Unavailability of LAN Resources While Sharing VPN over VLAN Interfaces

Hello,

I have a problem accessing LAN resources on VLAN interfaces with a PPTP VPN client set up, as it seems that all traffic is routed through the VPN tunnel. Could anyone please tell me how to configure the settings by commands so that I can access my LAN resources over the VLAN interfaces while the VPN is connected?

Below is how I configured the VPN over the VLAN:

  1. Network Conditions:

Clients are connected to a switch which routes to ether2-master on a MikroTik router for network access, as ether1 is used for the PPPoE client connection. When no VLAN ID is specified, clients get IPv4 addresses from the 192.168.2.0/24 subnet. Here are the details:

ether2-master without VLAN ID: 192.168.2.0/24
VLAN on ether2-master: 100.64.0.0/10
PPTP VPN Assigned IP Address: 10.0.0.0/24

  2. Configuration Steps:

i) Set up VLAN and bridge it to change its MAC address.

/interface vlan
add arp=enabled disabled=no interface=ether2-master mtu=1500 name=vlan1 vlan-id=2
/ip address
add address=100.75.15.1/24 network=100.75.15.0 interface=vlan1
/ip pool
add name=vlan1_pool ranges=100.75.15.2-100.75.15.254
/ip dhcp-server
add name=vlan1_dhcp interface=vlan1 address-pool=vlan1_pool disabled=no
/ip dhcp-server network
add address=100.75.15.0/24 gateway=100.75.15.1 netmask=24 dns-server=208.67.222.222,208.67.220.220
/interface bridge
add name=bridge1 admin-mac=60:18:2E:D0:3F:02 auto-mac=no disabled=no
/interface bridge port
add bridge=bridge1 interface=vlan1 disabled=no
/ip dhcp-server
set vlan1_dhcp interface=bridge1

ii) Enable access to 192.168.2.0/24 subnet on VLAN

/ip firewall nat
add chain=srcnat action=masquerade to-addresses=0.0.0.0 src-address=192.168.2.0/24
add chain=srcnat action=masquerade to-addresses=0.0.0.0 src-address=100.64.0.0/10

→ Now I can access LAN resources over the VLAN with different MAC addresses.

iii) Configure PPTP VPN client on VLAN

/interface pptp-client
add name=Office_Access connect-to=1.2.3.4 user=Andy password=thisisthepassword disabled=no
/ip firewall nat
add chain=srcnat out-interface=Office_Access action=masquerade
/ip firewall mangle
add chain=prerouting src-address=100.75.15.2-100.75.15.254 action=mark-routing new-routing-mark=Office_Access
/ip route
add dst-address=0.0.0.0/0 gateway=Office_Access routing-mark=Office_Access

→ Now I can no longer access LAN resources over the VLAN, though VPN access is now available directly with just the correct VLAN ID settings.


Could anyone please help me with the issue by telling me commands of what to do next?


Thanks! Much appreciated!

Regards,


Andy

Hello, I have the same problem, and it seems that many people have the same one; nobody can help with this problem. If you know the solution, please tell me, thanks.

Step 2 ii … You are using Source NAT, masquerade, with the to-address being set to 0.0.0.0 … I think you meant or wanted dst-address=0.0.0.0/0 or ideally just blank.

Thanks for your suggestion! After struggling to find answers and experiment with RouterOS for weeks, the issue has finally been solved! :smiley:

@lukkes

Simply add IP addresses to exclude with the “!” mark in the destination address list, and I found that I could access network resources now. :smiley:
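The fix described in the last post, written out as an added example (this is not the thread's own configuration): the two local subnets go into an address list and the mangle rule negates that list with "!", so only non-local traffic from the VLAN receives the Office_Access routing mark and LAN traffic keeps using the main routing table. Subnets, interface and routing-mark names are taken from the thread; the address-list name local-nets is an assumption.

```routeros
# Added example, not the poster's configuration.
# Assumed address-list name: local-nets.

# 1. Collect every local subnet in one address list so the exclusion
#    stays in one place when more subnets are added later.
/ip firewall address-list
add list=local-nets address=192.168.2.0/24 comment="ether2-master, untagged clients"
add list=local-nets address=100.64.0.0/10 comment="VLAN clients"

# 2. Mark only VLAN traffic whose destination is NOT in local-nets.
#    The leading "!" negates the address-list match; passthrough=no stops
#    further mangle processing once the routing mark is applied.
/ip firewall mangle
add chain=prerouting src-address=100.75.15.2-100.75.15.254 dst-address-list=!local-nets action=mark-routing new-routing-mark=Office_Access passthrough=no comment="VLAN to VPN, except local destinations"

# 3. Policy route used only by marked traffic (same as in the thread).
/ip route
add dst-address=0.0.0.0/0 gateway=Office_Access routing-mark=Office_Access

# 4. Masquerade on the tunnel without to-addresses=0.0.0.0, as suggested
#    in the reply above.
/ip firewall nat
add chain=srcnat out-interface=Office_Access action=masquerade

# Check: generate traffic from a VLAN host to a LAN host and to an
# Internet host, then confirm only the latter increments the mark rule.
/ip firewall mangle print stats where comment~"VLAN to VPN"
```

If the counter on the mark rule rises while a VLAN host is only talking to 192.168.2.0/24, the destination is not covered by the address list and the exclusion needs the missing subnet added.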