bojesiewody
just joined
Topic Author
Posts: 1
Joined: Sun Apr 19, 2020 9:51 am

Problem with VPN bridge lost connection  [SOLVED]

Sun Jul 24, 2022 3:44 pm

Hi,
Sorry if the issue I'm bringing up is trivial, but I've been struggling with it for the past week with no solution so far (I'm not as fluent in MikroTik as I'd like to be). I've lost all hope.

Quick background on how my network looks:
(Attachment: network diagram, "Screenshot 2022-07-24 at 14-25-27 Untitled Visual Paradigm Online.png")
I've divided it into three isolated networks: the main network, a devices network for all the AliExpress stuff I trust a little less (urzadzenia, Polish for "devices"), and a VPN network for devices I want to connect only via a VPN connection (currently a somewhat outdated hide.me SSTP). The VPN connection doesn't have to be ultra-fast or secure; it's mainly to keep the destination server unaware of my current IP.
I'd be more than happy to go for WireGuard or OpenVPN/IKEv2 with my current free ProtonVPN plan; I've even tried that a few times, with exactly the same outcome: no web access for the VPN bridge.
It worked well for a couple of years and survived the migration to 7.x successfully, but it stopped working after one of the latest RouterOS updates. I have a similar setup in a different location that wasn't updated to the latest version (it is 7.x, though) and that is running just fine.

The main network (192.168.88.x) is running just fine. The VPN (192.168.2.x) is giving me a headache. I am able to ping 1.1.1.1, and even traceroute to it, but no other connection gets through. Yet whenever I open a web browser and type any address, I see signs of life on the SSTP traffic monitor.

My config:
/interface bridge add admin-mac=B8:69:F4:18:98:82 auto-mac=no name=bridge_lan
/interface bridge add name=bridge_urzadzenia
/interface bridge add name=bridge_vpn
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=wifi_sec supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=wifi_urzadzenia supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=wifi_vpn supplicant-identity=""
/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX country=poland disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan_2.4 security-profile=wifi_sec ssid=NieMamyWiFi_2.4 wps-mode=disabled
/interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=poland disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan_5 security-profile=wifi_sec skip-dfs-channels=all ssid=NieMamyWifi_5 wps-mode=disabled
/interface wireless add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=BA:69:F4:18:98:86 master-interface=wlan_2.4 multicast-buffering=disabled name=wlan_urzadzenia security-profile=wifi_urzadzenia ssid=NieMamyWifi_urzadzenia wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:18:98:87 master-interface=wlan_2.4 multicast-buffering=disabled name=wlan_vpn security-profile=wifi_vpn ssid=NieMamyWiFi_vpn wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=pool_urzadzenia ranges=192.168.87.10-192.168.87.254
/ip pool add name=pool_vpn ranges=192.168.2.10-192.168.2.254
/ip dhcp-server add address-pool=default-dhcp interface=bridge_lan name=defconf
/ip dhcp-server add address-pool=pool_urzadzenia interface=bridge_urzadzenia name=server_urzadzenia
/ip dhcp-server add address-pool=pool_vpn interface=bridge_vpn name=servervpn
/interface sstp-client add authentication=mschap2 connect-to=free-nl.hideservers.net disabled=no name="hide.me SSTP" profile=default-encryption tls-version=only-1.2 user=bojesiewody
/routing table add disabled=no fib name=SSTP
/interface bridge port add bridge=bridge_lan comment=defconf interface=ether2
/interface bridge port add bridge=bridge_lan comment=defconf interface=ether3
/interface bridge port add bridge=bridge_lan comment=defconf interface=ether4
/interface bridge port add bridge=bridge_vpn comment=defconf interface=ether5
/interface bridge port add bridge=bridge_lan comment=defconf interface=wlan_2.4
/interface bridge port add bridge=bridge_lan comment=defconf interface=wlan_5
/interface bridge port add bridge=bridge_vpn interface=wlan_vpn
/interface bridge port add bridge=bridge_urzadzenia interface=wlan_urzadzenia
/ip neighbor discovery-settings set discover-interface-list=LAN
/ipv6 settings set disable-ipv6=yes forward=no
/interface list member add comment=defconf interface=bridge_lan list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/ip address add address=192.168.88.1/24 interface=bridge_lan network=192.168.88.0
/ip address add address=192.168.87.1/24 interface=bridge_urzadzenia network=192.168.87.0
/ip address add address=192.168.2.1/24 interface=bridge_vpn network=192.168.2.0
/ip dhcp-client add comment=defconf interface=ether1
/ip dhcp-server network add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
/ip dhcp-server network add address=192.168.87.0/24 dns-server=192.168.87.1 gateway=192.168.87.1
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
# Firewall filter. The forward chain ends in an explicit drop; the input chain has no terminal drop, so anything not matched below is accepted (RouterOS default).
/ip firewall filter add action=accept chain=forward connection-state=established,related
# WinBox (tcp/8291) accepted with no in-interface or src-address match, i.e. from every interface, WAN (ether1) included
/ip firewall filter add action=accept chain=input dst-port=8291 protocol=tcp
# Per-bridge egress: urzadzenia and lan go out ether1, the VPN bridge only via the SSTP tunnel
/ip firewall filter add action=accept chain=forward in-interface=bridge_urzadzenia out-interface=ether1 src-address=192.168.87.0/24
/ip firewall filter add action=accept chain=forward in-interface=bridge_vpn out-interface="hide.me SSTP" src-address=192.168.2.0/24
/ip firewall filter add action=accept chain=forward in-interface=bridge_lan out-interface=ether1 src-address=192.168.88.0/24
/ip firewall filter add action=accept chain=forward connection-nat-state=dstnat
/ip firewall filter add action=drop chain=forward
/ip firewall filter add action=accept chain=output
/ip firewall filter add action=accept chain=input connection-state=established,related
/ip firewall filter add action=accept chain=input icmp-options=8:0 protocol=icmp
/ip firewall filter add action=accept chain=input icmp-options=3:4 protocol=icmp
# Router DNS (udp/53) and WinBox (tcp/8291) accepted per bridge, scoped by in-interface and source subnet
/ip firewall filter add action=accept chain=input connection-state=new dst-address=192.168.88.1 dst-port=53 in-interface=bridge_lan protocol=udp src-address=192.168.88.0/24
/ip firewall filter add action=accept chain=input connection-state=new dst-address=192.168.87.1 dst-port=53 in-interface=bridge_urzadzenia protocol=udp src-address=192.168.87.0/24
/ip firewall filter add action=accept chain=input connection-state=new dst-address=192.168.2.1 dst-port=53 in-interface=bridge_vpn protocol=udp src-address=192.168.2.0/24
/ip firewall filter add action=accept chain=input connection-state=new dst-address=192.168.88.1 dst-port=8291 in-interface=bridge_lan protocol=tcp src-address=192.168.88.0/24
/ip firewall filter add action=accept chain=input connection-state=new dst-address=192.168.87.1 dst-port=8291 in-interface=bridge_urzadzenia protocol=tcp src-address=192.168.87.0/24
/ip firewall filter add action=accept chain=input connection-state=new dst-address=192.168.2.1 dst-port=8291 in-interface=bridge_vpn protocol=tcp src-address=192.168.2.0/24
# Policy routing: everything sourced from the VPN subnet gets routing mark SSTP and follows the default route in table SSTP via the tunnel
/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=SSTP passthrough=yes src-address=192.168.2.0/24
# Source NAT per subnet: VPN subnet behind the tunnel address, the other two behind ether1
/ip firewall nat add action=masquerade chain=srcnat out-interface="hide.me SSTP" src-address=192.168.2.0/24
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.88.0/24
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.87.0/24
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="hide.me SSTP" pref-src=0.0.0.0 routing-table=SSTP scope=10 suppress-hw-offload=no target-scope=10
/system clock set time-zone-name=Europe/Warsaw
/system ntp client set enabled=yes
/system ntp client servers add address=ntp.task.gda.pl
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
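The export above is the kind of thing you want to sanity-check mechanically before chasing a routing problem. Below is an added example (not code from the poster, the thread or MikroTik): a small Python linter that tokenizes RouterOS `/path add|set key=value` export lines and runs three checks the posted config invites: a firewall chain without a terminal drop, an input accept for a service port with no interface or source restriction, and a mangle routing mark with no matching routing table or route. `SAMPLE` is a constructed excerpt of the poster's export; `HARDENED` is the same excerpt with the WinBox rule limited to `in-interface-list=LAN` and an input drop appended. That hardening is this example's suggestion, not something the thread states, and the `LAN` list name is assumed from the `defconf` interface lists in the export.

```python
"""Minimal RouterOS export linter (added example; not the poster's or MikroTik's code).

Parses `/path add|set key=value ...` export lines and checks for:
  - an input or forward chain whose last rule is not drop/reject,
  - an input accept for a dst-port with no in-interface / src-address scope,
  - a mangle routing mark without a /routing table entry or a route in that table.
SAMPLE is a constructed excerpt of the posted export; HARDENED adds the fixes
suggested in the lead-in (assumption: an interface list named LAN exists).
"""
import shlex
from collections import defaultdict

VERBS = {"add", "set", "remove", "enable", "disable"}
SCOPE_KEYS = {"in-interface", "in-interface-list", "src-address", "src-address-list"}

SAMPLE = """\
/interface sstp-client add authentication=mschap2 connect-to=free-nl.hideservers.net disabled=no name="hide.me SSTP" profile=default-encryption tls-version=only-1.2 user=bojesiewody
/routing table add disabled=no fib name=SSTP
/ip firewall filter add action=accept chain=forward connection-state=established,related
/ip firewall filter add action=accept chain=input dst-port=8291 protocol=tcp
/ip firewall filter add action=accept chain=forward in-interface=bridge_vpn out-interface="hide.me SSTP" src-address=192.168.2.0/24
/ip firewall filter add action=drop chain=forward
/ip firewall filter add action=accept chain=output
/ip firewall filter add action=accept chain=input connection-state=established,related
/ip firewall filter add action=accept chain=input connection-state=new dst-address=192.168.2.1 dst-port=53 in-interface=bridge_vpn protocol=udp src-address=192.168.2.0/24
/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=SSTP passthrough=yes src-address=192.168.2.0/24
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="hide.me SSTP" routing-table=SSTP
"""
WINBOX_OPEN = "/ip firewall filter add action=accept chain=input dst-port=8291 protocol=tcp"
# Constructed hardening: scope WinBox to the LAN list and finish the input chain with a drop.
HARDENED = SAMPLE.replace(WINBOX_OPEN, WINBOX_OPEN + " in-interface-list=LAN") + \
    '/ip firewall filter add action=drop chain=input comment="drop everything else"\n'


def parse_export(text):
    """Return a list of (path, verb, params) per export line, e.g. ("/ip route", "add", {...})."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("/"):
            continue
        tokens = shlex.split(line)  # keeps quoted values such as "hide.me SSTP" as one token
        path, params, verb, depth = [], {}, None, 0
        for tok in tokens:
            if verb is None:  # everything before the verb is the menu path
                if tok in VERBS:
                    verb = tok
                else:
                    path.append(tok)
                continue
            if tok == "[":  # skip `[ find ... ]` selectors on set lines
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:
                key, _, value = tok.partition("=")
                params[key] = value  # bare flags like `fib` carry no '=' and are ignored
        if verb:
            rules.append((" ".join(path), verb, params))
    return rules


def lint(rules):
    """Return a list of human-readable findings (empty list means all checks passed)."""
    findings = []
    chains = defaultdict(list)
    for path, verb, p in rules:
        if path == "/ip firewall filter" and verb == "add":
            chains[p.get("chain")].append(p)  # export order is rule order
    for chain in ("input", "forward"):
        if chains[chain] and chains[chain][-1].get("action") not in ("drop", "reject"):
            findings.append(f"chain {chain}: last rule action is "
                            f"{chains[chain][-1].get('action')}, no terminal drop (RouterOS default is accept)")
    for p in chains["input"]:
        if p.get("action") == "accept" and "dst-port" in p and not (p.keys() & SCOPE_KEYS):
            findings.append(f"input: {p.get('protocol')}/{p['dst-port']} accepted from any interface, WAN included")
    tables = {p.get("name") for path, verb, p in rules if path == "/routing table"}
    routed = {p.get("routing-table", "main") for path, verb, p in rules if path == "/ip route"}
    for path, verb, p in rules:
        if path == "/ip firewall mangle" and "new-routing-mark" in p:
            mark = p["new-routing-mark"]
            if mark not in tables:
                findings.append(f"mangle: routing mark {mark} has no /routing table entry")
            if mark not in routed:
                findings.append(f"mangle: routing mark {mark} has no route in table {mark}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE), ("hardened", HARDENED)):
        print(label, lint(parse_export(text)) or ["no findings"])
```

On the posted excerpt the linter reports two findings (the input chain without a terminal drop and the unscoped tcp/8291 accept) and confirms the policy-routing plumbing is consistent: the `SSTP` mark has both a `/routing table` entry and a default route in that table. On the hardened excerpt it reports nothing. Feeding it a full `/export` works the same way, since the tokenizer skips `[ find ... ]` selectors and bare flags.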
