bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

VPN to home network

Wed Nov 09, 2011 1:25 am

Hi there,
I'm trying to get my VPN setup to work at home but I'm having a few issues with network discovery.

Basically, at the moment my VPN allows me to connect to my home network and then get access to the internet (using that IP), but when I try to search for PCs on the network I'm unable to see them. Can anyone help me resolve this issue?

Thanks
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: VPN to home network

Wed Nov 09, 2011 2:57 am

You need to post way more details unless you want people to start guessing wildly.

Here's a wild guess: you're on a different broadcast domain on the VPN, and you're using Windows. Automatic discovery in Windows outside of usage of WINS servers or AD (which you probably don't have at home) only works on the same broadcast domain. Use the IP address in \\a.b.c.d\sharename format to access resources.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: VPN to home network

Wed Nov 09, 2011 8:37 pm

Hi Fewi,

Sorry, you're right - I kinda assumed that it might have been the configuration on the RB itself rather than the network.

The remote client is actually a Mac (running OS X Lion) taking the IP address 192.168.0.201.
It cannot see any types of devices across the network.
When looking at the TCP/IP details, the subnet mask does not appear.
DNS servers appear correctly and I can ping the internet and the router on the VPN server side.

When I try and connect using anything like NFS/SMB/AFP/etc. I still cannot get access to the individual devices on the network.

If you let me know what information you need I'll be happy to post it up.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: VPN to home network

Wed Nov 09, 2011 9:03 pm

Start with the usual details: "/interface print detail", "/ip address print detail", "/ip route print detail", "/ip firewall export", and a network diagram. Also add the configuration export from whatever VPN protocol you're using - so far you haven't even indicated if you're using IPsec, PPTP, or something else.

Can you ping devices on the local network via the VPN tunnel? That would help establish a basic connectivity test.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: VPN to home network

Wed Nov 09, 2011 9:34 pm

The VPN interface being used is PPTP.
I can only ping the main router (192.168.0.1) - no other addresses are pingable.
I can also ping any web page/public IP.

/interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  ;;; Bridge for Local Network
       name="bridge1" type="bridge" mtu=1500 l2mtu=1524 

 1  X  ;;; NTL - WAN1
       name="ether1" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524 

 2  R  ;;; VM -WAN2
       name="ether2" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524 

 3  R  ;;; Switch - to 192.168.0.0/24
       name="ether3" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524 

 4     name="ether4" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524 

 5     name="ether5" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524 

 6  R  name="NTL Static bridge" type="bridge" mtu=1500 l2mtu=65535 

 7  R  ;;; Hurricane Electric IPv6 Tunnel Broker
       name="sit1" type="sit" mtu=1280 

 8     name="PPTP-test" type="pptp-in" 

 9  R  name="PPP bridge" type="bridge" mtu=1500 l2mtu=65535 

/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.0.1/24 network=192.168.0.0 interface=bridge1 
     actual-interface=bridge1 

 1   address=10.0.0.1/24 network=10.0.0.0 interface=bridge1 
     actual-interface=bridge1 

 2 D address=XX.XXX.YYY.233/22 network=81.YYY.YYY.0 interface=ether2 
     actual-interface=ether2
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0   S  dst-address=0.0.0.0/0 gateway=86.8.176.1 
        gateway-status=XX.XXX.YYY.1 unreachable distance=1 scope=30 
        target-scope=10 routing-mark=routing-voip 

 1 ADS  dst-address=0.0.0.0/0 gateway=81.106.116.1 
        gateway-status=XX.XXX.YYY.1 reachable ether2 distance=2 scope=30 
        target-scope=10 vrf-interface=ether2 

 2 ADC  dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10 

 3 ADC  dst-address=XX.XXX.YYY.0/22 pref-src=XX.XXX.YYY.233 gateway=ether2 
        gateway-status=ether2 reachable distance=0 scope=10 

 4 A S  ;;; vpn test
        dst-address=ZZ.ZZZ.208.1/32 gateway=XX.XXX.YYY.1 
        gateway-status=XX.XXX.YYY.1 reachable ether2 distance=1 scope=30 
        target-scope=10 

 5 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10 
/ip firewall export
/ip firewall layer7-protocol
add name=sip regexp=\
    "^(invite|register|cancel) sip[\t-\r -~]*sip/[0-2]\\.[0-9]"
/ip firewall address-list
add address=192.168.0.0/24 disabled=no list=lan_list

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward disabled=no dst-port=5060 protocol=udp
add action=accept chain=forward disabled=no dst-port=5060 protocol=tcp
add action=accept chain=forward disabled=no dst-port=5090 protocol=udp
add action=accept chain=forward disabled=no dst-port=5090 protocol=tcp
add action=accept chain=forward disabled=no dst-port=9000-9049 protocol=udp
add action=accept chain=forward disabled=no dst-port=10000 protocol=udp
add action=add-src-to-address-list address-list=VOIP_list \
    address-list-timeout=0s chain=forward comment="mark voip" connection-type=\
    sip disabled=no
add action=accept chain=input comment="accept hosts from trusted list" \
    disabled=no src-address-list=trusted_list
add action=accept chain=input comment="accept established connections" \
    connection-state=established disabled=no
add action=accept chain=input comment="accept related connections" \
    connection-state=related disabled=no
add action=accept chain=input comment="accept hosts from lan" disabled=no \
    src-address-list=lan_list
add action=accept chain=input comment=vpn disabled=yes dst-port=1723 protocol=\
    tcp
add action=accept chain=input comment="vpn 2" disabled=yes protocol=gre
add action=accept chain=icmp comment="allow established connections" disabled=\
    no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="allow already established connections" \
    disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no \
    icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no \
    icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no \
    icmp-options=11:0 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp
add action=accept chain=input comment="IPv6 input" disabled=no protocol=41 \
    src-address=216.66.80.26
add action=accept chain=output comment="IPv6 output" disabled=no protocol=41
add action=jump chain=forward comment="jump to the virus chain" disabled=no \
    jump-target=virus
add action=drop chain=input comment="drop invalid connections" \
    connection-state=invalid disabled=no
add action=drop chain=input comment="Drop FTP Brute Forcers" disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no \
    dst-limit=1/1m,9,dst-address/2m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=no protocol=tcp
add action=drop chain=input comment="Drop SSH Brute Forcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=drop chain=forward disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
    111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
    135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
    protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
    protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
    12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
    protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=\
    3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
    protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
    111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
    135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
    protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
    protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=\
    3133 protocol=udp
add action=accept chain=icmp comment="drop invalid connections" disabled=no \
    icmp-options=0:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" \
    disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    1d chain=forward comment="Detect and add-list SMTP virus or spammers" \
    connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp
add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25 \
    protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    1d chain=virus comment="add to spammer list" connection-limit=30,32 \
    disabled=no dst-port=25 limit=50,5 protocol=tcp
add action=jump chain=forward comment="SYN Flood protect" connection-state=new \
    disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new disabled=no limit=\
    400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new disabled=no protocol=\
    tcp tcp-flags=syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
    src-address-list="port scanners"
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
    135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no \
    dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
    445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
    445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 \
    protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 \
    protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 \
    protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 \
    protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 \
    protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 \
    protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
    protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
    protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 \
    protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 \
    protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
    protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 \
    protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
    protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=\
    2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=\
    3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
    dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
    tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
    udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
    protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 \
    protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=\
    9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 \
    protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 \
    protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 \
    protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
    protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 \
    protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no \
    dst-port=65506 protocol=tcp
add action=drop chain=input comment="drop everything else" disabled=no

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "2010.09.09 route 5060 via eth1" disabled=no dst-port=5060 in-interface=\
    bridge1 new-routing-mark=routing-voip passthrough=yes protocol=udp
add action=mark-routing chain=prerouting comment=\
    "2010.07.27 route sip via eth1" connection-type=sip disabled=no \
    in-interface=bridge1 new-routing-mark=routing-voip passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "2010.07.27 sip connection mark" connection-type=sip disabled=no \
    new-connection-mark=conn-voip passthrough=yes
add action=mark-routing chain=prerouting comment="2010.09.09 route via eth1" \
    disabled=no in-interface=bridge1 new-routing-mark=routing-voip \
    passthrough=yes src-address=192.168.0.200
add action=mark-connection chain=prerouting comment=\
    "2010.09.09 mark-conn for traffic received via eth1 if not marked already" \
    disabled=no in-interface=ether1 new-connection-mark=conn-eth1-in \
    passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "2010.09.06 set voip packet mark" connection-mark=conn-voip disabled=no \
    new-packet-mark=packet-voip passthrough=yes
add action=mark-routing chain=output comment=\
    "2010.09.09 traffic received on eth1 sent back via eth1" connection-mark=\
    conn-eth1-in disabled=no new-routing-mark=routing-voip passthrough=yes
add action=mark-routing chain=output comment="2010.09.09 route via eth1" \
    disabled=no dst-address=192.168.0.200 new-routing-mark=routing-voip \
    passthrough=yes
add action=mark-routing chain=prerouting comment="route stun through eth1" \
    disabled=no dst-port=3478 in-interface=bridge1 new-routing-mark=\
    routing-voip passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="2010.09.04 icmp packetmark" \
    disabled=no new-packet-mark=packet-icmp passthrough=no protocol=icmp
add action=mark-packet chain=prerouting comment="2010.09.03 dns packetmark" \
    disabled=no dst-port=53 new-packet-mark=packet-dns passthrough=no \
    protocol=udp
add action=jump chain=prerouting disabled=no jump-target=mangle-200 \
    src-address=192.168.0.200
add action=jump chain=prerouting disabled=yes jump-target=mangle-112 \
    src-address=192.168.0.112
add action=jump chain=prerouting disabled=yes jump-target=mangle-113 \
    src-address=192.168.0.113
add action=jump chain=prerouting disabled=yes jump-target=mangle-117 \
    src-address=192.168.0.117
add action=jump chain=prerouting disabled=yes jump-target=mangle-120 \
    src-address=192.168.0.120
add action=jump chain=prerouting disabled=yes jump-target=mangle-121 \
    src-address=192.168.0.121
add action=jump chain=prerouting disabled=yes jump-target=mangle-124 \
    src-address=192.168.0.124
add action=jump chain=prerouting disabled=yes jump-target=mangle-138 \
    src-address=192.168.0.138
add action=jump chain=prerouting disabled=yes jump-target=mangle-139 \
    src-address=192.168.0.139
add action=jump chain=prerouting disabled=yes jump-target=mangle-154 \
    src-address=192.168.0.154
add action=jump chain=prerouting disabled=yes jump-target=mangle-167 \
    src-address=192.168.0.167
add action=jump chain=prerouting disabled=yes jump-target=mangle-169 \
    src-address=192.168.0.169
add action=jump chain=prerouting disabled=yes jump-target=mangle-179 \
    src-address=192.168.0.179
add action=jump chain=prerouting disabled=yes jump-target=mangle-185 \
    src-address=192.168.0.185
add action=jump chain=prerouting disabled=yes jump-target=mangle-186 \
    src-address=192.168.0.186
add action=jump chain=prerouting disabled=yes jump-target=mangle-192 \
    src-address=192.168.0.192
add action=jump chain=prerouting disabled=yes jump-target=mangle-193 \
    src-address=192.168.0.193
add action=jump chain=prerouting disabled=yes jump-target=mangle-194 \
    src-address=192.168.0.194
add action=mark-packet chain=prerouting disabled=no new-packet-mark=upload-10k \
    passthrough=no src-address=192.168.0.0/24
add action=mark-packet chain=mangle-200 comment="http requests" \
    connection-bytes=0-500000 disabled=no dst-port=80 new-packet-mark=\
    packet-200-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-200 comment="http download" \
    connection-bytes=500001-0 disabled=no dst-port=80 new-packet-mark=\
    packet-200-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-200 disabled=no new-packet-mark=\
    packet-200-other passthrough=no
add action=mark-packet chain=mangle-112 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-112-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-112 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-112-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-112 disabled=yes new-packet-mark=\
    packet-XX-other passthrough=no
add action=mark-packet chain=mangle-113 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-113-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-113 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-113-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-113 disabled=yes new-packet-mark=\
    packet-113-other passthrough=no
add action=mark-packet chain=mangle-117 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-117-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-117 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-117-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-117 disabled=yes new-packet-mark=\
    packet-117-other passthrough=no
add action=mark-packet chain=mangle-120 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-120-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-120 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-120-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-120 disabled=yes new-packet-mark=\
    packet-120-other passthrough=no
add action=mark-packet chain=mangle-121 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-121-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-121 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-121-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-121 disabled=yes new-packet-mark=\
    packet-121-other passthrough=no
add action=mark-packet chain=mangle-124 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-124-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-124 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-124-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-124 disabled=yes new-packet-mark=\
    packet-124-other passthrough=no
add action=mark-packet chain=mangle-138 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-138-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-138 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-138-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-138 disabled=yes new-packet-mark=\
    packet-138-other passthrough=no
add action=mark-packet chain=mangle-139 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-139-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-139 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-139-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-139 disabled=yes new-packet-mark=\
    packet-139-other passthrough=no
add action=mark-packet chain=mangle-154 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-154-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-154 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-154-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-154 disabled=yes new-packet-mark=\
    packet-154-other passthrough=no
add action=mark-packet chain=mangle-167 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-167-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-167 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-167-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-167 disabled=yes new-packet-mark=\
    packet-167-other passthrough=no
add action=mark-packet chain=mangle-169 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-169-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-169 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-169-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-169 disabled=yes new-packet-mark=\
    packet-169-other passthrough=no
add action=mark-packet chain=mangle-179 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-179-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-179 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-179-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-179 disabled=yes new-packet-mark=\
    packet-179-other passthrough=no
add action=mark-packet chain=mangle-185 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-185-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-185 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-185-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-185 disabled=yes new-packet-mark=\
    packet-185-other passthrough=no
add action=mark-packet chain=mangle-186 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-186-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-186 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-186-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-186 disabled=yes new-packet-mark=\
    packet-186-other passthrough=no
add action=mark-packet chain=mangle-192 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-192-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-192 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-192-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-192 disabled=yes new-packet-mark=\
    packet-192-other passthrough=no
add action=mark-packet chain=mangle-193 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-193-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-193 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-193-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-193 disabled=yes new-packet-mark=\
    packet-193-other passthrough=no
add action=mark-packet chain=mangle-194 comment="http requests" \
    connection-bytes=0-500000 disabled=yes dst-port=80 new-packet-mark=\
    packet-194-http1 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-194 comment="http download" \
    connection-bytes=500001-0 disabled=yes dst-port=80 new-packet-mark=\
    packet-194-http2 passthrough=no protocol=tcp
add action=mark-packet chain=mangle-194 disabled=yes new-packet-mark=\
    packet-194-other passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="2010.07.22 src-nat on WAN1" \
    disabled=no out-interface=ether1 src-address=192.168.0.0/24 \
    src-address-list=lan_list
add action=masquerade chain=srcnat comment="2010.07.22 src-nat on WAN2" \
    disabled=no out-interface=ether2 src-address=192.168.0.0/24 \
    src-address-list=lan_list
add action=log chain=dstnat disabled=yes in-interface=ether1 log-prefix=nat \
    protocol=udp src-address=91.195.228.9
add action=dst-nat chain=dstnat disabled=no dst-address=XX.XXX.YYY.233 \
    dst-port=14141 protocol=tcp to-addresses=192.168.0.126 to-ports=14141
add action=dst-nat chain=dstnat disabled=no dst-address=XX.XXX.YYY.233 \
    dst-port=51000-52000 protocol=tcp to-addresses=192.168.0.126 to-ports=\
    51000-52000
add action=dst-nat chain=dstnat disabled=no dst-address=AA.A.AA.177 dst-port=\
    22 protocol=tcp src-address-list=trusted_list to-addresses=192.168.0.126 \
    to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=XX.XXX.YYY.233 \
    dst-port=22 protocol=tcp src-address-list=trusted_list to-addresses=\
    192.168.0.126 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=XX.XXX.YYY.233 \
    dst-port=22 protocol=tcp src-address-list="temp list" to-addresses=\
    192.168.0.126 to-ports=22
/ip firewall service-port
set ftp disabled=no ports=21,22
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061,5090 sip-direct-media=yes
set pptp disabled=no
/ppp print
/ppp profile
set default change-tcp-mss=default name=default only-one=default \
    use-compression=default use-encryption=default use-ipv6=yes use-mpls=\
    default use-vj-compression=default
add bridge="PPP bridge" change-tcp-mss=default dns-server=8.8.8.8,8.8.4.4 \
    local-address="PPP pool" name=PPtP-test only-one=default remote-address=\
    "PPP pool" use-compression=default use-encryption=yes use-ipv6=yes \
    use-mpls=default use-vj-compression=default
add bridge=bridge1 change-tcp-mss=yes local-address=dhcp_pool_bridge1 name=\
    "PPTP remote" only-one=default remote-address=dhcp_pool_bridge1 \
    use-compression=default use-encryption=yes use-ipv6=yes use-mpls=default \
    use-vj-compression=default
set default-encryption change-tcp-mss=yes name=default-encryption only-one=\
    default use-compression=default use-encryption=yes use-ipv6=yes use-mpls=\
    default use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=\
    192.168.0.199 name=test password=test profile=default remote-address=\
    192.168.0.201 routes="" service=pptp
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: VPN to home network

Wed Nov 09, 2011 9:44 pm

Here is the network diagram.
It's a very simple network. It was using failover across both WANs, but I've since disabled WAN 1 and now all traffic flows over WAN 2.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: VPN to home network

Wed Nov 09, 2011 9:51 pm

If this is your home network, why are you running all those firewall rules? They are very messy to read through, and very probably don't do anything whatsoever for you.

Anyway. It's likely that the problem is proxy ARP - you are assigning a LAN IP address to the VPN connection even though it's not on the LAN interface. Add proxy ARP to the LAN interface (or the bridge interface? it's hard to tell. There's IP addressing on 10 dot space, but the network diagram doesn't reflect that at all) so that the router can respond for the VPN client.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: VPN to home network

Wed Nov 09, 2011 10:10 pm

I run those firewall rules because there was a point where I needed to be more protected; also there were some infected computers on the network.

The 10. IP addressing is for a test VPN (which is designed to be separated from the 192.168. network range). I left that off the diagram because it doesn't serve any purpose to my question at the moment.

I've added proxy ARP to the network; I'll test it out now.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: VPN to home network

Wed Nov 09, 2011 10:27 pm

Hi

OK, now that proxy ARP has been added I can ping all devices on the network, but I can't discover them or, for example, print remotely to the local network printer.
Things like RDC and the devices' internal web pages are all working.
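An added example, not from the thread or from MikroTik, that models the two behaviours fewi describes and the outcome in the last post: a PPTP client holding a LAN-range address (192.168.0.201 from the posted /ppp secret) on a point-to-point link can only be reached by LAN hosts once the router answers ARP for it (RouterOS: arp=proxy-arp on bridge1), while broadcast and link-local multicast discovery (NetBIOS, mDNS/Bonjour) is still confined to the bridge1 segment. The router (192.168.0.1) and server (192.168.0.126) addresses come from the export; the printer at 192.168.0.50 and all MAC addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER_MAC = "02:00:00:00:00:01"                       # constructed value
BROADCASTS = {"255.255.255.255", str(LAN.broadcast_address)}
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # mDNS lives at 224.0.0.251


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    link: str  # "bridge1" = shared Ethernet segment, "pptp" = point-to-point tunnel


@dataclass
class Router:
    proxy_arp: bool = False
    hosts: Dict[str, Host] = field(default_factory=dict)

    def add(self, h: Host) -> None:
        self.hosts[h.name] = h

    def by_ip(self, ip: str) -> Optional[Host]:
        return next((h for h in self.hosts.values() if h.ip == ip), None)

    def arp_reply(self, requester: Host, target_ip: str) -> Optional[str]:
        """MAC returned for a 'who-has target_ip' request on the requester's segment."""
        if requester.link != "bridge1":
            return None                 # PPP links carry no ARP at all
        target = self.by_ip(target_ip)
        if target is None:
            return None
        if target.link == "bridge1":
            return target.mac           # ordinary ARP: the host answers for itself
        # Target hangs off the PPP interface. Only with proxy ARP does the router
        # answer for it, attracting the frame so it can route it into the tunnel.
        return ROUTER_MAC if self.proxy_arp else None

    def one_way(self, src: Host, dst_ip: str) -> bool:
        """Can a unicast IP packet from src reach dst_ip?"""
        dst = self.by_ip(dst_ip)
        if dst is None:
            return False
        if src.link == "pptp":
            # Everything leaves the client through the tunnel; the router is either
            # the destination or forwards onto bridge1 after ARPing there itself.
            if dst.name == "router" or dst.link == "pptp":
                return True
            return self.arp_reply(self.hosts["router"], dst_ip) is not None
        if src.name == "router" and dst.link == "pptp":
            return True                 # connected route through the tunnel interface
        # A LAN host sees dst_ip inside its own /24 and ARPs for it directly; nobody
        # answering for the tunnel client is exactly the "only the router pings" symptom.
        return self.arp_reply(src, dst_ip) is not None

    def ping(self, a: str, b: str) -> bool:
        """ICMP echo needs both directions to work."""
        ha, hb = self.hosts[a], self.hosts[b]
        return self.one_way(ha, hb.ip) and self.one_way(hb, ha.ip)

    def broadcast_receivers(self, src_name: str, dst_ip: str) -> Set[str]:
        """Who receives a broadcast / link-local multicast frame sent by src. Routers
        never forward these between interfaces, so discovery traffic stays on the
        segment it was sent on, with or without proxy ARP."""
        src = self.hosts[src_name]
        if dst_ip not in BROADCASTS and ipaddress.ip_address(dst_ip) not in LINK_LOCAL_MCAST:
            raise ValueError("not a broadcast or link-local multicast address")
        if src.link == "pptp":
            return {"router"}           # the only peer on a point-to-point link
        return {h.name for h in self.hosts.values()
                if h.link == "bridge1" and h.name != src.name}


def build_lan(proxy_arp: bool) -> Router:
    """Topology from the thread plus a constructed printer; MACs are constructed."""
    r = Router(proxy_arp=proxy_arp)
    r.add(Host("router", "192.168.0.1", ROUTER_MAC, "bridge1"))
    r.add(Host("server", "192.168.0.126", "02:00:00:00:00:26", "bridge1"))
    r.add(Host("printer", "192.168.0.50", "02:00:00:00:00:50", "bridge1"))
    r.add(Host("mac_client", "192.168.0.201", "", "pptp"))  # no MAC: it is a PPP peer
    return r


if __name__ == "__main__":
    for proxy in (False, True):
        r = build_lan(proxy)
        print(f"proxy-arp={proxy}: ping router={r.ping('mac_client', 'router')} "
              f"ping server={r.ping('mac_client', 'server')} "
              f"mDNS from server reaches {sorted(r.broadcast_receivers('server', '224.0.0.251'))}")
```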
