.11.2.184
add local-address=10.11.2.10 name=user6 profile=default-encryption \
    remote-address=10.11.2.186
add local-address=10.11.2.10 name=user7 profile=default-encryption \
    remote-address=10.11.2.185
add name=vpn
/system clock
set time-zone-name=Europe/London
/system identity

It may also be worth noting that we have a static WAN and a DHCP WAN (192.168.1.xxx given from the DHCP modem). The static one is the one we use for the VPN and for the cameras, and the DHCP one is just there as load balancing/failover so the site can keep running if one of the lines goes down.

So, most important: your firewall is nonexistent in the sense of protecting the router itself from unauthorized access at network level. As there is nothing in chain=input of /ip firewall filter, and as you haven't at least configured allowed ranges for the individual management services (winbox, api, http, telnet, ssh - but this way is not as safe as firewall rules), the only thing that stands between the attacker and full access to management of your router is the username and password. So it is quite likely that by now you are not the only administrator of your router any more.

Regarding your original issue, both the VPN types you use are L3 point-to-point tunnels, and thus assigning IP addresses from the LAN subnet to the clients causes routing issues - the LAN clients assume that the VPN clients are in the same subnet, so they send ARP requests for them and get no response. This can be addressed in two ways, each with its advantages and disadvantages. The cleaner one is to use an address pool outside the LAN subnet for the VPN clients, but then Windows hosts on the LAN with the default firewall configuration do not respond to pings from VPN clients. The other one is to set the arp property of the LAN interface of the router to proxy-arp; with this setting, the router responds to ARP requests coming from the LAN with its own MAC address if the queried IP address is directly reachable via another interface (in this case, the VPN tunnel), so the LAN host sends the packet to the router and the router can deliver it to the actual destination.

But this "cannot reach LAN hosts from VPN clients" issue has nothing to do with the dual WAN setup - the part of your configuration which is related to the dual WAN looks fine to me. Regarding "CCTV isn't forwarding traffic to the DVR", where are these two devices connected? Are both on the LAN, or is the CCTV on the LAN of this MikroTik and the DVR on another site that should be accessible through the VPN?
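As an added example (not part of the original thread and not the poster's export), the two points of the reply above as RouterOS 6 commands: an input chain that only lets LAN, VPN clients and the VPN services themselves talk to the router, and a VPN pool on its own subnet instead of 10.11.2.180-189. It assumes the WAN/LAN interface lists from the export, 192.168.89.0/24 for VPN clients (the profile already uses 192.168.89.1 as local-address and the srcnat "masq. vpn traffic" rule already covers that range), and that ISP2-DHCP belongs in the WAN list, which the export does not do. Apply it from a Winbox or console session on the LAN side, ideally in Safe Mode, because the final drop rule locks out anything not explicitly accepted above it.

```routeros
# Added example, not the poster's configuration. Assumed: interface lists WAN/LAN
# as in the export, 192.168.89.0/24 for VPN clients.

# 1. The export only lists ISP1-Static and pppoe-out1 as WAN; the second uplink
#    must be in the list too or the rules below will not apply to it.
/interface list member
add interface=ISP2-DHCP list=WAN

# 2. Protect the router itself (chain=input is empty in the export).
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to sessions the router opened or already accepted"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping, PMTU"
add chain=input action=accept in-interface-list=LAN comment="management from LAN"
add chain=input action=accept src-address=192.168.89.0/24 in-interface-list=!WAN \
    comment="management from VPN clients (tunnel interfaces, never from WAN)"
# Only the VPN services stay reachable from the internet.
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500 \
    comment="IPsec IKE / NAT-T for L2TP/IPsec"
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec comment="L2TP only when it arrived inside IPsec"
add chain=input action=accept in-interface-list=WAN protocol=tcp dst-port=443 \
    comment="SSTP"
add chain=input action=drop comment="everything else addressed to the router"

# 3. VPN clients get addresses from their own /24 (the reply's first option).
/ip pool
set [ find name=vpn ] ranges=192.168.89.10-192.168.89.99
/ppp profile
set default-encryption local-address=192.168.89.1 remote-address=vpn
# local-address/remote-address set on a /ppp secret override the profile, so the
# 10.11.2.x values on the existing secrets must be removed for the pool to apply.

# Alternative (the reply's second option): keep the LAN pool and let the router
# answer ARP on the LAN for addresses reachable through the tunnels.
# /interface ethernet set [ find name=LAN3 ] arp=proxy-arp
```

Winbox, API, HTTP, Telnet and SSH are not opened from WAN at all; the export's PPTP server (tcp/1723 plus GRE) is likewise left closed and would need its own accept rules if it is still required. After the change, `/ip firewall filter print stats chain=input` shows which rule each hit lands on, which is the quickest way to see whether VPN clients are reaching the router through the accept rule intended for them or through the drop.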

Hi, thanks for the response.

I followed a basic setup I found online and presumed some basic firewall would have been in place. Thanks for pointing it out; I will do some googling to look at firewall setups.

When I set up the VPN there was a 'local address' and 'remote address'. The local one I set as the gateway IP and the remote one I set as the IP I want the connecting VPN client to be assigned. Are those correct, or should I leave the remote one blank (or both)? As the masquerade is set to 192.168.89.0 for VPN traffic, will this conflict?

The DVR and IP cameras are on the same LAN. The CCTV has an app to connect to the local unit and was just port forwarded (so basically put the static IP in the app with the port number and the router forwards to the CCTV DVR), so no VPN was involved. This worked fine and the cameras could be viewed via the phone app, but since adding the dual WAN using instructions from the YouTube vid this has now stopped. The app shows the cameras like it knows they are there, but no video is being shown. Similarly, with the VPN, when I was offsite and connected to the VPN I could get to the server, local network, etc. etc., but since the dual WAN setup this has stopped. I can still connect to the VPN, I can access the router via Winbox, but accessing the local network just isn't happening.

I've just connected on the VPN and looked at the connection details; it says:

DHCP Enabled: No
IPv4 Default Gateway: (BLANK)
IPv4 DNS: 10.11.2.10 (MikroTik router IP)
192.168.1.1

Is that correct?
I will connect when I'm offsite and test the VPN to see if I can connect to the file server.

You can also "marry" your Cisco with the MikroTik in terms of VPN :slight_smile:
https://administrator.pro/contentid/2145635754