Fix my mess please.

sniuras · Tue May 28, 2019 11:16 pm

Hello

I really need help with my setup. I have made a VPN IPSec/L2TP connection between my routers but routers dont reach each other's gateways (i can ping from one router to another's router's WAN but not LAN). So right now i have unpluged them from the ISP and connected those two router's either 1 ports with a cable. To help you understand- Router A either 1 connected to router B either 1 , Router A either 2 is connected to a client and router B either 2 is connected to a another client.My goal is to send a ping from one LAN to another LAN (letting the clients to communicate)
So i have two mikrotik routers. router A is: WAN 10.40.2.211 LAN 10.10.11.1 router B is WAN 10.40.2.222 LAN 10.10.12.1.
When i try to ping from first router to another routers LAN (10.40.2.211 to 10.10.12.1) it times out. Im accepting any ideas which will make this work or if you need more information just ask.

I will add my both configs, i hope you smart people can find what is wrong.

Router A config (name is "Pirmas"):
/interface ipip
add allow-fast-path=no ipsec-secret=159357 !keepalive local-address=\
    10.40.2.211 name=ipip-tunnel1 remote-address=10.40.2.222
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool1 ranges=10.10.11.2-10.10.11.200
add name=l2tp ranges=10.10.11.200-10.10.11.220
/ip dhcp-server
add address-pool=pool1 disabled=no interface=ether2 name=server1
/ppp profile
add dns-server=8.8.8.8 local-address=10.40.2.211 name=L2TP remote-address=\
    l2tp
/interface l2tp-server server
set enabled=yes ipsec-secret=159357 use-ipsec=yes
/ip address
add address=10.40.2.211/24 interface=ether1 network=10.40.2.0
add address=10.10.11.1/24 interface=ether2 network=10.10.11.0
add address=10.10.11.254/24 interface=ipip-tunnel1 network=10.10.11.0
/ip dhcp-server network
add address=10.10.11.0/24 dns-server=8.8.8.8 gateway=10.10.11.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=input comment="Reikalingas PPTP" dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="PPTP reikalingas" protocol=gre
add action=accept chain=input comment=Winboxui dst-port=8291 protocol=tcp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500,4500,1701 in-interface=ether1 \
    protocol=udp
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=input comment="default configuration" in-interface=\
    ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.12.0/24 src-address=\
    10.10.11.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=10.40.2.222/32 local-address=10.40.2.211 secret=159357
/ip ipsec policy
add dst-address=10.10.12.0/24 sa-dst-address=10.40.2.222 sa-src-address=\
    10.40.2.211 src-address=10.10.11.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.40.2.1
add disabled=yes distance=1 dst-address=10.10.11.0/24 gateway=ether2
add distance=1 dst-address=10.10.12.0/24 gateway=ipip-tunnel1
/ppp secret
add name=abc password=abc123 profile=L2TP service=l2tp


ROUTER B CONFIG:

 /interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface ipip
add allow-fast-path=no ipsec-secret=159357 !keepalive local-address=\
    10.40.2.222 name=ipip-tunnel1 remote-address=10.40.2.211
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=10.10.12.2-10.10.12.200
/ip dhcp-server
add address-pool=pool1 disabled=no interface=ether2 name=server1
/ip address
add address=10.40.2.222/24 interface=ether1 network=10.40.2.0
add address=10.10.11.1/24 interface=ether2 network=10.10.11.0
add address=10.10.11.254 interface=ipip-tunnel1 network=10.10.11.254
/ip dhcp-server network
add address=10.10.12.0/24 dns-server=8.8.8.8 gateway=10.10.12.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=input comment="Reikalingas PPTP" dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="PPTP reikalingas" protocol=gre
add action=accept chain=input comment=Winboxui dst-port=8291 protocol=tcp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500,4500,1701 in-interface=ether1 \
    protocol=udp
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.11.0/24 src-address=\
    10.10.12.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=10.40.2.211/32 local-address=10.40.2.222 secret=159357
/ip ipsec policy
add dst-address=10.10.11.0/24 sa-dst-address=10.40.2.211 sa-src-address=\
    10.40.2.222 src-address=10.10.12.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.40.2.1
add distance=1 dst-address=10.10.11.0/24 gateway=ipip-tunnel1

3liswaid · Wed May 29, 2019 11:09 am

you have the below scheme

please apply the following

[admin@R1] interface ipip> add
local-address: 10.40.2.211 
remote-address: 10.40.2.222 
[admin@R1] interface ipip> print
Flags: X - disabled, R - running
  #    NAME                               MTU   LOCAL-ADDRESS   REMOTE-ADDRESS
  0 X  ipip1                              1480  10.40.2.211         10.40.2.222 

