SSTP Can't ping local devices

Hi,
I am new to MikroTik router configuration; previously I had a Dell, where I did everything by clicking :slight_smile:
I have 2 ISPs and 1 LAN. I have set up these two ISPs and the LAN, and everything works very well. I want to make an SSTP connection to my router, but something is not working: I can connect, but I cannot connect to any RDP and I can't ping any devices on my local network. Can somebody help me with what I am doing wrong in my configuration?

/interface ethernet
set [ find default-name=ether6 ] arp=proxy-arp name=LAN1
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vpn_pool ranges=192.168.1.20-192.168.1.24
/ppp profile
add dns-server=192.168.1.1 local-address=192.168.1.1 name=vpn_profile remote-address=vpn_pool use-encryption=yes use-mpls=no
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
/interface ovpn-server server
set auth=sha1 certificate=Server_Cert cipher=aes256 default-profile=vpn_profile require-client-certificate=yes
/interface sstp-server server
set authentication=mschap2 certificate=Server_Cert default-profile=vpn_profile enabled=yes
/ip address
add address=91.236.172.5/24 interface=WAN1 network=91.236.172.0
add address=192.168.1.1/24 interface=LAN1 network=192.168.1.0
add address=91.236.174.80/24 interface=WAN2 network=91.236.174.0
/ip dns
set allow-remote-requests=yes servers=91.236.172.1,8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=443 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=WAN1 nth=2,1 passthrough=yes src-address=192.168.1.0/24
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=WAN2 nth=2,2 passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting connection-mark=WAN1 new-routing-mark=WAN1 passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting connection-mark=WAN2 new-routing-mark=WAN2 passthrough=yes src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
/ip route
add distance=1 gateway=91.236.172.1 routing-mark=WAN1
add distance=1 gateway=91.236.174.1 routing-mark=WAN2
add check-gateway=ping distance=1 gateway=91.236.172.1
add check-gateway=ping distance=2 gateway=91.236.174.1
/ppp secret
add name=Patryk profile=vpn_profile service=sstp
add name=Gosia profile=vpn_profile service=sstp
/system clock
set time-zone-name=Europe/Warsaw

I use the VPN from Windows to connect through the 91.236.172.1 network.
When I connect and run a traceroute, I get the following output:

tracert -d 192.168.1.177

Tracing route to 192.168.1.177 over a maximum of 30 hops

  1     *       48 ms     5 ms  192.168.1.1
  2    87 ms   266 ms     *     91.236.172.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *     192.168.1.234  reports: Destination host unreachable.

Trace complete.

Make a src masquerade, changing the src IP to the router's IP for everything connected via VPN.

Hi,

You are using the same subnet addresses for the VPN and the LAN. It will not work unless you enable proxy-arp on your LAN network.

The computers will not send packets to the router, because the computers will think the packets arrive from inside the LAN network.

With proxy-arp enabled, the router can catch those packets and send them to the VPN client.

I recommend using a different subnet for the VPN clients and letting the routing do the magic.

It's easier to implement firewall rules, and you don't need to enable proxy-arp, as it can cause problems in some scenarios.

You can read about proxy-arp in the wiki section of ARP. https://wiki.mikrotik.com/wiki/Manual:IP/ARP

Best regards,
Andrej
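The separate-subnet layout recommended above, written out as an added example of RouterOS commands (not part of the thread and not verified on the poster's router). It assumes 192.168.89.0/24 as the VPN client range and 192.168.89.1 as the router end of the tunnels, and keeps the thread's interface names, LAN range and dual-WAN setup.

```routeros
# Added example, not from the thread: move the SSTP clients to their own subnet
# so that routing, not proxy-arp, carries traffic between VPN and LAN.
# Assumed values: 192.168.89.0/24 for VPN clients, 192.168.89.1 for the router
# end of the tunnels. Interface names, LAN range and WAN setup are the thread's.

# 1. Client address pool outside the LAN range
/ip pool
set [ find name=vpn_pool ] ranges=192.168.89.10-192.168.89.250

# 2. Profile: the router side of each tunnel gets an address in the new range;
#    clients keep the LAN router as DNS so internal names still resolve
/ppp profile
set [ find name=vpn_profile ] local-address=192.168.89.1 remote-address=vpn_pool dns-server=192.168.1.1

# 3. proxy-arp on LAN1 is no longer needed once the ranges do not overlap
/interface ethernet
set [ find name=LAN1 ] arp=enabled

# 4. Keep the dual-WAN marking away from VPN-bound traffic. The thread's
#    mark-connection rules match src-address=192.168.1.0/24 and the WAN1/WAN2
#    tables hold only default routes, so a connection opened from the LAN
#    towards a VPN client would otherwise be sent out to the ISP instead of
#    into the tunnel. (VPN-originated traffic is never marked: its source is
#    no longer 192.168.1.x, so it uses the main table and the connected route.)
/ip firewall mangle
add chain=prerouting action=accept dst-address=192.168.89.0/24 place-before=0 comment="LAN -> VPN: use main routing table"

# 5. Explicit forward rules; harmless today (the thread's filter has no drop
#    rules) but required once a default drop is added to the forward chain
/ip firewall filter
add chain=forward action=accept src-address=192.168.89.0/24 dst-address=192.168.1.0/24 comment="VPN -> LAN (RDP, ping, ...)"
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.89.0/24 comment="LAN -> VPN"

# 6. Only needed if VPN clients should also reach the internet via the router;
#    no NAT is needed for VPN <-> LAN, so LAN hosts see the real client address
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.89.0/24 out-interface=WAN1
add chain=srcnat action=masquerade src-address=192.168.89.0/24 out-interface=WAN2

# Checks after a client connects:
#   /ppp active print     -> the client holds a 192.168.89.x address
#   /ip route print       -> a dynamic /32 per client, 192.168.1.0/24 connected on LAN1
#   /tool traceroute 192.168.1.177 src-address=192.168.89.1
```

The first hop of the Windows-side tracert should then be 192.168.89.1 and the LAN host should answer directly, rather than the trace leaving via 91.236.172.1 as in the output above.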

Hi Bartosz,
thanks for your answer to my question

I added a new entry, as in the quote below, and I still can't connect to RDP via VPN. Could you say whether I entered it correctly?

/ip firewall nat
add action=masquerade chain=srcnat src-address-list=192.168.1.20-192.168.1.24
add action=masquerade chain=srcnat src-address=192.168.1.0/24