A friend of mine uses a car dealership service (ODIS) which consists of a “Cisco box” with a WAN and a LAN connection. This box is connected from WAN to ether2 of the mikrotik HEX to connect to the internet. It then automatically creates a secure connection to the ODIS service. Any internet connection will do.
He then connects a laptop to the lan port of this Cisco box and the software on the laptop logs in to the ODIS service.
The software seems to connect via HTTP to addresses like ws-gateway.cpn.vwg.
He now wants to be able to use this service “on the road”, so I created an L2TP/IPsec VPN for him. I connected the LAN port of the Cisco box to ether5, took ether5 out of the bridge and activated a DHCP client on ether5. Ether5 now gets this from the Cisco box (like the laptop would):
Very interesting case, so I will kick-start. It might take me a few attempts to get it working, but I’d think it’s possible.
First, try to set up the VPN in such a way that the local address is that of ether5, and the VPN pool is in the same range as that of the Cisco box.
When connected via VPN, the laptop should be able to ping ether5 and the Cisco box.
You would need a NAT rule like masquerade, src-address=VPN range out-interface=ether5.
Also, your DHCP client should have “add default route” enabled.
This is how I have it setup now:
/ip pool
add name=VAG-kastje ranges=10.10.10.200-10.10.10.205
/ppp profile
add dns-server=10.10.10.1 local-address=10.10.10.1 name=SSTP-profile \
remote-address=VAG-kastje use-encryption=required
/ip address
add address=10.10.10.199 comment="VAG VPN ding" interface=ether5 network=\
10.10.10.0
/ip dhcp-client
add comment="VAG VPN kastje" dhcp-options=hostname,clientid disabled=no \
interface=ether5
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade VAG-kastje" \
out-interface=ether5 src-address=10.10.10.0/24
I can ping 10.10.10.6 from the SSTP VPN, but I can’t ping 10.112.198.40 and 10.112.198.255 (the addresses ws-gateway.cpn.vwg resolves to when the laptop is plugged straight into the Cisco box).
Please do not set the ip addresses of your vpn (neither local nor the remote one) to one of the ips from the cisco net (10.10.10.0/28). You should just setup the vpn as you would do for a normal road-warrior routed setup (example: https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Basic_L2TP.2FIpSec_setup)
Afterwards you should be able to allow connections via firewall filter from vpn → ether5 and vice versa with nat enabled
Not sure why you cannot use the 10.10.10.0/28 range as the VPN local address; I don’t think it matters, but happy to learn otherwise.
In my view, you can use either 192.168.78.1 or 10.10.10.1 as the local IP for the VPN. Use the matching pool.
Double-check you have “add default route” and “use peer DNS” on the DHCP client at ether5.
Then:
Can you ping 8.8.8.8 on the VPNed laptop?
Can you ping 10.10.10.1? (I think that’s the Cisco box LAN IP?)
Traceroute to 10.112.198.40: where does it stop?
It might be that when you ping these IP addresses, they are routed to the main gateway instead of ether5. So you can add a static route like this:
/ip route
add distance=1 dst-address=10.112.198.40 gateway=10.10.10.1
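Pulling the thread's advice together (VPN addressing kept out of the Cisco LAN, NAT and filter between the VPN and ether5, a static route for the ODIS endpoint via the Cisco box), here is a RouterOS fragment as an added example; it is not a configuration any poster published. Only 10.10.10.1, 10.112.198.40, 192.168.78.1 and the /28 size of the Cisco LAN come from the thread; the pool range, names and comments are constructed.

```routeros
# VPN addressing deliberately outside the Cisco box's 10.10.10.0/28 LAN
# (pool range 192.168.78.10-20 is a constructed example)
/ip pool
add name=odis-vpn ranges=192.168.78.10-192.168.78.20
/ppp profile
# dns-server=10.10.10.1 because ws-gateway.cpn.vwg only resolves through the
# Cisco box's resolver; VPN clients reach it via the NAT rule below
add name=odis-profile local-address=192.168.78.1 remote-address=odis-vpn \
    dns-server=10.10.10.1 use-encryption=required
/ip dhcp-client
# add-default-route with a high distance, so the default route handed out by
# the Cisco box never outranks the real WAN default route on ether2
add interface=ether5 add-default-route=yes default-route-distance=10 \
    disabled=no comment="Cisco ODIS box"
/ip route
# host route for the ODIS endpoint via the Cisco box LAN address;
# repeat for any other address the service name resolves to
add dst-address=10.112.198.40/32 gateway=10.10.10.1 distance=1
/ip firewall nat
# hide VPN clients behind ether5's own 10.10.10.x address
add chain=srcnat action=masquerade src-address=192.168.78.0/24 \
    out-interface=ether5 comment="vpn -> ODIS box"
/ip firewall filter
# only VPN clients may reach the dealer box; replies are allowed back,
# and no other LAN host gets to talk to ether5
add chain=forward action=accept in-interface=ether5 \
    connection-state=established,related comment="ODIS replies"
add chain=forward action=accept src-address=192.168.78.0/24 \
    out-interface=ether5 comment="vpn -> ODIS"
add chain=forward action=drop out-interface=ether5 comment="no other lan -> ODIS"
```

With this in place, a VPN laptop should traceroute to 10.112.198.40 with 192.168.78.1 then 10.10.10.1 as the first hops; if it still goes to the main gateway, check that the DHCP client on ether5 actually received a lease.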