Community discussions

MikroTik App
 
User avatar
jhill8
just joined
Topic Author
Posts: 13
Joined: Mon Sep 14, 2020 9:43 pm
Location: California
Contact:

router SSTP VPN Client connects and pings but does not route to JRC VPN

Wed Oct 14, 2020 11:11 pm

Dear support,
RouterBoard SSTP VPN Client connects and pings but does not route LAN to JRC VPN
I have made great progress with connecting to a Server 2016 SSTP VPN! I am very close. All config was done through WebFig.
These are the IP's assigned by the Server 2016:
Routerboard Local IP 192.168.5.252 Pingable from Server 2016. Good! Also pingable from RouterBoard LAN ports and Terminal.
Remote IP 192.168.5.10 Pingable from RouterBoard TERMINAL but not LAN ports
adding default route makes no difference in these results. See attached picture with Default Routes enabled.
Routerboard LAN is 192.168.88.0/24

I want any RouterBoard lan requests only in the range of 192.168.5.0/24 to be forwarded through the JRC VPN.
Thanks, John
You do not have the required permissions to view the files attached to this post.
 
tdw
Long time Member
Long time Member
Posts: 514
Joined: Sat May 05, 2018 11:55 am

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Wed Oct 14, 2020 11:38 pm

For your information the majority of forum support is by the community, not Mikrotik employees.

The default route via the VPN is inactive (DS not DAS), other than for ECMP you cannot have more than one active route to the same destination. Given you only wish to route some traffic via the VPN, remove this and add a static route of 192.168.5.0/24 with JRC vpn as the gateway.

You will either need a route back to your LAN subnet on the VPN server, or a masquerade NAT rule so your LAN traffic via the VPN appears to originate from the Mikrotik address (192.168.5.252 in this case) rather than the LAN subnet.
 
User avatar
jhill8
just joined
Topic Author
Posts: 13
Joined: Mon Sep 14, 2020 9:43 pm
Location: California
Contact:

Progress! Thanks TDW. router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 12:18 am

Thats progress! thanks TDW. Added route. see attached. The route added is one UNDER "ADDED MANUALLY"
The other route is created when the VPN connects and is not removable as it is dynamic. I tried.
Good News:
I can now ping from TERMINAL addresses other than and including the remote gateway.
Still cannot ping from LAN, unfortunately.
firewall issue? I disabled all the DROP rules and that did not help.

Server 2016 vpn access fine when from windows 10 clients, of course. So I don't really want to make server side changes if possible.

Thanks again, John
You do not have the required permissions to view the files attached to this post.
 
tippenring
Member Candidate
Member Candidate
Posts: 290
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 12:25 am

You probably want the static route to be 192.168.5.0/24 via 192.168.5.10. The JRC vpn interface is dynamic and will disappear when it is down, causing your route to change to a next hop value of unknown, and it will not recover. Setting the next hop to an IP will simply disable the route when the tunnel is down, and will make the route active again when the tunnel is up.
 
User avatar
jhill8
just joined
Topic Author
Posts: 13
Joined: Mon Sep 14, 2020 9:43 pm
Location: California
Contact:

making the change of the static route to be 192.168.5.0/24 via 192.168.5.10 made no change

Thu Oct 15, 2020 12:58 am

Hi Again,
making the change of the static route to be 192.168.5.0/24 via 192.168.5.10 made no change
Can still ping remote lan from TERMINAL but not from router board LAN 192.168.88.0/24
It did add a next hop entry in route table.
Thanks for your help, as always, John
 
tdw
Long time Member
Long time Member
Posts: 514
Joined: Sat May 05, 2018 11:55 am

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 1:12 am

You probably want the static route to be 192.168.5.0/24 via 192.168.5.10. The JRC vpn interface is dynamic and will disappear when it is down, causing your route to change to a next hop value of unknown, and it will not recover. Setting the next hop to an IP will simply disable the route when the tunnel is down, and will make the route active again when the tunnel is up.
No. With point-to-point interfaces you can specify the interface as a the gateway rather than an IP address. It correctly becomes disabled when the interface is down and active when the interface is up.
 
