xaviernuma
newbie
Topic Author
Posts: 45
Joined: Tue Feb 16, 2016 11:27 am
Location: France

No access to LAN over SSTP VPN (can only ping router)

Tue Nov 08, 2016 12:37 pm

Hi,

Context:
On one hand, I have a client PC somewhere on the Internet; on the other, I have a RouterBoard connected behind a box at the office.

I set up the SSTP server and the client PC connects correctly; when I go to https://www.whatismyip.com/, the client PC shows the office IP.

When I'm on the client PC, I can ping the RouterBoard and the box, but I cannot ping the LAN side of the RouterBoard.

I enabled proxy-arp on the LAN side of the bridge, but without success...

Question:

I would like to:
  • access the LAN side of the RouterBoard from my VPN client machine;
  • not send my client machine's Internet traffic through the VPN.

Fill in the following information:
MikroTik LAN IP: 192.168.1.1
LAN DHCP Range: 192.168.1.0/24
[admin@MikroTik] > /ip pool print
 # NAME        RANGES
 0 dhcp_pool1  192.168.1.2-192.168.1.254
 1 VPN         10.10.10.11-10.10.10.20
 2 pool1       192.168.0.0/24
[admin@MikroTik] > /ppp profile print detail
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 

 1   name="test" local-address=10.10.10.10 remote-address=VPN use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 

 2 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 
[admin@MikroTik] > /ppp secret print detail 
Flags: X - disabled 
 0   name="mickael" service=any caller-id="" password="xxxx" profile="test" routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=nov/08/2016 11:16:43 
[admin@MikroTik] > /interface sstp-server server print  
                    enabled: yes
                       port: 443
                    max-mtu: 1500
                    max-mru: 1500
                       mrru: disabled
          keepalive-timeout: 60
            default-profile: test
             authentication: pap,chap,mschap1,mschap2
                certificate: cert1
  verify-client-certificate: no
                  force-aes: no
                        pfs: no
                tls-version: any

Thank you for your help.

Best regards
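A note on the server print above, from the editor rather than the poster: the SSTP server is running with the RouterOS defaults that a security review would tighten. Four PPP authentication methods are allowed (PAP sends the password in clear inside the TLS tunnel, CHAP and MS-CHAPv1 are obsolete, and a client can negotiate down to any of them), tls-version=any permits TLS 1.0/1.1, and neither AES nor PFS is enforced. The following is an added hardening example in RouterOS 6.x CLI syntax; it is not the poster's configuration. Only the certificate name cert1, the profile test and the secret mickael are taken from the post; the passphrase is a placeholder.

```routeros
# Added hardening example for the SSTP server shown in the post (RouterOS 6.x
# syntax). cert1, the "test" profile and the secret "mickael" come from the
# post; nothing else here is the poster's configuration.
/interface sstp-server server
set enabled=yes port=443 default-profile=test certificate=cert1 \
    authentication=mschap2 \
    force-aes=yes pfs=yes tls-version=only-1.2 \
    keepalive-timeout=60 max-mtu=1500 max-mru=1500
# Enable only if every client presents a certificate issued by a CA this
# router trusts (typically RouterOS-to-RouterOS setups); otherwise keep "no".
# set verify-client-certificate=yes

/ppp profile
# require MPPE inside the tunnel and allow one session per secret
set test use-encryption=required only-one=yes

/ppp secret
# the post shows password="xxxx"; use a long random passphrase per user and
# bind the secret to the SSTP service only (placeholder value, not a literal)
set mickael password="<long-random-passphrase>" service=sstp
```

After applying this, a client that only offers PAP or CHAP, or that cannot do TLS 1.2, is refused at connection time, which is the behaviour you want to verify before rolling it out to users.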
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: No access to LAN over SSTP VPN (can only ping router)

Tue Nov 08, 2016 4:00 pm

How about any firewall filter rules?

For only routing the traffic to the office over the SSTP connection, you have to connect to your office without supplying a default gateway to the connection.
Additionally, you have to manually put a route on your desktop for the network segment(s) used at your office, pointing to the far end-point of your SSTP connection.
 
xaviernuma
newbie
Topic Author
Posts: 45
Joined: Tue Feb 16, 2016 11:27 am
Location: France

Re: No access to LAN over SSTP VPN (can only ping router)

Tue Nov 08, 2016 4:36 pm

> How about any firewall filter rules?
>
> For only routing the traffic to the office over the SSTP connection, you have to connect to your office without supplying a default gateway to the connection.
> Additionally, you have to manually put a route on your desktop for the network segment(s) used at your office, pointing to the far end-point of your SSTP connection.

Hi Rudios,

I have no filter rules.

Isn't it possible to add a static route on the RouterBoard directly?

[screenshot not reproduced]

[screenshot not reproduced]
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: No access to LAN over SSTP VPN (can only ping router)

Tue Nov 08, 2016 6:02 pm

What if you do a traceroute towards the server?
 
xaviernuma
newbie
Topic Author
Posts: 45
Joined: Tue Feb 16, 2016 11:27 am
Location: France

Re: No access to LAN over SSTP VPN (can only ping router)

Tue Nov 08, 2016 6:32 pm

> What if you do a traceroute towards the server?

[screenshot of the traceroute output not reproduced]
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: No access to LAN over SSTP VPN (can only ping router)

Tue Nov 08, 2016 6:36 pm

It looks like servers do not know how to reach your VPN network.
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: No access to LAN over SSTP VPN (can only ping router)

Tue Nov 08, 2016 9:10 pm

You should add a route to your remote network on your RB1100
 
xaviernuma
newbie
Topic Author
Posts: 45
Joined: Tue Feb 16, 2016 11:27 am
Location: France

Re: No access to LAN over SSTP VPN (can only ping router)

Wed Nov 09, 2016 11:49 am

Hello everyone,

I tried several combinations of static route, without success :(
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: No access to LAN over SSTP VPN (can only ping router)

Wed Nov 09, 2016 12:47 pm

On your RB1100 put the following:
/ip route
add dst-address=192.168.0.0/24 gateway=10.10.10.11
 
Siona
Frequent Visitor
Posts: 83
Joined: Thu Jan 29, 2015 11:56 am

Re: No access to LAN over SSTP VPN (can only ping router)

Wed Nov 09, 2016 1:13 pm

You have to use proxy-arp mode in your bridge.
 
xaviernuma
newbie
Topic Author
Posts: 45
Joined: Tue Feb 16, 2016 11:27 am
Location: France

Re: No access to LAN over SSTP VPN (can only ping router)

Wed Nov 09, 2016 4:44 pm

> On your RB1100 put the following:
> /ip route
> add dst-address=192.168.0.0/24 gateway=10.10.10.11

Hi Rudios,

I have added this route:
[admin@MikroTik] > /ip route
[admin@MikroTik] /ip route> add dst-address=192.168.0.0/24 gateway=10.10.10.11
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.10.1              1
 1 ADS  0.0.0.0/0                          192.168.10.1              0
 2 ADC  10.10.10.11/32     10.10.10.10     <sstp-mickael>            0
 3 ADC  10.10.10.12/32     10.10.10.10     <sstp-vivien>             0
 4 A S  192.168.0.0/24                     10.10.10.11               1
 5 ADC  192.168.1.0/24     192.168.1.1     VLAN2                     0
 6 ADC  192.168.10.0/24    192.168.10.150  WAN1                      0
Same problem :(

> You have to use proxy-arp mode in your bridge.

Hi Siona,

Yes, it's active:
name="VLAN2" mtu=auto actual-mtu=1500 l2mtu=1596 arp=proxy-arp 
      arp-timeout=auto mac-address=00:0C:42:EB:2B:E9 protocol-mode=rstp 
      priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 
      max-message-age=20s forward-delay=15s transmit-hold-count=6 
      ageing-time=5m
 
xaviernuma
newbie
Topic Author
Posts: 45
Joined: Tue Feb 16, 2016 11:27 am
Location: France

Re: No access to LAN over SSTP VPN (can only ping router)

Thu Nov 10, 2016 11:04 am

Hi everyone,

I found my mistake; actually everything worked from the start, without having to add a route.
The packets arrived in my LAN but could not return to the VPN, because I was marking packets from my LAN to WAN1.
I therefore excluded the VPN from the packet marking:
chain=prerouting action=mark-routing new-routing-mark=to_WAN1 
      passthrough=yes dst-address=!10.10.10.0/24 in-interface=VLAN2 log=no 
      log-prefix=""
So, I have 2 questions:

How do I prevent the client from accessing the Internet via the VPN? The client should have access only to the office LAN, and reach Internet resources via its own ISP.

When the client accesses the office via VPN, it can reach the PC server (192.168.1.20) only by IP. How do I tell the RouterBoard to make the names of the machines on the network available?


Thank you,

Best regards.
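The failure the poster found is worth spelling out, because it is the classic policy-routing trap: a prerouting mark-routing rule on in-interface=VLAN2 marked every packet from the LAN, including the replies to the SSTP client. Those replies were then looked up in the to_WAN1 table, matched its default route, and left via WAN1 instead of returning down the sstp-mickael tunnel, so the client's pings reached 192.168.1.x hosts but the answers never came back. Excluding 10.10.10.0/24 from the mark fixes it. The following is an added example in RouterOS 6.x syntax (not the poster's export) that reconstructs the broken rule next to a corrected one; it generalises the fix to an address list so that any non-Internet destination (office LAN, VPN pool, future site-to-site subnets) stays in the main routing table. The mark name to_WAN1, the interface VLAN2 and the gateway 192.168.10.1 are from the thread; the list name local_nets and the default route in the to_WAN1 table are assumptions (the thread implies that route but does not show it).

```routeros
# Added example (RouterOS 6.x syntax), not the poster's configuration.
# Assumed: address-list name "local_nets" and a default route in table to_WAN1.
/ip firewall address-list
add list=local_nets address=192.168.1.0/24 comment="office LAN (VLAN2)"
add list=local_nets address=10.10.10.0/24 comment="SSTP local address + client pool"

/ip firewall mangle
# Broken variant (what the thread started with): every packet entering from the
# LAN gets the mark, so replies to 10.10.10.x are sent to 192.168.10.1 instead
# of back into the SSTP tunnel. Kept commented out for comparison.
# add chain=prerouting in-interface=VLAN2 action=mark-routing \
#     new-routing-mark=to_WAN1 passthrough=yes
# Corrected: only traffic whose destination is NOT one of our own networks is
# policy-routed; LAN-to-LAN and LAN-to-VPN keep using the main table.
add chain=prerouting in-interface=VLAN2 dst-address-list=!local_nets \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=yes \
    comment="policy-route LAN->Internet via WAN1; local and VPN nets excluded"

/ip route
# Marked packets are looked up in this table; unmarked ones use the main table,
# where the dynamic /32 routes for each sstp-<user> interface live.
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=to_WAN1 \
    comment="default for to_WAN1 marked traffic"
```

To confirm the fix rather than guess, run /tool torch or /ip firewall mangle print stats while a VPN client pings a LAN host: the corrected rule's counters must not increase for the replies, and a traceroute from the client must show 10.10.10.10 as the single hop before the LAN host.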
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: No access to LAN over SSTP VPN (can only ping router)

Thu Nov 10, 2016 9:21 pm

> Hi everyone,
>
> I found my mistake; actually everything worked from the start, without having to add a route.
> The packets arrived in my LAN but could not return to the VPN, because I was marking packets from my LAN to WAN1.
> I therefore excluded the VPN from the packet marking:
> chain=prerouting action=mark-routing new-routing-mark=to_WAN1 
>       passthrough=yes dst-address=!10.10.10.0/24 in-interface=VLAN2 log=no 
>       log-prefix=""

Good to hear you solved your problem.

> So, I have 2 questions:
>
> How do I prevent the client from accessing the Internet via the VPN? The client should have access only to the office LAN, and reach Internet resources via its own ISP.

You have to make sure that the SSTP connection is not supplying a gateway towards the client; however, you then have to manually configure a route to your 192.168.1.0/24 network.
[EDIT]
Just quickly checked the possibilities on a RouterBoard and have seen an option at the ppp secret called routes; maybe that's something to look into.

> When the client accesses the office via VPN, it can reach the PC server (192.168.1.20) only by IP. How do I tell the RouterBoard to make the names of the machines on the network available?

I guess this has to do with DNS / ARP and I'm not sure how to solve this.
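Two clarifications from the editor on the answer above, followed by an added example. First, split tunnelling really is decided on the client: SSTP carries no route push, and the routes parameter of /ppp secret installs routes on the RouterOS side (for networks that sit behind the client, in "dst-address gateway metric" form), not on the client PC, so "no default gateway over the VPN" has to be configured on the PC itself. What the router can do is enforce the policy regardless of what the client configures, which matters because the post shows the client appearing with the office public IP, i.e. the office masquerade already applies to VPN traffic. Second, the "names" question is DNS: have the router hand itself out as the DNS server to PPP clients and answer the office names from static entries. The example below does both in RouterOS 6.x syntax; it is not from the thread. Addresses from the thread: SSTP local address 10.10.10.10, client pool 10.10.10.11-20, office LAN 192.168.1.0/24, server 192.168.1.20, WAN interface WAN1. The host name server.office.lan is an assumption.

```routeros
# Added example (RouterOS 6.x syntax), not from the thread.
# Assumed host name: server.office.lan.

# 1. Enforce "office LAN only" on the router, independent of the client's
#    routing. Order matters: the accept must come before the drop.
/ip firewall filter
add chain=forward src-address=10.10.10.0/24 dst-address=192.168.1.0/24 \
    action=accept comment="SSTP clients -> office LAN"
add chain=forward src-address=10.10.10.0/24 action=drop \
    comment="SSTP clients get no Internet through the office (no masquerade exposure)"

# 2. Name resolution. allow-remote-requests makes the router answer DNS for
#    anyone who can reach it, so drop port 53 from the WAN side first.
/ip firewall filter
add chain=input in-interface=WAN1 protocol=udp dst-port=53 action=drop \
    comment="do not be an open resolver"
add chain=input in-interface=WAN1 protocol=tcp dst-port=53 action=drop
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=server.office.lan address=192.168.1.20 comment="PC server"
/ppp profile
# PPP clients receive 10.10.10.10 as their DNS server at connect time
set test dns-server=10.10.10.10
```

add appends to the end of a chain; if the forward chain already has a broad accept rule earlier, use place-before= so the drop is actually reached. From a connected client, ping 192.168.1.20 should succeed, ping to any public address should fail, and nslookup server.office.lan 10.10.10.10 should return 192.168.1.20. Windows names without a suffix are resolved by NetBIOS/LLMNR, which does not cross the routed VPN, so users should use the FQDN or have the suffix configured on the adapter.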
