Reaching Devices Through VPN

Hey guys, first off let me start by saying I’m very new to networking in general so please bear with me. Thank you in advance for any help!

I have set up my new mikrotik router with an SSTP VPN. It is configured correctly; I am able to connect to my network from my work laptop running Windows 10. My issue runs into communicating with my home lab once connected.

I’ve noticed that when connected, the IP address is in a /32 subnet. I believe this is preventing me from communicating with my servers that are on my /24 subnet. I have tried modifying the way I put in the address pool. I had the range written out as 192.168.88.100 - 192.168.88.105, so I tried adding just /24 to each end of the range. The OS would not allow me to save the config in such a way. My next step was to just put it as 192.168.88.0/24. This allowed me to save, but when reconnecting, it continues to put me in /32.

I have also tried making a firewall srcnat rule, but this is not working either. Granted, there is a good chance I did this wrong I will admit.

As of right now I have made a new pool. All VPN connections are assigned to address 192.168.100.1-192.168.100.5. No matter what I do the subnet for the host connected via VPN is /32.
My main network address is 192.168.88.0/24. I’m guessing I have to make some firewall rule so I can reach my servers on my main network, but I’m lost.

If anyone could help me by pointing me in the direction of forcing my VPN connections into the /24 subnet or making it so I can make the two subnets communicate through firewall rules I would be so very grateful!

It’s not because of /32, that’s fine. There can be a few problems:

  1. If you give an address from the LAN subnet to a VPN client, other devices in the LAN won’t be able to reach it, because they expect it to be in the same LAN, but it isn’t. It can be solved by enabling proxy ARP on the LAN interface (bridge, or whatever you have).
  2. If you use address from another subnet and on Windows you don’t want to route everything via VPN, Windows won’t have route to LAN subnet. It can be configured on client, search for PowerShell command Add-VpnConnectionRoute.
  3. If it’s neither 1) nor 2), then it’s probably the firewall. If you don’t see the problem yourself, you can export your config (/export hide-sensitive file=myconfig), post the content of the resulting file in code tags and someone will probably tell you what exactly is wrong.

Thanks for your response! I actually figured out that applying arp-proxy allows me to reach my other network.. kind of. From my VPN network (192.168.100.x/32) I am able to reach one of 2 devices on my main network. My 192.168.88.9/24 resolves no issue, but I am not able to reach 192.168.88.10/24. Both devices are connected to the same Mikrotik Hex. If it helps both devices are my Dell r720xd. The 88.9 device is the iDRAC and the 88.10 is the ESXI management network IP. It did take about 24 hours for 88.9 to be able to be reached from my VPN client though after setting up the arp-proxy.

I am getting a bit tired of this proxy arp crap.
If your VPN needs access to the LAN, just add a firewall rule allowing VPN to access lan subnet.
Same in wireguard, no need for proxy crap…

I have tried to make a firewall rule to allow my 192.168.100.x/32 devices to talk to my 192.168.88.x/24 devices but I’m so f’ing noob I couldn’t get it right. Maybe you could point me in the right direction?

Are you trying to connect to a server device (IP based), or shared windows folders etc (MAC based)?
Typically a forward chain rule should suffice to connect VPN internally to LAN subnet…

I am trying to reach my server blade running VMWare ESXI 7 (192.168.88.10/24) from my VPN Client running Windows 10 (192.1618.100.x/32)

Assuming there is no separate software or firewall built into that device, a simple forward chain rule should work
add chain=forward action=accept src-address=vpnIP dst-address=lanDeviceIP

except that both are singular so not /24
add chain=forward action=accept src-address=192.1618.100.x /32 dst-address=192.168.88.10/32
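The two approaches the replies describe (a separate VPN pool plus a forward-chain accept rule, or LAN-subnet addresses plus proxy ARP on the bridge), written out as complete RouterOS commands. This is an added example, not config from the thread or from MikroTik; the names `bridge`, `vpn-pool` and `vpn-profile` are assumptions, the addresses are the ones the original poster gave, and the SSTP certificate setup the poster already has in place is omitted.

```routeros
# Added example (not from the thread). Assumed names: bridge, vpn-pool, vpn-profile.
# Addresses: VPN clients 192.168.100.1-5 (inside 192.168.100.0/29), LAN 192.168.88.0/24.

# Option 2 from the reply: VPN clients get addresses from a separate pool.
/ip pool
add name=vpn-pool ranges=192.168.100.1-192.168.100.5

# The SSTP server hands each client one address from that pool; the /32 the
# client sees is normal for a point-to-point PPP link and is not the problem.
/ppp profile
add name=vpn-profile local-address=192.168.100.254 remote-address=vpn-pool
/interface sstp-server server
set enabled=yes default-profile=vpn-profile

# Forward-chain rule allowing VPN -> LAN. Note the full path (/ip firewall
# filter) in front of "add"; a bare "add" is rejected by the terminal.
# The rule must sit above any drop rule in the forward chain, so it is placed
# at the top; return traffic is covered by the usual established/related accept.
/ip firewall filter
add chain=forward action=accept src-address=192.168.100.0/29 \
    dst-address=192.168.88.0/24 comment="SSTP clients to LAN" place-before=0

# Option 1 instead: if clients were given 192.168.88.x addresses from the LAN
# range, the LAN bridge must answer ARP on their behalf.
/interface bridge
set bridge arp=proxy-arp
```

With the separate-pool option the Windows client still needs a route to 192.168.88.0/24 unless it sends all traffic through the tunnel (the Add-VpnConnectionRoute point in the earlier reply), and, as the thread’s final post shows, a LAN host whose default gateway is not the MikroTik also needs its own route back to 192.168.100.0/29 before replies can reach the VPN client.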

Assuming you have a typo in the address LOL…

No typo. 192.168.100.x/32 is the SSTP VPN network. 192.168.88.x/24 is my DMZ. There are no devices or software between the two networks. Both are running off my Mikrotik device.

This did not work. I’m starting to think ESXi 7 has a firewall that’s blocking traffic from my VPN client. I’ll have to take a look at this when I get home from work.

Double-checked the ESXi firewall after coming home. Nothing is being blocked. Tried running that command in the RouterOS terminal, says “add” in the very beginning is not a valid command. I’m starting to lose hope :frowning:

Post your complete config here (/export) but cover up any public IP numbers etc.

Thank you very much to everyone that took the time to try and help me figure this out. After putting up the proxy-arp, I still was able to reach everything but my ESXi server. This ended up not being an issue with anything on my Mikrotik side. I had to add a static route on my server to my VPN client. Everything is working smoothly now!