Watts
just joined
Topic Author
Posts: 10
Joined: Mon Aug 31, 2020 9:07 pm
Location: Dartmouth, NS

VPN and subnet have different netmasks

Mon Aug 31, 2020 9:53 pm

Good day, I am fairly new to using Mikrotik hardware. I have been asked to set up a VPN for one of our departments to access their subnet. The netmask of the public IP of our ISPs modem is /21 while the subnet to reach has a netmask of /29. The VPN will successfully connect and remote host gains the local private IP, but it won't communicate with the resources on that subnet. If I set the Open VPN netmask to match the /29 of the destination subnet, the VPN will not connect, it just loops.

I am under the impression that I will need to create a subnet between the public IP and the destination then create a bridge. My question is in two parts; firstly, is this assumption correct or is there a way to set the netmask to 21 and stop it looping? Secondly, if the assumption is correct, and the destination subnet is already on a bridge, will a second one create issues with communication?
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: VPN and subnet have different netmasks

Tue Sep 01, 2020 5:24 pm

Nope.
Just create a dedicated IP pool separate from your local subnet for vpn clients and let them use these addresses.
-Chris
 
Watts
just joined
Topic Author
Posts: 10
Joined: Mon Aug 31, 2020 9:07 pm
Location: Dartmouth, NS

Re: VPN and subnet have different netmasks

Thu Sep 03, 2020 9:15 pm

Sorry for the late reply, it took me some time to sort out other issues we experienced. Thank you for your response.

I was able to simply create a Pool and point the Secret at it. The remote host pulled the new IP, but it still doesn't see anything in the subnet. Not that I would expect it to without a Bridge or Route to allow traffic between the subnets, but I can't find a way to connect to the new Pool as a Bridge or Route requires an interface rather than an IP.

Sorry if I am missing something obvious here.
 
IPAsupport
Frequent Visitor
Posts: 62
Joined: Fri Sep 20, 2019 4:02 pm

Re: VPN and subnet have different netmasks

Fri Sep 04, 2020 1:27 am

You should have a new interface every time a new remote host connects to the router. Can you check that?
 
Watts
just joined
Topic Author
Posts: 10
Joined: Mon Aug 31, 2020 9:07 pm
Location: Dartmouth, NS

Re: VPN and subnet have different netmasks

Fri Sep 04, 2020 7:38 pm

When I connect to the VPN, I see an entry for it in the Interfaces List and the Address List. I created a bridge with the standard setup (like our other bridges) and in Bridge Ports pointed the new bridge to the VPN interface. When the VPN disconnects the port changes to Unknown, and does not change back to the VPN when the VPN reconnects.

I also tried setting up a route via Firewall Rules with the SrcAdd and DstAdd being the IP Pool and destination subnet, respectively, but it still wouldn't communicate to resources. I ran through a handful of the various actions to see if it made a difference but found nothing that worked. I left the chain as forward, but should it be changed to input or output?

I'm currently testing by including the new IP Pool in the bridge for the destination subnet, so I'll update when that concludes.
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: VPN and subnet have different netmasks

Fri Sep 04, 2020 7:42 pm

First:
You won't need any bridge for vpn access.
Instead of poking into the dark, please post an export of your config and let us know what you exactly want to achieve. "Doesn't see anything in the subnet" is still too vague.
Re-reading your initial post now makes me guess you want a site2site link?
If a second router is involved, post its config as well.
-Chris
 
Watts
just joined
Topic Author
Posts: 10
Joined: Mon Aug 31, 2020 9:07 pm
Location: Dartmouth, NS

Re: VPN and subnet have different netmasks

Fri Sep 04, 2020 10:16 pm

No, adding the new IP to the Bridge for the subnet didn't work.

When the VPN connects, I see entries for it in the Address List and Route List. If these are what the VPN is using, I don't know how to affect them. If I include them in a bridge, the bridge loses them when the VPN disconnects, and doesn't pick them back up. I can't edit the entries in the Route List and the Address List. Adding other entries for them in the Route and Address Lists has no effect.

The VPN is connecting to its own subnet, and I am unable to find a way for it to communicate outside of that subnet.
 
Watts
just joined
Topic Author
Posts: 10
Joined: Mon Aug 31, 2020 9:07 pm
Location: Dartmouth, NS

Re: VPN and subnet have different netmasks

Fri Sep 04, 2020 10:37 pm

My goal is to allow an employee from home to VPN into the office and access information from a laptop at 192.168.33.2, which is directly connected to Eth2 on the router. The VPN will only connect if the netmask is /21, to match the public IP from our ISP. But the 192.168.33.0 subnet has a mask of /29, so even if I have the VPN apply a .33.x IP they won't communicate. I created the 192.168.48.0/21 subnet for the VPN to connect to, and I have been trying to find a way to get that to communicate to the .33.0 subnet, to no avail.

Sorry for any confusion. I hope this helps.
# sep/04/2020 16:20:52 by RouterOS 6.44.3
# software id = CUYU-RBI1
#
# model = 435G
# serial number = 894109055921
/interface bridge
add arp=proxy-arp name=bridge1
add arp=proxy-arp name=bridge2
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp
set [ find default-name=ether3 ] arp=proxy-arp
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=[REDACTED] \
    wpa2-pre-shared-key=[REDACTED]
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=office supplicant-identity="" \
    wpa2-pre-shared-key=[REDACTED]
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=accounting supplicant-identity="" \
    wpa2-pre-shared-key=[REDACTED]
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-onlyn country=canada disabled=no \
    frequency=5825 ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6\
    ,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" \
    installation=outdoor mode=ap-bridge security-profile=office ssid=Site2020 \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyn country=canada disabled=no \
    frequency=5260 hide-ssid=yes ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs\
    -4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15\
    " installation=outdoor mode=ap-bridge security-profile=accounting ssid=\
    Site2020a wireless-protocol=802.11
set [ find default-name=wlan3 ] disabled=no mode=ap-bridge security-profile=\
    office ssid=Site2020_2_4GHz wps-mode=disabled
/ip pool
add name=dhcp_pool1 ranges=192.168.33.3-192.168.33.6
add name=dhcp_pool2 ranges=192.168.22.40-192.168.22.254
add name=pool3 ranges=192.168.48.0/21
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge2 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether2
add bridge=bridge2 interface=wlan2
add bridge=bridge2 interface=ether3
add bridge=bridge1 interface=wlan3
/interface detect-internet
set detect-interface-list=all lan-interface-list=all
/interface ovpn-server server
set auth=sha1 certificate=[REDACTED] cipher=aes256 enabled=yes netmask=21 \
    require-client-certificate=yes
/ip address
add address=192.168.22.1/24 interface=bridge1 network=192.168.22.0
add address=192.168.33.1/29 interface=bridge2 network=192.168.33.0
add address=192.168.44.1/24 interface=bridge1 network=192.168.44.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.33.2 client-id=1:a0:2b:b8:2f:77:aa mac-address=\
    A0:2B:B8:2F:77:AA server=dhcp2
/ip dhcp-server network
add address=192.168.22.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.22.1
add address=192.168.33.0/29 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.33.1
/ip firewall filter
add action=drop chain=input dst-address=192.168.33.0/29 log=yes src-address=\
    192.168.22.0/24
add action=drop chain=input dst-address=192.168.22.0/24 src-address=\
    192.168.33.0/29
add action=drop chain=forward protocol=rdp src-address=!192.168.0.0/16
add action=log chain=forward dst-address=10.10.33.2 protocol=rdp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.22.0/24 src-address-list=""
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.33.0/29
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.44.0/24
add action=masquerade chain=srcnat disabled=yes
/ip route
add distance=1 gateway=[REDACTED]
add distance=2 gateway=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ppp secret
add local-address=192.168.48.1 name=[REDACTED] password=\
    [REDACTED] remote-address=192.168.48.2 routes=\
    Bridge2 service=ovpn
/system clock
set time-zone-name=America/Halifax
/system console
set [ find ] disabled=yes
/tool bandwidth-server
set enabled=no
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: VPN and subnet have different netmasks

Fri Sep 04, 2020 11:33 pm

The OpenVPN server netmask has absolutely nothing to do with the WAN subnet mask - for example one router we have is configured with a /32 WAN IP and /30 routed public IP, the VPN local client addresses are a /26 and Open VPN server netmask is /20, encompassing the local client addresses, to allow access to the local subnets.

The proxy-arp settings are redundant if the VPN client address is not part of any local subnet, so best removed.

The routes=Bridge2 parameter in /ppp secret is completely incorrect syntax, and also irrelevant for Open VPN connections as they have been shoehorned into the Mikrotik PPP model and have no effect - any routes not encompassed by the server netmask require routes to be defined in the client configuration.
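The routed (not bridged) layout tdw describes, written out as an added RouterOS 6 configuration example. This is not the poster's config and not MikroTik documentation: the pool range, the /24 server netmask, the profile name "ovpn-dept", the certificate name "server-cert" and the user/password are assumptions chosen for illustration. It puts VPN clients in their own pool, drops the proxy-arp settings that only matter when clients share a LAN subnet, and filters the VPN-to-LAN traffic in the forward chain, which is where traffic between two subnets of the router actually traverses (input only sees packets addressed to the router itself):

```routeros
# Added example, not the poster's config. Assumes 192.168.48.0/24 as the
# dedicated VPN client range, server netmask 24, profile "ovpn-dept",
# a server certificate named "server-cert" and a placeholder secret.

# 1. Dedicated client pool, separate from every local subnet.
#    192.168.48.1 is kept out of the range because it is the server side.
/ip pool
add name=ovpn_pool ranges=192.168.48.10-192.168.48.100

# 2. A PPP profile hands out the pool; the secret just references it.
/ppp profile
add name=ovpn-dept local-address=192.168.48.1 remote-address=ovpn_pool

# 3. Server netmask must encompass the client addresses (here /24 covers
#    192.168.48.0-192.168.48.255); it is unrelated to the WAN mask.
/interface ovpn-server server
set enabled=yes netmask=24 auth=sha1 cipher=aes256 \
    require-client-certificate=yes certificate=server-cert

# 4. No routes= parameter: it has no effect for service=ovpn.
/ppp secret
add name=dept-user password=CHANGE-ME profile=ovpn-dept service=ovpn

# 5. proxy-arp is only needed when VPN clients live inside a LAN subnet;
#    with a separate pool the router simply routes, so use plain ARP.
/interface bridge
set bridge2 arp=enabled
/interface ethernet
set [ find default-name=ether2 ] arp=enabled
set [ find default-name=ether3 ] arp=enabled

# 6. VPN clients may reach the department /29 and nothing else.
#    Rules are evaluated in order; these are appended after any
#    rules already present in /ip firewall filter.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for allowed VPN sessions"
add chain=forward src-address=192.168.48.0/24 dst-address=192.168.33.0/29 \
    action=accept comment="VPN clients -> department subnet"
add chain=forward src-address=192.168.48.0/24 action=drop \
    comment="VPN clients reach nothing else"
```

With this in place the router already has a connected route to 192.168.33.0/29 via bridge2 and a dynamic /32 route to each client when it connects, so no static route or bridge is needed on the RouterOS side. The client, however, only learns the tunnel subnet from the pushed netmask; 192.168.33.0/29 lies outside it, so, as tdw says, the client configuration must carry a route for it (the `route 192.168.33.0 255.255.255.248` line that resolves the thread).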
 
Watts
just joined
Topic Author
Posts: 10
Joined: Mon Aug 31, 2020 9:07 pm
Location: Dartmouth, NS

Re: VPN and subnet have different netmasks

Mon Sep 07, 2020 3:39 pm

> The OpenVPN server netmask has absolutely nothing to do with the WAN subnet mask - for example one router we have is configured with a /32 WAN IP and /30 routed public IP, the VPN local client addresses are a /26 and Open VPN server netmask is /20, encompassing the local client addresses, to allow access to the local subnets.

It doesn't make sense for it to have nothing to do with it. If I change the OVPN Netmask to anything else, it no longer connects. If I could make the VPN Netmask /29 and point it at .33.0 it would make this all much easier.

> The proxy-arp settings are redundant if the VPN client address is not part of any local subnet, so best removed.

We were originally attempting to get the VPN to connect directly to .33.0 but when it failed we tried another approach, and this is a hold over from the first attempt. I will change the proxy settings and see what happens.

> The routes=Bridge2 parameter in /ppp secret is completely incorrect syntax, and also irrelevant for Open VPN connections as they have been shoehorned into the Mikrotik PPP model and have no effect - any routes not encompassed by the server netmask require routes to be defined in the client configuration.

I'll remove the route and look into routing via client config.


Thanks for the tips.
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: VPN and subnet have different netmasks

Mon Sep 07, 2020 4:15 pm

> > The OpenVPN server netmask has absolutely nothing to do with the WAN subnet mask - for example one router we have is configured with a /32 WAN IP and /30 routed public IP, the VPN local client addresses are a /26 and Open VPN server netmask is /20, encompassing the local client addresses, to allow access to the local subnets.
>
> It doesn't make sense for it to have nothing to do with it. If I change the OVPN Netmask to anything else, it no longer connects. If I could make the VPN Netmask /29 and point it at .33.0 it would make this all much easier.

When you say it doesn't connect does it not pass traffic, or does it fail to establish a connection. What errors do you see on the Mikrotik and client? Are you connecting from an outside address or internally?

> > The proxy-arp settings are redundant if the VPN client address is not part of any local subnet, so best removed.
>
> We were originally attempting to get the VPN to connect directly to .33.0 but when it failed we tried another approach, and this is a hold over from the first attempt. I will change the proxy settings and see what happens.

If you wanted to use the 192.168.33.0/29 subnet for both the VPN and local network proxy-arp would only be required on bridge2.
 
Watts
just joined
Topic Author
Posts: 10
Joined: Mon Aug 31, 2020 9:07 pm
Location: Dartmouth, NS

Re: VPN and subnet have different netmasks

Mon Sep 07, 2020 4:36 pm

Our VPN is connecting to the .33.0 subnet!!
Adding the route to the config file did the trick.
I simply had to add route 192.168.33.0 255.255.255.248 to the client config file.

Thanks so very much to everyone for your help on this. It was invaluable.
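The rule that resolved the thread, generalised: a client only has an on-link route for the tunnel network it derives from its pushed address and the server netmask, so every LAN subnet outside that network needs an explicit `route` line on the client, while subnets inside it (tdw's /20-covering-a-/26 case) need none. The following is an added Python helper, not code from the thread or from MikroTik; it uses only the standard `ipaddress` module, and the addresses fed to it in the usage block are the ones from this thread plus a constructed set mirroring tdw's example.

```python
"""Work out which LAN subnets an OpenVPN client needs explicit 'route' lines for.

Added example (not from the forum thread). Model: RouterOS pushes the client
its remote-address from the PPP secret together with the OpenVPN server
netmask; the client treats that network as on-link via the tunnel and knows
nothing else unless the client config adds 'route <net> <mask>' lines.
"""
import ipaddress
from typing import Iterable, List


def tunnel_network(client_addr: str, server_netmask: int) -> ipaddress.IPv4Network:
    """Network the client believes is reachable directly over the tunnel."""
    return ipaddress.ip_network(f"{client_addr}/{server_netmask}", strict=False)


def routes_needed(client_addr: str, server_netmask: int,
                  lan_subnets: Iterable[str]) -> List[str]:
    """Return OpenVPN client-config 'route' lines for every LAN subnet that
    lies outside the tunnel network.  Subnets already encompassed by the
    server netmask are skipped because the on-link route covers them."""
    tun = tunnel_network(client_addr, server_netmask)
    lines = []
    for cidr in lan_subnets:
        net = ipaddress.ip_network(cidr)
        if net.subnet_of(tun):
            continue
        # OpenVPN config syntax uses a dotted mask, not a prefix length.
        lines.append(f"route {net.network_address} {net.netmask}")
    return lines


def pool_conflicts(pool_cidr: str, lan_subnets: Iterable[str]) -> List[str]:
    """LAN subnets that overlap the VPN client pool.  A non-empty result means
    clients share a subnet with a LAN and would need proxy-arp instead of
    plain routing; the thread's advice is to keep the pool separate."""
    pool = ipaddress.ip_network(pool_cidr)
    return [c for c in lan_subnets if ipaddress.ip_network(c).overlaps(pool)]


if __name__ == "__main__":
    # Values from the thread: client 192.168.48.2, server netmask /21,
    # department subnet 192.168.33.0/29 and office subnet 192.168.22.0/24.
    for line in routes_needed("192.168.48.2", 21,
                              ["192.168.33.0/29", "192.168.22.0/24"]):
        print(line)
    # Constructed values mirroring tdw's description: /20 server netmask
    # encompassing a /26 client range and the local subnets -> no routes.
    print(routes_needed("10.0.1.66", 20, ["10.0.2.0/24", "10.0.3.0/24"]))
    print(pool_conflicts("192.168.48.0/21", ["192.168.33.0/29", "192.168.22.0/24"]))
```

For the thread's numbers the first call prints `route 192.168.33.0 255.255.255.248` (the line that fixed the problem) and a second line for the office /24, which the OP would omit if VPN users are meant to reach only the department subnet; the router-side forward-chain filter, not the client's route table, is what actually enforces that restriction.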