User avatar
jhill8
just joined
Topic Author
Posts: 13
Joined: Mon Sep 14, 2020 9:43 pm
Location: California
Contact:

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 1:15 am

Yes I made the change but no change in the results
Can still ping remote lan from TERMINAL but not from router board LAN 192.168.88.0/24
thanks, John
 
tippenring
Member Candidate
Member Candidate
Posts: 290
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 1:25 am

You probably want the static route to be 192.168.5.0/24 via 192.168.5.10. The JRC vpn interface is dynamic and will disappear when it is down, causing your route to change to a next hop value of unknown, and it will not recover. Setting the next hop to an IP will simply disable the route when the tunnel is down, and will make the route active again when the tunnel is up.
No. With point-to-point interfaces you can specify the interface as a the gateway rather than an IP address. It correctly becomes disabled when the interface is down and active when the interface is up.
That has not been my experience in the past, but admittedly, I haven't tried it in the last year or so.
 
tippenring
Member Candidate
Member Candidate
Posts: 290
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 1:28 am

Yes I made the change but no change in the results
Can still ping remote lan from TERMINAL but not from router board LAN 192.168.88.0/24
thanks, John
I suspect that your ping destination host is receiving your ping request, and is replying. A packet capture on the destination host will confirm that. It is likely that the remote router doesn't have a route to 192.168.88.0/24, so it sends the packet via its own default route somewhere else, like the internet.
 
tdw
Long time Member
Long time Member
Posts: 514
Joined: Sat May 05, 2018 11:55 am

Re: Progress! Thanks TDW. router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 1:32 am

Thats progress! thanks TDW. Added route. see attached. The route added is one UNDER "ADDED MANUALLY"
The other route is created when the VPN connects and is not removable as it is dynamic. I tried.
Good News:
I can now ping from TERMINAL addresses other than and including the remote gateway.
You likely have add-default-route=yes (or ticked in the web interface) for the SSTP client, disable it.

Still cannot ping from LAN, unfortunately.
firewall issue? I disabled all the DROP rules and that did not help.
Server 2016 vpn access fine when from windows 10 clients, of course. So I don't really want to make server side changes if possible.
It isn't the firewall. When using a VPN client on a Windows 10 machine the client traffic originates from the assigned VPN address so the VPN server knows where to return traffic to.

If the VPN server knows nothing of your 192.168.88.0/24 addresses traffic cannot be returned, hence the suggestion to use a masquerade NAT rule for traffic routed through the VPN interface so it appears to originate from the Mikrotik itself. The command-line rule would be
/ip firewall nat
add action=masquerade chain=srcnat out-interface="JRC vpn"

or you can use this as a guide for entry via the web interface.
 
tdw
Long time Member
Long time Member
Posts: 514
Joined: Sat May 05, 2018 11:55 am

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 1:35 am

With point-to-point interfaces you can specify the interface as a the gateway rather than an IP address. It correctly becomes disabled when the interface is down and active when the interface is up.
That has not been my experience in the past, but admittedly, I haven't tried it in the last year or so.
It is only applicable to point-to-point interfaces with a /32 netmask, it doesn't work for interfaces which are part of a subnet.
 
User avatar
jhill8
just joined
Topic Author
Posts: 13
Joined: Mon Sep 14, 2020 9:43 pm
Location: California
Contact:

Added NAT Masqerade via WebFig.

Thu Oct 15, 2020 3:31 am

Hi
When I add from the terminal
/ip firewall nat
add action=masquerade chain=srcnat out-interface="JRC vpn"
I get error: "input does not match any value of interface"
HOWEVER,
I added from webFig and it did not break anything, shows traffic but still no luck. Please see attached.
Did I miss anything?
I guess I don't understand why I can ping remote LAN just fine from the terminal. I am so close.

Thanks for all your help, John
You do not have the required permissions to view the files attached to this post.
 
tdw
Long time Member
Long time Member
Posts: 514
Joined: Sat May 05, 2018 11:55 am

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 12:07 pm

It is difficult to tell the name of the VPN interface from screen shots, apparently not "JRC vpn" from the error message you got. Entering a rule via the web interface is fine, and traffic appears to be hitting it as the packet/byte counters are non-zero, so something else isn't quite right.

The best way to provide information is to post the output of /export hide-sensitive in a code block (the [] icon in the toolbar when posting in the forum) rather than screen shots which don't give the full picture.
 
