I just built a VPN setup that terminates into a Watchguard device.
The setup looks as follows.
1. The VPN Client (RB751G) connects to the VPN Server which has the IP Address 212.53.XXX.XXX
2. The VPN Client obtains a tunnel IP (local & remote) of 10.1.30.3 (local) and 10.1.30.1 (remote)
3. All traffic that is produced by clients connected to the VPN Client gets routed out of the sstp-out interface
4. The VPN Server is connected to the Watchguard with the IP address 10.10.0.2, while the Watchguard has the IP 10.10.0.1
5. All traffic coming from the VPN Client with the IP address 10.1.30.3 to the VPN server is routed from the VPN Server to the Watchguard (10.1.30.0/24 to 10.10.0.1 on interface ether1)
So far so good, the funny thing is everything seems to be set up just fine, but the only traffic I can push through this construct is ICMP. I can see HTTP traffic traversing the interface to the Watchguard, but it doesn't reach the VPN Client. I am missing something but I don't know what.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes src-address=10.1.30.0/24 \
to-addresses=10.10.0.1
add action=masquerade chain=srcnat src-address=10.1.30.0/24 to-addresses=\
10.10.0.1
add action=masquerade chain=srcnat dst-address=10.1.30.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=0.0.0.0/0 \
new-routing-mark=vpn
add action=mark-routing chain=prerouting in-interface=ether1-Watchguard-egress \
new-routing-mark=vpn-out src-address=0.0.0.0/0
add action=mark-routing chain=prerouting new-routing-mark=vpn src-address=\
10.1.30.0/24
add action=mark-routing chain=prerouting dst-address=10.1.30.0/24 \
new-routing-mark=vpn-out
/ip route
add distance=1 dst-address=10.1.30.0/24 gateway=10.10.0.1 routing-mark=vpn
add distance=2 gateway=212.53.XXX.XXX
/ip route rule
add routing-mark=vpn table=vpn
 #      DST-ADDRESS        PREF-SRC        GATEWAY             DISTANCE
 0 A S  10.1.30.0/24                       10.10.0.1                  1
 1 A S  0.0.0.0/0                          212.53.151.1               2
 2 ADC  10.1.30.3/32       10.1.30.1       <sstp-test>                0
 3 ADC  10.10.0.0/24       10.10.0.2       ether1-Watchgua...         0
 4 ADC  172.16.30.0/24     172.16.30.6     local-bridge               0
 5 ADC  212.53.XXX.XXX/XX  212.53.XXX.XXX  ether2-gateway             0
 #     ADDRESS             NETWORK          INTERFACE
 0     212.53.XXX.XXX/XX   212.53.XXX.XXX   ether2-gateway
 1     172.16.30.6/24      172.16.30.0      ether8-vpn-gateway
 2     10.10.0.2/24        10.10.0.0        ether1-Watchguard-egress
 3 XI  212.53.XXX.XXX/XX   212.53.XXX.XXX   ether7-failover-gateway
 4 D   10.1.30.1/32        10.1.30.3        <sstp-test>