razenxd
just joined
Topic Author
Posts: 4
Joined: Tue Aug 13, 2019 3:21 am

Help with SSTP configuration and local network ping.

Thu May 26, 2022 4:25 pm

Hello and forgive my ignorance.
I'm pretty sure that the thing my boss is trying to achieve is a no go but figured out that it wouldn't hurt to ask here.
[Image: network diagram of the two sites]

Here you can see a basic diagram of what I'm trying to achieve (everything you see on the diagram are the local addresses).
The SSTP VPN is up and running and I can ping from 192.168.88.254 to 192.168.1.250 (ISP 1) and to 192.168.89.145 and vice versa.
I can ping from 192.168.89.145 to 192.168.1.30 (ISP 2) and to 192.168.88.254.

My boss would like to ping the ISP 1 devices while connected to the VPN client and vice versa.
I told him that with my knowledge it's not possible and the local subnet for one ISP should be different.
He keeps insisting that a simple firewall rule will do the trick.
Any ideas would be appreciated.
Thanks

Edit : Could I perhaps make a firewall rule to mikrotik client so any traffic towards 192.168.1.0/24 be routed to mikrotik server?
So 192.168.89.0/24 could ping 192.168.1.0/24 but only on Server side?
Last edited by razenxd on Thu May 26, 2022 5:06 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with SSTP configuration and local network ping.

Thu May 26, 2022 4:33 pm

Yes, it seems rather dumb (although my experience is limited) to have the same subnets behind the ISP router on both ends. Furthermore, he then wants clients on one device to connect to the far-end ISP subnet and possibly the ISP devices on the local subnet at the same time... both having the same IP addresses makes for a shit show.

The Mikrotiks, are they in router mode or simply AP/switch?
 
razenxd
just joined
Topic Author
Posts: 4
Joined: Tue Aug 13, 2019 3:21 am

Re: Help with SSTP configuration and local network ping.

Thu May 26, 2022 4:37 pm

> Yes, it seems rather dumb (although my experience is limited) to have the same subnets behind the ISP router on both ends. Furthermore, he then wants clients on one device to connect to the far-end ISP subnet and possibly the ISP devices on the local subnet at the same time... both having the same IP addresses makes for a shit show.
>
> The Mikrotiks, are they in router mode or simply AP/switch?

Yeah, it seems dumb to me too. But who am I to judge the almighty boss, huh, who is btw a "network specialist" while I'm a mere web developer.
The Mikrotiks are simply AP/switch; they are both hAP ac2.

Could I perhaps make a firewall rule to mikrotik client so any traffic towards 192.168.1.0/24 be routed to mikrotik server?
So 192.168.89.0/24 could ping 192.168.1.0/24 but only on Server side?
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with SSTP configuration and local network ping.

Thu May 26, 2022 5:12 pm

So to be clear the Boss wants the ability for
a. local clients on 88.X (under MT1) to be able to ping ISP2 local clients
b. local clients on 89.X (under MT2) to be able to ping ISP1 local clients

Can you post both configs of MT1 and MT2.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Help with SSTP configuration and local network ping.

Thu May 26, 2022 5:14 pm

> My boss would like to ping the ISP 1 devices while connected to the VPN client and vice versa.
> I told him that with my knowledge it's not possible and the local subnet for one ISP should be different.
> He keeps insisting that a simple firewall rule will do the trick.

The issue is that each mikrotik has a directly connected route to 192.168.1.0/24 and will use ARP to resolve any addresses within that subnet.

There are a couple of options:
Use netmap to do a 1:1 mapping to a different /24 and static routes, you access the devices at the other side using these addresses.
If there are a small number of devices with static addresses which do not overlap you can add individual /32 static routes. From your diagram on mikrotik 1 a static route for 192.168.1.30/32 via the SSTP address on mikrotik 2, and on mikrotik 2 a static route for 192.168.1.250 via the SSTP address on mikrotik 1.
 
razenxd
just joined
Topic Author
Posts: 4
Joined: Tue Aug 13, 2019 3:21 am

Re: Help with SSTP configuration and local network ping.

Thu May 26, 2022 5:33 pm

> So to be clear the Boss wants the ability for
> a. local clients on 88.X (under MT1) to be able to ping ISP2 local clients
> b. local clients on 89.X (under MT2) to be able to ping ISP1 local clients
>
> Can you post both configs of MT1 and MT2.

That's true.
But option a. only would be enough.
He doesn't care much to access devices connected to ISP 2 from the server side but he wants to access devices connected to ISP while he is connected to client mikrotik.

Here are the configs.
Server config
# may/26/2022 17:20:40 by RouterOS 7.2.3
# software id = 7DN2-160L
#
# model = RBD52G-5HacD2HnD
# serial number = E5780FD83A89
/interface bridge
add arp=proxy-arp name=bridge-lan
add name=bridge-wan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-isp
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-lan name=dhcp1
/interface bridge port
add bridge=bridge-wan interface=ether1-isp
add bridge=bridge-wan interface=ether2
add bridge=bridge-wan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=wlan1
add bridge=bridge-lan interface=wlan2
/interface sstp-server server
set authentication=mschap2 certificate=Server enabled=yes port=9443
/ip address
add address=192.168.88.1/24 interface=bridge-lan network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=bridge-wan
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-wan
add action=masquerade chain=srcnat src-address=10.10.10.2
add action=masquerade chain=srcnat src-address=10.10.10.1
/ip route
add disabled=no dst-address=192.168.89.0/24 gateway=10.2.2.2 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ssh disabled=yes
/ppp secret
add local-address=10.2.2.1 name=name remote-address=10.2.2.2 service=sstp
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=VpnServer
Client
# may/26/2022 17:18:02 by RouterOS 7.2.3
# software id = TGZY-64AJ
#
# model = RBD52G-5HacD2HnD
# serial number = E5780FF93182
/interface bridge
add name=bridge_lan
add name=bridge_wan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-isp
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTikC
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge_lan name=dhcp1
/interface sstp-client
add authentication=mschap2 connect-to=random.sn.mynetname.net:9443 \
    disabled=no http-proxy=0.0.0.0:9443 name=sstp-out1 pfs=yes profile=\
    default-encryption user=verify-server-address-from-certificate=\
    no
/interface bridge port
add bridge=bridge_wan interface=ether1-isp
add bridge=bridge_wan interface=ether2
add bridge=bridge_wan interface=ether3
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
add bridge=bridge_lan interface=wlan1
add bridge=bridge_lan interface=wlan2
/ip address
add address=192.168.89.1/24 interface=bridge_lan network=192.168.89.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=bridge_wan
/ip dhcp-server network
add address=192.168.89.0/24 gateway=192.168.89.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_wan
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=10.2.2.1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=Client
> The issue is that each mikrotik has a directly connected route to 192.168.1.0/24 and will use ARP to resolve any addresses within that subnet.
>
> There are a couple of options:
> Use netmap to do a 1:1 mapping to a different /24 and static routes, you access the devices at the other side using these addresses.
> If there are a small number of devices with static addresses which do not overlap you can add individual /32 static routes. From your diagram on mikrotik 1 a static route for 192.168.1.30/32 via the SSTP address on mikrotik 2, and on mikrotik 2 a static route for 192.168.1.250 via the SSTP address on mikrotik 1.

I have already set addresses for the SSTP, 10.2.2.1 and 10.2.2.2 for each end (configs are pasted before the quote). Can I use netmap on them or do I have to reconfigure?
I'm sorry, not sure if my basic knowledge allows me to understand what you are saying, and probably I got it wrong.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Help with SSTP configuration and local network ping.

Fri May 27, 2022 3:32 pm

Changes along the lines of:

...
/interface bridge
add arp=proxy-arp name=bridge-lan # proxy ARP is not required
...
/interface sstp-server
add name=sstp-in1 user=name
# name should match the PPP secret username
...
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-wan
add action=masquerade chain=srcnat src-address=10.10.10.2 #no idea what this is for
add action=masquerade chain=srcnat src-address=10.10.10.1 #no idea what this is for
add action=netmap chain=dstnat dst-address=192.168.101.0/24 to-addresses=192.168.1.0/24
add action=netmap chain=srcnat out-interface=sstp-in1 src-address=192.168.1.0/24 to-addresses=192.168.101.0/24

/ip route
add disabled=no dst-address=192.168.89.0/24 gateway=10.2.2.2 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.102.0/24 gateway=10.2.2.2 routing-table=main suppress-hw-offload=no
...

and

...
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_wan
add action=netmap chain=dstnat dst-address=192.168.102.0/24 to-addresses=192.168.1.0/24
add action=netmap chain=srcnat out-interface=sstp-out1 src-address=192.168.1.0/24 to-addresses=192.168.102.0/24

/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=10.2.2.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.101.0/24 gateway=10.2.2.1 routing-table=main suppress-hw-offload=no
...

From 192.168.88.254 you can reach 192.168.1.30 at site 2 using the address 192.168.102.30; similarly, from 192.168.89.145 you can reach 192.168.1.250 at site 1 using 192.168.101.250.
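As an added illustration (my own script, not tdw's config and not anything RouterOS ships), here is a small Python model of the two routing tables and netmap rules suggested above, also covering tdw's earlier point about the directly connected 192.168.1.0/24 route. The "site1"/"site2" labels, the interface names used as "delivered locally" markers and the simplified dstnat-before-routing model are assumptions; it traces where a packet's destination ends up and shows why a plain 192.168.1.30 destination never leaves site 1 while 192.168.102.30 does.

```python
import ipaddress

# Constructed model of the two hAP ac2 routers after tdw's changes.
# "routes" is (prefix, next hop); a next hop that is not another router name
# means "directly connected: resolve by ARP on this bridge", as tdw explains.
ROUTERS = {
    "site1": {  # MT1 / VpnServer, SSTP address 10.2.2.1
        "dstnat": ("192.168.101.0/24", "192.168.1.0/24"),
        "routes": [("192.168.1.0/24", "bridge-wan"), ("192.168.88.0/24", "bridge-lan"),
                   ("192.168.89.0/24", "site2"), ("192.168.102.0/24", "site2")],
    },
    "site2": {  # MT2 / Client, SSTP address 10.2.2.2
        "dstnat": ("192.168.102.0/24", "192.168.1.0/24"),
        "routes": [("192.168.1.0/24", "bridge_wan"), ("192.168.89.0/24", "bridge_lan"),
                   ("192.168.88.0/24", "site1"), ("192.168.101.0/24", "site1")],
    },
}

def netmap(addr, from_net, to_net):
    """action=netmap style 1:1 mapping: keep the host bits, swap the /24 prefix."""
    a = ipaddress.ip_address(addr)
    f, t = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if a not in f:
        return str(a)                      # rule does not match, address untouched
    return str(t.network_address + (int(a) - int(f.network_address)))

def route(router, dst):
    """Longest-prefix match over the router's main table; returns the next hop."""
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh)
               for p, nh in ROUTERS[router]["routes"] if d in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(start, dst):
    """Follow a packet hop by hop; dstnat is applied before the routing decision."""
    hops, router = [], start
    while True:
        dst = netmap(dst, *ROUTERS[router]["dstnat"])
        nh = route(router, dst)
        hops.append((router, dst, nh))
        if nh not in ROUTERS:              # landed on a local bridge, delivered via ARP
            return hops
        router = nh

if __name__ == "__main__":
    for target in ("192.168.1.30", "192.168.102.30"):   # from the site-1 LAN
        print(target, "->", trace("site1", target))
```

The first trace ends on site 1's own bridge-wan (the connected route wins, so the ping goes to ISP 1's LAN), the second crosses the tunnel and is delivered to 192.168.1.30 at site 2.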
