
router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Wed Oct 14, 2020 11:11 pm
by jhill8
Dear support,
RouterBoard SSTP VPN Client connects and pings but does not route LAN to JRC VPN
I have made great progress with connecting to a Server 2016 SSTP VPN! I am very close. All config was done through WebFig.
These are the IPs assigned by the Server 2016:
Routerboard Local IP 192.168.5.252 Pingable from Server 2016. Good! Also pingable from RouterBoard LAN ports and Terminal.
Remote IP 192.168.5.10 Pingable from RouterBoard TERMINAL but not LAN ports
Adding a default route makes no difference in these results. See attached picture with Default Routes enabled.
Routerboard LAN is 192.168.88.0/24

I want any RouterBoard LAN requests only in the range of 192.168.5.0/24 to be forwarded through the JRC VPN.
Thanks, John

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Wed Oct 14, 2020 11:38 pm
by tdw
For your information the majority of forum support is by the community, not Mikrotik employees.

The default route via the VPN is inactive (DS not DAS), other than for ECMP you cannot have more than one active route to the same destination. Given you only wish to route some traffic via the VPN, remove this and add a static route of 192.168.5.0/24 with JRC vpn as the gateway.

You will either need a route back to your LAN subnet on the VPN server, or a masquerade NAT rule so your LAN traffic via the VPN appears to originate from the Mikrotik address (192.168.5.252 in this case) rather than the LAN subnet.

Progress! Thanks TDW. router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 12:18 am
by jhill8
That's progress! Thanks TDW. Added route. See attached. The route added is the one UNDER "ADDED MANUALLY".
The other route is created when the VPN connects and is not removable as it is dynamic. I tried.
Good News:
I can now ping from TERMINAL addresses other than and including the remote gateway.
Still cannot ping from LAN, unfortunately.
Firewall issue? I disabled all the DROP rules and that did not help.

Server 2016 VPN access is fine from Windows 10 clients, of course. So I don't really want to make server-side changes if possible.

Thanks again, John

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 12:25 am
by tippenring
You probably want the static route to be 192.168.5.0/24 via 192.168.5.10. The JRC vpn interface is dynamic and will disappear when it is down, causing your route to change to a next hop value of unknown, and it will not recover. Setting the next hop to an IP will simply disable the route when the tunnel is down, and will make the route active again when the tunnel is up.

Making the change of the static route to be 192.168.5.0/24 via 192.168.5.10 made no change

Posted: Thu Oct 15, 2020 12:58 am
by jhill8
Hi Again,
Making the change of the static route to be 192.168.5.0/24 via 192.168.5.10 made no change.
Can still ping remote LAN from TERMINAL but not from RouterBoard LAN 192.168.88.0/24.
It did add a next hop entry in route table.
Thanks for your help, as always, John

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 1:12 am
by tdw
> You probably want the static route to be 192.168.5.0/24 via 192.168.5.10. The JRC vpn interface is dynamic and will disappear when it is down, causing your route to change to a next hop value of unknown, and it will not recover. Setting the next hop to an IP will simply disable the route when the tunnel is down, and will make the route active again when the tunnel is up.

No. With point-to-point interfaces you can specify the interface as the gateway rather than an IP address. It correctly becomes disabled when the interface is down and active when the interface is up.

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 1:15 am
by jhill8
Yes, I made the change but no change in the results.
Can still ping remote LAN from TERMINAL but not from RouterBoard LAN 192.168.88.0/24.
thanks, John

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 1:25 am
by tippenring
> You probably want the static route to be 192.168.5.0/24 via 192.168.5.10. The JRC vpn interface is dynamic and will disappear when it is down, causing your route to change to a next hop value of unknown, and it will not recover. Setting the next hop to an IP will simply disable the route when the tunnel is down, and will make the route active again when the tunnel is up.

> No. With point-to-point interfaces you can specify the interface as the gateway rather than an IP address. It correctly becomes disabled when the interface is down and active when the interface is up.

That has not been my experience in the past, but admittedly, I haven't tried it in the last year or so.

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 1:28 am
by tippenring
> Yes, I made the change but no change in the results.
> Can still ping remote LAN from TERMINAL but not from RouterBoard LAN 192.168.88.0/24.
> thanks, John

I suspect that your ping destination host is receiving your ping request, and is replying. A packet capture on the destination host will confirm that. It is likely that the remote router doesn't have a route to 192.168.88.0/24, so it sends the packet via its own default route somewhere else, like the internet.

Re: Progress! Thanks TDW. router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 1:32 am
by tdw
> That's progress! Thanks TDW. Added route. See attached. The route added is the one UNDER "ADDED MANUALLY".
> The other route is created when the VPN connects and is not removable as it is dynamic. I tried.
> Good News:
> I can now ping from TERMINAL addresses other than and including the remote gateway.

You likely have add-default-route=yes (or ticked in the web interface) for the SSTP client, disable it.

> Still cannot ping from LAN, unfortunately.
> Firewall issue? I disabled all the DROP rules and that did not help.
> Server 2016 VPN access is fine from Windows 10 clients, of course. So I don't really want to make server-side changes if possible.

It isn't the firewall. When using a VPN client on a Windows 10 machine the client traffic originates from the assigned VPN address so the VPN server knows where to return traffic to.

If the VPN server knows nothing of your 192.168.88.0/24 addresses traffic cannot be returned, hence the suggestion to use a masquerade NAT rule for traffic routed through the VPN interface so it appears to originate from the Mikrotik itself. The command-line rule would be
/ip firewall nat
add action=masquerade chain=srcnat out-interface="JRC vpn"

or you can use this as a guide for entry via the web interface.

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 1:35 am
by tdw
> With point-to-point interfaces you can specify the interface as the gateway rather than an IP address. It correctly becomes disabled when the interface is down and active when the interface is up.

> That has not been my experience in the past, but admittedly, I haven't tried it in the last year or so.

It is only applicable to point-to-point interfaces with a /32 netmask, it doesn't work for interfaces which are part of a subnet.

Added NAT Masquerade via WebFig.

Posted: Thu Oct 15, 2020 3:31 am
by jhill8
Hi
When I add from the terminal
/ip firewall nat
add action=masquerade chain=srcnat out-interface="JRC vpn"
I get the error: "input does not match any value of interface"
HOWEVER,
I added it from WebFig and it did not break anything; it shows traffic but still no luck. Please see attached.
Did I miss anything?
I guess I don't understand why I can ping the remote LAN just fine from the terminal. I am so close.

Thanks for all your help, John

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 12:07 pm
by tdw
It is difficult to tell the name of the VPN interface from screen shots, apparently not "JRC vpn" from the error message you got. Entering a rule via the web interface is fine, and traffic appears to be hitting it as the packet/byte counters are non-zero, so something else isn't quite right.

The best way to provide information is to post the output of /export hide-sensitive in a code block (the [] icon in the toolbar when posting in the forum) rather than screen shots which don't give the full picture.

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 5:26 pm
by jhill8
Okay, I will try. The packets are making it to the Server 2016 RRAS but not returning from the server. Something is wrong with the masquerade or something. The Windows 10 clients have worked perfectly for years. Is there a way to export the config in just plain text?
These routers are a bear.
thanks, John

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 5:28 pm
by jhill8
Also, copy and paste does not work in the terminal screen (Firefox).

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 5:37 pm
by tippenring
> Is there a way to export the config in just plain text?

As tdw said:

> The best way to provide information is to post the output of /export hide-sensitive in a code block (the [] icon in the toolbar when posting in the forum) rather than screen shots which don't give the full picture.
Mikrotik routers are rather easy to configure, but routing does require one to understand networking fundamentals.

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Thu Oct 15, 2020 7:26 pm
by tdw
> Also, copy and paste does not work in the terminal screen (Firefox).

Not sure why that would be, I use Winbox or SSH rather than the web interface.

You can export the configuration to a file with /export hide-sensitive file=somefilename and then download the resulting .rsc file from Files - it is drag & drop with Winbox, not sure how it works with the web interface.

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Fri Oct 16, 2020 2:04 am
by jhill8
With the source interface checkbox ticked in WebFig
I got this:
/ip firewall nat
add action=masquerade chain=srcnat out-interface="!JRC vpn"

With it unticked:
/ip firewall nat
add action=masquerade chain=srcnat out-interface="JRC vpn"
I guess I don't understand why ticking the box would do that.
And it WORKS. Thank you.

thanks, John

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Fri Oct 16, 2020 4:33 pm
by tdw
I can't comment on how it appears in Webfig - in Winbox the equivalent control is either blank or "!", not a check mark.

It doesn't select whether or not to use an interface, it means 'not' so out-interface="!JRC vpn" means traffic leaving by any interface other than JRC vpn - the reverse of what was required.
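
The three replies above (the static route via the point-to-point interface, the masquerade rule for traffic leaving "JRC vpn", and the "!" negation) can be checked against a small model of the router and of the RRAS server's return path. This is an added example written for this thread, not RouterOS code or anything from MikroTik: the interface name "JRC vpn", the router's VPN address 192.168.5.252 and the two subnets come from the thread, while the WAN interface name "ether1-gateway", the LAN host 192.168.88.10, the remote host 192.168.5.20 and the server's route table are constructed for illustration.

```python
# Added example (not from the thread or from MikroTik): a model of the
# route selection and srcnat masquerade behaviour the replies describe.
# "JRC vpn", 192.168.5.252, 192.168.5.0/24 and 192.168.88.0/24 come from
# the thread; every other name and address below is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    dst: str              # destination prefix, e.g. "192.168.5.0/24"
    gateway: str          # interface name (point-to-point) or next-hop IP
    active: bool = True   # RouterOS lists inactive routes without the 'A' flag


@dataclass
class NatRule:
    chain: str
    action: str
    out_interface: str    # "JRC vpn" matches it; "!JRC vpn" matches any other


# Router-side table after tdw's advice: the dynamic VPN default route is
# inactive (DS), the WAN default route stays active, and a static
# 192.168.5.0/24 route points at the point-to-point VPN interface.
ROUTER_ROUTES = [
    Route("0.0.0.0/0", "ether1-gateway"),          # constructed WAN uplink
    Route("0.0.0.0/0", "JRC vpn", active=False),   # added by the SSTP client
    Route("192.168.5.0/24", "JRC vpn"),            # the manually added route
    Route("192.168.88.0/24", "bridge"),            # connected LAN
]
ROUTER_VPN_ADDRESS = "192.168.5.252"   # address the server assigned (from thread)

# Constructed view of the RRAS server: it can reach the VPN pool and its own
# default route, but has no route back to 192.168.88.0/24.
SERVER_ROUTES = [
    Route("192.168.5.0/24", "sstp-pool"),
    Route("0.0.0.0/0", "internet"),
]


def select_route(routes, dst_ip):
    """Longest-prefix match over active routes, as a router does."""
    addr = ip_address(dst_ip)
    best = None
    for r in routes:
        net = ip_network(r.dst)
        if r.active and addr in net:
            if best is None or net.prefixlen > ip_network(best.dst).prefixlen:
                best = r
    return best


def interface_matches(spec, iface):
    """RouterOS-style interface matcher: a leading '!' negates the match."""
    if spec.startswith("!"):
        return iface != spec[1:]
    return iface == spec


def srcnat(rules, out_iface, src_ip, iface_addr):
    """First matching masquerade rule rewrites the source to the egress address."""
    for r in rules:
        if (r.chain == "srcnat" and r.action == "masquerade"
                and interface_matches(r.out_interface, out_iface)):
            return iface_addr
    return src_ip


def reply_comes_back(server_routes, src_ip):
    """The server's reply only reaches us if it is routed into the VPN pool."""
    r = select_route(server_routes, src_ip)
    return r is not None and r.gateway == "sstp-pool"


def ping_through_vpn(src_ip, dst_ip, nat_rules):
    """Trace one ping: router route lookup, srcnat, then the server's reply path."""
    route = select_route(ROUTER_ROUTES, dst_ip)
    if route is None or route.gateway != "JRC vpn":
        return {"egress": route.gateway if route else None, "reply": False}
    seen_by_server = srcnat(nat_rules, "JRC vpn", src_ip, ROUTER_VPN_ADDRESS)
    return {"egress": "JRC vpn",
            "source_seen_by_server": seen_by_server,
            "reply": reply_comes_back(SERVER_ROUTES, seen_by_server)}


GOOD_RULE = [NatRule("srcnat", "masquerade", "JRC vpn")]      # tdw's rule
NEGATED_RULE = [NatRule("srcnat", "masquerade", "!JRC vpn")]  # WebFig box ticked

if __name__ == "__main__":
    dst = "192.168.5.20"   # constructed host on the remote LAN
    print("terminal, no NAT:", ping_through_vpn(ROUTER_VPN_ADDRESS, dst, []))
    print("LAN, no NAT:     ", ping_through_vpn("192.168.88.10", dst, []))
    print("LAN, !JRC vpn:   ", ping_through_vpn("192.168.88.10", dst, NEGATED_RULE))
    print("LAN, JRC vpn:    ", ping_through_vpn("192.168.88.10", dst, GOOD_RULE))
```

Running it reproduces the thread's symptoms: a ping from the router's own terminal already carries 192.168.5.252 as its source, so it is answered without any NAT; a ping from the 192.168.88.0/24 LAN leaves with a source the server cannot route back to unless the masquerade rule matches the real egress interface, and the negated rule "!JRC vpn" leaves that LAN source untouched on exactly the interface where it needed rewriting.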

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Fri Oct 16, 2020 8:59 pm
by jhill8
Thanks TDW. Not exactly intuitive that ticking a check box means NOT, but now I know.
What a learning curve. Still not as bad as Juniper, yet at least.
Throughput is disappointing. Only get about 75% of the throughput that a Windows 10 client can get under the same test conditions.
Is there a CPU monitor somewhere in WebFig?
Any performance tweaks I can try?
Thanks for all your help, John.

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Fri Oct 16, 2020 9:57 pm
by tdw
You haven't said which model Mikrotik you have, there is a wide range of CPU capabilities.

The best to worst performing VPN protocols supported are IPsec, OpenVPN, SSTP (I'm ignoring PPTP and L2TP/MPPE which are insecure). Only some flavours of IPsec are supported with hardware acceleration on some models of Mikrotik (see https://wiki.mikrotik.com/wiki/Manual:I ... celeration), the other flavours of VPNs have no hardware acceleration.

I'm not sure where you would find it in Webfig, but in Winbox you can see CPU utilisation under System > Resources, CPU button. Double-click a CPU row (there is only one row on single-CPU models), Profile button shows use by task on that CPU.

Re: router SSTP VPN Client connects and pings but does not route to JRC VPN

Posted: Fri Oct 16, 2020 11:18 pm
by jhill8
Thanks again tdw
I have the very cute, just purchased, Mikrotik hEX RB750Gr3 5-port Ethernet Gigabit Router

Only getting 800 kB/sec with the RouterBoard.
Windows 10 client 1.2 MB/sec under the same conditions. That's 1.2 m BYTEs.
Obviously not super demanding here. Only a 10 Mb upstream internet connection at JRC. That's 10 m BITs. The Windows 10 SSTP client/server is very efficient here.
thanks, John