I have an issue with MikroTik RB760iGS (RouterOS v6.44.6 (long-term)) creating VPN. We have our internal network, where I need VPN service to access all internal network. Now I configured VPN service and it works (users can authenticate themselves, can use internet and so on), but unfortunately I can’t access my internal network when using VPN (check attached scheme below).
Maybe there is any step by step configuration documentation how to configure VPN in order to reach internal company’s network.
Unfortunately there is none, as most vendors’ documentation assumes that the reader already understands the networking principles in general and only explains how to apply them on a particular product.
As for your case, too little information is provided - I can see that everything in the internal network is in a /20 subnet, but you haven’t stated whether the VPN clients connecting to the RB760iGS get addresses from the same subnet or from a different one, how routing is configured on the devices inside the network etc., not even what type of VPN you have set up - this also has an impact.
Hence follow the suggestion in my automatic signature below, this will answer most of the questions, except how the routing is configured on the other devices in the internal network.
Hi, Sindy, I was wondering if any detailed configuration exist, unfortunately - not.
Detailed configuration:
VPN type: L2TP and PPTP (authentication works perfectly, users get addresses and can use internet with no limits).
MikroTik internal network eth1 IP (as in the picture above): 172.168.5.1 and eth1 is connected to our internal network 172.168.0.0/20 where 172.168.5.1-172.168.5.250 addresses are allocated by MikroTik for VPN users (internal network DHCP automatically allocates addresses 172.168.0.1-172.168.4.254 and 172.168.6.1-172.168.16.254).
There are firewall rules to accept 1723 port; and also there is src-nat rule.
My reply is a little offtopic, but I do hope that the internal subnet you are using (172.168.0.0/20) is fictional and you aren’t really using that range.
Because, well, that range isn’t part of the private IPv4 ranges defined in RFC1918.
And it looks like it belongs to OATH/yahoo, not good.
What you’ve posted is not exactly a complete configuration, but /interface bridge set bridge arp=proxy-arp should resolve your issue.
Other than that, if L2TP/IPsec is working, disable PPTP, there is no reason to use it and the security is much weaker than with L2TP/IPsec. Without IPsec, L2TP has no advantage over PPTP security-wise.
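Added example (not part of the thread, not posted by Sindy or the OP): the two suggestions above as RouterOS v6 commands. The bridge name "bridge", the WAN port sfp1 and the VPN client range 172.168.5.1-172.168.5.250 are taken from the thread; the IPsec pre-shared key is a placeholder that has to be replaced.

```routeros
# 1. Proxy-ARP on the LAN bridge: the VPN clients' addresses are inside the LAN
#    subnet, so the router must answer ARP for them on behalf of the PPP
#    interfaces, otherwise LAN hosts never find a MAC for 172.168.5.x.
/interface bridge set bridge arp=proxy-arp

# 2. Keep L2TP, but refuse it without IPsec (use-ipsec=required). The PSK is
#    an assumed placeholder; use a long random secret.
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK"

# 3. PPTP off entirely.
/interface pptp-server server set enabled=no

# 4. WAN input rules to go with it. IKE (500/4500) and ESP are accepted from
#    the WAN port; L2TP 1701 is accepted only after IPsec decryption
#    (ipsec-policy=in,ipsec), so plain, unencrypted L2TP is never reachable.
#    These must sit above any input drop rule; the TCP/1723 accept rule
#    mentioned earlier in the thread is no longer needed.
/ip firewall filter add chain=input in-interface=sfp1 protocol=udp \
    dst-port=500,4500 action=accept comment="IKE / NAT-T"
/ip firewall filter add chain=input in-interface=sfp1 protocol=ipsec-esp \
    action=accept comment="IPsec ESP"
/ip firewall filter add chain=input in-interface=sfp1 protocol=udp \
    dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec"
```

After applying this, a client that still has "IPsec" unticked must fail to connect; if it connects, use-ipsec did not take effect and the check in step 4 is what keeps plain L2TP out.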
Sindy, your suggestion didn’t resolve my problem. In /ip arp I can see all devices in my local network, but users connected via VPN can’t use local resources.
This rule causes connections initiated by the VPN clients to be src-nated to the WAN IP of the “DHCP server” on the drawing in your OP, which makes no sense (changing it to XXX.XXX.XXX.XXX would at least allow them to access the internet), and as it is not restricted to match any out-interface, it affects also connections initiated by the VPN clients towards devices in the LAN, so the LAN devices send their responses to YYY.YYY.YYY.YYY. And as the LAN devices’ default routes (which are used to route traffic to YYY.YYY.YYY.YYY) go via the “DHCP server” machine, the 760 doesn’t receive the responses, so it cannot “un-dst-nat” them and forward them to the clients.
So changing the to-addresses to XXX.XXX.XXX.XXX and adding out-interface=sfp1 should help.
I just hope you actually have more firewall rules in place, as if there are only those you’ve posted, your 760 is exposed to attacks on all management interfaces including telnet.
Also, what you’ve posted cannot be an export of the actual configuration, because in such an export a place-before can never appear. So there may be some settings you do not expect to be the reason why it doesn’t work, but no one can spot them because you’ve decided to post only what you assume to be related.
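Added example (not part of the thread, not the OP's actual rule set): the src-nat fix described above as RouterOS v6 commands, with a check and the management-exposure caveat. XXX.XXX.XXX.XXX and YYY.YYY.YYY.YYY are the thread's own placeholders for the RB760's WAN address and the other machine's WAN address; sfp1 is the WAN port named in the thread. The "problematic" rule is a reconstruction of what the thread describes, not a copy of the OP's rule.

```routeros
# Problematic rule as described in the thread (shown commented out, do not add):
# no out-interface, so LAN-bound connections from VPN clients are translated too,
# and to an address that belongs to another machine, so replies never return here.
#   /ip firewall nat add chain=srcnat action=src-nat to-addresses=YYY.YYY.YYY.YYY

# Replacement: translate only what actually leaves via the WAN port, and to this
# router's own WAN address, so the reverse translation can happen here.
/ip firewall nat add chain=srcnat out-interface=sfp1 action=src-nat \
    to-addresses=XXX.XXX.XXX.XXX comment="LAN+VPN to internet"

# If the WAN address is dynamic, masquerade instead of a fixed to-addresses:
#   /ip firewall nat add chain=srcnat out-interface=sfp1 action=masquerade

# Check 1: every srcnat rule should carry an out-interface.
/ip firewall nat print

# Check 2: a VPN client (172.168.5.x) talking to a LAN host must show up in
# connection tracking without a translated address (no srcnat/dstnat flags).
/ip firewall connection print where src-address~"^172.168.5." && dst-address~"^172.168."

# Caveat raised above: with only the posted rules the router's management
# services answer on the WAN. Disable telnet and restrict the rest to the LAN
# range used in the thread (172.168.0.0/20, see the RFC1918 remark earlier).
/ip service disable telnet
/ip service set [find name~"^(winbox|ssh|www)$"] address=172.168.0.0/20
```

The out-interface match is the important part: without it the same rule also rewrites traffic that the router merely bridges or routes back into the LAN.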
Hey, Sindy, that made my day - following your suggestion eliminated the problem and the internal network is reachable now.
And answering your questions - yes, the firewall contains many more rules blocking incoming traffic and so on, but they are not related to this problem.