Hello world,
this is my first post and my first contact with RouterOS. I inherited a project where two Mikrotik RB2011UiAS (and 5 APs) are in use.
After a first look I’m impressed and overwhelmed by the number of possibilities this system offers and I started by using the GUI (WinBox). For some reason there is no web interface, maybe that is switched off. It looks like someone did a very, very basic “assisted” config for everything. No segmentation/VLANs, no RADIUS, no CAPsMAN, nothing here.
Both sites are connected by a site-to-site VPN and people use only site A to dial in. Once they have established their VPN tunnel they can access only hosts in the subnet of site A but not in that of site B.
Site A, 192.168.10.0/24:
two IFs: LAN and WAN
one PPP profile
ppp address pool is 10.10.10.0/24
Site B, 192.168.30.0/24:
two IFs: LAN and WAN
site-to-site via the same ppp profile the clients use to log in.
It looks like the VPN clients don’t get a route from A to B, whereas LAN clients do.
Where can I start to look?
I checked IP → routes but don’t think that’s what I want.
Maybe someone here can help me out and tell me where to start?
I’d appreciate not being kicked to a basic course because this is a production environment and it is a bit urgent. Please help me keep these nice little boxes.
Best regards
Holger
A Network diagram and your Configuration export (with hide-sensitive) obviously would help…
Also information about what VPN the clients are using…
Hello Zacharias! THX for the quick reply.
The network is simple.
There are a few services in site A that are published but there is not even a proper DMZ.
There are a few VLANs I added but didn’t assign yet. BTW RADIUS seems not to work yet but that’s another issue.
CFG of site A:
site_a.txt (7.89 KB)
Is that enough input?
Best regards
Holger
The route under ppp secret is wrong… the correct syntax is 192.168.10.0/24 Gateway Distance…
So, fix the route and then add a dst NAT rule on site A so that you will be dstNated on site B for specific IPs…
Also don’t forget you need a static route on Site B for Site A’s subnet…
I am wondering why traffic from site a to site b is routed correctly through the L2TP connection which uses the same ppp profile the clients use.
???
I thought there is a proper route defined here: WebFig IP → Routes → DAS|192.168.10.0/24|Gateway reachable|Distance 1| NO Pref. Source
ROUTE:
I’ll try to follow your hint but I can’t find the route to modify in WebFig.
NAT:
I’d look for firewall/nat usually.
Sorry for those stupid beginner questions. I’m used to other brands but fascinated by the possibilities RouterOS offers.
I thought there is a proper route defined here: WebFig IP → Routes → DAS|192.168.10.0/24|Gateway reachable|Distance 1| NO Pref. Source
If you see that route then its ok. Maybe it is hidden from the export.
I am wondering why traffic from site a to site b is routed correctly through the L2TP connection which uses the same ppp profile the clients use.
???
The VPN Client most likely does not have a default Gateway configured. So unless an IP is at the 10.10.10.0/24 it will not get looked up at the Router.
So, if for example you want to reach the IP 192.168.10.15 at site B, add a dst NAT Rule at site A to dst-NAT the dst-Address 10.10.10.15 to Address 192.168.10.15. So the VPN Client will hit the address 10.10.10.15 and will be forwarded to 192.168.10.15. Try that…
we could also add a static route on the VPN Client for the subnet 10.10.10.0/24…
Sorry, I was not aware of what is included in the export and what is not. I removed only some information like usernames and public IPs.
I agree that there SHOULD be a route from 10.10.10.0/24 to 192.168.10.0/24 "somewhere".
Also there MUST be an existing route from 10.10.10.0/24 into 192.168.30.0/24 because the VPN clients can access this SN.
The routing table (/ip route print where !routing-mark) looks like this:
DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 xxx.xxx.xxx.xxx 1
1 ADC 10.10.10.57/32 10.10.10.58 0
2 ADC 10.10.10.98/32 10.10.10.64 0
3 ADC 10.10.10.98/32 10.10.10.65 0
4 ADS 192.168.10.0/24 1
5 ADC 192.168.30.0/24 192.168.30.254 bridge 0
5 ADC yyy.yyy.yyy.yyy/21 xxx.xxx.xxx.xxx ether1 0
Where xxx.xxx.xxx.xxx is the public IP of site_a and yyy.yyy.yyy.yyy is that of site_b.
I think this is still not "everything". Should I post the NAT table too?
THX
The route for site B is fine…
Why don’t you try the dst nat I suggested in my previous post?
sorry for the delay, things are a bit difficult these days…
I looked into the cfg and expected to need this:
add action=dst-nat chain=dstnat dst-port=any in-interface=ether1 protocol=tcp
to-addresses=192.168.10.0/24 to-ports=any
and on the remote box:
add action=dst-nat chain=dstnat dst-port=any in-interface=ether1 protocol=tcp
to-addresses=192.168.30.0/24 to-ports=any
Firewall:
add action=dst-nat chain=dstnat dst-port=any in-interface=ether1 protocol=tcp
to-addresses=192.168.30.1 to-ports=any
and on the remote box:
add action=dst-nat chain=dstnat dst-port=any in-interface=ether1 protocol=tcp
to-addresses=192.168.10.1 to-ports=any
I didn’t do any cfg for udp but will probably need that too…
First attempt: no success. Maybe I am thinking in a wrong direction… maybe I am just not used to the MikroTik syntax.
I tried to do that in GUI mode after failing in CLI:
Firewall → NAT → New NAT rule → chain: dstnat → Src. Address 10.10.10.0/24 → Dst. Address 192.168.10.0/24 → Prot TCP (blank equals “any”?) → In. Interface: ether1 → Action: accept
Added FW Rules like the NAT rule to chain input next.
No success…
Maybe you can tell me where to click what…
THANK YOU!
Try this…
add action=dst-nat chain=dstnat dst-address=10.10.10.x to-addresses=192.168.30.1
Can I use 192.168.30.x instead? I actually need to access the whole subnet. THX!!!
You can use netmap for that…
But why don’t you go step by step first and see if you can reach at least one host behind the VPN?
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#1:1_mapping
The suggested solution:
add action=dst-nat chain=dstnat dst-address=10.10.10.x to-addresses=192.168.30.1
caused error value of range expects range of ip-addresses
add action=dst-nat chain=dstnat dst-address=10.10.10.0 to-addresses=192.168.30.1
and on the other site:
add action=dst-nat chain=dstnat dst-address=10.10.10.0 to-addresses=192.168.1.1
-didn't help
used 10.10.10.0/24 instead
-didn't help, can't access remote site (.1) resources, can't ping or tracert
I looked in the GUI (see attachment) and maybe I missed the point but shouldn't there be a source address listed?
The suggested solution:
add action=dst-nat chain=dstnat dst-address=10.10.10.x to-addresses=192.168.30.1
caused error value of range expects range of ip-addresses
“x” is a number from 1 to 254…! Obviously you did write something else…
You can either use dst-nat and create a port forward rule for every host you want to reach
or
You can use netmap, e.g.
/ip firewall nat
add action=netmap chain=dstnat dst-address=192.168.100.0/24 \
to-addresses=192.168.30.0/24
The above rule will actually dst-nat the whole subnets 1:1. For example, 192.168.100.1 is dst-nated to 192.168.30.1 and so on…
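To make the 1:1 behaviour of that netmap rule concrete, here is an added Python model (not RouterOS code and not from the thread): a host routing lookup as the VPN client does it, and the address arithmetic `action=netmap` performs on the router. The client routing table and the rule's prefixes are constructed assumptions taken from the thread's figures; it also checks the netmap precondition that both prefixes are the same size.

```python
import ipaddress

# Constructed assumption: the VPN client only routes the PPP pool (and, once
# added, the netmap prefix) over the tunnel; everything else leaves locally.
CLIENT_ROUTES = [
    ("10.10.10.0/24", "l2tp-tunnel"),
    ("192.168.100.0/24", "l2tp-tunnel"),   # route the client needs for netmap
    ("0.0.0.0/0", "local-default-gw"),
]

# The netmap rule from the post above, as (dst-address, to-addresses).
NETMAP_RULE = ("192.168.100.0/24", "192.168.30.0/24")


def route_lookup(dst, routes=CLIENT_ROUTES):
    """Longest-prefix match: which next hop a host picks for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def netmap(dst, rule=NETMAP_RULE):
    """1:1 mapping: keep the host offset, swap the network prefix.
    Returns None when dst does not fall inside the rule's dst-address."""
    src_net = ipaddress.ip_network(rule[0])
    to_net = ipaddress.ip_network(rule[1])
    if src_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs dst-address and to-addresses of equal size")
    addr = ipaddress.ip_address(dst)
    if addr not in src_net:
        return None
    offset = int(addr) - int(src_net.network_address)
    return str(to_net.network_address + offset)


def destination_seen_at_site_b(dst):
    """Where a packet sent by the VPN client ends up: None if it never enters
    the tunnel, otherwise the address after dstnat on the site A router."""
    if route_lookup(dst) != "l2tp-tunnel":
        return None                      # left via the client's own gateway
    mapped = netmap(dst)
    return mapped if mapped is not None else dst


if __name__ == "__main__":
    for target in ("192.168.30.1", "192.168.100.1", "10.10.10.15"):
        print(target, "->", destination_seen_at_site_b(target))
```

Sending directly to 192.168.30.1 never reaches the router, which is the symptom in the thread; sending to 192.168.100.1 is carried over the tunnel and rewritten to 192.168.30.1, with the reply path still depending on site B's static route back.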