3 branch offices VLAN over PPTP?

Posted: Tue Oct 08, 2019 2:35 pm
by Techally
Hi, I'm trying to implement a request from a client.
His setup
Main Office:
RBD52G-5HacD2HnD
Fiber router in bridge mode so external IP is on Mikrotik WAN (eth1) 185.83.x.x
LAN IP : 192.168.92.1

Office1 :
RouterBOARD 941-2nD
Internet provider is a WiSP so eth1 is a 10.0.28.x address from external SXT
LAN IP: 192.168.98.1

Office2:
RBD52G-5HacD2HnD
Fiber router NOT in bridge so eth1 is a 192.168.1.x address
LAN IP: 192.168.94.1

All standalone networks and internet working perfectly.

Main Office is running a PPTP Server
Office1 PPTP client connected and Local IP 192.168.92.2 and Remote 192.168.92.3
Office2 PPTP client connected and Local IP 192.168.92.4 and Remote 192.168.92.5

Main office added static route
/ip route
add distance=1 dst-address=192.168.94.0/24 gateway=192.168.92.5 pref-src=192.168.92.4
add distance=1 dst-address=192.168.98.0/24 gateway=192.168.92.3 pref-src=192.168.92.2

Office1 added static route
/ip route
add distance=1 dst-address=192.168.92.0/24 gateway=192.168.92.2 pref-src=192.168.92.3

Office2 added static route
/ip route
add distance=1 dst-address=192.168.92.0/24 gateway=192.168.92.4 pref-src=192.168.92.5

All seems to be connecting and pinging correctly BUT..... the client needs to be able to RDP from a PC at Office 1 & a PC at Office 2 to his main PC in the Main Office.
That's it; he has no other requirements like printers or anything.
From every side I can ping; all 3 routers can ping each other, but one PC can't ping another PC (i.e. Office 1 PC can't ping Main Office PC).

What am I missing?
And should I be doing it a different way?
I have considered using VLAN but I've spent days going through various examples and can't get them to work properly either.
Is this a correct example to use an EoIP?

Any advice would be gratefully appreciated
Thanks

Re: 3 branch offices VLAN over PPTP?

Posted: Tue Oct 08, 2019 2:58 pm
by cdiedrich
Routing looks correct.
I'd rather say that this is a Windoze Firewall problem which by default does not accept incoming connections from non-local subnets.

-Chris

Re: 3 branch offices VLAN over PPTP?

Posted: Tue Oct 08, 2019 3:33 pm
by Techally
Yeah, I thought the same; I have added firewall rules to the Windows PC in the main office to make sure of that.

Am I missing a masquerade rule or something?
Although the client doesn't need access to them, there are printers on both sides (Main Office and Office 1) and they can't be pinged either. Like I say, all routers can ping each other.

Any comment on the VLAN or EoIP ideas?

Re: 3 branch offices VLAN over PPTP?

Posted: Tue Oct 08, 2019 3:47 pm
by cdiedrich
Bummer.
No, that's no EoIP scenario. Nor VLAN - VLANs are L2-local as well.
Try setting the tunnel interface as gateway in your routes instead of the remote IP of the tunnel.
-Chris

Re: 3 branch offices VLAN over PPTP?

Posted: Sat Oct 12, 2019 2:38 pm
by Techally
Hi,
I just wanted to post a reply as we fixed the issue (eventually).

So we visited the client's offices to make life easier, as previously we only had terminal access to the Office 1 & Office 2 routers.

The Office 1 router, it turns out, could ping in one direction to the Main Office client devices (printers, PC etc.) but packets were not coming back.
The Office 2 router could ping in any direction, but client devices on each side couldn't ping in either direction.

After many hours of going round in circles we reset the Office 1 & Office 2 routers and started again with the config, now using a different IP range to avoid any bad routes or NATs.
It turns out that the problems all along were the NAT masquerade rules on one side of the PPTP tunnels.
The traffic from Office 1 & Office 2 were both masquerading their IP, which ended up being replaced with their ISP routers' address (both were 192.168.1.1).

Removed the offending rules and voilà! All working.
Thanks for the assistance
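
The fix described in the post above can be checked before a site visit by auditing a branch router's NAT export for masquerade rules that also catch tunnel traffic. This is an added example, not part of the thread: the export text is constructed, and the interface names `ether1` and `pptp-out1`, the helper names, and the `192.168.98.10` address are assumptions; only the Main Office LAN `192.168.92.0/24` comes from the thread.

```python
import ipaddress
import shlex

# Constructed sample of a branch router's NAT export (not taken from the thread).
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="catch-all"
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=pptp-out1
add action=masquerade chain=srcnat dst-address=!192.168.92.0/24
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=192.168.98.10
"""

def parse_nat_rules(export):
    """Return each `add` line under /ip firewall nat as a dict of its key=value pairs."""
    rules, in_nat = [], False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return rules

def masquerades_tunnel(rule, tunnel_if, remote_lan):
    """True if this rule would rewrite the source of packets sent to remote_lan via tunnel_if."""
    if rule.get("chain") != "srcnat" or rule.get("action") != "masquerade":
        return False
    out_if = rule.get("out-interface")
    if out_if is not None and out_if != tunnel_if:
        return False  # scoped to another interface, e.g. the WAN port
    dst = rule.get("dst-address")
    if dst:
        negated, net = dst.startswith("!"), ipaddress.ip_network(dst.lstrip("!"), strict=False)
        remote = ipaddress.ip_network(remote_lan)
        if negated and remote.subnet_of(net):
            return False  # remote LAN is explicitly excluded from this rule
        if not negated and not remote.overlaps(net):
            return False  # rule only covers other destinations
    return True

def audit(export, tunnel_if="pptp-out1", remote_lan="192.168.92.0/24"):
    """Return 1-based positions of NAT rules that would hide branch hosts behind the router."""
    return [i for i, r in enumerate(parse_nat_rules(export), 1)
            if masquerades_tunnel(r, tunnel_if, remote_lan)]

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

Rules scoped only with `out-interface-list` are reported as well, because list membership is not resolved here; check those by hand.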

Re: 3 branch offices VLAN over PPTP?

Posted: Sun Oct 13, 2019 6:27 pm
by IPANetEngineer
Sometimes an onsite visit to see what issues people are having can make all the difference in the world.

Glad you figured it out :D