SilverNodashi
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

Cannot connect to other LAN via VPN

Wed May 30, 2018 10:26 am

Hi,

Can someone please help?

The setup is as follows:

We use PPTP VPN on internal IP range 172.16.16.0/24. My house IP range is 192.168.10.0/24. The HQ is on 192.41.100.0/24 and the other on 192.168.6.0/24. I set up NAT and routing on both ends, but cannot connect to PCs and printers on the 192.168.6.0/24 range, i.e. 192.168.6.101 and 192.168.6.20 from my laptop on 192.168.10.13. I can connect to the HQ equipment on 192.41.100.0/24.

i.e. the connection is as follows: My Laptop (192.168.10.100) -> VPN (172.16.16.103) -> Internet -> HQ via VPN (172.16.16.1)
Remote branch is as follows: Printer (192.168.6.20) -> VPN (172.16.16.106) -> Internet -> HQ via VPN

Running a traceroute to the networks from my laptop:
C:\Users\Rudi>tracert 192.41.100.250

Tracing route to 192-41-100-250.c7dc.com [192.41.100.250]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.10.1
  2    36 ms    30 ms    47 ms  172.16.16.1
  3    31 ms    30 ms    44 ms  192-41-100-250.c7dc.com [192.41.100.250]
  
  
C:\Users\Rudi>tracert 192.168.6.20

Tracing route to 192.168.6.20 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.10.1
  2    31 ms    31 ms    28 ms  172.16.16.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.


Please see attached the network diagram.
Last edited by SilverNodashi on Thu May 31, 2018 7:50 pm, edited 1 time in total.
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Cannot connect to other LAN via VPN

Wed May 30, 2018 12:37 pm

traffic towards 192.168.6.20 should be routed to 172.16.16.106, not 172.16.16.1
change your static routing at home router
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Cannot connect to other LAN via VPN

Wed May 30, 2018 1:57 pm

You will need the following routes at:

HQ:
192.168.6.0/24 via PPTP-1 (To Remote)
192.168.10.0/24 Via PPTP-2 (To Home)

Home:
192.168.1.0/24 via PPTP-1 (To HQ)
192.168.6.0/24 via PPTP-1 (To Remote via HQ)

Remote:
192.168.1.0/24 via PPTP-1 (To HQ)
192.168.10.0/24 via PPTP-1 (To Home via HQ)
 
SilverNodashi
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

Re: Cannot connect to other LAN via VPN

Wed May 30, 2018 11:58 pm

> traffic towards 192.168.6.20 should be routed to 172.16.16.106, not 172.16.16.1
> change your static routing at home router

That doesn't make sense. 172.16.16.106 sits on the other network and cannot be reached from 192.168.10.1 directly. Even adding it as a route shows it as unreachable.
 
SilverNodashi
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

Re: Cannot connect to other LAN via VPN

Thu May 31, 2018 12:12 am

> You will need the following routes at:
>
> HQ:
> 192.168.6.0/24 via PPTP-1 (To Remote)
> 192.168.10.0/24 Via PPTP-2 (To Home)
>
> Home:
> 192.168.1.0/24 via PPTP-1 (To HQ)
> 192.168.6.0/24 via PPTP-1 (To Remote via HQ)
>
> Remote:
> 192.168.1.0/24 via PPTP-1 (To HQ)
> 192.168.10.0/24 via PPTP-1 (To Home via HQ)

I have these routes already, though the IPs are slightly different from yours. Look at the attached image to see.

So I have:
HQ:
192.168.6.0/24 via PPTP-1 (To Remote)
192.168.10.0/24 Via PPTP-2 (To Home)
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          x.x.x.x           1
 1 X S  0.0.0.0/0                          y.y.y.y            2
 2 X S  0.0.0.0/0                          afrihost                  3
25 ADC  172.16.2.0/24      172.16.2.1      ether1-Fiber              0
26 X S  172.16.16.0/24                     172.16.16.1               1
27 ADC  172.16.16.44/32    172.16.16.1     <pptp-RudiA>              0
28 ADC  172.16.16.101/32   172.16.16.1     <pptp-CTVPN>              0
29 ADC  172.16.16.102/32   172.16.16.1     <pptp-DBNVPN-1>           0
30 ADC  172.16.16.106/32   172.16.16.1     <pptp-VERVPN>             0
31 ADC  192.41.100.0/24    192.41.100.1    ether4                    0
32 A S  ;;; DBN VPN
        192.168.1.0/24                     172.16.16.102             1
33 A S  ;;; Cape Town Network via Bitco Fiber
        192.168.4.0/24                     <pptp-CTVPN>              1
34   S  ;;; Cape Town Network via LTE
        192.168.4.0/24                     172.16.16.101             2
Home:
192.41.100.0/24 via PPTP-1 (To HQ)
192.168.6.0/24 via PPTP-1 (To Remote via HQ)
[admin@MT] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.18.1              1
 1 ADC  172.16.16.1/32     172.16.16.44    HST                       0
 2 A S  192.41.100.0/24                    HST                       1
 3 A S  192.168.1.0/24                     HST                       1
 4 A S  192.168.6.0/24                     HST                       1
 5 ADC  192.168.10.0/24    192.168.10.1    bridge                    0
 6 ADC  192.168.18.0/24    192.168.18.2    ether1                    0

HST is the VPN connection name.




Remote:
192.41.100.0/24 via PPTP-1 (To HQ)
192.168.10.0/24 via PPTP-1 (To Home via HQ)
[admin@Vereeniging] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          x.x.x.x            1
 1 ADC  154.127.113.72/29  x.x.x.y  ether1-Fiber              0
 2 ADC  172.16.16.1/32     172.16.16.106   JHB-VPN                   0
 3 A S  192.41.100.0/24                    JHB-VPN                   1
 4 ADC  192.168.6.0/24     192.168.6.1     bridge                    0
 5 A S  192.168.10.0/24                    JHB-VPN                   1
Last edited by SilverNodashi on Thu May 31, 2018 7:48 pm, edited 1 time in total.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Cannot connect to other LAN via VPN

Thu May 31, 2018 1:27 am

The IP subnets I got from the description in your original post.

The home and remote sides look OK.

There are 2 different route prints for HQ, not sure why. Also, if I follow the route numbers, there seem to be routes missing, as it jumps from number 3 to a big number. I assume the reason is there are some dynamic C routes not shown in the print of routes.

I also do not see where you are routing to either 192.168.10.x or .6.x in the print for HQ?
 
SilverNodashi
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

Re: Cannot connect to other LAN via VPN

Thu May 31, 2018 7:53 pm

> The IP subnets I got from the description in your original post.

The 3 main subnets are:
home: 192.168.10.0/24
HQ: 192.41.100.0/24
Remote Office: 192.168.6.0/24

> The home and remote sides look OK.
>
> There are 2 different route prints for HQ, not sure why. Also, if I follow the route numbers, there seem to be routes missing, as it jumps from number 3 to a big number. I assume the reason is there are some dynamic C routes not shown in the print of routes.

I took out some sensitive routes, but that has nothing to do with the routes I cannot get to work right now.

> I also do not see where you are routing to either 192.168.10.x or .6.x in the print for HQ?

Hmm, it seems it got cut off when I copied from Winbox. Here it is:

38 A S  ;;; Vereeniging VPN
        192.168.6.0/24                     <pptp-VERVPN>             1
39   S  192.168.8.0/24                     10.1.1.1                  1
40 A S  192.168.10.0/24                    <pptp-RudiA>              1
41  DC  192.168.20.0/24    192.168.20.1    ether10-VOIP            255

 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Cannot connect to other LAN via VPN

Thu May 31, 2018 8:23 pm

What do the firewall filter rules look like? Is there anything that will block comms between these subnets?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Cannot connect to other LAN via VPN

Fri Jun 01, 2018 2:39 am

Just reread your OP. You mention you have enabled NAT; is this NATing through the VPN? If so, that might be your problem. Remove this and use routing only.
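
Added example, not part of the original thread: a replay of the route tables posted above using longest-prefix matching, comparing the laptop's real source address with a source masqueraded to Home's tunnel address. The site names, the reduction of gateways to router names, and the masquerade case itself are assumptions; the thread never shows the NAT rules.

```python
import ipaddress

# Active routes relevant to the three sites, transcribed from the /ip route print
# outputs in the thread. Gateways are reduced to the neighbouring router's name;
# "LAN" = directly connected subnet, "WAN" = the (redacted) default gateway.
TABLES = {
    "Home": [("0.0.0.0/0", "WAN"), ("172.16.16.1/32", "HQ"), ("192.41.100.0/24", "HQ"),
             ("192.168.6.0/24", "HQ"), ("192.168.10.0/24", "LAN")],
    "HQ": [("0.0.0.0/0", "WAN"), ("172.16.16.44/32", "Home"),
           ("172.16.16.106/32", "Remote"), ("192.41.100.0/24", "LAN"),
           ("192.168.6.0/24", "Remote"), ("192.168.10.0/24", "Home")],
    "Remote": [("0.0.0.0/0", "WAN"), ("172.16.16.1/32", "HQ"), ("192.41.100.0/24", "HQ"),
               ("192.168.6.0/24", "LAN"), ("192.168.10.0/24", "HQ")],
}
# Each router's own tunnel address (the PREF-SRC column of its PPTP route).
OWN = {"Home": "172.16.16.44", "HQ": "172.16.16.1", "Remote": "172.16.16.106"}

def next_hop(router, dst):
    """Longest-prefix match over one router's table."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), gw) for p, gw in TABLES[router]]
    return max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)[1]

def trace(start, dst, max_hops=8):
    """Follow next hops until local delivery, LAN delivery or WAN exit."""
    path, router = [start], start
    for _ in range(max_hops):
        hop = "LOCAL" if OWN[router] == dst else next_hop(router, dst)
        path.append(hop)
        if hop in ("LOCAL", "LAN", "WAN"):
            break
        router = hop
    return path

def round_trip(src_router, src_ip, dst_router, dst_ip):
    """Path of the request, then path of the reply addressed to src_ip."""
    return trace(src_router, dst_ip), trace(dst_router, src_ip)

if __name__ == "__main__":
    cases = [("routed, laptop source", "192.168.10.13", "Remote", "192.168.6.20"),
             ("NATed (assumed), to Remote", "172.16.16.44", "Remote", "192.168.6.20"),
             ("NATed (assumed), to HQ", "172.16.16.44", "HQ", "192.41.100.250")]
    for label, src, dst_router, dst in cases:
        out, back = round_trip("Home", src, dst_router, dst)
        print(f"{label}: out {' > '.join(out)} | back {' > '.join(back)}")
```

With the laptop's real source address, both directions stay inside the tunnels. With the assumed masqueraded source, HQ can answer because it holds a connected /32 for 172.16.16.44, while the posted Remote table matches that address only on its default route.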
