SSTP VPN, connected but local server not reachable

First off, I am a complete newbie when it comes to RouterOS. I got a RB951G router from my internet provider, preconfigured for the internet connection.

Situation:
I have a server running Windows Server Essentials at home on the LAN, which I use to store data and backups on network drives.
When I go out of the house with my laptop I want to connect with a VPN connection to reach the server's network drives.

What did I do:
I followed this guide http://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
I installed the certificates and I can get a working VPN connection with the router. I also enabled the proxy-arp on ether2 as suggested in the guide. However I still can not reach the local server when connected.
From the laptop with VPN I can run winbox and connect to the router, I can also ping it.
From within winbox I can not ping the laptop, timeout.
From the laptop I can not ping the server. edit: I CAN ping the server from laptop via VPN, but I can not ping the laptop from the server.

Some more information.
Server IP (static via mikrotik) 192.168.1.250.
LAN DHCP apparently starts from 192.168.1.253 downwards.
I made a VPN DHCP pool with 192.168.1.50-192.168.1.60.
I also made a profile for VPN with local address the router WAN IP and remote address the VPN pool.

Right now Firewall Filter Rules are empty.
On NAT there is the default masquerade on the internet interface the ISP programmed there.
If more information is needed please tell and I will supply.

Who can help to get this to work? I don’t know what to add, firewall rules, nat, routes, mangle??? As we say in Holland, I can not see the forest because of the trees…

There is lots to learn. Personally, I would install VNC on the server or use RDP session. This way you open one port and go from there.

Watch this.
http://youtu.be/ulDefmf1ces

mwise
Please, provide the output of some commands.

RB

/ppp secret export hide-sensitive

When the laptop is connected to the VPN
RB

/ip route print

Laptop

route print

Thanks for the replies. That video was really helpful and clarifying. A lot easier to understand for me than the manual :)
Before I had different internet with a different router and used the built-in VPN server from Windows. That was automatically configured by Windows. But actually I prefer to have VPN to the router so the server doesn’t have to be running all the time and I can connect to the VPN to make a secure connection from an open wifi network. So that is why I chose this new provider with the RouterBoard. :)

I ran the command and result is as follows:

/ppp secret
add local-address=192.168.1.254 name= xxxxxxxxx profile="VPN profile" \
    service=sstp

When connected with VPN from RB:

/ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; vlan7_Gateway_force
        10.0.0.0/8                         10.111.0.1                1
 1 ADS  0.0.0.0/0                          212.121.121.183           1
 2 ADC  10.111.0.0/24      10.111.0.51     vlan7_Gateway             0
 3 ADC  192.168.1.0/24     192.168.1.254   bridge_Default            0
 4 ADC  192.168.1.59/32    192.168.1.254   sstp-martijnwisse         0
 5 ADC  212.121.121.183/32 37.153.233.30   pppoe-out internet        0

And from the laptop while connected

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Windows\system32>route print
===========================================================================
Interface List
 39...........................VPN Connection
 14...3c a9 f4 18 65 31 ......Microsoft Wi-Fi Direct Virtual Adapter
 13...3c a9 f4 18 65 30 ......Intel(R) Centrino(R) Ultimate-N 6300 AGN
 12...00 90 f5 e6 74 2f ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.178.1   192.168.178.32   4245
          0.0.0.0          0.0.0.0         On-link      192.168.1.59     21
    37.153.233.30  255.255.255.255    192.168.178.1   192.168.178.32   4246
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
     192.168.1.59  255.255.255.255         On-link      192.168.1.59    276
    192.168.178.0    255.255.255.0         On-link    192.168.178.32   4501
   192.168.178.32  255.255.255.255         On-link    192.168.178.32   4501
  192.168.178.255  255.255.255.255         On-link    192.168.178.32   4501
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link    192.168.178.32   4501
        224.0.0.0        240.0.0.0         On-link      192.168.1.59     21
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link    192.168.178.32   4501
  255.255.255.255  255.255.255.255         On-link      192.168.1.59    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 16    306 2001::/32                On-link
 16    306 2001:0:5ef5:79fb:1003:dfa:3f57:fec4/128
                                    On-link
 12    276 fd00::/64                On-link
 12    276 fd00::/64                fe80::c225:6ff:fe5e:4826
 12    276 fd00::30fd:a007:736:c8a0/128
                                    On-link
 12    276 fd00::b077:158f:56a6:3396/128
                                    On-link
 12    276 fe80::/64                On-link
 16    306 fe80::/64                On-link
 16    306 fe80::1003:dfa:3f57:fec4/128
                                    On-link
 12    276 fe80::30fd:a007:736:c8a0/128
                                    On-link
  1    306 ff00::/8                 On-link
 16    306 ff00::/8                 On-link
 12    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Windows\system32>

So is this enough information or what else do you need to help me? :)
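
Reading the laptop's route table above, as an added example that is not part of the original thread: this Python sketch applies longest-prefix-then-lowest-metric route selection to the IPv4 rows to show which interface each destination leaves through. The rows are copied from the post; 203.0.113.10 is a constructed stand-in for an arbitrary internet host.

```python
import ipaddress

# IPv4 rows taken from the laptop's `route print` output in the post above
# (loopback, multicast and broadcast rows omitted for brevity).
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0    192.168.178.1   192.168.178.32   4245
          0.0.0.0          0.0.0.0         On-link      192.168.1.59     21
    37.153.233.30  255.255.255.255    192.168.178.1   192.168.178.32   4246
     192.168.1.59  255.255.255.255         On-link      192.168.1.59    276
    192.168.178.0    255.255.255.0         On-link    192.168.178.32   4501
   192.168.178.32  255.255.255.255         On-link    192.168.178.32   4501
"""

def parse_routes(text):
    """Turn `route print` IPv4 rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            continue  # header or separator line, not a route row
        routes.append((net, gateway, iface, int(metric)))
    return routes

def lookup(routes, target):
    """Select a route: longest matching prefix first, then lowest metric."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def egress_interface(target, text=ROUTE_PRINT):
    """Return the local interface address the target would be sent from."""
    best = lookup(parse_routes(text), target)
    return best[2] if best else None

if __name__ == "__main__":
    for label, ip in [("LAN server", "192.168.1.250"),
                      ("router WAN address", "37.153.233.30"),
                      ("internet host (constructed)", "203.0.113.10")]:
        print(f"{label:28} {ip:15} -> leaves via {egress_interface(ip)}")
```

With these rows, the server and the internet host both leave through the VPN interface 192.168.1.59 because its default route has the lower metric, while only the host route to the router's WAN address uses the Wi-Fi interface 192.168.178.32.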

mwise
All seems to be fine.
Maybe this?

"I also enabled the proxy-arp on ether2 as suggested in the guide"

3 ADC 192.168.1.0/24 192.168.1.254 bridge_Default 0

Try to enable proxy-arp on the bridge_Default port.

Thanks for the suggestion, I tried but that also doesn’t help to get through to the local network :(

I was out of the house, back now and did a little bit more testing.
With VPN connected I can ping from laptop to local computers, server and the router itself. But I can not ping the other way round to the laptop, it gives a request time out.
Anybody know what is going wrong here and how I can fix it?