VPN connection issues.

I have a VPN connection into an RB750 which lets me configure the board and also see a local PLC device. A second local display device does not respond when I am connected through the VPN.

If my laptop is connected to one of the RB750 ports I can see the web server pages from both the Idec display and the PLC.

If I VPN into the RB750 the Idec display web pages are not found but the web pages from the Idec PLC are OK.

The Idec display also will ask for a login screen before showing the web pages - could this be an issue going back over the VPN connection?

Thanks for your help
Bruce

Network connections during the failed VPN attempts:

192.168.11.6 --- RB750 ether1, local network
192.168.88.10 --- RB750 ether2, Idec display - static IP address
192.168.88.11 --- RB750 ether3, Idec PLC - lease IP address fixed to MAC address
192.168.88.21 --- RB750 side of PPTP VPN to laptop

192.168.11.8 --- laptop, local network
192.168.88.20 --- laptop side of PPTP VPN to RB750

[admin@AquaTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0
interface=ether2-local-master actual-interface=ether2-local-master

1 D address=192.168.11.6/24 network=192.168.11.0 interface=ether1-gateway
actual-interface=ether1-gateway

2 D address=192.168.88.21/32 network=192.168.88.20 interface=
actual-interface=
[admin@AquaTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=192.168.11.1
gateway-status=192.168.11.1 reachable ether1-gateway distance=1
scope=30 target-scope=10 vrf-interface=ether1-gateway

1 ADC dst-address=192.168.11.0/24 pref-src=192.168.11.6
gateway=ether1-gateway gateway-status=ether1-gateway reachable
distance=0 scope=10

2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1
gateway=ether2-local-master
gateway-status=ether2-local-master reachable distance=0 scope=10

3 ADC dst-address=192.168.88.20/32 pref-src=192.168.88.21
gateway= gateway-status= reachable
distance=0 scope=10
[admin@AquaTik] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="ether1-gateway" type="ether" mtu=1500 l2mtu=1526

1 R name="ether2-local-master" type="ether" mtu=1500 l2mtu=1524

2 R name="ether3-local-slave" type="ether" mtu=1500 l2mtu=1524

3 name="ether4-local-slave" type="ether" mtu=1500 l2mtu=1524

4 name="ether5-local-slave" type="ether" mtu=1500 l2mtu=1524

5 DR name="" type="pptp-in" mtu=1400
[admin@AquaTik] > /in find
bytes disabled dynamic l2mtu name running type
comment drops errors mtu packets slave where
[admin@AquaTik] > /ip firewall export

jan/02/1970 04:25:05 by RouterOS 5.2

software id = TAYS-HCZ3

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=30s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no
protocol=icmp
add action=accept chain=input comment="default configuration"
connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration"
connection-state=related disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" disabled=no
dst-port=1723 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input disabled=no in-interface=ether1-gateway
protocol=gre
add action=accept chain=input disabled=no in-interface=ether1-gateway
protocol=udp
add action=accept chain=forward disabled=no protocol=gre
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=
no out-interface=ether1-gateway
add action=passthrough chain=srcnat disabled=no dst-address=192.168.88.20
src-address=192.168.88.10
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@AquaTik] >

As I look at the filter rules I see one I added that had no effect:

add action=passthrough chain=srcnat disabled=no dst-address=192.168.88.20
src-address=192.168.88.10

I will remove that.

Perhaps I need an accept for established and related connections? (I saw this in a post from tjc)

Would it look something like this?

add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept

I will try this later today, but replies are encouraged :) Thanks

Still no joy. I can see the attempted connections in the firewall connection tracking list listed as Unreplied. It works great when the laptop is plugged right into the routerboard.
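Two things this thread leaves unchecked are which route the RB750 uses for each address involved and whether the forward chain could be dropping the request. Both can be replayed from the pasted `/ip route print detail` and `/ip firewall filter` output. The block below is an added example written for this page; it is not Bruce's configuration and not RouterOS code. It assumes the Idec display uses a /24 mask (the post only gives its address), models route selection as longest prefix followed by lowest distance, relies on RouterOS filter chains accepting whatever no rule matches, and the `LAPTOP_TO_DISPLAY` packet is constructed.

```python
"""Replay the RB750's pasted routes and forward-chain rules against the web
request from the thread.  Added example, not RouterOS or Bruce's code."""
import ipaddress
import re

# /ip route print detail, copied from the post (entries only, header dropped).
ROUTE_PRINT = """
0 ADS dst-address=0.0.0.0/0 gateway=192.168.11.1
gateway-status=192.168.11.1 reachable ether1-gateway distance=1
scope=30 target-scope=10 vrf-interface=ether1-gateway

1 ADC dst-address=192.168.11.0/24 pref-src=192.168.11.6
gateway=ether1-gateway gateway-status=ether1-gateway reachable
distance=0 scope=10

2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1
gateway=ether2-local-master
gateway-status=ether2-local-master reachable distance=0 scope=10

3 ADC dst-address=192.168.88.20/32 pref-src=192.168.88.21
gateway= gateway-status= reachable
distance=0 scope=10
"""

# /ip firewall filter section of the export, copied from the post.
FILTER_EXPORT = """
add action=accept chain=input comment="default configuration" disabled=no
protocol=icmp
add action=accept chain=input comment="default configuration"
connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration"
connection-state=related disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" disabled=no
dst-port=1723 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input disabled=no in-interface=ether1-gateway
protocol=gre
add action=accept chain=input disabled=no in-interface=ether1-gateway
protocol=udp
add action=accept chain=forward disabled=no protocol=gre
"""

# The two rules Bruce asks about, from the post.
CANDIDATE_RULES = """
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
"""

# Constructed packet: the laptop's HTTP request to the display over the VPN.
LAPTOP_TO_DISPLAY = {
    "protocol": "tcp", "dst-port": "80", "connection-state": "new",
    "src-address": "192.168.88.20", "dst-address": "192.168.88.10",
    "in-interface": "<pptp-in>",  # the tunnel interface has an empty name
}
MATCHERS = ("protocol", "in-interface", "connection-state",
            "dst-port", "src-address", "dst-address")

def parse_routes(text):
    """One dict per printed route; blank lines separate entries."""
    routes = []
    for entry in re.split(r"\n\s*\n", text.strip()):
        idx, flags, rest = re.match(r"(\d+)\s+([A-Z]+)\s+(.*)",
                                    " ".join(entry.split())).groups()
        fields = dict(re.findall(r"([\w-]+)=(\S*)", rest))
        routes.append({
            "index": int(idx), "flags": flags,
            "dst": ipaddress.ip_network(fields["dst-address"]),
            "gateway": fields.get("gateway") or "<pptp-in, unnamed>",
            "distance": int(fields.get("distance", "0")),
        })
    return routes

def lookup(routes, dst):
    """Longest prefix wins, then lowest distance (the first two FIB tie-breaks)."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if "A" in r["flags"] and ip in r["dst"]]
    return max(candidates, key=lambda r: (r["dst"].prefixlen, -r["distance"]))

def parse_rules(text):
    """Split an export on its 'add' keywords and read the key=value pairs."""
    flat = " ".join(text.split())
    return [dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', part))
            for part in re.split(r"\badd\b", flat) if part.strip()]

def forward_verdict(rules, pkt):
    """Walk the forward chain in order; RouterOS accepts what no rule matches."""
    for rule in rules:
        if rule.get("chain") != "forward" or rule.get("disabled") == "yes":
            continue
        if all(pkt.get(k) == v for k, v in rule.items() if k in MATCHERS):
            return rule["action"]
    return "accept"

def on_link_from(host_cidr, peer):
    """True if a host with this address/mask would ARP for peer directly
    instead of handing the packet to its default gateway."""
    return ipaddress.ip_address(peer) in ipaddress.ip_interface(host_cidr).network

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    for host in ("192.168.88.20", "192.168.88.10", "192.168.88.11"):
        r = lookup(routes, host)
        print(f"{host:15} -> route {r['index']} {r['dst']} via {r['gateway']}")
    rules = parse_rules(FILTER_EXPORT)
    print("forward verdict, current rules:", forward_verdict(rules, LAPTOP_TO_DISPLAY))
    print("forward verdict, with candidate rules:",
          forward_verdict(parse_rules(CANDIDATE_RULES) + rules, LAPTOP_TO_DISPLAY))
    # The /24 mask is an assumption: the post gives only the display's address.
    print("display (assumed /24) sees the laptop's VPN address as on-link:",
          on_link_from("192.168.88.10/24", "192.168.88.20"))
```

Run as a script, it shows that 192.168.88.20 is reached through the /32 on the unnamed pptp-in interface while 192.168.88.10 and .11 go out ether2-local-master, that the only forward rule is the GRE accept so the HTTP request falls through to the chain's default accept with or without the two established/related rules (they only add accepts to a chain that has no drop), and that a display configured as 192.168.88.10/24 treats 192.168.88.20 as on-link, so its reply would be resolved by ARP on ether2 rather than sent to the router. That makes the display's subnet mask and gateway settings, and whether ether2-local-master answers ARP for the tunnel address (RouterOS exposes this as the interface's arp=proxy-arp setting), the next things worth checking.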