User avatar
jhill8
just joined
Topic Author
Posts: 13
Joined: Mon Sep 14, 2020 9:43 pm
Location: California
Contact:

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 5:26 pm

Okay i will try. the packets are making it the server 2016 RRAS but not returning from the server. something is wrong with the masquerade or something. The windows 10 clients work perfectly for years. Is there a way to export the config in just plain text?
these routers are a bear.
thanks, John
 
User avatar
jhill8
just joined
Topic Author
Posts: 13
Joined: Mon Sep 14, 2020 9:43 pm
Location: California
Contact:

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 5:28 pm

also copy and paste does not work in the terminal screen (firefox)
 
tippenring
Member Candidate
Member Candidate
Posts: 290
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 5:37 pm

Is there a way to export the config in just plain text?
As tdw said:
The best way to provide information is to post the output of /export hide-sensitive in a code block (the [] icon in the toolbar when posting in the forum) rather than screen shots which don't give the full picture.
Mikrotik routers are rather easy to configure, but routing does require one to understand networking fundamentals.
 
tdw
Long time Member
Long time Member
Posts: 514
Joined: Sat May 05, 2018 11:55 am

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Thu Oct 15, 2020 7:26 pm

also copy and paste does not work in the terminal screen (firefox)

Not sure why that would be, I use Winbox or SSH rather than the web interface.

You can export the configuration to a file with /export hide-sensitive file=somefilename and then download the resulting .rsc file from Files - it is drag & drop with Winbox, not sure how it works with the web interface.
 
User avatar
jhill8
just joined
Topic Author
Posts: 13
Joined: Mon Sep 14, 2020 9:43 pm
Location: California
Contact:

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Fri Oct 16, 2020 2:04 am

with source interface checkbox ticked in WebFig
i got this
/ip firewall nat
add action=masquerade chain=srcnat out-interface="!JRC vpn"

with it unticked
/ip firewall nat
add action=masquerade chain=srcnat out-interface="JRC vpn"
I guess I dont understand why ticking the box would do that
And it WORKS. thank you.

thanks, John
 
tdw
Long time Member
Long time Member
Posts: 514
Joined: Sat May 05, 2018 11:55 am

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Fri Oct 16, 2020 4:33 pm

I can't comment on how it appears in Webfig - in Winbox the equivalent control is either blank or "!", not a check mark.

It doesn't select whether or not to use an interface, it means 'not' so out-interface="!JRC vpn" means traffic leaving by any interface other than JRC vpn - the reverse of what was required.
 
User avatar
jhill8
just joined
Topic Author
Posts: 13
Joined: Mon Sep 14, 2020 9:43 pm
Location: California
Contact:

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Fri Oct 16, 2020 8:59 pm

Thanks TDW. Not exactly intuitive that tick a check box means NOT but now I know.
What a learning curve. Still not as bad as Juniper-yet at least.
Throughput is disappointing. Only get about %75 of the throughput that a Windows 10 client can get on the same test conditions.
Is there a CPU monitor somewhere in WebFig?
Any performance tweaks I can try?
Thanks for all your help, John.
 
tdw
Long time Member
Long time Member
Posts: 514
Joined: Sat May 05, 2018 11:55 am

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Fri Oct 16, 2020 9:57 pm

You haven't said which model Mikrotik you have, there is a wide range of CPU capabilities.

The best to worst performing VPN protocols supported are IPsec, OpenVPN, SSTP (I'm Ignoring PPTP and L2TP/MPPE which are insecure). Only some flavours of IPsec are supported with hardware acceleration on some models of Mikrotik (see https://wiki.mikrotik.com/wiki/Manual:I ... celeration), the other flavours of VPNs have no hardware acceleration.

I'm not sure where you would find it in Webfig, but in Winbox you can see CPU utilisation under System > Resources, CPU button. Double-click a CPU row (there is only one row on single-CPU models), Profile button shows use by task on that CPU.
 
User avatar
jhill8
just joined
Topic Author
Posts: 13
Joined: Mon Sep 14, 2020 9:43 pm
Location: California
Contact:

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Fri Oct 16, 2020 11:18 pm

Thanks again tdw
I have the very cute, just purchased, Mikrotik hEX RB750Gr3 5-port Ethernet Gigabit Router

Only getting 800kB/sec with the RouterBoard
Windows 10 client 1.2mB/sec same conditions. thats 1.2 m BYTEs
Obviously not super demanding here. Only a 10mb upstream internet connection at JRC. Thats 10 m BITs. The windows 10 SSTP client/server is very efficient here.
thanks, John

Who is online

Users browsing this forum: andynorwich, BrandonSk, JohnTRIVOLTA, okriso, pekr, sindy and 125 guests