Hi gurus
I’ve got a RB installation that I’m having a little trouble figuring out. I’m using a RouterBoard 1100Hx2 with only 2 NICs in use; Port 1 is connected to the LAN and port 10 is a gateway for a fiber connection. I am not routing anything on the local net through this device; it’s there purely for remote access purposes.
The RB device has a LAN ip of 10.111.102.254 and the router for the rest of the network is at 10.111.102.1. A local machine pointing at this router can access devices across the network without a problem (10.111.100.1-10.111.103.254)
My issue is that when I connect to the PPTP VPN I can successfully access devices from 10.111.102.1-254 but nothing from 10.111.100.1-254. Note there’s also an LT2P site-to-site VPN configured which has the same problem.
Here’s my config.
[admin@MikroTik] > export
# oct/08/2013 16:05:37 by RouterOS 6.2
# software id = 6VV8-GYPA
#
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
set 6 disabled=yes
set 7 disabled=yes
set 8 disabled=yes
set 9 name=ether10-gateway
set 10 disabled=yes
set 11 disabled=yes
set 12 disabled=yes
/interface l2tp-server
add disabled=yes name=l2tp-VPN user=VPN
/ip pool
add name="pptp pool" ranges=10.111.102.31-10.111.102.40
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=yes dns-server=10.111.102.10 local-address=10.111.102.30 name=client-remote remote-address="pptp pool" use-encryption=required
add name=VPN only-one=yes use-encryption=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether10-gateway max-mru=1500 max-mtu=1492 name=pppoe-ISP-2mb password=******** profile=default-encryption user=\
username
/ip neighbor discovery
set pppoe-ISP-2mb discover=no
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface l2tp-server server
set default-profile=VPN enabled=yes keepalive-timeout=disabled max-mru=1460 max-mtu=1460
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes max-mru=1460 max-mtu=1460
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes interface=ether1 network=192.168.88.0
add address=10.111.102.254/22 interface=ether1 network=10.111.100.0
/ip dns
set allow-remote-requests=yes servers=10.111.102.10,10.111.100.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=forward disabled=yes in-interface=ether1 out-interface=l2tp-VPN
add chain=forward disabled=yes in-interface=l2tp-VPN out-interface=ether1
add chain=input in-interface=l2tp-VPN
add action=drop chain=input in-interface=ether10-gateway
/ip firewall mangle
add action=change-mss chain=forward new-mss=1452 out-interface=all-ppp protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-ISP-2mb
add action=masquerade chain=srcnat out-interface=l2tp-VPN
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
/ip ipsec peer
add address=172.16.28.2/32 dpd-interval=disable-dpd dpd-maximum-failures=1 hash-algorithm=sha1 secret=test
/ip ipsec policy
add dst-address=192.168.0.0/24 sa-dst-address=172.16.28.2 sa-src-address=172.16.28.1 src-address=10.111.100.0/22 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=10.111.100.0/22 gateway=10.111.102.1 pref-src=10.111.102.254
add comment=VPN disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=172.16.28.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=internal
add interface=pppoe-ISP-2mb type=external
/ppp secret
add name=user1 password=******** profile=client-remote routes=10.111.102.1 service=pptp
add comment="client-provider Tunnel" local-address=172.16.28.1 name=VPN password=******** profile=VPN remote-address=172.16.28.2 routes=10.111.102.1 \
service=l2tp
add name=user2 password=******** profile=client-remote routes=10.111.102.1 service=pptp
/system clock
set time-zone-name=Asia/Bangkok
/system ntp client
set enabled=yes primary-ntp=103.6.16.254 secondary-ntp=131.113.63.2
When I connect to the VPN using a windows machine, the IP configuration comes up as:
IP: 10.111.102.38
Mask: 255.255.255.255
Gateway: 0.0.0.0
This looks wrong to me. The mask should be 255.255.252.0 however I can’t see where to set this in the RB, or I’m missing some vital piece of networking knowledge.
Could someone with a bit more knowledge than me please take a look and let me know where I went wrong?
Thanks!