Libor
just joined
Topic Author
Posts: 1
Joined: Wed May 24, 2023 6:25 pm

Mikrotik and VPN setup

Mon May 29, 2023 5:00 pm

Hi there,

It's my first post, so please be kind :)

Hey,

I need help upgrading my Mikrotik and setting up a VPN at the same time. This thread will probably be longer and also evolve over time as I troubleshoot. I'm not the strongest in Mikrotik, so I hope you can make this a lot easier :)

The current situation looks like this:
1) office
Mikrotik RB3011 - main router, running on 6.43.12 and VPN server with PPTP and L2TP with a pre-shared key for all users
Addresses: VLAN1 10.0.0.1/16
VLAN2 10.1.0.1/16
DNS servers : 10.1.1.3 and 10.1.1.7

2) warehouse
Mikrotik CCR1009 - main warehouse router, running 6.43.4 and VPN server with PPTP and L2TP only for admins
Addresses: 192.168.1.254/24
192.168.3.254/24
192.168.10.253 cable connection to the second warehouse office router, also used as backup connectivity
DNS server: 10.1.1.7, 10.1.1.3

3) warehouse office
Mikrotik CCR1009 - main warehouse office router, running 6.43.9 and VPN server with PPTP and L2TP
Addresses: 192.168.10.254/24

Router connected via L2TP tunnel with router 1)
IP tunnel is 172.1.1.1 and 172.1.1.2

4) Second office - main router in our new office
Mikrotik CCR2004 running on 7.9, WireGuard VPN
Addresses: 10.10.0.1/24
DNS server: 8.8.8.8, 8.8.4.4
WG: 10.10.100.1/24

Each router has its own static public IP

Now, ideally, I would like some help. I tried to upgrade router 1) to fw 7.9, but right after the upgrade the L2TP VPN stopped working, which is a problem because about 50 users use a MacBook and there is no PPTP option anymore. So I put back the old fw 6.43.12, but there was a problem with the L2TP VPN there too, because it disconnects very regularly after a certain time.

So I decided not to troubleshoot the L2TP VPN and to switch completely to WireGuard, and at the same time replace the 3011 router with a 4011.

1. I need to upgrade all my old routers to version 7.9 for WireGuard
2. I need all users in the main office using router 1) to be able to connect via WireGuard
3. I need all routers to be connected to each other via WireGuard

Case 1
I started quite simply by setting up WireGuard on router 4), which already had fw 7.9, and made the tunnel between the router and the PC (WG: 10.10.100.1/24). I can connect from every router except router 1). I can't connect from there, so the first case I would like to solve is why I can't connect to WG from this router.

I assume it will be a badly set firewall or an IP range conflict?
/ip firewall filter
add action=accept chain=input disabled=yes in-interface=ether10
add action=accept chain=input connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=output connection-state=established
add action=drop chain=forward dst-address=10.1.0.0/16 src-address=10.2.0.0/16
add action=drop chain=forward dst-address=10.2.0.0/16 src-address=10.1.0.0/16
# p2p matcher is obsolete please use layer7 matcher instead
add action=drop chain=forward comment="Drop all torrent traffic." p2p=all-p2p
add action=drop chain=forward connection-state=invalid,new dst-address=10.0.0.0/16 src-address=10.1.0.0/16
add action=drop chain=forward dst-address=10.0.0.0/16 src-address=10.2.0.0/16
add action=accept chain=input port=1701,500,4500,13231 protocol=udp
add action=accept chain=input protocol=ipsec-esp

/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=ether1 new-packet-mark=client_download passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=10.1.0.0/16 
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=10.0.0.0/16
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=10.2.0.0/16
add action=jump chain=dstnat comment=INET1>LAN dst-address=x.x.x.x jump-target=INET1>LAN
add action=jump chain=dstnat comment=INET2>LAN dst-address=x.x.x.x jump-target=INET2>LAN
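Added example (not code from the original post and not a MikroTik tool): a small first-match evaluator for the /ip firewall filter export quoted above. Fed a constructed packet, it walks the rules of one chain the way RouterOS does (enabled rules in order, first terminal match wins, accept by default when nothing matches) and reports which rule decided the packet, which matchers it could not evaluate, and whether the chain actually ends in an unconditional drop. The public endpoint 203.0.113.10, the interface name and the port numbers in the sample packets are constructed placeholders, not router 4)'s real address.

```python
import ipaddress
import shlex

# Constructed copy of the /ip firewall filter export quoted in the post.
FILTER_EXPORT = """\
add action=accept chain=input disabled=yes in-interface=ether10
add action=accept chain=input connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=output connection-state=established
add action=drop chain=forward dst-address=10.1.0.0/16 src-address=10.2.0.0/16
add action=drop chain=forward dst-address=10.2.0.0/16 src-address=10.1.0.0/16
# p2p matcher is obsolete please use layer7 matcher instead
add action=drop chain=forward comment="Drop all torrent traffic." p2p=all-p2p
add action=drop chain=forward connection-state=invalid,new dst-address=10.0.0.0/16 src-address=10.1.0.0/16
add action=drop chain=forward dst-address=10.0.0.0/16 src-address=10.2.0.0/16
add action=accept chain=input port=1701,500,4500,13231 protocol=udp
add action=accept chain=input protocol=ipsec-esp
"""

NON_MATCHER_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}
TERMINAL_ACTIONS = {"accept", "drop", "reject"}


def parse_export(text):
    """Turn 'add key=value ...' export lines into a list of rule dicts; '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps comment="..." together as one token
        if tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _ports(spec):
    """Expand '1701,500,4500,13231' or '1000-2000' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _matches(rule, pkt, unsupported):
    """Return True if every matcher of the rule applies to the packet.
    A matcher this toy does not understand (e.g. p2p) is recorded and treated as
    NOT matching, so such rules must be reviewed by hand."""
    for key, value in rule.items():
        if key in NON_MATCHER_KEYS:
            continue
        if key == "src-address":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "dst-address":
            if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "protocol":
            if pkt.get("protocol") != value:
                return False
        elif key == "port":  # RouterOS 'port' matches either source or destination port
            if pkt.get("src_port") not in _ports(value) and pkt.get("dst_port") not in _ports(value):
                return False
        elif key == "dst-port":
            if pkt.get("dst_port") not in _ports(value):
                return False
        elif key == "src-port":
            if pkt.get("src_port") not in _ports(value):
                return False
        elif key == "connection-state":
            if pkt.get("state") not in value.split(","):
                return False
        elif key == "in-interface":
            if pkt.get("in_interface") != value:
                return False
        else:
            unsupported.append(key)
            return False
    return True


def evaluate(rules, pkt):
    """First-match walk of the packet's chain.
    Returns (action, index_of_deciding_rule, unsupported_matchers).
    RouterOS accepts a packet that no enabled rule matched, so the default is ('accept', None)."""
    unsupported = []
    for idx, rule in enumerate(rules):
        if rule.get("disabled") == "yes" or rule.get("chain") != pkt["chain"]:
            continue
        if rule.get("action") not in TERMINAL_ACTIONS:
            unsupported.append("action=" + rule.get("action", ""))
            continue
        if _matches(rule, pkt, unsupported):
            return rule["action"], idx, unsupported
    return "accept", None, unsupported


def chain_has_catchall_drop(rules, chain):
    """True only if the chain contains an enabled drop with no matchers at all,
    i.e. default-deny is really enforced rather than relying on RouterOS's implicit accept."""
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        if rule.get("action") == "drop" and not (set(rule) - NON_MATCHER_KEYS):
            return True
    return False


if __name__ == "__main__":
    rules = parse_export(FILTER_EXPORT)
    # Constructed packet: a VLAN1 host behind router 1) starting a WireGuard handshake
    # towards an assumed public endpoint (203.0.113.10 is a documentation address).
    wg_out = {"chain": "forward", "src": "10.0.5.10", "dst": "203.0.113.10", "protocol": "udp",
              "src_port": 51820, "dst_port": 13231, "state": "new", "in_interface": "ether2"}
    print("forward WG handshake:", evaluate(rules, wg_out))
    for chain in ("input", "forward"):
        print(chain, "ends in catch-all drop:", chain_has_catchall_drop(rules, chain))
```

Run as-is to see that nothing in the forward chain drops the outgoing WireGuard handshake (so the firewall on router 1) is not what blocks it, unless the p2p rule, which the tool flags as unsupported, fires), and that neither the input nor the forward chain has a catch-all drop, so the accept rules for udp 1701,500,4500,13231 and ipsec-esp are not actually restricting anything.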
