VPN client access to LAN PC

Hello,
I have a MikroTik with a working VPN (OVPN) server with this configuration:
WAN : xxx.xxx.xxx.xxx
LAN : 192.168.1.0/24 (IP range 192.168.1.50-192.168.1.100)
VPN: 192.168.1.0/24 (IP range 192.168.1.240-192.168.1.250)
With this configuration I can access the LAN computers from a VPN client connection.


In some situations I cannot use the same IP range from the MikroTik LAN for VPN users, so I change it from 192.168.1.0/24 to 10.0.0.0/24.
In this case the VPN connection is OK, but I can only ping computers from the VPN network.
e.g.: ping from MikroTik to 10.0.0.2: OK
ping from 10.0.0.2 (VPN client) to 10.0.0.1: OK
ping from 10.0.0.2 (VPN client) to 192.168.1.1: time out # 192.168.1.1 is the MikroTik LAN IP
ping from 10.0.0.2 (VPN client) to 192.168.1.10: time out # 192.168.1.10 is a PC from the LAN

In this case, what should I do to have access from 10.0.0.0/24 (VPN users) to 192.168.1.0/24 (LAN PCs)?

Thank you!

NAT/Masquerade 10.0.0.x users to your 192.168.1.x interface address.
Most desktop machine firewalls (especially Windows) expect all others to be on the same LAN to access their services.
And make sure to have forward rules in both directions between the two networks.

That happens because by default Windows does not pass all traffic through the VPN interface. You need to set it up manually: https://seed4.me/blog/send-all-traffic-over-vpn-windows/
So when you ping 10.10.10.1 the traffic goes out the VPN interface; when you ping 192.168.1.0/24 it goes out the LAN interface's default gateway!

Good point. You need the proper routes on the client machine, or use the VPN as the default gateway.
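The two replies above together describe one complete setup for the separate-subnet case: VPN clients in their own 10.0.0.0/24, forward rules in both directions, an optional masquerade towards the LAN, and a route on the Windows client so that 192.168.1.x is actually sent into the tunnel. The following is an added example by the editor, not configuration posted in this thread. It assumes RouterOS 6.x syntax, a LAN of 192.168.1.0/24 whose hosts use the MikroTik (192.168.1.1) as default gateway, and an OpenVPN server that already works; the pool, profile and comment names are made up.

```routeros
# Added example (technical editor), not configuration posted in the thread.
# Assumptions: RouterOS 6.x syntax, LAN 192.168.1.0/24 with the MikroTik (192.168.1.1)
# as the LAN hosts' default gateway, a working OpenVPN server, and VPN clients to be
# placed in a separate 10.0.0.0/24. Pool, profile and comment names are made up.

/ip pool
add name=ovpn-pool ranges=10.0.0.2-10.0.0.254

/ppp profile
# local-address is the router's end of every tunnel; the clients use it as the next
# hop for the office LAN.
add name=ovpn-profile local-address=10.0.0.1 remote-address=ovpn-pool dns-server=192.168.1.1

/interface ovpn-server server
set default-profile=ovpn-profile

/ip firewall filter
# Forward rules in both directions. Match on addresses, not interfaces: every OpenVPN
# client gets its own dynamic <ovpn-username> interface, so a fixed in-interface name
# would never match. Place these below the established,related accept and above any
# final drop in the forward chain.
add chain=forward action=accept comment="vpn -> lan" src-address=10.0.0.0/24 dst-address=192.168.1.0/24
add chain=forward action=accept comment="lan -> vpn" src-address=192.168.1.0/24 dst-address=10.0.0.0/24
# Keep VPN users away from everything that is not the office LAN. Replies to LAN->VPN
# traffic are already accepted by the established,related rule, so this does not break them.
add chain=forward action=drop comment="vpn -> anything else" src-address=10.0.0.0/24

/ip firewall nat
# Optional: the "masquerade to your LAN address" suggestion. LAN hosts then see
# 192.168.1.1 as the source, which satisfies Windows host firewalls that only admit the
# local subnet, at the price of losing the real client address in the hosts' logs.
# Prefer widening the host firewall scope (below) when you need that audit trail.
add chain=srcnat action=masquerade comment="vpn -> lan masquerade" src-address=10.0.0.0/24 dst-address=192.168.1.0/24

# --- Not RouterOS; kept here as comments so the two halves stay together ---
# OpenVPN client (.ovpn): without this line Windows sends 192.168.1.x out its home
# default gateway and the MikroTik never sees the packets (forward counters stay at 0).
#   route 192.168.1.0 255.255.255.0
# LAN host (PowerShell, elevated): let the VPN subnet through the file-sharing and
# ping rules, which are scoped to the local subnet by default.
#   Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" -RemoteAddress LocalSubnet,10.0.0.0/24
```

Without masquerade, the LAN hosts must have a return route to 10.0.0.0/24; with the MikroTik as their default gateway they already do, so the masquerade is only a workaround for host firewalls, not for routing.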

Thank you for your answers.
I think I'm doing something wrong, because I put forward and NAT rules in and it still doesn't work. I think you should know that the client is connecting to the MikroTik using OpenVPN. The clients are also using Windows 10, and on Windows 10 I didn't find (VPN connection - Properties - Networking - TCP/IPv4 - Properties - Advanced - IP Settings ...) "Use default gateway on remote network". My firewall setup is:

/ip firewall filter
add action=accept chain=forward comment="forward established, related connections" connection-state=established,related connection-type=""
add action=accept chain=forward comment="forward ISP_1 to LAN" in-interface=ISP_1 out-interface=LAN
add action=accept chain=forward comment="forward ISP_2 to LAN" in-interface=ISP_2 out-interface=LAN
add action=accept chain=forward comment="forward LAN to ISP_1" in-interface=LAN out-interface=ISP_1
add action=accept chain=forward comment="forward LAN to ISP_2" in-interface=LAN out-interface=ISP_2
add action=accept chain=forward out-interface=LAN src-address=10.1.0.0/24
add action=accept chain=forward dst-address=10.1.0.0/24 in-interface=LAN
add action=drop chain=forward comment="forward invalid connection" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=wlan2
add action=add-src-to-address-list address-list=ssh_login_1 address-list-timeout=1m chain=input comment="ssh login fail 1" connection-state=new connection-type="" dst-port=20,22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_login_2 address-list-timeout=1m chain=input comment="ssh login fail 2" connection-state=new connection-type="" dst-port=20,22 protocol=tcp src-address-list=ssh_login_1
add action=add-src-to-address-list address-list=ssh_login_3 address-list-timeout=1m chain=input comment="ssh login fail 3" connection-state=new connection-type="" dst-port=20,22 protocol=tcp src-address-list=ssh_login_2
add action=add-src-to-address-list address-list=ssh_login_black_list address-list-timeout=4w2d chain=input comment="ssh login fail black list" connection-state=new connection-type="" dst-port=20,22 protocol=tcp src-address-list=ssh_login_3
add action=drop chain=input comment="DROP ssh login black list" src-address-list=ssh_login_black_list
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade ISP_1" out-interface=ISP_1
add action=masquerade chain=srcnat comment="Masquerade ISP_2" out-interface=ISP_2
add action=masquerade chain=srcnat out-interface=LAN src-address=10.1.0.0/24

What do the counters on these rules say?
action=accept chain=forward out-interface=LAN src-address=10.1.0.0/24
action=accept chain=forward dst-address=10.1.0.0/24 in-interface=LAN

Any traffic going on?

Optionally, try add action=accept chain=forward protocol=icmp so that all ICMP is allowed to begin with, to pinpoint the issue.
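The counter check suggested above is the right first step, and it is worth following through: in the first post even 192.168.1.1 (the router's own LAN address, whose input chain accepts ICMP) timed out while 10.0.0.1 answered, so the packets for 192.168.1.x are most likely never entering the tunnel. The commands below are an added troubleshooting sequence by the editor, not commands from the thread; they assume the names in the posted rules (VPN clients in 10.1.0.0/24, LAN 192.168.1.0/24) and a client at 10.1.0.2 pinging the LAN host 192.168.1.10 while you run them on the MikroTik.

```routeros
# Added example (technical editor), not commands posted in the thread. Assumes the
# names in the posted rules: VPN clients in 10.1.0.0/24, LAN 192.168.1.0/24, a client
# at 10.1.0.2 pinging the LAN host 192.168.1.10 while these run on the MikroTik.

# 1. Per-rule counters. Zero on the two VPN forward rules means no matching packet
#    ever reached the forward chain, so the rules' content is not the problem yet.
/ip firewall filter print stats where chain=forward

# 2. Do the packets arrive through the tunnel at all? Sniff for the destination while
#    the client pings (Ctrl-C stops it). Nothing captured = the client sends
#    192.168.1.x out its own default gateway, i.e. the route on the Windows side is missing.
/tool sniffer quick ip-address=192.168.1.10

# 3. Packets arrive but are not forwarded: a temporary log rule at the very top of the
#    forward chain records them; compare with the counters afterwards.
/ip firewall filter
add chain=forward action=log log-prefix="vpn2lan " src-address=10.1.0.0/24 place-before=0
/log print where message~"vpn2lan"

# 4. Forwarded but no answer: connection tracking shows one-directional flows
#    (repl-packets stays 0). That points at the LAN host: a host firewall scoped to
#    the local subnet, or a host whose default gateway is not this router.
/ip firewall connection print where src-address~"^10.1.0."

# 5. Remove the temporary log rule when done.
/ip firewall filter remove [ find log-prefix="vpn2lan " ]
```

Each step rules out one hop: step 2 separates "client does not send it" from "router does not forward it", step 4 separates "router does not forward it" from "LAN host does not answer".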

Hello,

No, there is no traffic going through the forward or NAT rules (VPN to LAN or LAN to VPN); the counters show 0 bytes and 0 packets.

:(

Please help me! I need to connect from Home to my Office computers' LAN shared folders.

At home I have the local IP: 192.168.0.30
At work I have the local IPs: 192.168.6.18…

I now connect through VPN to the MikroTik router and get the VPN IP 192.168.100.30

What IP should I use in Explorer in order to see the LAN PCs from work?

Also, please take a look at my settings and tell me: did I do everything right? I did all I could till now, but I can't go on without help.


/interface bridge
add admin-mac=6C:3B:6B:05:16:B8 arp=proxy-arp auto-mac=no comment=defconf \
    fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether2-master
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=no_country_set disabled=no distance=indoors frequency=\
    auto frequency-mode=manual-txpower mode=ap-bridge ssid=FULLHOUSEDESIGN \
    wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des name=profile_1
/ip ipsec peer
# This entry is unreachable
add name=peer1 passive=yes profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
/ip pool
add name=dhcp ranges=192.168.6.10-192.168.6.254
add name=L2TP-Pool ranges=192.168.100.10-192.168.100.30
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge name=defconf
/ppp profile
add local-address=192.168.6.18 name=FHD_L2TP remote-address=L2TP-Pool
set *FFFFFFFE bridge=bridge dns-server=192.168.6.1 local-address=192.168.100.1 \
    remote-address=L2TP-Pool
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set accept-redirects=yes
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.6.1/24 comment=defconf interface=ether2-master network=\
    192.168.6.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.6.17 always-broadcast=yes client-id=1:30:85:a9:94:71:8f \
    mac-address=30:85:A9:94:71:8F server=defconf
add address=192.168.6.31 client-id=1:e8:40:f2:5:f4:bd mac-address=\
    E8:40:F2:05:F4:BD server=defconf
add address=192.168.6.39 client-id=1:e8:40:f2:5:f3:ee mac-address=\
    E8:40:F2:05:F3:EE server=defconf
add address=192.168.6.45 client-id=1:e8:40:f2:5:f8:73 mac-address=\
    E8:40:F2:05:F8:73 server=defconf
add address=192.168.6.15 client-id=1:bc:ee:7b:9e:b6:c6 mac-address=\
    BC:EE:7B:9E:B6:C6 server=defconf
add address=192.168.6.13 client-id=1:d8:cb:8a:1c:5d:8f mac-address=\
    D8:CB:8A:1C:5D:8F server=defconf
add address=192.168.6.23 client-id=1:8:60:6e:eb:82:4f mac-address=\
    08:60:6E:EB:82:4F server=defconf
add address=192.168.6.53 client-id=1:ac:9e:17:b3:e6:ee mac-address=\
    AC:9E:17:B3:E6:EE server=defconf
add address=192.168.6.16 client-id=1:d8:cb:8a:14:2a:d3 mac-address=\
    D8:CB:8A:14:2A:D3 server=defconf
add address=192.168.6.36 client-id=1:bc:5f:f4:f:70:2f mac-address=\
    BC:5F:F4:0F:70:2F server=defconf
add address=192.168.6.40 always-broadcast=yes client-id=1:ac:22:b:cc:b6:db \
    mac-address=AC:22:0B:CC:B6:DB server=defconf
add address=192.168.6.26 client-id=1:e8:40:f2:5:f3:6e mac-address=\
    E8:40:F2:05:F3:6E server=defconf
add address=192.168.6.11 client-id=1:d8:cb:8a:17:98:d3 mac-address=\
    D8:CB:8A:17:98:D3 server=defconf
add address=192.168.6.14 client-id=1:44:8a:5b:a0:74:73 mac-address=\
    44:8A:5B:A0:74:73 server=defconf
add address=192.168.6.34 client-id=1:bc:5f:f4:1c:c2:af mac-address=\
    BC:5F:F4:1C:C2:AF server=defconf
add address=192.168.6.38 client-id=1:e8:40:f2:5:f3:f0 mac-address=\
    E8:40:F2:05:F3:F0 server=defconf
add address=192.168.6.18 always-broadcast=yes client-id=1:e8:40:f2:5:f8:72 \
    mac-address=E8:40:F2:05:F8:72 server=defconf
add address=192.168.6.20 client-id=1:ac:9e:17:b3:ec:c mac-address=\
    AC:9E:17:B3:EC:0C server=defconf
add address=192.168.6.21 client-id=1:e8:40:f2:5:f4:bc mac-address=\
    E8:40:F2:05:F4:BC server=defconf
/ip dhcp-server network
add address=192.168.6.0/24 comment=defconf gateway=192.168.6.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=195.182.128.53,195.182.159.53
/ip dns static
add address=192.168.6.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip ipsec identity
add generate-policy=port-override peer=peer1
/ip route
add disabled=yes distance=1 gateway=195.182.132.193
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=fhd profile=FHD_L2TP service=l2tp
add name=vpn profile=default-encryption
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Thank you in advance!
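For the L2TP/IPsec setup in the export above, the LAN PCs are reached in Explorer by the UNC path of their 192.168.6.x address (for example \\192.168.6.17, the first static lease listed), which works once the Windows client routes 192.168.6.0/24 into the tunnel and the PC's own firewall admits the 192.168.100.x clients. The RouterOS changes below are an added review by the editor, not part of the poster's configuration: they fix the two things the export itself shows to be inconsistent (the FHD_L2TP local address collides with a static DHCP lease, and the VPN masquerade matches a subnet no profile uses) and tighten the settings a reviewer would flag (3DES/modp1024 IPsec, PPTP enabled, open SNMP community, accepted ICMP redirects). They assume the names from the export (FHD_L2TP, L2TP-Pool, profile_1, the default proposal, the "masq. vpn traffic" comment) and RouterOS 6.4x syntax; the Windows registry value and PowerShell cmdlets at the end are the standard ones, but verify the crypto changes against your clients before removing the fallbacks.

```routeros
# Added review (technical editor), not configuration posted by the author. Assumes the
# names from the export above (FHD_L2TP, L2TP-Pool, profile_1, the default proposal,
# the "masq. vpn traffic" NAT rule) and RouterOS 6.4x syntax.

# 1. FHD_L2TP hands clients 192.168.6.18 as their gateway, but 192.168.6.18 is also a
#    static DHCP lease for a LAN PC in the export. Use a router-owned address in the
#    VPN subnet, like the default profile already does.
/ppp profile
set FHD_L2TP local-address=192.168.100.1 remote-address=L2TP-Pool dns-server=192.168.6.1

# 2. The "masq. vpn traffic" rule matches 192.168.89.0/24, but both profiles use
#    L2TP-Pool (192.168.100.10-30), so it never matches a VPN client. The router is the
#    LAN's default gateway, so masquerade is not needed for routing; keep it only to
#    satisfy host firewalls that admit the local subnet, and then aim it at the LAN.
/ip firewall nat
set [ find comment="masq. vpn traffic" ] src-address=192.168.100.0/24 dst-address=192.168.6.0/24

# 3. Explicit forward rules for the VPN. The forward chain has no final drop today, so
#    VPN->LAN (like LAN->WAN) is allowed by the default policy; these make the intent
#    visible and keep working if a final drop is added later.
/ip firewall filter
add chain=forward action=accept comment="l2tp -> lan" src-address=192.168.100.0/24 dst-address=192.168.6.0/24
add chain=forward action=accept comment="lan -> l2tp" src-address=192.168.6.0/24 dst-address=192.168.100.0/24

# 4. IPsec: profile_1 and the default proposal are 3DES with modp1024. Move to AES-256
#    and a 2048-bit group. Windows 10 L2TP clients offer AES-256/DH2048 only after the
#    NegotiateDH2048_AES256 value under RasMan\Parameters is set to 1; the 3des/modp1024
#    entries are fallbacks while clients are updated, remove them afterwards.
/ip ipsec profile
set profile_1 enc-algorithm=aes-256,3des hash-algorithm=sha1 dh-group=modp2048,modp1024
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des auth-algorithms=sha1 pfs-group=none

# 5. PPTP (MS-CHAPv2 + MPPE) is broken; L2TP/IPsec and SSTP are enabled anyway, so
#    turn it off and close its port on the input chain.
/interface pptp-server server
set enabled=no
/ip firewall filter remove [ find comment="allow pptp" ]

# 6. Smaller items visible in the export: the default SNMP community answers any
#    source address, and ICMP redirects are accepted.
/snmp community
set [ find default=yes ] addresses=192.168.6.0/24
/ip settings
set accept-redirects=no

# --- Windows client side, not RouterOS (PowerShell, elevated) ---
# If the "Use default gateway on remote network" checkbox is not reachable for the
# connection, add the office route to the VPN connection (name "Office" assumed):
#   Add-VpnConnectionRoute -ConnectionName "Office" -DestinationPrefix 192.168.6.0/24
# or send all traffic through the tunnel instead:
#   Set-VpnConnection -Name "Office" -SplitTunneling $false
# Then open \\192.168.6.17 (or another LAN PC's address) in Explorer; the PC's own
# firewall must admit 192.168.100.0/24 (see the File and Printer Sharing rule scope).
```

Apply step 1 and 2 first and test the UNC path; steps 4 to 6 change nothing about reachability and can follow once access works.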