 
isaac509
just joined
Topic Author
Posts: 4
Joined: Tue May 08, 2007 8:33 pm

PPTP connections cannot access local subnet

Tue May 08, 2007 10:19 pm

Hello -

I followed the PPTP instructions posted on the Wiki, and I have a successful connection from a WinXP client to the Mikrotik. I can route traffic to the Internet, and I can successfully ping the local address of the Mikrotik (192.168.111.1).

However, I cannot access any of the other addresses in the 192.168.111.0/24 subnet. Some previous help on this forum refer to proxy-arp, and I believe that I have that turned on:

Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R WAN 1500 00:40:F4:B8:45:43 enabled
1 R ether2 1500 00:40:F4:B8:45:42 enabled
2 R LAN 1500 00:40:F4:B8:45:41 enabled
[admin@MikroTik] interface ethernet> /interface bridge
[admin@MikroTik] interface bridge> print
Flags: X - disabled, R - running
0 R name="lan" mtu=1500 arp=proxy-arp mac-address=00:40:F4:B8:45:43 stp=no
priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@MikroTik] interface bridge>

(ether2 is not connected to anything)

The WinXP box seems to know the correct route:

C:\Documents and Settings\isaac>tracert 192.168.111.1

Tracing route to 192.168.111.1 over a maximum of 30 hops

1 13 ms 13 ms 13 ms 192.168.111.1

Trace complete.

C:\Documents and Settings\isaac>tracert 192.168.111.125

Tracing route to 192.168.111.125 over a maximum of 30 hops

1 15 ms 14 ms 13 ms 192.168.111.1
2 * * * Request timed out.
3 *

I fear that I'm running into a problem with the interface names, or missing something obvious. I have triple checked the config as posted in the Wiki and I do not believe I have any typo errors.

Any advice would be appreciated, thank you!

- Isaac
 
usrox
just joined
Posts: 24
Joined: Sat Sep 17, 2005 7:59 am

Wed May 09, 2007 8:26 am

I have similar problems and I use NAT to reach the local network:

NAT-VPN-to-local
chain=srcnat out-interface=eth-local
src-address=10.xx.xx.82-10.xx.xx.85 action=src-nat
to-addresses=10.xx.xx.80 to-ports=0-65535

NAT-VPN-to-Public
chain=srcnat out-interface=eth-gateway
src-address=10.xx.xx.82-10.xx.xx.85 action=src-nat
to-addresses=[public-ip] to-ports=0-65535

(10.xx.xx.82-10.xx.xx.85 -> vpn client ip)
 
winxp2000
Member Candidate
Posts: 113
Joined: Mon Jan 30, 2006 8:57 pm
Location: China

Wed May 09, 2007 10:23 am

OK usrox:

As you know, you make a PPTP connection to a network.

But I do not know what type of IP you got from MT.

You can run the command in the WinXP command window as follows:

c:\ipconfig/all

Maybe you will find the IP and subnet as:

192.168.111.X
255.255.255.255

OK, the problem is here.

The solution: just change the VPN client IP to another net segment,

such as 192.168.112.X,

and make a new NAT rule for it.
 
usrox
just joined
Posts: 24
Joined: Sat Sep 17, 2005 7:59 am

Wed May 09, 2007 1:50 pm

My VPN client IPs (ip-pool) are in the same segment as my local network, 10.xx.xx.82-10.xx.xx.85. I just added the 2 NAT rules from my post before and it works perfectly.
 
isaac509
just joined
Topic Author
Posts: 4
Joined: Tue May 08, 2007 8:33 pm

NAT rules did not work

Thu May 10, 2007 10:26 pm

USRox, I was very excited to see your response, but this did not work :(

Here is my config:

[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=WAN action=masquerade

1 chain=srcnat out-interface=LAN src-address=192.168.111.150-191.168.111.199
action=src-nat to-addresses=192.168.111.1-192.168.111.254
to-ports=0-65535

2 chain=srcnat out-interface=WAN src-address=192.168.111.150-192.168.111.199
action=src-nat to-addresses=64.142.70.192 to-ports=0-65535

.. where 192.168.111.150-199 is my PPTP range, and 64.142.70.192 is my WAN IP address.

Did I miss something?

Thanks,

- Isaac
 
usrox
just joined
Posts: 24
Joined: Sat Sep 17, 2005 7:59 am

Fri May 11, 2007 7:26 am

For your first rule, try changing to-addresses=192.168.111.1-192.168.111.254 to something like to-addresses=192.168.111.1 <-- local IP on your local interface
 
isaac509
just joined
Topic Author
Posts: 4
Joined: Tue May 08, 2007 8:33 pm

Success!

Sat May 12, 2007 4:32 am

:D

So, I tried modifying the rule as USRox recommended, but I wasn't getting it. When USRox said 'local IP on local interface' I didn't understand that he meant 'some unused IP that is not in your PPTP pool'.

A guy in our NOC explained it to me: PPTP can get tricky, because even though your PPTP pool can be in your local LAN subnet, it has no layer 2 connection to that subnet. Therefore, ARP requests for 'local' addresses don't go anywhere even though it might be assumed that they could due to the fact that everybody is on the same subnet.

There are two ways around that. You can either NAT your VPN traffic through a local address that is otherwise unused to establish a layer 3 -> layer 2 bridge, or you can turn on proxy-ARP on the LAN and WAN interfaces.

I tried proxy-ARP and everything started working, even without the NAT rules. :D

I will note that one of the FAQ entries I encountered on this site early on implied this, but the actual Forum post was a 404 so I charged off in a different direction.

I hope this explanation makes sense and is not factually incorrect.

My next challenge is to establish working IPSec tunnels to a few Netgear FVS318 routers elsewhere on the network. I have sessions up but no traffic is passing yet.

Thanks to everybody who considered this, especially USRox for trying to show me the answer.

I'm really happy with the Mikrotik, it's flexible, reasonably easy to configure and once I get this IPSec problem out of the way I'll be able to retire my Pix 501's and Netgear FVS318's!

Best,

- Isaac
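The two workarounds described in this post (and the NAT rules usrox posted earlier), written out as a RouterOS configuration. This is an added example, not configuration taken from the thread or from MikroTik documentation; it assumes the poster's interface names (LAN, WAN), the 192.168.111.0/24 LAN, the router address 192.168.111.1 and the PPTP pool 192.168.111.150-192.168.111.199. The pool and profile names are assumptions.

```routeros
# Added example, not the poster's configuration. Assumed names and addresses:
# LAN port "LAN", WAN port "WAN", LAN subnet 192.168.111.0/24, router 192.168.111.1,
# PPTP pool 192.168.111.150-192.168.111.199 (drawn from the LAN subnet).

# The pool the PPTP server hands out and the profile that uses it
/ip pool add name=pptp-pool ranges=192.168.111.150-192.168.111.199
/ppp profile set default local-address=192.168.111.1 remote-address=pptp-pool

# Option A (what worked for the poster, no NAT needed): proxy-ARP on the LAN port.
# The tunnel clients have no layer 2 presence on the LAN, so nobody answers ARP
# for 192.168.111.150-199 until the router does it on their behalf and forwards
# the frames across the tunnel. Scoping it to LAN is enough for LAN reachability;
# enabling it on WAN as well makes the router answer ARP on the untrusted side too.
/interface ethernet set LAN arp=proxy-arp

# Option B (usrox's workaround): source-NAT the tunnel clients to an address the
# router already owns on the LAN wire, so return traffic resolves via normal ARP.
# The poster's first attempt used a range (…111.1-…111.254), which picks an address
# nobody answers for; a single owned address is what usrox meant.
/ip firewall nat add chain=srcnat src-address=192.168.111.150-192.168.111.199 \
    out-interface=LAN action=src-nat to-addresses=192.168.111.1 \
    comment="PPTP clients -> LAN hosts"
# Internet-bound tunnel traffic is already handled by the usual masquerade rule:
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade

# Checks once a client is connected: the ARP table should show LAN neighbours
# talking to the tunnel addresses (option A), or the counters on the src-nat rule
# should increase (option B).
/ip arp print where interface=LAN
/ip firewall nat print stats
```

Choose one option, not both. Option A keeps each VPN client's real address visible to LAN hosts, which is what you want for host logs and per-client firewall rules; option B hides every client behind the router's address, so LAN-side logs can no longer tell clients apart. The same layer 2 point applies to any VPN whose pool is carved out of the LAN subnet; PPTP's MS-CHAPv2 and MPPE have long been considered weak, so the configuration above is best read as the proxy-ARP pattern rather than a recommendation of PPTP itself.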
 
isaac509
just joined
Topic Author
Posts: 4
Joined: Tue May 08, 2007 8:33 pm

.. and now that I think about it...

Sat May 12, 2007 4:49 am

'winxp2000' was on the right track as well.

I surmise that changing the PPTP pool to a different logical subnet from the local one would probably establish the same layer 3 -> layer 2 bridge, but I'm not going to try it because things are working properly now.

Thanks,

- Isaac