[admin@R1]
[admin@R1] ip address add address=1.1.1.1/24 interface=ipip1
[admin@R1]/ip route> add dst-address=2.2.2.2/24 gateway=ipip1



[admin@R2] interface ipip> add
local-address: 10.40.2.222  
remote-address: 10.40.2.211 
[admin@R2] interface ipip> print
Flags: X - disabled, R - running
  #    NAME                               MTU   LOCAL-ADDRESS   REMOTE-ADDRESS
  0 X  ipip1                              1480  10.40.2.211          10.40.2.222 

[admin@R2]
[admin@R2] ip address add address=2.2.2.2/24 interface=ipip1
[admin@R2]/ip route> add dst-address=1.1.1.1/24 gateway=ipip1

sniuras · Tue Jun 04, 2019 5:43 pm

Sorry for such a late reply, i will be more active from now on.

Your scheme is exactly what i want to do. 10/10. So i did like u said, and not much changed,From router A i can ping router B WAN (10.40.2.222) and IP tunnel (2.2.2.2). For some reason, i cant ping from my PC which is connected to router A either 2 to anything, It gets the IP adress which is 10.10.11.200 and gateway is 10.10.11.1 but from CMD i cant ping neither its own gateway or router A WAN address.

AlainCasault · Tue Jun 04, 2019 5:53 pm

Hello,

One big thing that jumps up is your routing. Never use an interface as gateway, always an IP address.

So on router A, use the IP if B's tunnel to each B's LAN.

Cheers

Sent from my cell phone. Sorry for the errors.

AlainCasault · Tue Jun 04, 2019 5:55 pm

Eventually, use dynamic routing. Avoids the hassle of static routing.

Sent from my cell phone. Sorry for the errors.

sniuras · Tue Jun 04, 2019 6:58 pm

So tell me if im doing this right. On the router A, in the route list, i need to put 1.1.1.1 instead of ipip-tunnel. Not sure if im doing this correctly, because when i do this, gateway becomes "unreachable". But i believe the problem is as you say in my routes.

mkx · Tue Jun 04, 2019 7:15 pm

Never use an interface as gateway, always an IP address.

What's wrong with using interface as gateway if interface is a point-to-point type of interface?

mkx · Tue Jun 04, 2019 7:19 pm

For some reason, i cant ping from my PC which is connected to router A either 2 to anything, It gets the IP adress which is 10.10.11.200 and gateway is 10.10.11.1 but from CMD i cant ping neither its own gateway ...

This problem most probably doesn't have anything to do with ipip. Look for misconfiguration of router A (e.g. does LAN adress come with netmask?)

AlainCasault · Tue Jun 04, 2019 9:26 pm

Never use an interface as gateway, always an IP address.

What's wrong with using interface as gateway if interface is a point-to-point type of interface?

Works for non broadcast technologies like x.25, Frame relay.

Sent from my cell phone. Sorry for the errors.

mkx · Tue Jun 04, 2019 9:42 pm

Never use an interface as gateway, always an IP address.

What's wrong with using interface as gateway if interface is a point-to-point type of interface?
Works for non broadcast technologies like x.25, Frame relay.

Works for any PtP link, such as IPIP or PPPoE:

/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK         INTERFACE
 # snip
 5 D XXX.YYY.ZZZ.WWW/32   AAA.BBB.CCC.DDD pppoe-out1
 6   192.168.255.254/32   192.168.255.255 ipip-ces
 
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-out1                1
# snip
 2 A S  192.168.13.0/24                    ipip-ces                  1
# snip
 9 ADC  192.168.255.255/32 192.168.255.254 ipip-ces                  0
10 ADC  XXX.YYY.ZZZ.WWW/32 AAA.BBB.CCC.DDD pppoe-out1                0

The address and routing for PPPoE interface is how it's done automatically so it should be fine ... I guess.

And the PtP link doesn't have to be non-broadcast technology, it can be ethernet if forced to equivalent of PtP link by specifying /32 address with network address set to the address of remote device.

sniuras · Tue Jun 04, 2019 11:09 pm

So i can ping from connected PC to its LAN gateway (10.10.11.1) but cant ping router WAN address (10.40.2.211). And PC gets IP from DHCP, mask and gateway. Im totally lost at the moment to be honest.

AlainCasault · Tue Jun 04, 2019 11:38 pm

Never use an interface as gateway, always an IP address.

