I'm just testing something for future use and I can't seem to get it going.

Router A = Office Router LAN 192.168.1.x
Router B = Remote Location Router LAN 10.99.x.x

Router A = pptp client 10.100.1.2
Router B = pptp server 10.100.1.1

I'm trying to set this up so that ALL TRAFFIC goes out our default gateway EXCEPT traffic destined for 10.99.x.x in which case I want that traffic forwarded through the VPN to the other location.

I CAN contact 10.99.x.x from both routers BUT NOT from inside the office LAN (192.168.1.x)


What am I doing wrong?

I discovered an easier way using ip tunnels and added a route and it seems to be working now..

I just wonder how secure these ip tunnels are..

I also found out that I should use a VPN and then set up an IP tunnel or an EOIP tunnel. I've tried both via the VPN and I can't contact the other side no matter what from inside the lan of Router A.

The only way i've been able to get it to work is just a straight ip tunnel with no VPN...

Dangit..

Even followed instructions on the site to the letter bridging the interfaces, I've tried multiple variations. Something just doesn't work.

pptp or Eoip should work well - it sounds like you may be missing a static route somewhere. Can you post VPN and routing configuration?

I'll be able to work on it Friday thanks.. I'll post it all then. I took it all apart..

I added a static route on the office side to the other side of the tunnel and it still would not work.

I was able to ping the remote device/subnet from the office side's mikrotik, but not from inside the offices LAN.

I could if I just used IP tunnels.. but not VPN and IP Tunnel together nor with VPN and EOIP together either. I'm using pptp VPN's..

Thanks for offering help I'll post configs on Friday.

I would use IPIP tunnels with IPSEC encryption

here is a great how to from greg sowell.
http://gregsowell.com/wp-content/upload ... k-vpn1.pdf
look at pages 48 - 52

Thanks I'll check that out tomorrow. I love mikrotik it has sooo many ways of doing things..

Why would you not use a simple IPSec connection in tunnel mode?

http://wiki.mikrotik.com/wiki/Manual:IP ... Sec_Tunnel

I think I figured it out... I had NAT on one router and it was not working, so I think I would have had to add some firewall rules but it would have made it impossible to do. So I had to switch the VPN's ip's to a 172.x.x.x subnet and test it on a router that didn't have NAT enabled on that subnet. Bizzare because it should keep track of the outgoing sessions. I will just have to make sure no NAT is involved or I'll have to add some firewall rules specific to those subnets. Problem is that I couldn't break up that 10.x.x.x because I already was natting all 10.0.0.0/8 ..

You can override NAT by accepting more specifically higher up the chain. Accepting in NAT is a null action, but as long as you're not passing through does qualify as a first match and processing stops.
Assuming you're NAT'ing 10/8 but want to not NAT it when 10.1/16 goes to 192.168.1.0/24 that would like below: