axel50397

Join interface to VPN pool

Mon Mar 29, 2021 4:39 am

Sorry for the not very explicit title. Not expert in network here.

I’m on CHR on proxmox with 1 bridge on proxmox and 1 interface on CHR connected to the proxmox bridge.

On CHR, I created some PPP accounts (PPTP), which are attributed IPs from a “pool-vpn” and are all connected to a bridge-vpn (without physical interface). This part works, machines on the VPN can ping each other.

Now I have a VM and I would like its physical interface to be in the VPN subnet, is it possible and how can I do it?

I tried creating a lease on the physical interface dhcp, giving my VM’s an IP in the vpn subnet, the lease is given, but the VM can’t ping the router on its VPN IP. I’m confusing myself...
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Join interface to VPN pool [SOLVED]

Mon Mar 29, 2021 5:23 am

It may be your use of terminology but normally you would have a local subnet with one or more interfaces attached, then have an IP pool containing a range of the addresses from that subnet which can be assigned to VPN connections.

As anything directly attached to the local subnet assumes that everything else in that subnet is also directly attached you have to enable proxy-arp on the bridge containing the interfaces. This is so the Mikrotik can reply to ARP requests on behalf of the VPN connected devices - the VPN does not use ARP (or DHCP either).

Also, don't use PPTP as MSCHAPv2/MPPE authentication/encryption is really insecure.
 
axel50397

Re: Join interface to VPN pool

Mon Mar 29, 2021 9:44 am

> It may be your use of terminology but normally you would have a local subnet with one or more interfaces attached, then have an IP pool containing a range of the addresses from that subnet which can be assigned to VPN connections.
Maybe, sorry for that. Currently, the PPP profile used has a local address of 192.168.44.1 and a remote address of pool-vpn (192.168.44.10-192.168.44.200). I looked again: the interfaces created (type L2TP bindings) are independent and not part of any bridge... Is this the root of my problem?

> Also, don't use PPTP as MSCHAPv2/MPPE authentication/encryption is really insecure.
I needed something native for Windows, macOS and iOS; I think it’s the only common protocol, isn’t it?

Thanks for your help
 
tdw
Forum Guru

Re: Join interface to VPN pool

Mon Mar 29, 2021 1:48 pm

You can't add layer 3 / IP interfaces to a layer 2 / ethernet bridge, proxy-arp is the workaround when the VPN addresses overlap with the subnet on the layer 2 interface or bridge.

The more common way is to use different subnets for the local network and remote VPN connections, then let normal IP routing handle the forwarding. This does require static routes at the client end, or the client to use the VPN as the default gateway.

Reasonably recent versions of most OS support IPsec IKE2, there is information in the Mikrotik help pages and older wiki, plus numerous posts in the forum.
 
axel50397

Re: Join interface to VPN pool

Mon Mar 29, 2021 2:04 pm

> The more common way is to use different subnets for the local network and remote VPN connections, then let normal IP routing handle the forwarding. This does require static routes at the client end, or the client to use the VPN as the default gateway.
This is something I wanted to avoid, because I have to share the printers in an office (network printer behind a Mikrotik acting as VPN client) and a Windows Server, which is fine on VPN because I can add static routes on the server. But when users need to print from their machines to the printers in the VPN, I will need to configure .bat files for Windows and ppp hooks for UNIX based machines. I would have preferred to avoid more maintenance for me 😅

It seems that setting the VPN as default route is the solution there, it means I need more bandwidth on the VPN. More training from me to the users then!
 
tdw
Forum Guru

Re: Join interface to VPN pool

Mon Mar 29, 2021 3:00 pm

For Windows you can add persistent routes to a VPN connection with a PowerShell command; you could probably come up with a setup script which creates a VPN connection and adds the routes. Also for Windows you can configure VPN connections to add a class-based route instead of a default route if you don't want all of the client traffic to use the VPN connection.

If you are configuring Mikrotiks as VPN clients then adding static routes to them and a Windows server shouldn't be much additional work, however this may be a case where using proxy-arp with overlapping subnet and VPN addresses is beneficial.
 
axel50397

Re: Join interface to VPN pool

Mon Mar 29, 2021 8:25 pm

> For Windows you can add persistent routes to a VPN connection with a PowerShell command; you could probably come up with a setup script which creates a VPN connection and adds the routes. Also for Windows you can configure VPN connections to add a class-based route instead of a default route if you don't want all of the client traffic to use the VPN connection.
This is what I did on the server, thank you (using rasdial).

> If you are configuring Mikrotiks as VPN clients then adding static routes to them and a Windows server shouldn't be much additional work, however this may be a case where using proxy-arp with overlapping subnet and VPN addresses is beneficial.
Wait, I think I may have misunderstood the overlapping subnet/VPN thingy. Are you saying that I can give a VPN pool to the VPN clients, and give the same pool to a physical subnet, and they will be reachable by each other?
 
tdw
Forum Guru

Re: Join interface to VPN pool

Thu Apr 01, 2021 12:52 pm

Yes, although it doesn't have to be the same pool, just the same subnet.
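As an added example (not from the thread, not from MikroTik documentation), here is a RouterOS configuration of the layout tdw describes in his first and last replies: one /24 shared by the LAN bridge and the VPN pool, with proxy-arp on the bridge so the router answers ARP on behalf of VPN clients, and a LAN DHCP range kept disjoint from the VPN pool. The 192.168.44.x addresses come from axel50397's post; the names bridge-lan, ether1, pool-lan, profile-vpn and the L2TP/IPsec server are assumptions, and CHANGE_ME values are placeholders.

```routeros
# Assumed names: bridge-lan bridges the CHR interface (ether1) that faces the
# Proxmox bridge. arp=proxy-arp makes the router reply to ARP requests from
# LAN hosts for addresses that belong to VPN clients (the VPN does no ARP).
/interface bridge
add name=bridge-lan arp=proxy-arp comment="LAN + VPN share 192.168.44.0/24"
/interface bridge port
add bridge=bridge-lan interface=ether1

# One router address serves both LAN hosts and the PPP local-address.
/ip address
add address=192.168.44.1/24 interface=bridge-lan

# VPN pool from the thread; LAN DHCP pool must not overlap it, otherwise a
# LAN host and a VPN client can be handed the same address.
/ip pool
add name=pool-vpn ranges=192.168.44.10-192.168.44.200
add name=pool-lan ranges=192.168.44.201-192.168.44.250

/ip dhcp-server
add name=dhcp-lan interface=bridge-lan address-pool=pool-lan disabled=no
/ip dhcp-server network
add address=192.168.44.0/24 gateway=192.168.44.1

# PPP profile: local-address is the router's LAN address, remote-address
# draws from the same subnet as the LAN, which is what makes proxy-arp work.
/ppp profile
add name=profile-vpn local-address=192.168.44.1 remote-address=pool-vpn
/ppp secret
add name=user1 password=CHANGE_ME profile=profile-vpn service=l2tp

# Assumed tunnel type: L2TP with IPsec required, instead of the PPTP the
# thread advises against (tdw's recommendation is IKEv2; this keeps the
# example short and still avoids MPPE/MSCHAPv2-only protection).
/interface l2tp-server server
set enabled=yes default-profile=profile-vpn use-ipsec=required \
    ipsec-secret=CHANGE_ME

# Checks after a client connects: its address should appear here ...
/ppp active print
# ... and while a LAN host pings it, the router's proxy reply shows up as a
# published entry on the bridge.
/ip arp print where interface=bridge-lan
```

If a LAN host still cannot reach a VPN client, confirm the client's address was taken from pool-vpn and not from a DHCP lease on bridge-lan, since proxy-arp only covers addresses the router itself routes to a PPP interface.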
