VPN connection

Dear all, greetings.
Can anyone help me with the issue below:
I am using a PPTP VPN connection between my two routers (CCR1036-12G-4S "head office" and rb1100ahx2 "site").
The head office has the 172.16.0.X IP range and the site 192.168.0.X.
I have an IP PBX in the head office, 172.16.0.8.
Users from the site cannot access the IP PBX, which is in the same range as 172.16.8.1.
Note: both the head office and the site have public IPs.

What are the prefix / subnet of the networks?

If HO is a /16, then I assume IP PBX 172.16.8.1 is hosted at HO?

Dear, yes, the PBX is in the same /16 range.

Can you attach 2 txt files with the output of export hide-sensitive from each of the routers so we can check the config on both sides?

It can be routing, firewall, etc., so it is better to get the full config.

Dear, please find below the scripts for both sides, server and client.

Server:

mar/17/2018 10:45:18 by RouterOS 6.41.3

software id = LVZK-TJE3

model = CCR1036-12G-4S

serial number = xxxxxxxx

/interface bridge
add name=LAN
/interface ethernet
set [ find default-name=sfp1 ] name=ISP1
set [ find default-name=ether2 ] name=ISP2

/ip pool
add name=dhcp ranges=172.16.0.100-172.16.255.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=LAN name=dhcp1
/ppp profile
set *0 dns-server=172.16.0.5 local-address=dhcp remote-address=dhcp
set *FFFFFFFE dns-server=172.16.0.5 local-address=dhcp remote-address=dhcp

/interface bridge port
add bridge=LAN hw=no interface=ether1
add bridge=LAN hw=no interface=ether3
add bridge=LAN hw=no interface=ether4
add bridge=LAN interface=ether5

/interface bridge settings
set use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/interface pptp-server server
set enabled=yes
/ip address
add address=172.16.0.1/16 interface=ether3 network=172.16.0.0
add address=Public IP1/30 interface=ISP1 network=Public IP1 Getway
add address=Public IP2/25 interface=ISP2 network=Public IP2 Getway
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=172.16.0.0/16 dns-server=172.16.0.5 domain=172.16.0.1 gateway=172.16.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,95.159.69.140,95.159.69.141

/ip firewall filter
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre

/ip firewall mangle
add action=accept chain=prerouting dst-address=185.14.250.0/24 in-interface=LAN
add action=accept chain=prerouting dst-address=95.159.69.0/24 in-interface=LAN
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface=LAN new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface=LAN new-routing-mark=to_ISP2 passthrough=yes
add action=mark-connection chain=input in-interface=ISP1 new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface=ISP2 new-connection-mark=WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
/ip firewall nat
add action=masquerade chain=srcnat dst-address=172.16.0.0/16 src-address=172.16.0.0/16
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp to-addresses=199.85.126.30
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=95.159.69.93 to-addresses=Public IP2
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=199.85.126.30
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2
add action=dst-nat chain=dstnat dst-address=Public IP2 src-address=Public IP2 to-addresses=Public IP1
/ip route
add check-gateway=ping distance=1 gateway=Public IP1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=Public IP1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=Public IP2 Getway routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=Public IP2 Getway routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=Public IP1
add check-gateway=ping distance=1 gateway=Public IP1
add check-gateway=ping distance=2 gateway=Public IP2 Getway
add check-gateway=ping distance=2 gateway=Public IP2 Getway

/ppp secret
add name=test password=test

/system clock
set time-zone-name=Asia/Baghdad

Client:

oct/21/2017 21:45:56 by RouterOS 6.41.3

software id = 5L5F-CS1F

model = 951G-2HnD

serial number = xxxxxxxxxx

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] mac-address=xxxxxxxxx
set [ find default-name=ether2 ] mac-address=xxxxxxxxx
set [ find default-name=ether3 ] mac-address=xxxxxxxxx
set [ find default-name=ether4 ] mac-address=xxxxxxxxx
set [ find default-name=ether5 ] mac-address=xxxxxxxxx
/interface ethernet switch
set 0 name=switch2
set 1 name=switch1
/interface ethernet switch port
set 5 !egress-rate !ingress-rate
set 6 !egress-rate !ingress-rate
set 7 !egress-rate !ingress-rate
set 8 !egress-rate !ingress-rate
set 9 !egress-rate !ingress-rate
set 10 !egress-rate !ingress-rate
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.2.20-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=3d18h10m name=dhcp1
/port
set 0 baud-rate=115200 name=serial0
set 1 baud-rate=115200 name=serial1
/interface pptp-client
add add-default-route=yes connect-to=Head Office Public IP default-route-distance=0 disabled=no keepalive-timeout=disabled name=test password=test profile=default user=hawler
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=*6
add bridge=bridge1 hw=no interface=*7
add bridge=bridge1 hw=no interface=*8
add bridge=bridge1 hw=no interface=*9
add bridge=bridge1 hw=no interface=*A
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
add address=192.168.1.20/24 disabled=yes interface=ether1 network=192.168.1.0
/ip dhcp-client
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=172.16.0.5
/ip dns static
add address=172.16.0.5 name=domain IP address of head office
add address=172.16.0.3 name=webaccess server
add address=172.16.0.5 name=domain IP address of head office
/ip firewall filter
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=drop chain=output connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat
/system clock
set time-zone-name=Asia/Baghdad

Had a quick look through the config; not sure if I missed it, but I don't see where you are routing between these subnets, so that might very well be your problem.

Dear, once you have the VPN connection, the client router can use server-side resources; why do we need a routing path if they are already connected?

Have you tried whether the users from the remote site can access anything else than the Mikrotik itself in the HQ? I mean, is the issue limited only to the PBX or may it be that the devices connected to the branch office LAN are actually unable to talk to anything in the HQ office except the router, but you only mention the PBX as you have never tried to make them talk to any other device in the HQ than the PBX?

Looking at your configurations, your intention seems to be to have the LAN of the branch office visible to the HQ as a single address in its 172.16.0.0/16 range. This is a possible but unusual solution; I cannot clearly see the purpose, especially since VoIP, for which NAT always adds some headache, is a part of the game. You can configure the ppp secret at the HQ side to dynamically add a route to 192.168.2.1/24 to the HQ machine whenever the PPTP tunnel towards the BO gets established. In such a case, you don't need to masquerade the BO LAN by the address assigned using PPTP.

If you do have reasons to keep it that way, you have to activate arp-proxy at the LAN bridge of the HQ because even though both ends of the PPTP tunnel get an IP address from 172.16.0.0/16, the tunnel is not part of the bridge:

/interface bridge set [find name=LAN] arp=proxy-arp


It seems to me that you've attempted to resolve this using the strange masquerade rule

/ip firewall nat add action=masquerade chain=srcnat dst-address=172.16.0.0/16 src-address=172.16.0.0/16

, but this can work only for connections initiated from the HQ side.

Other than that, you seem to neglect security or maybe miss the basics of Mikrotik’s firewall, as your firewall filter rules on the HQ say “accept TCP/1723 and GRE” but there is no “drop the rest” rule, which not only makes those two “accept” rules redundant but it also means that the router is open for access from anywhere. The default handling in Mikrotik’s firewall is “accept”, so any packet which does not match any rule in a chain is accepted. PPTP is also anything but secure these days, while L2TP/IPsec would provide you with the same philosophy of configuration but significantly higher security.
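As an added illustration of the two changes suggested above (this is not part of the original thread or either poster's configuration), here is what the HQ and branch sides would look like with a dynamic route attached to the ppp secret and a closing drop rule in the input chain. It assumes the interface names from the posted exports (LAN, ISP1, ISP2 at HQ; ether1 as the branch WAN port), the branch LAN 192.168.2.0/24, and the placeholder secret name test; the client export actually dials in as user=hawler, so apply the routes setting to whichever secret is really in use.

```routeros
# --- HQ side (PPTP server) ---
# Attach the branch LAN to the secret: RouterOS installs 192.168.2.0/24 via the
# tunnel's remote address when this user connects and removes it on disconnect,
# so no static route and no masquerading of the branch LAN is needed.
/ppp secret
set [ find name=test ] routes="192.168.2.0/24"

# Group the two uplinks so the PPTP rules can refer to them together.
/interface list
add name=WAN
/interface list member
add list=WAN interface=ISP1
add list=WAN interface=ISP2

# Input chain with an explicit final drop. RouterOS accepts anything that
# matches no rule, so without the last line the two "accept" rules protect nothing.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to our own traffic"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=LAN comment="management from the HQ LAN"
add chain=input action=accept in-interface-list=WAN protocol=tcp dst-port=1723 comment="PPTP control channel"
add chain=input action=accept in-interface-list=WAN protocol=gre comment="PPTP data channel"
add chain=input action=accept protocol=icmp
add chain=input action=drop comment="drop everything not explicitly allowed"

# --- Branch side (PPTP client) ---
# Masquerade only towards the ISP. Packets entering the tunnel keep their
# 192.168.2.x source, and the route installed by the secret above carries the
# replies back; internet traffic the client sends through the tunnel
# (add-default-route=yes) is masqueraded by the HQ's ISP1/ISP2 rules instead.
/ip firewall nat
set [ find chain=srcnat action=masquerade ] out-interface=ether1
```

Check the result on the HQ with /ip route print where a dynamic route to 192.168.2.0/24 should appear while the tunnel is up, and with /ip firewall filter print stats to confirm the final drop rule is counting packets.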

Dear Sindy,
Thank you for replying. After a long search I found that this issue will be solved by creating an EoIP tunnel in both the HQ and the branches.

So the new plan is to bridge the LANs of the BOs with the LAN of the HQ using EoIP tunnels?