Routing issue with PPTP site to site

Hello

I’m having a routing issue with a PPTP site to site VPN (between a USG pro and a Mikrotik, and I feel the issue is on the Mikrotik side).

  • On the USG side I have subnet 172.16.107.0/24 with GW 254
  • On the Mikrotik side I have subnet 172.16.100.0/24 with GW 254

The tunnel comes up without problem and from 107 I can reach every host on 100

However from subnet 100 I can only reach the gateway on 107.254 but not any other host.

Interestingly I have the following traceroutes (from a host on .100):

C:\Windows\System32>tracert 172.16.107.254

Tracing route to 172.16.107.254 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.16.100.254
  2     5 ms     5 ms     5 ms  172.16.107.254

Trace complete.

C:\Windows\System32>tracert 172.16.107.200

Tracing route to 172.16.107.200 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.16.100.254
  2     5 ms     5 ms     5 ms  172.16.255.100
  3     *        *        *     Request timed out.

So it would seem that I don’t have the right routing table to reach the 107 subnet.

Here are my routes on the Mikrotik. The one I “need” would presumably be #6.

 1 ADC  94.230.*.*/27     94.230.*.*       wan                       0
 2 ADo  172.16.23.0/24                     172.16.255.98           110
 3 ADC  172.16.100.0/24    172.16.100.254  Host A                    0
 4 A S  ;;; Subnet G 
        172.16.103.0/24                    172.16.255.100            1
 5 A S  ;;; Subnet O 
        172.16.105.0/24                    172.16.255.100            1
 6 A S  ;;; Subnet Q 
        172.16.107.0/24                    172.16.255.100            1
 7 ADC  172.16.109.147/32  172.16.109.254  <sstp-remoteuse...        0
 8 ADC  172.16.109.150/32  172.16.109.254  <sstp-remoteuser>         0
 9 ADC  172.16.110.0/24    172.16.110.254  Host C                    0
10 ADC  172.16.110.200/32  172.16.110.254  <sstp-mailgate-1>         0
11 A S  ;;; Subnet D 
        172.16.111.0/24                    192.168.199.107           1
12 A S  ;;; Subnet B 
        172.16.200.0/24                    192.168.199.107           1
13 A S  ;;; Subnet I 
        172.16.210.0/24                    192.168.199.104           1
14 A S  ;;; Subnet J 
        172.16.211.0/24                    192.168.199.104           1
15 A S  ;;; Subnet Y 
        172.16.215.0/24                    192.168.199.104           1
16 A S  ;;; Subnet for remote routers connected 
        172.16.253.0/24                    192.168.199.104           1
17 ADo  172.16.255.1/32                    172.16.255.98           110
18 ADC  172.16.255.98/32   172.16.255.1    <sstp-aaa>                0
19 ADC  172.16.255.99/32   172.16.255.1    <sstp-bbb>                0
20 ADC  172.16.255.100/32  172.16.255.105  <pptp-ccc-usg>            0
21 ADC  172.16.255.104/32  172.16.255.1    <sstp-CCR>                0
22   S  192.168.0.0/24                     *F0039A                   1
23 A S  ;;; Subnet K 
        192.168.28.0/24                    192.168.199.104           1
24 A S  ;;; Subnet N 
        192.168.66.0/24                    192.168.199.104           1
25 A S  192.168.100.0/24                   Host A                    1
26 A S  192.168.168.0/24                   <sstp-zzz>                1
27 ADC  192.168.199.0/24   192.168.199.106 interrouter               0

Can you spot something incorrect?

hmm can’t seem to figure it out. I would really appreciate any suggestion
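Added example (not part of the original posts): a longest-prefix-match lookup over a subset of the routes listed above, following each static route's gateway to the interface it resolves through. The reduced route list and the function names are choices made for this example.

```python
import ipaddress

# Subset of the routing table posted above: (number, dst, gateway, interface).
# Connected routes carry an interface; static routes carry a gateway address.
ROUTES = [
    (3,  "172.16.100.0/24",   None,              "Host A"),
    (5,  "172.16.105.0/24",   "172.16.255.100",  None),
    (6,  "172.16.107.0/24",   "172.16.255.100",  None),
    (11, "172.16.111.0/24",   "192.168.199.107", None),
    (20, "172.16.255.100/32", None,              "<pptp-ccc-usg>"),
    (27, "192.168.199.0/24",  None,              "interrouter"),
]

def best_route(addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in ROUTES if ip in ipaddress.ip_network(r[1])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[1]).prefixlen,
               default=None)

def resolve(addr, depth=0):
    """Return (route number, gateway, outgoing interface) for addr.

    A static route's gateway is itself looked up until a connected
    route (one with an interface) is reached.
    """
    route = best_route(addr)
    if route is None or depth > 4:
        return None
    num, _dst, gateway, iface = route
    if iface is None:
        nested = resolve(gateway, depth + 1)
        if nested is None:
            return None
        iface = nested[2]
    return (num, gateway, iface)

if __name__ == "__main__":
    for target in ("172.16.107.254", "172.16.107.200", "172.16.100.30"):
        print(target, "->", resolve(target))
```

Both 172.16.107.x targets resolve to route #6 and leave through <pptp-ccc-usg>, so the table itself does not treat the gateway and the other hosts differently.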

To find out whether the issue is on the Mikrotik side or the USG side, run /tool sniffer quick interface= ip-protocol=icmp while pinging something other than 172.16.107.254 in 172.16.107.0/24 from 172.16.100.0/24. If you can see ICMP packets towards the pinged IP, the issue is on the USG side; if you don’t, the issue is on the Mikrotik side.

You may need to enable proxy-arp on the lan-interfaces. Check this explanation: http://forum.mikrotik.com/t/is-it-possible-to-communicate-pppoe-to-an-ipv4-network-when-they-are-in-the-same-subnet/86450/1

Thanks - good idea!

Interestingly “out of the box” with no “check gateway” active I still see some ICMP traffic on that interface

[at@mikrotik] > /tool sniffer quick interface=<pptp-ccc-usg> ip-protocol=icmp
INTER...     TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                        
<pptp...    9.611     27 ->                                            192.168.199.107                    
<pptp...   12.312     28 ->                                            192.168.199.104                    
<pptp...    12.62     29 ->                                            192.168.199.107                    
<pptp...   12.621     30 ->                                            192.168.199.107                    
<pptp...   12.621     31 ->                                            192.168.199.107                    
<pptp...   12.621     32 ->                                            192.168.199.107                    
<pptp...   12.621     33 ->                                            192.168.199.107                    
<pptp...   12.621     34 ->                                            192.168.199.107                    
<pptp...    15.64     35 ->                                            192.168.199.107                    
<pptp...   15.641     36 ->                                            192.168.199.107                    
<pptp...   15.641     37 ->                                            192.168.199.107                    
<pptp...   15.641     38 ->                                            192.168.199.107                    
<pptp...   15.641     39 ->                                            192.168.199.107                    
<pptp...   15.641     40 ->                                            192.168.199.107                    
<pptp...    18.65     41 ->                                            192.168.199.107                    
<pptp...   18.651     42 ->                                            192.168.199.107                    
<pptp...   18.651     43 ->                                            192.168.199.107                    
<pptp...   18.651     44 ->                                            192.168.199.107                    
<pptp...   18.651     45 ->                                            192.168.199.107                    
<pptp...   18.651     46 ->                                            192.168.199.107

Any idea what is generating that traffic? Is PPTP producing “keep alive” ICMP pings?

In any case I am seeing my outgoing ping to an IP behind the USG


[at@mikrotik] > /tool sniffer quick interface=<pptp-ccc-usg> ip-protocol=icmp
IN     TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                        
<p    1.592      1 ->                                            192.168.199.107                     172.16.255.100                     
<p    1.592      2 ->                                            192.168.199.107                     172.16.255.100                     
<p    1.592      3 ->                                            192.168.199.107                     172.16.255.100                     
<p    1.592      4 ->                                            192.168.199.107                     172.16.255.100                     
<p    1.592      5 ->                                            192.168.199.107                     172.16.255.100                     
<p    1.592      6 ->                                            192.168.199.107                     172.16.255.100                     
<p    2.593      7 ->                                            192.168.199.104                     172.16.105.34                      
<p    2.594      8 ->                                            192.168.199.104                     172.16.105.34                      
<p    2.594      9 ->                                            192.168.199.104                     172.16.105.34                      
<p    4.612     10 ->                                            192.168.199.107                     172.16.255.100                     
<p    4.612     11 ->                                            192.168.199.107                     172.16.255.100                     
<p    4.612     12 ->                                            192.168.199.107                     172.16.255.100                     
<p    4.612     13 ->                                            192.168.199.107                     172.16.255.100                     
<p    4.612     14 ->                                            192.168.199.107                     172.16.255.100                     
<p    4.612     15 ->                                            192.168.199.107                     172.16.255.100                     
<p    4.839     16 ->                                            172.16.100.30                       172.16.107.40  <--- here                    
<p    6.093     17 ->                                            192.168.199.104                     172.16.105.34                      
<p    7.622     18 ->                                            192.168.199.107                     172.16.255.100                     
<p    7.622     19 ->                                            192.168.199.107                     172.16.255.100

So I guess I will have to take a close look there.
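Added example (not part of the original posts): the sniffer check suggested earlier in the thread, written as a small parser over capture rows. It goes one step beyond the rule as stated by also looking for returning replies; the sample rows are constructed in the layout of the output above, and the "<-" marker for received packets is an assumption about the DI column.

```python
import ipaddress

# Constructed rows in the layout of the "/tool sniffer quick" output above:
# interface, time, num, direction, source address, destination address.
CAPTURE = """\
<p    4.612     15 ->    192.168.199.107    172.16.255.100
<p    4.839     16 ->    172.16.100.30      172.16.107.40
<p    6.093     17 ->    192.168.199.104    172.16.105.34
<p    7.622     18 ->    192.168.199.107    172.16.255.100
"""

def parse_rows(text):
    """Yield (direction, src, dst) for each row carrying two IP addresses."""
    for line in text.splitlines():
        tokens = line.split()
        direction = next((t for t in tokens if t in ("->", "<-")), None)
        addrs = []
        for tok in tokens:
            try:
                addrs.append(ipaddress.ip_address(tok))
            except ValueError:
                continue  # interface name, time, counter, annotations
        if direction and len(addrs) >= 2:
            yield direction, addrs[-2], addrs[-1]

def diagnose(text, lan, pinged):
    """Classify a capture taken on the tunnel interface during a ping.

    lan is the local subnet the ping comes from, pinged the remote host.
    """
    lan = ipaddress.ip_network(lan)
    pinged = ipaddress.ip_address(pinged)
    sent = replied = 0
    for direction, src, dst in parse_rows(text):
        if direction == "->" and src in lan and dst == pinged:
            sent += 1
        elif direction == "<-" and src == pinged and dst in lan:
            replied += 1
    if sent == 0:
        return "mikrotik"  # the request never left through the tunnel
    if replied == 0:
        return "usg"       # the request left, nothing came back
    return "ok"

if __name__ == "__main__":
    print(diagnose(CAPTURE, "172.16.100.0/24", "172.16.107.40"))
```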