johnway
just joined
Topic Author
Posts: 5
Joined: Tue Sep 03, 2013 11:07 am

Setup VPN Server over PPPoE using RADIUS multiple subnets?

Wed Feb 26, 2014 2:28 am

Hi Guys,

I have been reading article after article after article and I am stuck on how to configure the MikroTik Router to enable:

VPN Server (over PPPoE) using RADIUS with multiple subnets and still can't get it 100% there yet.

I have about 95% configured and guess I am just having a routing problem between the two LAN subnets, but let me explain in more detail:

I want to allow the MikroTik device to be a VPN Server (that authenticates with RADIUS inside the LAN segment), and then allow the client connecting to have access to the inside LAN.

I got RADIUS working and authenticating properly, and I got the VPN properly established as well. I can ping the following:

I can ping the PPPoE interface, ether1 and ether2 from the VPN client, but I can't ping any hosts INSIDE the LAN

I also have full access to the internet when the VPN connection is successfully established - BUT when I do a DNS lookup it seems to be "using" the DNS server on the VPN client's machine and not the DNS server on the LAN segment which is configured to be used by the VPN clients. I can't see the "INSIDE LAN" from the VPN client's machine.

* I would like to enable all VPN protocols due to L2TP being blocked by our cellular networks (not all but some of them)!

Here is my config:

1. DSL MODEM: 192.168.2.2

* Bridged mode with PPPoE passthrough (firewall disabled and all ports open)

2. WAN1 (PPPoE): *.*.*.* (this IP is dynamic from ISP) - DynDNS used to resolve host and works 100%

* Use Peer DNS
* Add Default Route

3. ETHER1 (Connection to WAN1 - DSL MODEM): 192.168.2.1

* ARP: enabled

4. ETHER2 (Connection to INSIDE LAN): 192.168.1.1

* ARP: proxy-arp

5. PPP - Interface:

[PPTP Server]: enabled - using profile in #6
[SSTP Server]: enabled - using profile in #6
[L2TP Server]: enabled - using profile in #6
[OVPN Server]: enabled - using profile in #6

6. PPP - Profile (Configuration for VPN Clients):

* Local Address: 192.168.3.1
* Remote Address: 192.168.3.0/24
* DNS Server: 192.168.0.1 (INSIDE LAN SERVER)
* WINS Server: 192.168.0.1 (INSIDE LAN SERVER)

7. PPP - Secrets:

* Use Radius
* Accounting

8. IP - Addresses:

* 192.168.1.1/24 bound to ETHER2
* 192.168.2.1/24 bound to ETHER1
* *.*.*.* bound to WAN1 <Dynamic>

9. IP - DNS:

* Allow Remote Requests (unticked)

10. IP - Firewall [Filter Rules]:

* All PPTP, L2TP, SSTP, OVPN ports are opened on the INPUT CHAIN, e.g. TCP {1723, 1812, 1813}; GRE; UDP {500, 1701, 4500} etc.

* All traffic allowed from LAN to outside

11. IP - Firewall [NAT]:

* masquerade rule configured on the WAN1 Interface (as the Out. Interface)

12. IP - Firewall [Mangle]:

* change MSS on the forward chain for TCP traffic with the "all ppp" interface as the In. Interface <Dynamic>
* change MSS on the forward chain for TCP traffic with the "all ppp" interface as the Out. Interface <Dynamic>

13. IP - Firewall [Service Ports]:

* PPTP: enabled

14. IP - Routes:

* 0.0.0.0/0: Gateway=*.*.*.* this is the <PPPoE Interface IP> - Dynamic IP; ROUTE FLAGS: DAS
* <PPPoE Interface IP>: Gateway=<PPPoE Interface> - Dynamic IP; ROUTE FLAGS: DAC
* 192.168.0.0/24: Gateway=192.168.1.1; ROUTE FLAGS: AS
* 192.168.1.0/24: Gateway=192.168.1.1; ROUTE FLAGS: DAC
* 192.168.2.0/24: Gateway=192.168.2.1; ROUTE FLAGS: DAC

15. IP - Settings:

* IP Forward: enabled
* Send Redirects: enabled
* Accept Redirects: disabled
* Secure Redirects: enabled
* Allow Fast Path: enabled
* Allow Hw. Fast Path: disabled
* RP Filter: no
* TCP SynCookies: disabled

16. RADIUS:

* -Services enabled-: ppp + login
* Address: 192.168.0.1 (INSIDE LAN SERVER)
* Secret: ******
* Authentication Port: 1812
* Accounting Port: 1813
* Src. Address: 0.0.0.0

* Any help would be greatly appreciated... as I have already watched 15 videos totalling more than 5 hours, read countless documents, and I am seriously scratching my head on this one.

I would like to keep my VPN clients on the subnet 192.168.3.0/24, DSL+ETHER1 on the subnet 192.168.2.0/24; ETHER2 on subnet 192.168.1.0/24; INSIDE LAN on subnet 192.168.0.0/24
 
nerdtron
Member Candidate
Posts: 123
Joined: Sat Nov 30, 2013 7:49 am

Re: Setup VPN Server over PPPoE using RADIUS multiple subnet

Wed Feb 26, 2014 4:01 am

I can ping the PPPoE interface, ether1 and ether2 from the VPN client, but I can't ping any hosts INSIDE the LAN
This is the correct behavior if your mikrotik is the vpn client. You can't access anything inside the LAN behind the mikrotik since all of these LAN devices are behind NAT.
The only way to access the inside LAN of the vpn clients is to configure port forwarding.
 
johnway
just joined
Topic Author
Posts: 5
Joined: Tue Sep 03, 2013 11:07 am

Re: Setup VPN Server over PPPoE using RADIUS multiple subnet

Wed Feb 26, 2014 9:41 am

This is the correct behavior if your mikrotik is the vpn client. You can't access anything inside the LAN behind the mikrotik since all of these LAN devices are behind NAT.
The only way to access the inside LAN of the vpn clients is to configure port forwarding.
The MikroTik Router is not a VPN Client but a VPN Server, am I missing something here [or maybe misunderstood the term VPN Client]?

Thanks for the reply, I completely missed port forwarding *blush*

I will look into adding port forwarding and let you know the results, what I do find funny though is that with further investigation I seem to be having an issue getting into the LAN subnet 192.168.0.0/24 from the router itself; which is weird, and makes me wonder if this is not an issue on the LAN Server.


The LAN Server does have RRAS enabled with standard LAN Routing and Demand Dial enabled and the LAN Server has two NICs configured:

EXTERNAL: 192.168.1.2 (facing the MikroTik Router's ether2)

INTERNAL: 192.168.0.1 (facing the network switch of the INSIDE LAN)

* Again all Firewall Rules are enabled / configured on the LAN Server for VPN ports / connectivity as has been done for the MikroTik Router, reference my previous post.


I can ping the Internet from any of the LAN clients and from both NICs on the INSIDE LAN Server, and I can also ping ALL ether ports and ALL other interfaces on the MikroTik Router from any of the LAN clients.

* NOTE: The weird thing that I did pick up after my previous post is that from the MikroTik Router I can ping ANYTHING including 192.168.1.2 (which is the EXTERNAL NIC on the INSIDE LAN Server), EXCEPT: 192.168.0.1 (which is the INTERNAL NIC on the INSIDE LAN Server), or any of the 192.168.0.0/24 (INSIDE LAN Clients).


For some stupid arbitrary reason on Windows Server 2003 you don't have to configure a static route in order for routing to work properly, but on Windows Server 2008 or newer versions you have to add a static route on the EXTERNAL "Internet facing" NIC:

0.0.0.0 (destination)
0.0.0.0 (network mask)
1 (metric)

Otherwise routing does not allow any traffic to pass through the LAN Server from any of the LAN clients, however the LAN Server itself can see both "The Internet" and "LAN Clients" (without "The Static Route" created above); however in order to get traffic to pass through from the "LAN Clients", I have to add "The Static Route" above - this is according to almost ALL MS admins I have asked - even MS themselves suggest this on various documents and sources!?


* Oh WHY does Windows Server NOT support source and destination NAT[ting] like MikroTik ;(


If there is any way that I could do that on Windows Server then the entire network configuration would work, as I could then create proper static routes for going towards the INSIDE LAN subnet and going out (example below), etc...

* Source: 0.0.0.0/0; Destination: 192.168.0.0/24; Gateway: 192.168.0.1; Distance: 1
* Source: 192.168.0.0/24; Destination: 0.0.0.0/0; Gateway: 192.168.1.1; Distance: 2


I have a gut feeling that because traffic to 192.168.0.0/24 is routed to 192.168.1.2 (EXTERNAL NIC) it reaches that point and creates a loop back to 192.168.1.1 (MikroTik ether2) - because of this idiotic static rule of 0.0.0.0 (destination), 0.0.0.0 (network mask), 1 (metric) - as suggested by MS admins and MS, etc... *doh*


Any other / further advice [other than checking port forwarding], thanks?
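The routing question running through this thread (the static route for 192.168.0.0/24 in item #14 of the first post, and the suspected loop between 192.168.1.2 and 192.168.1.1 in the post above) can be checked hop by hop with a small forwarding simulator. The Python below is an added example and is not part of the thread or of RouterOS; it does a longest-prefix match over each node's routing table and walks a packet until it is delivered, hits a node with no route, is handed to a gateway that is the forwarding node's own address, or revisits a node (a loop). The addresses and routes are transcribed from the posts; everything marked ASSUMED or constructed is not on the page: the VPN client address 192.168.3.5, the LAN client 192.168.0.10, the per-client /32 route the PPP server creates, the LAN server's default gateway being 192.168.1.1, and the WAN side is left out because it plays no part in the LAN-to-LAN path.

```python
"""Tiny IP forwarding simulator for the topology described in the thread.

Added example: not code from the forum posts or from RouterOS. Routes are
transcribed from the posts; entries marked ASSUMED/constructed are not on the page.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


@dataclass
class Node:
    name: str
    addresses: frozenset   # addresses owned by this node (IPv4Address)
    routes: tuple          # (prefix, gateway) pairs; gateway None = directly connected


def lookup(node, dst):
    """Longest-prefix match over the node's routing table; returns (network, gateway) or None."""
    best = None
    for prefix, gw in node.routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def trace(nodes, start, dst, max_hops=8):
    """Walk a packet from `start` toward `dst`. Returns (status, path-of-node-names)."""
    dst = IPv4(dst)
    owner = {a: n.name for n in nodes.values() for a in n.addresses}
    path, cur, seen = [start], nodes[start], {start}
    for _ in range(max_hops):
        if dst in cur.addresses:
            return "delivered", path
        hit = lookup(cur, dst)
        if hit is None:
            return "no-route", path
        _net, gw = hit
        if gw is not None and gw in cur.addresses:
            # The route points at one of this node's own addresses: the packet never leaves the box.
            return "self-gateway", path
        next_hop = dst if gw is None else gw
        nxt = owner.get(next_hop)
        if nxt is None:
            return "unknown-next-hop", path
        path.append(nxt)
        if nxt in seen:
            return "loop", path
        seen.add(nxt)
        cur = nodes[nxt]
    return "ttl-exceeded", path


def build_topology(lan_gateway, server_has_internal_nic=True):
    """Nodes as described in the thread; `lan_gateway` is the next hop for 192.168.0.0/24 on the MikroTik."""
    def node(name, addrs, routes):
        return Node(name, frozenset(IPv4(a) for a in addrs),
                    tuple((p, None if g is None else IPv4(g)) for p, g in routes))

    vpn_client = node("vpn-client", ["192.168.3.5"],                 # ASSUMED address from the #6 pool
                      [("0.0.0.0/0", "192.168.3.1")])                 # default via the PPP local address (#6)
    mikrotik = node("mikrotik", ["192.168.1.1", "192.168.2.1", "192.168.3.1"],
                    [("192.168.1.0/24", None), ("192.168.2.0/24", None),   # connected routes (#14)
                     ("192.168.3.5/32", None),                            # ASSUMED dynamic route to the PPP client
                     ("192.168.0.0/24", lan_gateway)])                    # the static route under discussion (#14)
    server_addrs = ["192.168.1.2"]                                        # EXTERNAL NIC
    server_routes = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]  # ASSUMED: default via ether2
    if server_has_internal_nic:
        server_addrs.append("192.168.0.1")                                # INTERNAL NIC
        server_routes.append(("192.168.0.0/24", None))
    lan_server = node("lan-server", server_addrs, server_routes)
    lan_host = node("lan-host", ["192.168.0.10"],                         # constructed LAN client
                    [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")])
    return {n.name: n for n in (vpn_client, mikrotik, lan_server, lan_host)}


def scenario_as_posted():
    """#14 as posted: gateway 192.168.1.1 is the router's own ether2 address (#4, #8)."""
    return trace(build_topology("192.168.1.1"), "vpn-client", "192.168.0.10")


def scenario_server_gateway():
    """Same route with the LAN server's EXTERNAL NIC (192.168.1.2) as next hop."""
    return trace(build_topology("192.168.1.2"), "vpn-client", "192.168.0.10")


def scenario_return_path():
    """Reply from a LAN client back to the VPN client; relies on the server's ASSUMED default route."""
    return trace(build_topology("192.168.1.2"), "lan-host", "192.168.3.5")


def scenario_loop():
    """What a real loop looks like: server has no connected route for 192.168.0.0/24."""
    return trace(build_topology("192.168.1.2", server_has_internal_nic=False),
                 "vpn-client", "192.168.0.10")


if __name__ == "__main__":
    for fn in (scenario_as_posted, scenario_server_gateway, scenario_return_path, scenario_loop):
        status, path = fn()
        print(f"{fn.__name__:24s} {status:15s} {' -> '.join(path)}")
```

Under these modelled tables the as-posted route stops on the MikroTik itself, the same route with 192.168.1.2 as next hop is delivered, and the reply path only works because the LAN server's default route points back at ether2, so that assumption is the one to verify on the server. The loop scenario shows what the simulator reports when a node really does hand the packet back: the path revisits "mikrotik", which is the pattern to look for when testing a suspected loop with traceroute.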
