Community discussions

 
sniuras
just joined
Topic Author
Posts: 5
Joined: Tue May 28, 2019 10:42 pm

Fix my mess please.

Tue May 28, 2019 11:16 pm

Hello

I really need help with my setup. I have made a VPN IPSec/L2TP connection between my routers but routers dont reach each other's gateways (i can ping from one router to another's router's WAN but not LAN). So right now i have unpluged them from the ISP and connected those two router's either 1 ports with a cable. To help you understand- Router A either 1 connected to router B either 1 , Router A either 2 is connected to a client and router B either 2 is connected to a another client.My goal is to send a ping from one LAN to another LAN (letting the clients to communicate)
So i have two mikrotik routers. router A is: WAN 10.40.2.211 LAN 10.10.11.1 router B is WAN 10.40.2.222 LAN 10.10.12.1.
When i try to ping from first router to another routers LAN (10.40.2.211 to 10.10.12.1) it times out. Im accepting any ideas which will make this work or if you need more information just ask.

I will add my both configs, i hope you smart people can find what is wrong.
Router A config (name is "Pirmas"):
/interface ipip
add allow-fast-path=no ipsec-secret=159357 !keepalive local-address=\
    10.40.2.211 name=ipip-tunnel1 remote-address=10.40.2.222
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool1 ranges=10.10.11.2-10.10.11.200
add name=l2tp ranges=10.10.11.200-10.10.11.220
/ip dhcp-server
add address-pool=pool1 disabled=no interface=ether2 name=server1
/ppp profile
add dns-server=8.8.8.8 local-address=10.40.2.211 name=L2TP remote-address=\
    l2tp
/interface l2tp-server server
set enabled=yes ipsec-secret=159357 use-ipsec=yes
/ip address
add address=10.40.2.211/24 interface=ether1 network=10.40.2.0
add address=10.10.11.1/24 interface=ether2 network=10.10.11.0
add address=10.10.11.254/24 interface=ipip-tunnel1 network=10.10.11.0
/ip dhcp-server network
add address=10.10.11.0/24 dns-server=8.8.8.8 gateway=10.10.11.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=input comment="Reikalingas PPTP" dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="PPTP reikalingas" protocol=gre
add action=accept chain=input comment=Winboxui dst-port=8291 protocol=tcp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500,4500,1701 in-interface=ether1 \
    protocol=udp
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=input comment="default configuration" in-interface=\
    ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.12.0/24 src-address=\
    10.10.11.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=10.40.2.222/32 local-address=10.40.2.211 secret=159357
/ip ipsec policy
add dst-address=10.10.12.0/24 sa-dst-address=10.40.2.222 sa-src-address=\
    10.40.2.211 src-address=10.10.11.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.40.2.1
add disabled=yes distance=1 dst-address=10.10.11.0/24 gateway=ether2
add distance=1 dst-address=10.10.12.0/24 gateway=ipip-tunnel1
/ppp secret
add name=abc password=abc123 profile=L2TP service=l2tp


ROUTER B CONFIG:

 /interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface ipip
add allow-fast-path=no ipsec-secret=159357 !keepalive local-address=\
    10.40.2.222 name=ipip-tunnel1 remote-address=10.40.2.211
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=10.10.12.2-10.10.12.200
/ip dhcp-server
add address-pool=pool1 disabled=no interface=ether2 name=server1
/ip address
add address=10.40.2.222/24 interface=ether1 network=10.40.2.0
add address=10.10.11.1/24 interface=ether2 network=10.10.11.0
add address=10.10.11.254 interface=ipip-tunnel1 network=10.10.11.254
/ip dhcp-server network
add address=10.10.12.0/24 dns-server=8.8.8.8 gateway=10.10.12.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=input comment="Reikalingas PPTP" dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="PPTP reikalingas" protocol=gre
add action=accept chain=input comment=Winboxui dst-port=8291 protocol=tcp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500,4500,1701 in-interface=ether1 \
    protocol=udp
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.11.0/24 src-address=\
    10.10.12.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=10.40.2.211/32 local-address=10.40.2.222 secret=159357
/ip ipsec policy
add dst-address=10.10.11.0/24 sa-dst-address=10.40.2.211 sa-src-address=\
    10.40.2.222 src-address=10.10.12.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.40.2.1
add distance=1 dst-address=10.10.11.0/24 gateway=ipip-tunnel1
 
3liswaid
newbie
Posts: 44
Joined: Thu Feb 14, 2019 5:12 pm
Location: Syria
Contact:

Re: Fix my mess please.

