rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

PPTP & Routing

Thu May 04, 2017 5:26 pm

Hello,

This is my first time working with MikroTik hardware, so sorry for asking basic questions.

I've setup a PPTP connection between the office and "home office" using two hEX gateways.
PPTP VB.png
I have some difficulty connecting from the home network to the office.
If I ping from the Mikrotik device at home and I select PPTP interface I'm able to ping the office 192.168.2.x, but if I ping from my laptop (192.168.88.x) I'm not able to ping the 192.168.2.x network.
The pool used for the PPTP connections is 192.168.2.250-254

Anybody that knows what I'm missing?

Thanks in advance.
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: PPTP & Routing

Fri May 05, 2017 4:16 pm

Can you ping the private IP of your PPTP server (I guess it's 192.168.2.1?) using your laptop from home?
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Sat May 06, 2017 9:29 am

No I can't.

I can ping from the hEX at home to 192.168.2.1, not from my laptop.
I'm thinking about a routing error but can't seem to figure it out.
 
Revelation
Member
Posts: 338
Joined: Fri Dec 25, 2015 5:59 am

Re: PPTP & Routing

Sat May 06, 2017 8:29 pm

You're going to have to provide configs for people to figure out what is going on. You simply haven't provided enough information.

When you copy and paste in your configs, change your WAN IPs to a private IP address.
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Tue May 09, 2017 7:54 am

PPTP doesn't traverse a NAT gateway. If you need NAT traversal, which your drawing indicates you do, switch to a different technology like IPsec with NAT-T enabled.

Good luck.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Tue May 09, 2017 5:09 pm

This is the config.
 
mikronsultiK
just joined
Posts: 23
Joined: Wed Feb 01, 2017 12:57 am
Location: Italy

Re: PPTP & Routing

Wed May 10, 2017 1:25 am

rvdvalk wrote:
No I can't.

I can ping from the hEX at home to 192.168.2.1, not from my laptop.
I'm thinking about a routing error but can't seem to figure it out.

Add a NAT rule to masquerade all traffic going through the PPTP link:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pptp-out1
IP Networking / Mikrotik Consultant
mikronsultik [at] gmail.com
skype mikronsultik
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Wed May 10, 2017 12:46 pm

mikronsultiK wrote:
Add a NAT rule to masquerade all traffic going through the PPTP link:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pptp-out1

I'll do so later today. Keep you posted.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu May 11, 2017 11:05 am

Ok, the hEx at home can ping every other device at the office, but my laptop is still not able to access the office network.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Fri May 19, 2017 5:17 pm

Any suggestion? I'm not getting anywhere. Could be my noobism.

Thanks in advance
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Fri May 19, 2017 7:11 pm

rvdvalk, Did you see my comment about PPTP and NAT gateways? Some have helpers that can enable this kind of communication but it isn't guaranteed in the least bit. You likely want to look at switching to a solution that has NAT traversal capabilities. You may want to look at L2TP wrapped in IPSec. Let me know if that's something you'd like to proceed with. You can try the examples on the Wiki and we can go from there.
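The NAT point idlemind makes above, as an added example (not code from this thread or from RouterOS). PPTP runs its control channel on TCP/1723 but carries the tunnelled data in GRE (IP protocol 47), which has no port numbers, so a port-translating NAT has nothing to key a mapping on; it only works through a gateway that has a PPTP connection-tracking helper (ALG) watching the control channel for call IDs, which is what "some have helpers" refers to (and that is on top of PPTP's broken MS-CHAPv2/MPPE crypto). Raw IPsec ESP (protocol 50) has the same problem, and NAT-T solves it by detecting the NAT during IKE and carrying ESP inside UDP/4500, which a NAT can map like any other UDP flow. The model below is constructed: the home gateway's public address 192.0.2.10 is made up, the office address is the one posted later in the thread, and the helper is modelled by an explicit `learn_pptp_call` call standing in for control-channel parsing.

```python
"""Why PPTP stalls behind a port-translating NAT while L2TP/IPsec with NAT-T passes.

Constructed model for illustration: one PC behind a home gateway doing NAPT
(port overloading) and the office VPN server. The gateway's public address
192.0.2.10 is assumed (documentation range).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TCP, UDP, GRE, ESP = 6, 17, 47, 50

HOME_PC = "192.168.88.10"
HOME_PUBLIC = "192.0.2.10"        # assumed public address of the home gateway
OFFICE = "145.131.83.14"          # office address from the client config in the thread


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None: the protocol has no transport ports (GRE, ESP)
    dport: Optional[int] = None
    call_id: Optional[int] = None # PPTP's GRE identifies sessions by call ID instead


@dataclass
class Napt:
    public_ip: str
    pptp_helper: bool = False     # a PPTP connection-tracking helper (ALG), if present
    next_port: int = 40000
    # (proto, public port) -> (inside address, inside port): the only demux key a NAPT has
    port_map: Dict[Tuple[int, int], Tuple[str, int]] = field(default_factory=dict)
    # call ID -> inside address, learnt by the helper from the TCP/1723 control channel
    call_map: Dict[int, str] = field(default_factory=dict)

    def _public_port(self, proto: int, src: str, sport: int) -> int:
        """Reuse the mapping for an inside socket, or allocate a fresh public port."""
        for (p, pub), inside in self.port_map.items():
            if p == proto and inside == (src, sport):
                return pub
        pub, self.next_port = self.next_port, self.next_port + 1
        self.port_map[(proto, pub)] = (src, sport)
        return pub

    def learn_pptp_call(self, inside: str, call_id: int) -> None:
        """Stands in for the helper parsing the call ID out of the PPTP control messages."""
        self.call_map[call_id] = inside

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet leaving the LAN; None means the NAT cannot map it."""
        if p.proto == GRE and self.pptp_helper and p.call_id in self.call_map:
            return Packet(GRE, self.public_ip, p.dst, call_id=p.call_id)
        if p.sport is None:
            return None           # no port to rewrite and no helper: GRE/ESP cannot be tracked
        pub = self._public_port(p.proto, p.src, p.sport)
        return Packet(p.proto, self.public_ip, p.dst, pub, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map a reply arriving at the public address back to the inside host."""
        if p.proto == GRE and self.pptp_helper and p.call_id in self.call_map:
            return Packet(GRE, p.src, self.call_map[p.call_id], call_id=p.call_id)
        if p.dport is None or (p.proto, p.dport) not in self.port_map:
            return None
        inside_ip, inside_port = self.port_map[(p.proto, p.dport)]
        return Packet(p.proto, p.src, inside_ip, p.sport, inside_port)


def pptp_works(nat: Napt, call_id: int = 7) -> bool:
    """PPTP: TCP/1723 control channel first, then the data in GRE."""
    ctrl = nat.outbound(Packet(TCP, HOME_PC, OFFICE, 51000, 1723))
    if ctrl is None or nat.inbound(Packet(TCP, OFFICE, nat.public_ip, 1723, ctrl.sport)) is None:
        return False
    if nat.pptp_helper:
        nat.learn_pptp_call(HOME_PC, call_id)   # the helper watched the control channel
    data = nat.outbound(Packet(GRE, HOME_PC, OFFICE, call_id=call_id))
    if data is None:
        return False
    back = nat.inbound(Packet(GRE, OFFICE, nat.public_ip, call_id=call_id))
    return back is not None and back.dst == HOME_PC


def raw_esp_works(nat: Napt) -> bool:
    """IPsec without NAT-T: ESP (protocol 50) has the same problem as GRE."""
    return nat.outbound(Packet(ESP, HOME_PC, OFFICE)) is not None


def l2tp_ipsec_works(nat: Napt) -> bool:
    """IKE on UDP/500, then ESP carried inside UDP/4500 once the NAT is detected."""
    ike = nat.outbound(Packet(UDP, HOME_PC, OFFICE, 500, 500))
    if ike is None or nat.inbound(Packet(UDP, OFFICE, nat.public_ip, 500, ike.sport)) is None:
        return False
    natt = nat.outbound(Packet(UDP, HOME_PC, OFFICE, 4500, 4500))
    back = nat.inbound(Packet(UDP, OFFICE, nat.public_ip, 4500, natt.sport))
    return back is not None and back.dst == HOME_PC
```

`pptp_works(Napt(HOME_PUBLIC))` is False and `pptp_works(Napt(HOME_PUBLIC, pptp_helper=True))` is True, while `l2tp_ipsec_works(Napt(HOME_PUBLIC))` is True on the plain NAT with no helper at all; that difference is the whole reason for the switch idlemind suggests.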
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Fri May 19, 2017 8:05 pm

Hello,

I'll look into this.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 01, 2017 7:48 am

I've got it up and running. It looks like I made a typo somewhere :S even though I was sure I didn't ;)

L2TP and IPSec are working fine. The routing is still an issue though.
I can't ping from my laptop to the office (mikrotik router 192.168.2.x)

Thanks for helping me out.
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Fri Jun 02, 2017 5:30 pm

So you switched to L2TP/IPSec or you stuck with PPTP?
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Sat Jun 03, 2017 12:57 pm

idlemind wrote:
So you switched to L2TP/IPSec or you stuck with PPTP?

Correct, I switched to L2TP/IPsec. That is good because PPTP is less secure, as stated by different people on the Internet.

But now I need to get routing to work the right way :)
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Jun 12, 2017 8:42 pm

Ok, so I can ping from my router to the office network (servers, printers) but I'm unable to ping from my laptop to the office network.

What am I missing?
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Mon Jun 12, 2017 8:45 pm

I'd have to see the configs. Typical mistakes are source NAT exclusion or incorrectly setting up "interesting traffic" rules in the IPSec policy.
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Mon Jun 12, 2017 9:17 pm

Your office has no return path to get back to your home. i.e. it doesn't know how to route to 192.168.88.0/24
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Jun 12, 2017 9:40 pm


mducharme wrote:
Your office has no return path to get back to your home. i.e. it doesn't know how to route to 192.168.88.0/24

I've added a route at the office to 192.168.88.0/24 using the L2TP connection as a gateway.
I'm able to access the router at the office now, 192.168.2.1, but not the server or printer.
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Mon Jun 12, 2017 9:46 pm


rvdvalk wrote:
I've added a route at the office to 192.168.88.0/24 using the L2TP connection as a gateway.
I'm able to access the router at the office now, 192.168.2.1, but not the server or printer.
Two possibilities:

1. if your server and printer think they are on the same subnet as you, they will send an arp request instead of trying to route the traffic, and nothing will respond. Enabling proxy-arp on your bridge at the office (the bridge that connects to the server and printer subnet) would fix that if that is the case
2. a firewall rule may be blocking this traffic
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Jun 12, 2017 9:58 pm

mducharme wrote:
Two possibilities:

1. if your server and printer think they are on the same subnet as you, they will send an arp request instead of trying to route the traffic, and nothing will respond. Enabling proxy-arp on your bridge at the office (the bridge that connects to the server and printer subnet) would fix that if that is the case
2. a firewall rule may be blocking this traffic

Don't know how to enable proxy-arp though.

I've tested the connection the other way around, from the office to my laptop and the router is able to ping my laptop, the server isn't.
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Mon Jun 12, 2017 10:00 pm


rvdvalk wrote:
Don't know how to enable proxy-arp though.

I've tested the connection the other way around, from the office to my laptop and the router is able to ping my laptop, the server isn't.
In your office, double click on the 'bridge' interface (it will be named that unless you have changed it), and change the ARP setting from 'enabled' to 'proxy-arp'
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Jun 12, 2017 10:03 pm


mducharme wrote:
In your office, double click on the 'bridge' interface (it will be named that unless you have changed it), and change the ARP setting from 'enabled' to 'proxy-arp'
Proxy-arp was already active. So the firewall remains.
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Mon Jun 12, 2017 10:17 pm


rvdvalk wrote:
Proxy-arp was already active. So the firewall remains.
Try creating 'accept' rules in the forward chain between subnets with src-address 192.168.2.0/24 and dst-address 192.168.88.0/24 (and vice versa) on both sides, move them above any drop rules.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Jun 12, 2017 10:30 pm


mducharme wrote:
Try creating 'accept' rules in the forward chain between subnets with src-address 192.168.2.0/24 and dst-address 192.168.88.0/24 (and vice versa) on both sides, move them above any drop rules.
I did, no success.
Clipboard02.jpg
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Mon Jun 12, 2017 10:33 pm


rvdvalk wrote:
I did, no success.
Clipboard02.jpg
Not just one rule on the router- two rules, going in both directions. Do this both on your end and on the office side, so four rules total.
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Mon Jun 12, 2017 10:38 pm

Also get rid of any masquerade rule you have for the l2tp interface, because it sounds like you want to be able to have connectivity in both directions rather than just the spoke access to the hub.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Jun 12, 2017 10:51 pm

mducharme wrote:
Not just one rule on the router- two rules, going in both directions. Do this both on your end and on the office side, so four rules total.

Looks like I've tried every possibility, still no success.
I created both rules like a mirrored version of itself on both devices.
Clipboard01.jpg
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Mon Jun 12, 2017 11:07 pm

rvdvalk wrote:
Looks like I've tried every possibility, still no success.
I created both rules like a mirrored version of itself on both devices.
Clipboard01.jpg
Do you have a bridge interface? or just ether2-master? if ether2-master is a port of bridge 'bridge' then proxy-arp should have been turned on by turning it on bridge. But if 'bridge' has no ports, proxy-arp would need to be enabled on ether2-master on the office side.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Jun 12, 2017 11:11 pm

mducharme wrote:
Do you have a bridge interface? or just ether2-master? if ether2-master is a port of bridge 'bridge' then proxy-arp should have been turned on by turning it on bridge. But if 'bridge' has no ports, proxy-arp would need to be enabled on ether2-master on the office side.
These are the Interfaces.
Clipboard03.jpg
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Mon Jun 12, 2017 11:18 pm

Is proxy-arp enabled on ether2-master?
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Jun 12, 2017 11:22 pm

mducharme wrote:
Is proxy-arp enabled on ether2-master?
Yes it is.
Clipboard04.jpg
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Mon Jun 12, 2017 11:38 pm

Is 'add default route' checked in l2tp client interface on your home router?
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Tue Jun 13, 2017 7:57 am

mducharme wrote:
Is 'add default route' checked in l2tp client interface on your home router?
No it wasn't but after enabling it nothing changed.
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Tue Jun 13, 2017 8:32 am

Proxy-ARP should only be used if the L2TP client is being given an IP that would otherwise normally reside on the LAN of the server.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Tue Jun 13, 2017 9:33 am

idlemind wrote:
Proxy-ARP should only be used if the L2TP client is being given an IP that would otherwise normally reside on the LAN of the server.
The client is getting an IP in the range 192.168.2.250-254, we only have a few clients.
The rest of the network is operating in the range 192.168.2.1-100

If I use a L2TP connection on my laptop and connect to the office I'm able to connect to the server by IP, not DNS.

I'd prefer to have both routers to be connected by L2TP. Connecting the laptops to the router is my last option.
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Tue Jun 13, 2017 4:12 pm

Please post both router configs. You can use hide-sensitive or simply modify any values like password or IP.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Tue Jun 13, 2017 6:17 pm

As requested.
Office.txt
Client.txt
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Tue Jun 13, 2017 8:39 pm

Why do you have a bridge-nat rule? It is 'accept' so theoretically it shouldn't be causing an issue, but I still wouldn't have it there if it is not needed.

Why do you have an ipsec policy on the office router with tunneling when you are using l2tp over ipsec? I worry this may interfere when you want the same client router to connect up simultaneously to one policy with l2tp over ipsec and with another policy to a pure ipsec tunnel. The simplest way to set up ipsec for l2tp is checking the 'ipsec' box in the l2tp configuration on client and server and specifying the secret you wish to use, then it creates dynamic ipsec policy config on both sides, then you do not need these static policies.

Also, this is not acting as the DHCP server for your office it appears - what is? Verify the ip, subnet mask, and gateway configured on the server you cannot access.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Tue Jun 13, 2017 9:03 pm


mducharme wrote:
Why do you have a bridge-nat rule?

Might be a default setting? I'm not sure. Can't remember setting this, but that doesn't mean anything.

mducharme wrote:
Why do you have an ipsec policy on the office router with tunneling when you are using l2tp over ipsec?

I just used a guide from the web that made sense to me. I'll reconfigure this setting.

mducharme wrote:
Also, this is not acting as the DHCP server for your office it appears - what is? Verify the ip, subnet mask, and gateway configured on the server you cannot access.

The server (SBS2011) is DHCP server. IP settings are correct.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Tue Jun 13, 2017 9:41 pm

I have changed the settings/corrected my "mistakes".
The tunnel is up, but still there is only traffic between home router and office and not home computer and office.
So it seems it's not clear to the home router what it should do with the traffic it gets from my laptop.
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Tue Jun 13, 2017 9:48 pm

rvdvalk wrote:
The tunnel is up, but still there is only traffic between home router and office and not home computer and office.
So it seems it's not clear to the home router what it should do with the traffic it gets from my laptop.
The 'add default route' option should be taking care of that for you by automatically creating a default route to go over the tunnel when the link is up. Even your web browsing should be going through the office internet connection when you are connected via L2TP with that option checked in the L2TP client.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Tue Jun 13, 2017 10:02 pm

mducharme wrote:
The 'add default route' option should be taking care of that for you by automatically creating a default route to go over the tunnel when the link is up. Even your web browsing should be going through the office internet connection when you are connected via L2TP with that option checked in the L2TP client.

I understand that it should, but it doesn't look like it's doing just that.
Clipboard05.jpg
I must be missing something very obvious.
 
mducharme
Trainer
Posts: 868
Joined: Tue Jul 19, 2016 6:45 pm

Re: PPTP & Routing

Tue Jun 13, 2017 10:52 pm

Increase the distance of your regular default route.

OR, if you would rather just route the 192.168.2.0/24 over the VPN, disable the 'add default route' option and manually create a route to 192.168.2.0/24 with the l2tp interface as the gateway.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Wed Jun 14, 2017 10:33 pm

mducharme wrote:
Increase the distance of your regular default route.

OR, if you would rather just route the 192.168.2.0/24 over the VPN, disable the 'add default route' option and manually create a route to 192.168.2.0/24 with the l2tp interface as the gateway.

I changed the route, still unsuccessful.
Clipboard06.jpg
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Thu Jun 15, 2017 12:21 am

Can we get full config dumps for both sides? You can start with /export hide-sensitive and tweak any of the values as needed to protect yourself.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 15, 2017 10:04 am

idlemind wrote:
Can we get full config dumps for both sides? You can start with /export hide-sensitive and tweak any of the values as needed to protect yourself.
I already uploaded them a few posts before.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Jun 19, 2017 11:07 pm

Any new insights in this situation?
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Tue Jun 20, 2017 1:21 am

First, let's get things set back to a semblance of a default configuration:
/interface ethernet set Internet arp=enabled
/interface ethernet set ether2-master arp=enabled
/ip route remove [ find dst-address=192.168.88.0/24 ]
/ip firewall filter remove [ find disabled=yes action=accept chain=forward dst-address=192.168.88.0/24 in-interface=ether2-master src-address=192.168.2.0/24]
/ip firewall filter remove [ find disabled=yes action=accept chain=forward dst-address=192.168.2.0/24 out-interface=ether2-master src-address=192.168.88.0/24]
/interface pptp-server server set enabled=no
/interface l2tp-server server set default-profile=default
/ppp secret remove [ find name=vriesbouw ]
/ppp profile remove L2TP
/ip pool remove L2TP-pool
/ip ipsec peer remove [ find address=0.0.0.0/0 exchange-mode=main-l2tp ]
/ip ipsec policy remove [ find dst-address=0.0.0.0/0 src-address=0.0.0.0/0 template=yes ]
We want to use the NAT-Traversal functionality of a L2TP/IPSec VPN to enable a MikroTik behind a NAT to be able to form a secure connection with a MikroTik at an office location. We'll use what looks like a road-warrior setup to make this happen. We'll also add some additional addresses to safely address the VPNs without requiring proxy-ARP. In the case of this demonstration I've allocated 172.31.255.0/24, specifically .11 and .61 of that network.

MikroTik at Main Office (Head End):
/ppp profile add name=l2tp-nat-traversing-s2s use-compression=yes use-encryption=yes
/ppp secret add profile=l2tp-nat-traversing-s2s service=l2tp name=vriesbouw password=VerySecret123! local-address=172.31.255.11 remote-address=172.31.255.61 routes="192.168.88.0/24 172.31.255.61 1"
/interface l2tp-server server set enabled=yes default-profile=l2tp-nat-traversing-s2s
/ip firewall filter add action=accept chain=input comment="(vpn) allow ike, l2tp and nat-t" dst-port=500,1701,4500 in-interface=Internet protocol=udp place-before=0
/ip firewall filter add action=accept chain=input comment="(vpn) allow ipsec" in-interface=Internet protocol=ipsec-esp place-before=0
MikroTik at Remote Office (Client):
/interface l2tp-client add disabled=no connect-to=145.131.83.14 user=vriesbouw password=VerySecret123!
/ip route add dst-address=192.168.2.0/24 gateway=172.31.255.11
You shouldn't need to do any tricks with NAT accepting the networks because routing will be preferred and your masquerade rules only apply to traffic leaving the "Internet" interface on both ends. You can scale this if you have multiple remote devices behind a NAT on IPv4 by adding additional PPP secrets and altering the local and remote addresses. Just adding one like .12 and .62 to each and up.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Wed Jun 21, 2017 11:04 pm

That did it. Works like a charm.
I'm able to access everything based on IP-address.

How do I get DNS to work correctly? I still don't have access to the Internet.
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Thu Jun 22, 2017 12:21 am

You can specify a DNS server in the PPP profile on the head-end. I'm not sure how the L2TP client in RouterOS behaves though. You may have to manually add it as a resolver in ip dns servers on the client side.

I'm glad it worked out! Thought I lost you when you didn't pop right back. Welcome to the world of MikroTik, VPNs and all.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 29, 2017 11:18 am

Hello,

DNS still doesn't seem to be working.
I've added the internal DNS servers to the PPP Profile.
Can this have something to do with firewall rules?

I've made a VPN connection from windows to the router and the VPN works but there is no gateway assigned.

I do get DNS server though.

PPP adapter Vriesbouw:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Vriesbouw
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.31.255.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 192.168.2.2
192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Thu Jun 29, 2017 5:26 pm

From the hEX, are you able to ping the DNS servers by IP? What does the hEX see under /ip dns print? If the DNS server at your main office is the MikroTik, you may need to set allow-remote-requests to yes.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 29, 2017 5:43 pm

idlemind wrote:
From the hEX, are you able to ping the DNS servers by IP? What does the hEX see under /ip dns print? If the DNS server at your main office is the MikroTik, you may need to set allow-remote-requests to yes.
This is my config @ home.
/ip dns print
servers: 192.168.2.2
dynamic-servers: 192.168.1.2,192.168.1.1
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 45KiB
This is the config @ the Office
/ip dns print
servers: 192.168.2.2 (local dns), ISP DNS
dynamic-servers:
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 57KiB
 
idlemind
Forum Guru
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Thu Jun 29, 2017 5:47 pm

In the DHCP client in the hex at home set use-peer-dns to no.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 29, 2017 5:54 pm

In the DHCP client in the hex at home set use-peer-dns to no.
Changed it. Dynamic servers are gone now, but there is still no DNS traffic possible.
I'm also not able to access the Internet when I'm connected to the Mikrotik router
 
idlemind
Forum Guru
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Thu Jun 29, 2017 5:59 pm

In the DHCP client in the hex at home set use-peer-dns to no.
Changed it. Dynamic servers are gone now, but there is still no DNS traffic possible.
I'm also not able to access the Internet when I'm connected to the Mikrotik router
What is the /ip route print on the hex at home? I assume you mean no Internet on a PC plugged into the hex with an IP on the 192.168.88.0/24 network.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 29, 2017 9:54 pm


What is the /ip route print on the hex at home? I assume you mean no Internet on a PC plugged into the hex with an IP on the 192.168.88.0/24 network.
Yes, you are correct. That's exactly what I mean.
/ip route print shows:
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 ether1 1
1 A S 145.131.83.14/32 192.168.1.1 1
2 ADC 172.31.255.11/32 172.31.255.61 l2tp-out2 0
3 ADC 192.168.1.0/24 192.168.1.52 ether1 0
4 A S 192.168.2.0/24 172.31.255.11 1
5 X S 192.168.2.0/24 192.168.2.250 l2tp-out1 1
6 ADC 192.168.88.0/24 192.168.88.1 ether2-master 0
 
idlemind
Forum Guru
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Thu Jun 29, 2017 10:11 pm

For some reason your static route is disabled:
5 X S 192.168.2.0/24 192.168.2.250 l2tp-out1 1
This is why you're not able to reach your DNS servers; you also probably can't reach servers at your office anymore. Let's change that static route:
/ip route remove [ find dst-address=192.168.2.0/24 ]
/ip route add dst-address=192.168.2.0/24 gateway=172.31.255.11
I'm not sure which IP you used on which side, you'll want the gateway for the route to be the office side of the L2TP connection. Don't use the interface as the gateway.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 29, 2017 10:30 pm

For some reason your static route is disabled:
5 X S 192.168.2.0/24 192.168.2.250 l2tp-out1 1
This is why you're not able to reach your DNS servers; you also probably can't reach servers at your office anymore. Let's change that static route:
/ip route remove [ find dst-address=192.168.2.0/24 ]
/ip route add dst-address=192.168.2.0/24 gateway=172.31.255.11
I'm not sure which IP you used on which side, you'll want the gateway for the route to be the office side of the L2TP connection. Don't use the interface as the gateway.
That route isn't valid anymore. That one was for the setup I made myself in the beginning. The 2.250 address was the IP assigned to the L2TP client connection
 
wwj
just joined
Posts: 16
Joined: Mon May 05, 2014 6:37 am

Re: PPTP & Routing

Thu Jun 29, 2017 10:36 pm

Oh my... you are wrong from the beginning.
Your VPN address pool can't use 192.168.2.x.
Why use 2.x? With any other range, like 192.168.3.x, you wouldn't have so many questions.

In RouterOS the VPN address can't use ARP to find the LAN address; it's the "cut" mode, so you can only use routing mode.
So the LAN PC 192.168.2.5 visiting the VPN address 192.168.2.253 will fail: the PC's routing table tells it that the destination 192.168.2.253 is in the same LAN as itself, so it uses ARP to find it,
so the traffic will never be sent to the gateway, and RouterOS is working in ARP "cut" mode, and the result you know.

English is so hard for me... good luck.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 29, 2017 10:46 pm

Oh my... you are wrong from the beginning.
Your VPN address pool can't use 192.168.2.x.
Why use 2.x? With any other range, like 192.168.3.x, you wouldn't have so many questions.
That seemed the most logical thing to do. If the VPN terminated in the same IP range as the rest of the network it would be easier, because there would be little to configure after that. I presumed. Wrong, I guess.

That's why we used another set of IP's later on in the topic.
In RouterOS the VPN address can't use ARP to find the LAN address; it's the "cut" mode, so you can only use routing mode.
So the LAN PC 192.168.2.5 visiting the VPN address 192.168.2.253 will fail: the PC's routing table tells it that the destination 192.168.2.253 is in the same LAN as itself, so it uses ARP to find it,
so the traffic will never be sent to the gateway, and RouterOS is working in ARP "cut" mode, and the result you know.

English is so hard for me... good luck.
 
idlemind
Forum Guru
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Thu Jun 29, 2017 11:05 pm

Oh my... you are wrong from the beginning.
Your VPN address pool can't use 192.168.2.x.
Why use 2.x? With any other range, like 192.168.3.x, you wouldn't have so many questions.

In RouterOS the VPN address can't use ARP to find the LAN address; it's the "cut" mode, so you can only use routing mode.
So the LAN PC 192.168.2.5 visiting the VPN address 192.168.2.253 will fail: the PC's routing table tells it that the destination 192.168.2.253 is in the same LAN as itself, so it uses ARP to find it,
so the traffic will never be sent to the gateway, and RouterOS is working in ARP "cut" mode, and the result you know.

English is so hard for me... good luck.
Like the poster said, we switched to a range that is different later in the thread to avoid needing proxy-arp to pass traffic. RouterOS will route with a VPN just so many people use overlapping IP space which requires proxy-arp to work.
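The two routing problems raised in the last few posts, a disabled static route to the office LAN (and a route that names the tunnel interface instead of the peer's tunnel address as its gateway) and a PPP address pool that overlaps the office LAN so that office hosts ARP for the VPN peer, can both be checked offline from the output already pasted above. The script below is an added example; it is not MikroTik code and was not posted by anyone in this thread. It re-types the `/ip route print` table from the post above as constructed input, assumes the RouterOS 6 print layout (flags, DST-ADDRESS, optional PREF-SRC, GATEWAY, DISTANCE), and treats "next hop must be the peer's tunnel IP, not the interface" as the rule idlemind recommended rather than a RouterOS requirement.

```python
"""Offline sanity checks for the route-table and VPN-pool problems in this
thread. Added example, not MikroTik code. The route table below is the
one posted above, re-typed as constructed input."""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress

# Constructed from the `/ip route print` output posted earlier in the thread.
ROUTE_PRINT = """\
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static
 #   DST-ADDRESS        PREF-SRC       GATEWAY        DISTANCE
 0 A S  0.0.0.0/0                        ether1         1
 1 A S  145.131.83.14/32                 192.168.1.1    1
 2 ADC  172.31.255.11/32  172.31.255.61  l2tp-out2      0
 3 ADC  192.168.1.0/24    192.168.1.52   ether1         0
 4 A S  192.168.2.0/24                   172.31.255.11  1
 5 X S  192.168.2.0/24    192.168.2.250  l2tp-out1      1
 6 ADC  192.168.88.0/24   192.168.88.1   ether2-master  0
"""


@dataclass
class Route:
    index: int
    flags: str                      # flag letters joined, e.g. "AS", "ADC", "XS"
    dst: ipaddress.IPv4Network
    pref_src: Optional[str]
    gateway: str                    # next-hop IP, or an interface name
    distance: int

    @property
    def active(self) -> bool:
        return "A" in self.flags and "X" not in self.flags

    @property
    def gateway_is_interface(self) -> bool:
        try:
            ipaddress.ip_address(self.gateway)
            return False
        except ValueError:
            return True


def parse_route_print(text: str) -> List[Route]:
    """Parse the RouterOS 6 `/ip route print` table (assumed layout)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue                        # legend / column header
        idx, i, flags = int(tok[0]), 1, ""
        while "/" not in tok[i]:            # flag letters run up to DST-ADDRESS
            flags += tok[i]
            i += 1
        dst = ipaddress.ip_network(tok[i])
        middle = tok[i + 1:-1]              # PREF-SRC is optional, GATEWAY is not
        pref_src, gateway = (middle[0], middle[1]) if len(middle) == 2 else (None, middle[0])
        routes.append(Route(idx, flags, dst, pref_src, gateway, int(tok[-1])))
    return routes


@dataclass
class RouteAudit:
    active: List[int] = field(default_factory=list)
    disabled: List[int] = field(default_factory=list)
    interface_gateway: List[int] = field(default_factory=list)
    unresolved_gateway: List[int] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def audit_remote_lan_route(routes: List[Route], remote_lan: str) -> RouteAudit:
    """Is the remote LAN reachable through an enabled route whose next hop is
    the peer's tunnel IP (on a connected network) rather than an interface?"""
    lan = ipaddress.ip_network(remote_lan)
    connected = [r for r in routes if "C" in r.flags]
    audit = RouteAudit()
    for r in routes:
        if r.dst != lan:
            continue
        if "X" in r.flags:
            audit.disabled.append(r.index)
            audit.findings.append(f"route #{r.index} to {lan} is disabled (flag X)")
        if r.gateway_is_interface:
            audit.interface_gateway.append(r.index)
            audit.findings.append(f"route #{r.index} uses interface {r.gateway} as gateway; "
                                  "use the peer's tunnel address instead")
        elif not any(ipaddress.ip_address(r.gateway) in c.dst for c in connected):
            audit.unresolved_gateway.append(r.index)
            audit.findings.append(f"route #{r.index}: next hop {r.gateway} is not on any connected network")
        if r.active:
            audit.active.append(r.index)
    if not audit.active:
        audit.findings.append(f"no active route to {lan}")
    return audit


def vpn_pool_overlaps(pool_start: str, pool_end: str, lans: List[str]) -> List[str]:
    """LAN networks the PPP pool overlaps. A pool carved out of the office LAN
    makes office hosts ARP for the tunnel peer, which only works with proxy-arp
    on the LAN interface; a separate subnet is routed instead."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return [str(lan) for lan in map(ipaddress.ip_network, lans)
            if lo <= lan.broadcast_address and hi >= lan.network_address]


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT)
    for finding in audit_remote_lan_route(routes, "192.168.2.0/24").findings:
        print("route:", finding)
    # The original pool from the first post, checked against both LANs.
    for lan in vpn_pool_overlaps("192.168.2.250", "192.168.2.254", ["192.168.2.0/24", "192.168.88.0/24"]):
        print("pool: overlaps", lan, "(needs proxy-arp, or move the pool to its own subnet)")
```

Run against the posted table it reports route #5 as disabled and using `l2tp-out1` as its gateway, while route #4 is the one actually carrying 192.168.2.0/24 traffic via the peer address 172.31.255.11, which sits on the connected /32 of `l2tp-out2`; the pool check flags the original 192.168.2.250-254 range as inside the office LAN.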
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 29, 2017 11:10 pm

I can ping every device in the 192.168.2.x range from my laptop (192.168.88.x) connected to the hex at home.

Just the DNS doesn't seem to be working using the tunnel.

It looks like the DNS request get to the office network but maybe the result isn't getting back to the laptop?

And when I connect my laptop to the Office network using the windows VPN connection, I'm not able to access any IP just 192.168.2.1 (LAN side hex device at the office)
Last edited by rvdvalk on Thu Jun 29, 2017 11:22 pm, edited 1 time in total.
 
idlemind
Forum Guru
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Thu Jun 29, 2017 11:20 pm

Did you fix the route on the hex at home? Post /ip firewall filter of both devices? Is the DNS server at the office the MikroTik or something like a MS AD DNS or BIND box? Does your laptop run Windows 10?
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 29, 2017 11:22 pm

Did you fix the route on the hex at home? Post /ip firewall filter of both devices? Is the DNS server at the office the MikroTik or something like a MS AD DNS or BIND box? Does your laptop run Windows 10?
DNS at the Office is MS AD DNS.

My laptop is running Win10
 
idlemind
Forum Guru
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Thu Jun 29, 2017 11:30 pm

Did you fix the route on the hex at home? Post /ip firewall filter of both devices? Is the DNS server at the office the MikroTik or something like a MS AD DNS or BIND box? Does your laptop run Windows 10?
DNS at the Office is MS AD DNS.

My laptop is running Win10
OK, you can use the PowerShell cmdlet to test DNS instead of using the old nslookup command:
Resolve-DnsName -Server 192.168.2.2 -Name server1
^^ obviously replace the name of the server with something that will actually resolve.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Thu Jun 29, 2017 11:42 pm

I've connected my laptop using windows VPN client.

I can ping by IP but I can't ping by server name.
But, if I do a nslookup I do get the correct servername!?
nslookup 192.168.2.2
Server: nlsch1-s0001.ommelandbouwbv.local
Address: 192.168.2.2

Name: nlsch1-s0001.ommelandbouwbv.local
Address: 192.168.2.2
 
idlemind
Forum Guru
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Thu Jun 29, 2017 11:51 pm

You shouldn't need to be connecting your laptop to the VPN, just plugging it into the hex and letting it get a 192.168.88.0/24 IP should do the trick. We've already got the MikroTik receiving the DNS server via PPTP. It appears there aren't any firewall rules stopping it. Additionally ICMP seems to flow through without any issue.

What happens when you try to ping by name from the hex at home when connected to the VPN?
/ping count=2 <hostname of something>
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Aug 07, 2017 2:55 pm

You shouldn't need to be connecting your laptop to the VPN, just plugging it into the hex and letting it get a 192.168.88.0/24 IP should do the trick. We've already got the MikroTik receiving the DNS server via PPTP. It appears there aren't any firewall rules stopping it. Additionally ICMP seems to flow through without any issue.

What happens when you try to ping by name from the hex at home when connected to the VPN?
/ping count=2 <hostname of something>
I'll try this evening. Have not been able to test this because of other projects.

New question: If I want to allow users to connect with their laptop when they are on the road, what do I need to do to change the configuration.
I assume there should be an IP-pool to provide addresses.

I've tested with my laptop and it connects, but I also have the DNS issue when I connect from Windows (10) to Mikrotik hEx.

Thanks in advance.
 
idlemind
Forum Guru
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Mon Aug 07, 2017 5:03 pm

You shouldn't need to be connecting your laptop to the VPN, just plugging it into the hex and letting it get a 192.168.88.0/24 IP should do the trick. We've already got the MikroTik receiving the DNS server via PPTP. It appears there aren't any firewall rules stopping it. Additionally ICMP seems to flow through without any issue.

What happens when you try to ping by name from the hex at home when connected to the VPN?
/ping count=2 <hostname of something>
I'll try this evening. Have not been able to test this because of other projects.

New question: If I want to allow users to connect with their laptop when they are on the road, what do I need to do to change the configuration.
I assume there should be an IP-pool to provide addresses.

I've tested with my laptop and it connects, but I also have the DNS issue when I connect from Windows (10) to Mikrotik hEx.

Thanks in advance.
Yes, you could use an IP Pool. Alternatively, you can create a user account for each user (if you're not using RADIUS) and assign the IP address statically there for each one. The DNS is a bit mystifying, we see it assigned to the PPP profile. I'm pretty sure Windows pulls that information in.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Aug 07, 2017 5:10 pm

Yes, you could use an IP Pool. Alternatively, you can create a user account for each user (if you're not using RADIUS) and assign the IP address statically there for each one. The DNS is a bit mystifying, we see it assigned to the PPP profile. I'm pretty sure Windows pulls that information in.
Yes, Windows does get the DNS info correct but doesn't seem to do anything with it.

PPP adapter Vriesbouw:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Vriesbouw
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.31.255.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 192.168.2.2
192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

What should I do with the local/dest. addresses in the connection if I create a separate connection for every user?
 
idlemind
Forum Guru
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Mon Aug 07, 2017 6:03 pm

What happens if you try to query that DNS server using PowerShell's Resolve-DnsName cmdlet or the nslookup command-line tool while connected to the VPN?
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Mon Aug 07, 2017 10:17 pm

What happens if you try to query that DNS server using PowerShell's Resolve-DnsName cmdlet or the nslookup command-line tool while connected to the VPN?
These are the results from my laptop when Windows has a VPN connection to the Mikrotik hEx at the office.
2017-08-07 21_15_52-Microsoft Azure Active Directory Module for Windows PowerShell.png
Last edited by rvdvalk on Mon Aug 07, 2017 10:22 pm, edited 1 time in total.
 
idlemind
Forum Guru
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: PPTP & Routing

Mon Aug 07, 2017 10:37 pm

So you can resolve the names but you have to specify the fqdn for the resource. Not entirely surprising. If you go to Control Panel -> Network and Internet -> Network Connections and open the properties for your VPN connection. Click on "Internet Protocol Version 4 (TCP/IPv4)" and click Properties then Advanced and switch to the DNS tab. Near the bottom, you should see "DNS Suffix for this connection:" Enter "ommelandbouwbv.local" into that box and disconnect and reconnect to the VPN.

Also, long-term you should think about moving your domain away from .local to a name you own. The best practice today is to use a valid domain you own. Ideally it's different from what you use for your Internet presence, or a sub-domain of it. Say you own ommelandbouwbv.com; use ad.ommelandbouwbv.com or ommelandbouwbv.net instead. You can adjust the short name of your domain to not be "ad" if you use ad.ommelandbouwbv.com.
 
rvdvalk
newbie
Topic Author
Posts: 40
Joined: Tue Apr 25, 2017 9:05 pm

Re: PPTP & Routing

Tue Aug 08, 2017 5:34 pm

So you can resolve the names but you have to specify the fqdn for the resource. Not entirely surprising. If you go to Control Panel -> Network and Internet -> Network Connections and open the properties for your VPN connection. Click on "Internet Protocol Version 4 (TCP/IPv4)" and click Properties then Advanced and switch to the DNS tab. Near the bottom, you should see "DNS Suffix for this connection:" Enter "ommelandbouwbv.local" into that box and disconnect and reconnect to the VPN.

Also, long-term you should think about moving your domain away from .local to a name you own. The best practice today is to use a valid domain you own. Ideally it's different from what you use for your Internet presence, or a sub-domain of it. Say you own ommelandbouwbv.com; use ad.ommelandbouwbv.com or ommelandbouwbv.net instead. You can adjust the short name of your domain to not be "ad" if you use ad.ommelandbouwbv.com.
It worked. Good to keep these things in mind for the future.
Thanks for all your help.