What's wrong with using interface as gateway if interface is a point-to-point type of interface?
Works for non broadcast technologies like x.25, Frame relay.
Works for any PtP link, such as IPIP or PPPoE:
Code: Select all
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK         INTERFACE
 # snip
 5 D XXX.YYY.ZZZ.WWW/32   AAA.BBB.CCC.DDD pppoe-out1
 6   192.168.255.254/32   192.168.255.255 ipip-ces
 
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-out1                1
# snip
 2 A S  192.168.13.0/24                    ipip-ces                  1
# snip
 9 ADC  192.168.255.255/32 192.168.255.254 ipip-ces                  0
10 ADC  XXX.YYY.ZZZ.WWW/32 AAA.BBB.CCC.DDD pppoe-out1                0
The address and routing for PPPoE interface is how it's done automatically so it should be fine ... I guess.

And the PtP link doesn't have to be non-broadcast technology, it can be ethernet if forced to equivalent of PtP link by specifying /32 address with network address set to the address of remote device.

Ok. I'll test it. Even Normis has posted something to that effect once about using interfaces as gateways.

Thanks

Sent from my cell phone. Sorry for the errors.

AlainCasault · Wed Jun 05, 2019 12:57 am

Damn! I had this TOTALY confused with another (and totaly unrelated) issue... My bad!!! Thank @MKS for setting me straight.

/interface bridge
add name=LAN
/interface ipip
add name=ipip-tunnel1 remote-address=172.16.2.203
/ip address
add address=10.1.1.1/24 interface=LAN network=10.1.1.0
add address=10.2.1.2 interface=ipip-tunnel1 network=10.2.1.1
/ip dhcp-client
add add-default-route=no dhcp-options=clientid,hostname disabled=no interface=ether1
/ip route
add distance=1 dst-address=10.1.2.0/24 gateway=ipip-tunnel1
/system identity
set name=pod4

===================
294 10.1.2.1 56 64 0ms
295 10.1.2.1 56 64 0ms
296 10.1.2.1 56 64 0ms
297 10.1.2.1 56 64 0ms
===================

AlainCasault · Wed Jun 05, 2019 1:06 am

So tell me if im doing this right. On the router A, in the route list, i need to put 1.1.1.1 instead of ipip-tunnel. Not sure if im doing this correctly, because when i do this, gateway becomes "unreachable". But i believe the problem is as you say in my routes.

OK! Now that I've got my head out of the cloud, try this:
IPIP on A : address: 1.1.1.1 Netmask 2.2.2.2
IPIP on B : address: 2.2.2.2 Netmask 1.1.1.1

With that, your routing should work when using interface ipip-tunnel1.

EDIT: No /24!

sniuras · Fri Jun 07, 2019 12:22 am

So tell me if im doing this right. On the router A, in the route list, i need to put 1.1.1.1 instead of ipip-tunnel. Not sure if im doing this correctly, because when i do this, gateway becomes "unreachable". But i believe the problem is as you say in my routes.

OK! Now that I've got my head out of the cloud, try this:
IPIP on A : address: 1.1.1.1 Netmask 2.2.2.2
IPIP on B : address: 2.2.2.2 Netmask 1.1.1.1

With that, your routing should work when using interface ipip-tunnel1.

EDIT: No /24!

Im not sure where or how do I put a netmask like 2.2.2.2 or 1.1.1.1. Could you please explain in more detail

AlainCasault · Fri Jun 07, 2019 12:39 am

Here's an export of my very basic config along with basic details.

__________________________________
ROUTER A

/interface ipip[
add name=ipip-tunnel1 remote-address=172.16.2.203
/ip address
add address=10.1.1.1 interface=ipip-tunnel1 network=10.2.2.2
/ip dhcp-client
add dhcp-options=clientid,hostname disabled=no interface=ether1
/system identity
set name=ROUTER-A

[admin@ROUTER-A] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 D 172.16.2.204/24 172.16.2.0 ether1
1 10.1.1.1/32 10.2.2.2 ipip-tunnel1

__________________________________
ROUTER B

/interface ipip
add name=ipip-tunnel1 remote-address=172.16.2.204
/ip address
add address=10.2.2.2 interface=ipip-tunnel1 network=10.1.1.1
/ip dhcp-client
add dhcp-options=clientid,hostname disabled=no interface=ether1
/system identity
set name=ROUTER-B

[admin@ROUTER-B] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 D 172.16.2.203/24 172.16.2.0 ether1
1 10.2.2.2/32 10.1.1.1 ipip-tunnel1

So this is how you can setup /32 addresses for your tunnel.
Understand that the 1.1.1.1 and 2.2.2.2 where just examples. DON'T use them as they are public (routable) IP addresses.
The netmask field, when using /32 addresses is ALWAYS the IP address of the other end of the tunnel.

Hope this helps.

Fix my mess please.

Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Re: Fix my mess please.

Who is online