Wed May 29, 2019 11:09 am

you have the below scheme

Image
please apply the following
[admin@R1] interface ipip> add
local-address: 10.40.2.211 
remote-address: 10.40.2.222 
[admin@R1] interface ipip> print
Flags: X - disabled, R - running
  #    NAME                               MTU   LOCAL-ADDRESS   REMOTE-ADDRESS
  0 X  ipip1                              1480  10.40.2.211         10.40.2.222 

[admin@R1]
[admin@R1] ip address add address=1.1.1.1/24 interface=ipip1
[admin@R1]/ip route> add dst-address=2.2.2.2/24 gateway=ipip1



[admin@R2] interface ipip> add
local-address: 10.40.2.222  
remote-address: 10.40.2.211 
[admin@R2] interface ipip> print
Flags: X - disabled, R - running
  #    NAME                               MTU   LOCAL-ADDRESS   REMOTE-ADDRESS
  0 X  ipip1                              1480  10.40.2.211          10.40.2.222 

[admin@R2]
[admin@R2] ip address add address=2.2.2.2/24 interface=ipip1
[admin@R2]/ip route> add dst-address=1.1.1.1/24 gateway=ipip1
 
sniuras
just joined
Topic Author
Posts: 5
Joined: Tue May 28, 2019 10:42 pm

Re: Fix my mess please.

Tue Jun 04, 2019 5:43 pm

Sorry for such a late reply, i will be more active from now on.

Your scheme is exactly what i want to do. 10/10. So i did like u said, and not much changed,From router A i can ping router B WAN (10.40.2.222) and IP tunnel (2.2.2.2). For some reason, i cant ping from my PC which is connected to router A either 2 to anything, It gets the IP adress which is 10.10.11.200 and gateway is 10.10.11.1 but from CMD i cant ping neither its own gateway or router A WAN address.
 
User avatar
AlainCasault
Trainer
Trainer
Posts: 609
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada
Contact:

Re: Fix my mess please.

Tue Jun 04, 2019 5:53 pm

Hello,

One big thing that jumps up is your routing. Never use an interface as gateway, always an IP address.

So on router A, use the IP if B's tunnel to each B's LAN.

Cheers



Sent from my cell phone. Sorry for the errors.

___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
User avatar
AlainCasault
Trainer
Trainer
Posts: 609
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada
Contact:

Re: Fix my mess please.

Tue Jun 04, 2019 5:55 pm

Eventually, use dynamic routing. Avoids the hassle of static routing.


Sent from my cell phone. Sorry for the errors.

___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
sniuras
just joined
Topic Author
Posts: 5
Joined: Tue May 28, 2019 10:42 pm

Re: Fix my mess please.

Tue Jun 04, 2019 6:58 pm

So tell me if im doing this right. On the router A, in the route list, i need to put 1.1.1.1 instead of ipip-tunnel. Not sure if im doing this correctly, because when i do this, gateway becomes "unreachable". But i believe the problem is as you say in my routes.
 
mkx
Forum Guru
Forum Guru
Posts: 2948
Joined: Thu Mar 03, 2016 10:23 pm

Re: Fix my mess please.

Tue Jun 04, 2019 7:15 pm

Never use an interface as gateway, always an IP address.

What's wrong with using interface as gateway if interface is a point-to-point type of interface?
BR,
Metod
 
mkx
Forum Guru
Forum Guru
Posts: 2948
Joined: Thu Mar 03, 2016 10:23 pm

Re: Fix my mess please.

