dreams3577
just joined
Topic Author
Posts: 6
Joined: Fri May 29, 2020 12:51 pm

PPTP VPN Netbios/DNS Issue

Thu May 27, 2021 12:49 am

Evening All

I have enabled VPN on the office MikroTik router using the quick set option
The LAN IP Pool is 192.168.1.1/24
The VPN Pool is 192.168.89.1/24
My Home LAN IP is 192.168.0.1/24

From home I have set up the Windows 10 VPN client with the office WAN IP, username and password and I am able to connect.
Once connected, I am able to ping devices on the office LAN, can access shares via \\IP ADDRESS, can RDP using the office device LAN address, and I have internet access.

My issue is that when connected to the VPN from home, when I click on "Network" in File Explorer, I am unable to see any office LAN devices, I am unable to ping office LAN devices via hostname, and I cannot access shares via \\hostname.

Is this a NetBIOS issue, i.e. the MikroTik firewall blocking the traffic, or something else?

Thank you for any help you are able to offer

Steve
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: PPTP VPN Netbios/DNS Issue

Thu May 27, 2021 1:21 am

Network browsing will only show devices in the same broadcast domain, so you will not see devices in different subnets. Not being able to resolve hostnames, if they are internal to your office network, is likely to be incorrect DNS server(s) being passed from the office Mikrotik when the VPN connection is established.

Also, whilst PPTP is an easy VPN protocol to set up, the MSCHAPv2 password and MPPE encryption have not been considered secure for years; consider using something better.
 
dreams3577
just joined
Topic Author
Posts: 6
Joined: Fri May 29, 2020 12:51 pm

Re: PPTP VPN Netbios/DNS Issue

Thu May 27, 2021 9:52 am

Hi..

Thanks for the reply. I understand the lack of PPTP security; however, what I haven’t said is that I first set up an SSTP and that didn’t allow me to resolve hostnames either. I also tried L2TP with the same issue, therefore I deleted all the config for the SSTP and I'm trying to troubleshoot via the simple PPTP.

I have set the office LAN IP pool to serve the VPN and I am still unable to resolve office device hostnames.

The LAN IP Pool is 192.168.1.1/24
The VPN is now using the LAN Pool, 192.168.1.1/24
My Home LAN IP is 192.168.0.1/24

Thanks
Steve
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: PPTP VPN Netbios/DNS Issue

Thu May 27, 2021 12:29 pm

As you have found, changing the type of VPN will not fix a configuration error in issuing DHCP server information to the client. Overlapping the office LAN subnet range with the VPN clients introduces additional complexity, requiring proxy-arp, otherwise devices on the subnet are unable to communicate with the VPN clients.

Post the output of /export hide-sensitive in a code block (the [] icon above the text box in the forum).
 
dreams3577
just joined
Topic Author
Posts: 6
Joined: Fri May 29, 2020 12:51 pm

Re: PPTP VPN Netbios/DNS Issue

Thu May 27, 2021 2:21 pm

Thank you for your help..

output of /export hide-sensitive plus I have * WAN IP and radius details
MikroTik RouterOS 6.46.6 (c) 1999-2020       http://www.mikrotik.com/

[admin] > /export hide-sensitive
# may/27/2021 11:52:51 by RouterOS 6.46.6
# software id = NRVV-RBMV
#
# model = CRS326-24G-2S+
# serial number = ********

/interface bridge
add admin-mac=B8:69:F4:08:55:56 arp=proxy-arp auto-mac=no comment=defconf name=bridge2 protocol-mode=none
add admin-mac=B8:69:F4:08:55:56 arp=proxy-arp auto-mac=no comment=defconf name=localbridge protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] mac-address=B8:69:F4:08:55:56 speed=100Mbps
set [ find default-name=ether2 ] mac-address=B8:69:F4:08:55:57 speed=100Mbps
set [ find default-name=ether3 ] mac-address=B8:69:F4:08:55:58 speed=100Mbps
set [ find default-name=ether4 ] mac-address=B8:69:F4:08:55:59 speed=100Mbps
set [ find default-name=ether5 ] mac-address=B8:69:F4:08:55:5A speed=100Mbps
set [ find default-name=ether6 ] mac-address=B8:69:F4:08:55:5B speed=100Mbps
set [ find default-name=ether7 ] mac-address=B8:69:F4:08:55:5C speed=100Mbps
set [ find default-name=ether8 ] mac-address=B8:69:F4:08:55:5D speed=100Mbps
set [ find default-name=ether9 ] mac-address=B8:69:F4:08:55:5E speed=100Mbps
set [ find default-name=ether10 ] mac-address=B8:69:F4:08:55:5F speed=100Mbps
set [ find default-name=ether11 ] mac-address=B8:69:F4:08:55:60 speed=100Mbps
set [ find default-name=ether12 ] mac-address=B8:69:F4:08:55:61 speed=100Mbps
set [ find default-name=ether13 ] mac-address=B8:69:F4:08:55:62 speed=100Mbps
set [ find default-name=ether14 ] mac-address=B8:69:F4:08:55:63 speed=100Mbps
set [ find default-name=ether15 ] mac-address=B8:69:F4:08:55:64 speed=100Mbps
set [ find default-name=ether16 ] mac-address=B8:69:F4:08:55:65 speed=100Mbps
set [ find default-name=ether17 ] mac-address=B8:69:F4:08:55:66 speed=100Mbps
set [ find default-name=ether18 ] mac-address=B8:69:F4:08:55:67 speed=100Mbps
set [ find default-name=ether19 ] mac-address=B8:69:F4:08:55:68 speed=100Mbps
set [ find default-name=ether20 ] mac-address=B8:69:F4:08:55:69 speed=100Mbps
set [ find default-name=ether21 ] mac-address=B8:69:F4:08:55:6A speed=100Mbps
set [ find default-name=ether22 ] mac-address=B8:69:F4:08:55:6B speed=100Mbps
set [ find default-name=ether23 ] mac-address=B8:69:F4:08:55:6C speed=100Mbps
set [ find default-name=ether24 ] l2mtu=1588 mac-address=B8:69:F4:08:55:6D speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] mac-address=B8:69:F4:08:55:6E speed=10Gbps
set [ find default-name=sfp-sfpplus2 ] mac-address=B8:69:F4:08:55:6F speed=10Gbps


/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=**********@**************


/interface list
add name=WAN
add name=LAN


/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik


/ip dhcp-server option
add code=150 name=TFTP value="'192.168.1.101'"


/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot


/ip pool
add name=dhcp ranges=192.168.1.115-192.168.1.199
add name=pool2 ranges=192.168.2.100-192.168.2.199


/ip dhcp-server
add address-pool=dhcp disabled=no interface=localbridge name=dhcp
add address-pool=pool2 disabled=no interface=bridge2 name=dhcp2


/ppp profile
set *FFFFFFFE local-address=192.168.1.1 remote-address=dhcp


/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"


/interface bridge port
add bridge=localbridge comment=defconf disabled=yes interface=ether1
add bridge=localbridge comment=defconf interface=ether2
add bridge=localbridge comment=defconf interface=ether3
add bridge=localbridge comment=defconf interface=ether4
add bridge=localbridge comment=defconf interface=ether5
add bridge=localbridge comment=defconf interface=ether6
add bridge=localbridge comment=defconf interface=ether7
add bridge=localbridge comment=defconf interface=ether8
add bridge=localbridge comment=defconf interface=ether9
add bridge=bridge2 comment=defconf interface=ether10
add bridge=localbridge comment=defconf interface=ether11
add bridge=localbridge comment=defconf interface=ether12
add bridge=localbridge comment=defconf interface=ether13
add bridge=localbridge comment=defconf interface=ether14
add bridge=localbridge comment=defconf interface=ether15
add bridge=localbridge comment=defconf interface=ether16
add bridge=localbridge comment=defconf interface=ether17
add bridge=localbridge comment=defconf interface=ether18
add bridge=localbridge comment=defconf interface=ether19
add bridge=localbridge comment=defconf interface=ether20
add bridge=localbridge comment=defconf interface=ether21
add bridge=localbridge comment=defconf interface=ether22
add bridge=localbridge comment=defconf interface=ether23
add bridge=localbridge comment=defconf interface=sfp-sfpplus1
add bridge=localbridge comment=defconf interface=sfp-sfpplus2
add bridge=localbridge interface=ether24


/interface bridge vlan
add tagged=ether10 vlan-ids=30,31,32,33


/interface l2tp-server server
set enabled=yes use-ipsec=yes


/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=pppoe-out1 list=WAN
add interface=localbridge list=LAN


/interface pptp-server server
set enabled=yes


/interface sstp-server server
set default-profile=default-encryption enabled=yes


/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=192.168.2.1/24 interface=bridge2 network=192.168.2.0


/ip arp
add address=192.168.1.100 interface=localbridge mac-address=5C:26:0A:4C:62:13


/ip cloud
set ddns-enabled=yes


/ip dhcp-client
add interface=ether1


/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1 netmask=24


/ip dns
set servers=8.8.8.8


/ip dns static
add address=192.168.1.101 name=Phone1
add address=192.168.1.201 name=********** ttl=52w1d


/ip firewall address-list
add address=192.168.1.0/24 list=vlan100
add address=192.168.200.0/24 list=vlan200


/ip firewall filter
add action=accept chain=forward dst-address=192.168.1.201 src-address=192.168.2.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="grandstream gateway to 3cx" dst-address=192.168.1.201 src-address=******
add action=accept chain=input dst-port=3190 protocol=tcp
add action=accept chain=input src-address=192.168.1.0/24


/ip firewall mangle
add action=change-mss chain=forward disabled=yes in-interface=pppoe-out1 new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1411-65535
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1411-65535


/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.2 to-ports=80
add action=dst-nat chain=dstnat dst-port=51820 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.80 to-ports=51820
add action=dst-nat chain=dstnat dst-port=1194 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.2.254 to-ports=1194
add action=dst-nat chain=dstnat dst-port=5000,5001,5060,5061,5090 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.201
add action=dst-nat chain=dstnat dst-port=5000,5001,5060,5061,5090 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.201
add action=dst-nat chain=dstnat dst-port=9000-10999 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.201 to-ports=9000-10999
add action=dst-nat chain=dstnat dst-port=10001-10005 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.15 to-ports=10001-10002
add action=dst-nat chain=dstnat dst-port=12000-12005 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.21
add action=masquerade chain=srcnat out-interface=pppoe-out1 protocol=tcp src-port=5060,5061,5090
add action=masquerade chain=srcnat out-interface=pppoe-out1 protocol=udp src-port=5060,5061,5090
add action=dst-nat chain=dstnat dst-address=*.*.*.* dst-port=80 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat dst-address=*.*.*.* dst-port=5001,5006,5061,5090 protocol=tcp to-addresses=192.168.1.201
add action=dst-nat chain=dstnat comment="TCP To 192.168.2.33" dst-address=*.*.*.* dst-port=55001,55060,55061,55090 protocol=tcp to-addresses=192.168.2.33
add action=dst-nat chain=dstnat comment="UDP To 192.168.2.33" dst-address=*.*.*.* dst-port=55001,55060,55061,55090 protocol=udp to-addresses=192.168.2.33
add action=dst-nat chain=dstnat dst-address=*.*.*.* dst-port=10001-10005 protocol=tcp to-addresses=192.168.1.15
add action=dst-nat chain=dstnat dst-address=*.*.*.* dst-port=12000-12005 protocol=tcp to-addresses=192.168.1.21
add action=masquerade chain=srcnat dst-address=192.168.1.2 dst-port=80 out-interface=localbridge protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.201 dst-port=5060,5061,5090 out-interface=localbridge protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.15 dst-port=10001-10005 out-interface=localbridge protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.21 dst-port=12000-12005 out-interface=localbridge protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.1.0/24

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=26711
set api disabled=yes
set api-ssl disabled=yes

/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote

/ip upnp
set show-dummy-rule=no

/ppp secret
add name=vpn profile=default-encryption

/system clock
set time-zone-name=Europe/London

/system routerboard settings
set boot-os=router-os

 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: PPTP VPN Netbios/DNS Issue

Thu May 27, 2021 4:51 pm

As the Mikrotik is using Google DNS servers and you are also passing the Google DNS servers to DHCP clients, there are no local DNS entries to be looked up by VPN clients. Also, as the PPP profile does not contain any DNS server definitions, the Mikrotik will pass its own address to VPN clients, which they will not be able to use for lookups as allow-remote-requests=no.

NetBIOS name lookups will only work within the broadcast domain on a local LAN, beyond that you need entries in a DNS or WINS server. You could either have a Windows server providing the DHCP & DNS for the local LAN and configure the VPN server to pass that server address to the VPN clients, or add static DHCP & DNS entries on the Mikrotik and allow it to serve them to clients.

It is best to leave the default and default-encryption PPP profiles as-is due to them being used by any PPP-like client interface by default and add new profiles with specific settings for any PPP-like servers, otherwise you may change a setting for a PPP-like server which breaks your PPP-like client connections.

Having multiple bridges will disable hardware offload on all but the first which will lead to much less than wire-speed throughput between ports.

Due to a bug in the setup script in earlier firmware, the IP address has been attached to ether2 rather than localbridge, which can result in strange behaviour.

I'm not sure what the /interface bridge vlan configuration is for as it appears incomplete, or the need for the /ip arp configuration.

You appear to have removed all of the default firewall rules, so no traffic from the WAN to the Mikrotik is blocked; this is usually bad. Luckily, with the DNS server not allowing remote requests, that is not being used for DDoS amplification attacks. Exposing Winbox without an address list to restrict source addresses is strongly discouraged, and management access only via a VPN connection is preferable.
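Added example, not part of tdw's reply or the poster's configuration: a small Python audit that parses a RouterOS `/export` and flags the conditions described in the reply above (PPP profile without a DNS server while remote requests are off, no drop rule in the input chain, IP address on a bridge port). The finding labels and the abbreviated sample export are constructed for illustration, and the drop-rule check is a coarse heuristic.

```python
import re

# Constructed, abbreviated export that mirrors the settings discussed in the thread.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=localbridge comment=defconf interface=ether2
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
/ip dns
set servers=8.8.8.8
/ppp profile
set *FFFFFFFE local-address=192.168.1.1 remote-address=dhcp
/ip firewall filter
add action=accept chain=input dst-port=3190 protocol=tcp
add action=accept chain=input src-address=192.168.1.0/24
"""

def parse_export(text):
    """Map each menu path to a list of key=value dicts, one per add/set line."""
    text = re.sub(r"\\\n\s*", "", text)  # rejoin lines split with a trailing backslash
    sections, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            sections.setdefault(menu, [])
        elif menu:
            sections[menu].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def audit(text):
    """Return finding names (labels invented for this example) in a fixed order."""
    s = parse_export(text)
    dns = {k: v for item in s.get("/ip dns", []) for k, v in item.items()}
    # An export lists only non-default values, so a missing key means "no".
    remote = dns.get("allow-remote-requests") == "yes"
    rules = s.get("/ip firewall filter", [])
    # Coarse heuristic: any drop rule in the input chain counts as a WAN guard.
    input_drop = any(r.get("chain") == "input" and r.get("action") == "drop" for r in rules)
    ports = {p.get("interface") for p in s.get("/interface bridge port", [])}
    findings = []
    if not remote and any("dns-server" not in p for p in s.get("/ppp profile", [])):
        findings.append("vpn-clients-get-unusable-dns")
    if not input_drop:
        findings.append("no-input-drop-rule")
    if remote and not input_drop:
        findings.append("dns-resolver-exposed-to-wan")
    if any(a.get("interface") in ports for a in s.get("/ip address", [])):
        findings.append("ip-address-on-bridge-port")
    return findings

print(audit(SAMPLE_EXPORT))
```

Setting allow-remote-requests=yes to fix name resolution without first restoring an input-chain drop rule swaps the first finding for `dns-resolver-exposed-to-wan`, which is the amplification exposure the reply mentions.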
