pptp vpn issue

moazdabsheh · Mon Mar 24, 2014 3:40 am

i have mikrotik 5.26 on x86
i'm using user manager for pppoe authentication and static ip addressing for some clients with reply-only for arp on lan card.

i'm trying to access wireless devices on the lan to that mikrotik throug h pptp, pptp connection established but i can't ping nor access the wireless devices on that mikrotik, though i can see them on neighborhood using winbox.

there is no filter rules in firewall - nat

what could possibly be wrong ?

SurferTim · Mon Mar 24, 2014 1:56 pm

Is the lan in question on the VPN server or the VPN client?

moazdabsheh · Mon Mar 24, 2014 2:42 pm

the vpn client, whenever i connect to pptp from outside the network i can't access the devices nor ping it, but when i'm connected to the LAN i can easily even without pptp connection.

SurferTim · Mon Mar 24, 2014 3:18 pm

Did you add the route to the localnet in "/ppp secret"? I have multiple networks on my clients, but to access them from my VPN server, I must add the network to "routes". For example, I have two networks on my VPN client test router. 192.168.3.1/24 and 192.168.5.1/24, so I had to add this to my entry in "/ppp secret" on the server, then disconnect and reconnect the VPN client.

/ppp secret
set 0 routes="192.168.3.0/24,192.168.5.0/24"

Check in "/ip route" on the VPN server after the reconnect to insure the new route is added as a dynamic route there.

moazdabsheh · Mon Mar 24, 2014 3:49 pm

i just did that and test it and the result is the same, no ping at Ubiqutie access points or even the mikrotik itself.
i noticed that i get subnet for my vpn connection /32 such as 255.255.255.255 !!!

SurferTim · Mon Mar 24, 2014 3:58 pm

Did you check the entries in "/ip route" on the server after the reconnect? Here is mine after the reconnect.
172.16.0.2/32 is the ip of the VPN client.
Note the routes for 192.168.3.0/24 and 192.168.5.0/24 have a gateway of 172.16.0.2.

[admin@test] /ip route> pri
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 68.99.58.97 1
1 ADC 68.99.58.96/27 68.99.58.119 ether1 0
2 ADC 172.16.0.2/32 172.16.0.1 mypptp 0
3 DC 192.168.0.0/24 192.168.0.1 wlan1 255
4 ADC 192.168.1.0/24 192.168.1.1 ether2 0
5 DC 192.168.2.0/24 192.168.2.1 ether3 255
6 ADS 192.168.3.0/24 172.16.0.2 1
7 ADS 192.168.5.0/24 172.16.0.2 1

moazdabsheh · Mon Mar 24, 2014 4:39 pm

yes, here is mine:

SurferTim · Mon Mar 24, 2014 4:45 pm

You know you will not be able to reach any 192.168.0.x ip through that VPN. That ip range is assigned to LAN 1.

moazdabsheh · Mon Mar 24, 2014 5:11 pm

no i didn't know.
that's my point of vpn.

what's the solution in this scenario ?
how do I access the 192.168.x.x devices that are connected to LAN 1 interface ?!

I'm trying to access these devices while i'm not on that mikrotik's network.

SurferTim · Mon Mar 24, 2014 9:16 pm

how do I access the 192.168.x.x devices that are connected to LAN 1 interface ?!

I'm trying to access these devices while i'm not on that mikrotik's network.

If you are not on the Mikrotik's network, what network are you on?

You set your VPN to accept all 192.168.x.x ips on the VPN client. What subnets are actually there?

moazdabsheh · Mon Mar 24, 2014 10:12 pm

Sometimes i'm in the office which is another city, and sometimes i'm home.
Thats why i need to access 192.168.4.x devices on the mikrotik's lan to view it's performance remotly as i'm there.

192.168.4.x for wireless access points and pptp clients.
192.168.0.x for static arp clients
10.10.10.x for pppoe user manager clients

SurferTim · Mon Mar 24, 2014 11:26 pm

So your VPN ip 192.168.4.9/32 is also in the same as one of your localnets? I don't think that will work. Do you have a 192.168.4.0/24 localnet somewhere in one of the routers?

moazdabsheh · Tue Mar 25, 2014 11:42 am

yes.

at the office i'm on 192.168.1.x/24
and at home i'm on 192.168.5.x/16

what do you suggest? change something ip address?

SurferTim · Tue Mar 25, 2014 12:41 pm

yes.

at the office i'm on 192.168.1.x/24
and at home i'm on 192.168.5.x/16

what do you suggest? change something ip address?

Yes. I would change the home setting to 192.168.5.x/24.

In the home router, it shouldn't cause any routing problems because the router will use the network that has the smallest subnet. (/24 is a smaller subnet than /16)

But in the home localnet computers, they will not know about the smaller subnet assigned in the router, so all localnet computers will think the 192.168.1.x ips are local, and will not use the router gateway.

edit: Insure you change the dhcp server on the home localnet so it will issue the correct subnet.

moazdabsheh · Tue Mar 25, 2014 3:37 pm

when you say (localnet) you mean the network i'm connected to other than mikrotik's network, right ?

SurferTim · Tue Mar 25, 2014 3:47 pm

when you say (localnet) you mean the network i'm connected to other than mikrotik's network, right ?

I'm not sure what you mean.
What make and model router do you have at home?
What make and model router do you have at work?

I'm talking about the localnet on your home router.

moazdabsheh · Tue Mar 25, 2014 3:59 pm

at home i have linksys wrt54g router.
at work we use d-link dsl router.

the mikrotik router is on a network not related to these networks, that's my whole point of vpn, to be able to access the devices connected to the mikrotik while i'm home or at the office.

SurferTim · Tue Mar 25, 2014 5:09 pm

Then this is not a Mikrotik issue. However, I can tell you that any router will have problems with your home router setup. You must change the localnet to 192.168.5.x/24, or the localnet will not route correctly to 192.168.1.x/24.

moazdabsheh · Tue Mar 25, 2014 5:28 pm

i will change my home router dhcp and gateway settings to 172.20.7.x/24 when i get home and give it a try.

moazdabsheh · Thu Mar 27, 2014 1:36 am

i changed the ip address, after pptp client connect i can ping 192.168.4.1 but i can't ping the others on the same subnet !!!
what would be wrong now ?!

moazdabsheh · Thu Oct 30, 2014 12:42 am

i still haven't solved this !
any help? someone?

docmarius · Thu Oct 30, 2014 8:16 am

You need to do a src-nat on your LAN interface for connection coming from the tunnel.
Devices on the LAN usually don't accept connections from devices outside their subnet.
Also make sure you have forward rules set, allowing traffic between tunnel and LAN, AND from LAN to the tunnel.

moazdabsheh · Fri Oct 31, 2014 12:10 am

can you please guide me how to do it since i'm a newbie in Mikrotik ?

pptp vpn issue

pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Re: pptp vpn issue

Who is online