
VPN Add Route - Cannot ping PC behind VPN

Posted: Mon Nov 23, 2015 1:31 pm
by sanketgroup
Hello
Attached is a network diagram.

In my scenario, one PC cannot ping another PC which is behind the VPN at the other site and has no gateway set up.

I tried a lot of things with route add, but none of them are working.
Please explain to me why.

See diagram.

Thanks


Image

Re: VPN Add Route - Cannot ping PC behind VPN

Posted: Mon Nov 23, 2015 6:32 pm
by pukkita
> In my scenario, one PC cannot ping another pc which is behind VPN at other site and has no gateway setup.

You have answered yourself... depending on your setup, proxy-arp could be a solution, but why not set a specific GW on PC3 to reach PC4's network?

Re: VPN Add Route - Cannot ping PC behind VPN

Posted: Tue Nov 24, 2015 6:03 am
by sanketgroup
I do not want to give internet access to those PCs, so I am not assigning a GW.

Also, one more thing:
a few clients are on a different GW; see the diagram below.
I also want those PCs that are on a different gateway to be accessible.
Importantly, I can do this on some other brand of VPN router but do not know how to do it in Mikrotik.
Image

Re: VPN Add Route - Cannot ping PC behind VPN

Posted: Tue Nov 24, 2015 6:18 pm
by pukkita
> i do not want to give internet access to those PCs so not assigning GW.

For that (and good practices) you'd better set the GW then restrict internet access for PC3 at the firewall...

Same for other devices, otherwise you're limiting those PCs from reaching Internet but also your management productivity...

What can you do with another brand VPN router? Will try to "translate" it to the mikrotik.

Re: VPN Add Route - Cannot ping PC behind VPN

Posted: Tue Nov 24, 2015 7:50 pm
by sanketgroup
With DD-WRT, using PPTP, a client on the other side can ping PCs at the server side which do not have a GW or are even on a different GW.

As you said proxy ARP can work, can you please explain how to do it? Or any other way to accomplish this.
Thanks for the replies.

Re: VPN Add Route - Cannot ping PC behind VPN

Posted: Thu Nov 26, 2015 1:21 am
by MTeeker
> i do not want to give internet access to those PCs so not assigning GW.

I am not familiar with proxy, but taking a step back.

I would stop Internet access on PC3 and PC5 using a firewall rule while still giving these PCs gateway addresses to enable ping.

/ip firewall filter
add action=drop chain=forward out-interface=WAN_interface_gateway protocol=tcp \
src-address=ip_address_of_PCx

(replace x with 3 or 5 on their immediately above router's firewall settings)

Ping should still work since it uses ICMP instead.
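
Added example, not part of MTeeker's post or of the original thread: a variant of the rule above that drops every protocol from the restricted PC toward the WAN instead of only TCP, so UDP traffic such as DNS is blocked as well, and logs each drop. It assumes the VPN shows up on the router as its own interface (so traffic to the remote site does not leave through `WAN_interface_gateway`); `ip_address_of_PCx` and `WAN_interface_gateway` are the placeholders from the post, while `remote_site_subnet` and the log prefix are placeholders added here.

```routeros
/ip firewall filter
# Rules in a chain are evaluated top to bottom and the first match decides,
# so both rules must sit above any general "accept" rule in the forward chain.

# 1. Let the restricted PC talk to the remote site over the VPN.
#    No protocol is given, so ICMP (ping) and everything else is allowed
#    toward that subnet only.
add chain=forward action=accept src-address=ip_address_of_PCx \
    dst-address=remote_site_subnet comment="PCx to remote VPN site"

# 2. Drop anything else from that PC that would leave through the WAN.
#    Omitting protocol= makes the rule match TCP, UDP and ICMP alike;
#    log=yes records each attempt so blocked Internet traffic is visible
#    in the router log under the given prefix.
add chain=forward action=drop src-address=ip_address_of_PCx \
    out-interface=WAN_interface_gateway log=yes log-prefix="PCx-wan-drop" \
    comment="PCx: no Internet access"
```

With the gateway set on the PC and these two rules on the router directly above it, ping to the remote site keeps working because that traffic matches rule 1 and leaves through the VPN interface, never reaching the drop rule.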