dakinet
just joined
Topic Author
Posts: 7
Joined: Thu Jul 27, 2017 10:28 am

EoIP VPN conclusions and questions

Sun Jul 30, 2017 11:06 am

I have successfully set up a VPN network with the same subnet on both sides (main building and office), using the PPTP tunneling protocol to connect two MikroTiks; after a successful connection I'm using EoIP bridged with the LAN port. The configuration is like this:

MK1 - Mikrotik RB750r2 (Main building)
Internet <-> modem [wan: x.x.x.x, lan: 192.168.1.3] <-> MK1 [wan: 192.168.1.4, lan:192.168.10.1] <-> PC1 [192.168.10.10/24, gate:192.168.10.1, dns:192.168.10.1 and 8.8.8.8]
MTK1 and MTK firewalls are disabled; only Masquerade on the WAN interface in the srcnat chain is enabled.
The default route for MK1 is 192.168.1.3


MK2 - Mikrotik RB750r2 (Office)
Internet <-> modem [wan: x.x.x.x, lan: 192.168.1.1] <-> MK1 [wan: 192.168.1.2, lan:192.168.10.2] <-> PC2 [192.168.10.11]
The default route for MK2 is 192.168.1.1


What is the problem then?
---------------------------------------------
1. When the connection between the two, MTK1 and MTK, is disabled (bridge and EoIP disabled), the computer (PC1) has access to the internet and can browse all sites normally; everything is OK. But when the connection between the two MikroTiks is established, PC1 has difficulty connecting to the internet. The connection to www.google.com is made quickly, but when I try to connect to other sites like www.microsoft.com or anything else, nothing happens (the browser tries to reach the site and keeps waiting...).

2. After changing the default gateway on PC1 from 192.168.10.1 to 192.168.10.2, everything works like a charm, but all traffic between PC1 and the internet goes through the VPN connection and my office MikroTik MTK2.



Questions:
----------------------------
1. Why can I access only the Google site from the main building PC1 and cannot access other sites?
2. The connection to the internet is made successfully when I change the gateway from the local MTK1 to the remote MTK2, which is at address 192.168.10.2
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: EoIP VPN conclusions and questions

Sun Jul 30, 2017 2:17 pm

You have same lan addressing on MK1 and MK2.

Best approach here would be changing MK2 LAN ip address range to e.g. 192.168.20.0/24.

What you have done is basically plugging two separate LANs (MK1: 192.168.10.0/24 and MK2: 192.168.10.0/24) into a "switch", duplicating IP addresses.

If MK2 is using DHCP to provision IPs to the LAN, then this can be fixed by reconfiguring MK2 w/o having to go to computers to change the ip.
 
dakinet
just joined
Topic Author
Posts: 7
Joined: Thu Jul 27, 2017 10:28 am

Re: EoIP VPN conclusions and questions

Sun Jul 30, 2017 4:35 pm

Quote:
You have same lan addressing on MK1 and MK2.
Best approach here would be changing MK2 LAN ip address range to e.g. 192.168.20.0/24.

I need the same subnet on both MK LAN sides, because the access controllers are on the MT1 side and the access controller management software is on the MT2 side.

Quote:
What you have done is basically plugging two separate LANs (MK1: 192.168.10.0/24 and MK2: 192.168.10.0/24) into a "switch", duplicating IP addresses.

All IP addresses on the LAN network on the MK1 side (main building) are chosen manually; there are four devices:
[PC1:192.168.10.10; Access Controller1:192.168.10.22; Access Controller2:192.168.10.202; Digital Video Recorder:192.168.10.100]

On the MK2 LAN side there is only one PC2 with address 192.168.10.11; there are no duplicated IPs.


Quote:
If MK2 is using DHCP to provision IPs to the LAN, then this can be fixed by reconfiguring MK2 w/o having to go to computers to change the ip.

Do I need DHCP if I'm using static IP addresses on both sides?
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: EoIP VPN conclusions and questions

Mon Jul 31, 2017 9:53 am

Quote:
I need the same subnet on both MK LAN sides, because the access controllers are on the MT1 side and the access controller management software is on the MT2 side.

Then why the tunnel?

You could:

Use different subnet for the MT2 side LAN, say 192.168.20.1/16 for the gw, 192.168.20.10/16 for PC2. MT1 side only needs to change the netmask: 192.168.10.1/16, 192.168.10.10/16, and so on (255.255.0.0).

This way you overcome the "same subnet" limitation.

You'll need to add a route on MT1 towards 192.168.20.0/24 via the remote PPTP end IP, and vice versa, a route on MT2 towards 192.168.10.0/24 via the MT1 end of the PPTP tunnel IP.

This way routing is easier to setup across both networks and is also easier to control internet (default route) and remote VPN (remote LAN specific routes) traffic separately.

Then bridge the EoIP tunnel on MT2 to the ether port where PC2 is connected. Are you sure that, in addition to the same subnet, it needs Layer 2 to communicate with the controllers?

I would consider using L2TP/IPSec as simple L2 tunnel, better security and overhead than PPTP + EoIP.

Quote:
Do I need DHCP if I'm using static IP addresses on both sides?

No, not needed at all; I just asked because it is better practice, from a management standpoint, to use DHCP + static leases, so that you control addressing from a single central point: better than having to go device by device, possibly physically, to manually change their IP addresses. It allows for an address range change remotely too...