Tue Jun 04, 2019 7:19 pm

For some reason, i cant ping from my PC which is connected to router A either 2 to anything, It gets the IP adress which is 10.10.11.200 and gateway is 10.10.11.1 but from CMD i cant ping neither its own gateway ...
This problem most probably doesn't have anything to do with ipip. Look for misconfiguration of router A (e.g. does LAN adress come with netmask?)
BR,
Metod
 
User avatar
AlainCasault
Trainer
Trainer
Posts: 609
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada
Contact:

Re: Fix my mess please.

Tue Jun 04, 2019 9:26 pm

Never use an interface as gateway, always an IP address.

What's wrong with using interface as gateway if interface is a point-to-point type of interface?
Works for non broadcast technologies like x.25, Frame relay.

Sent from my cell phone. Sorry for the errors.

___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
mkx
Forum Guru
Forum Guru
Posts: 2948
Joined: Thu Mar 03, 2016 10:23 pm

Re: Fix my mess please.

Tue Jun 04, 2019 9:42 pm

Never use an interface as gateway, always an IP address.

What's wrong with using interface as gateway if interface is a point-to-point type of interface?
Works for non broadcast technologies like x.25, Frame relay.
Works for any PtP link, such as IPIP or PPPoE:
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK         INTERFACE
 # snip
 5 D XXX.YYY.ZZZ.WWW/32   AAA.BBB.CCC.DDD pppoe-out1
 6   192.168.255.254/32   192.168.255.255 ipip-ces
 
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-out1                1
# snip
 2 A S  192.168.13.0/24                    ipip-ces                  1
# snip
 9 ADC  192.168.255.255/32 192.168.255.254 ipip-ces                  0
10 ADC  XXX.YYY.ZZZ.WWW/32 AAA.BBB.CCC.DDD pppoe-out1                0

The address and routing for PPPoE interface is how it's done automatically so it should be fine ... I guess.

And the PtP link doesn't have to be non-broadcast technology, it can be ethernet if forced to equivalent of PtP link by specifying /32 address with network address set to the address of remote device.
BR,
Metod
 
sniuras
just joined
Topic Author
Posts: 5
Joined: Tue May 28, 2019 10:42 pm

Re: Fix my mess please.

Tue Jun 04, 2019 11:09 pm

So i can ping from connected PC to its LAN gateway (10.10.11.1) but cant ping router WAN address (10.40.2.211). And PC gets IP from DHCP, mask and gateway. Im totally lost at the moment to be honest.
 
User avatar
AlainCasault
Trainer
Trainer
Posts: 609
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada
Contact:

Re: Fix my mess please.

Tue Jun 04, 2019 11:38 pm

Never use an interface as gateway, always an IP address.

What's wrong with using interface as gateway if interface is a point-to-point type of interface?
Works for non broadcast technologies like x.25, Frame relay.
Works for any PtP link, such as IPIP or PPPoE:
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK         INTERFACE
 # snip
 5 D XXX.YYY.ZZZ.WWW/32   AAA.BBB.CCC.DDD pppoe-out1
 6   192.168.255.254/32   192.168.255.255 ipip-ces
 
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-out1                1
# snip
 2 A S  192.168.13.0/24                    ipip-ces                  1
# snip
 9 ADC  192.168.255.255/32 192.168.255.254 ipip-ces                  0
10 ADC  XXX.YYY.ZZZ.WWW/32 AAA.BBB.CCC.DDD pppoe-out1                0

The address and routing for PPPoE interface is how it's done automatically so it should be fine ... I guess.

And the PtP link doesn't have to be non-broadcast technology, it can be ethernet if forced to equivalent of PtP link by specifying /32 address with network address set to the address of remote device.
Ok. I'll test it. Even Normis has posted something to that effect once about using interfaces as gateways.

Thanks


Sent from my cell phone. Sorry for the errors.

___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
User avatar
AlainCasault
Trainer
Trainer
Posts: 609
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada
Contact:

Re: Fix my mess please.

Wed Jun 05, 2019 12:57 am

Damn! I had this TOTALY confused with another (and totaly unrelated) issue... My bad!!! Thank @MKS for setting me straight.

/interface bridge
add name=LAN
/interface ipip
add name=ipip-tunnel1 remote-address=172.16.2.203
/ip address
add address=10.1.1.1/24 interface=LAN network=10.1.1.0
add address=10.2.1.2 interface=ipip-tunnel1 network=10.2.1.1
/ip dhcp-client
add add-default-route=no dhcp-options=clientid,hostname disabled=no interface=ether1
/ip route
add distance=1 dst-address=10.1.2.0/24 gateway=ipip-tunnel1
/system identity
set name=pod4


===================
294 10.1.2.1 56 64 0ms
295 10.1.2.1 56 64 0ms
296 10.1.2.1 56 64 0ms
297 10.1.2.1 56 64 0ms
===================
___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
User avatar
AlainCasault
Trainer
Trainer
Posts: 609
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada
Contact:

Re: Fix my mess please.

Wed Jun 05, 2019 1:06 am

So tell me if im doing this right. On the router A, in the route list, i need to put 1.1.1.1 instead of ipip-tunnel. Not sure if im doing this correctly, because when i do this, gateway becomes "unreachable". But i believe the problem is as you say in my routes.

OK! Now that I've got my head out of the cloud, try this:
IPIP on A : address: 1.1.1.1 Netmask 2.2.2.2
IPIP on B : address: 2.2.2.2 Netmask 1.1.1.1

With that, your routing should work when using interface ipip-tunnel1.

EDIT: No /24!
___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
sniuras
just joined
Topic Author
Posts: 5
Joined: Tue May 28, 2019 10:42 pm

Re: Fix my mess please.

Fri Jun 07, 2019 12:22 am

So tell me if im doing this right. On the router A, in the route list, i need to put 1.1.1.1 instead of ipip-tunnel. Not sure if im doing this correctly, because when i do this, gateway becomes "unreachable". But i believe the problem is as you say in my routes.

OK! Now that I've got my head out of the cloud, try this:
IPIP on A : address: 1.1.1.1 Netmask 2.2.2.2
IPIP on B : address: 2.2.2.2 Netmask 1.1.1.1

With that, your routing should work when using interface ipip-tunnel1.

EDIT: No /24!
Im not sure where or how do I put a netmask like 2.2.2.2 or 1.1.1.1. Could you please explain in more detail
 
User avatar
AlainCasault
Trainer
Trainer
Posts: 609
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada
Contact:

Re: Fix my mess please.

Fri Jun 07, 2019 12:39 am

Here's an export of my very basic config along with basic details.

__________________________________
ROUTER A
/interface ipip[
add name=ipip-tunnel1 remote-address=172.16.2.203
/ip address
add address=10.1.1.1 interface=ipip-tunnel1 network=10.2.2.2
/ip dhcp-client
add dhcp-options=clientid,hostname disabled=no interface=ether1
/system identity
set name=ROUTER-A
[admin@ROUTER-A] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 D 172.16.2.204/24 172.16.2.0 ether1
1 10.1.1.1/32 10.2.2.2 ipip-tunnel1


__________________________________
ROUTER B
/interface ipip
add name=ipip-tunnel1 remote-address=172.16.2.204
/ip address
add address=10.2.2.2 interface=ipip-tunnel1 network=10.1.1.1
/ip dhcp-client
add dhcp-options=clientid,hostname disabled=no interface=ether1
/system identity
set name=ROUTER-B
[admin@ROUTER-B] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 D 172.16.2.203/24 172.16.2.0 ether1
1 10.2.2.2/32 10.1.1.1 ipip-tunnel1


So this is how you can setup /32 addresses for your tunnel.
Understand that the 1.1.1.1 and 2.2.2.2 where just examples. DON'T use them as they are public (routable) IP addresses.
The netmask field, when using /32 addresses is ALWAYS the IP address of the other end of the tunnel.

Hope this helps.
___________________________
Alain Casault, Eng.
If I helped you, let me know!

Who is online

Users browsing this forum: MSN [Bot] and 35 guests