jan11cz
just joined
Topic Author
Posts: 10
Joined: Mon Nov 26, 2012 6:12 pm

ISP and VPN IP conflict

Sat Aug 06, 2022 3:01 pm

Hi, I have a new ISP and have now started noticing VPN issues. I use RouterOS 7.
The IP address the PPPoE interface gets from my DSL connection is 10.0.12.2.
Then I tried IPSec and PPTP VPN connections, but I noticed the interfaces also get the 10.0.12.2 IP address.

I tried from another location with another ISP, so the IP from ISP is not 10.0.12.2, but the VPN still gets 10.0.12.2, so it's something set on the VPN and my ISP side, I suppose.
Could this be the reason why part of my IPSec traffic is no longer routed through the IPSec tunnel, and PPTP routing doesn't work at all?
The strange thing with IPSec is that for example "what is my IP" shows correctly the IP of the VPN location but other connections made by a device on the network seem to bypass the IPSec tunnel...
Would perhaps VRF help with this?
Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: ISP and VPN IP conflict

Sat Aug 06, 2022 4:21 pm

Leaving aside that your ISP has apparently never heard of RFC 6598 on "shared address space", as you can't change that anyway, what kind of VPN are you talking about? Is it some 3rd party VPN provider that assigns you 10.0.12.2 by coincidence, i.e. even if you connect to that VPN from that other location you've mentioned, or is it your own VPN?

Regarding "other connections made by a device on the network" - does it mean that the whatismyip test is done from the same device as the one using those "other connections"? Somehow the structure of the information seems too chaotic for me to understand clearly what you are experiencing.

VRF could only help under specific circumstances.
 
jan11cz
just joined
Topic Author
Posts: 10
Joined: Mon Nov 26, 2012 6:12 pm

Re: ISP and VPN IP conflict

Sat Aug 06, 2022 4:42 pm

It's a 3rd party VPN and 10.0.12.2 is fixed (for both PPTP and IPSec); if I try to change it in the policy, the VPN doesn't work at all.
It only works when I use OpenVPN on a Raspberry. Then the VPN gets a different IP than 10.0.12.2 and all devices forward their complete traffic to the VPN. I'm not able to get an OpenVPN connection working from the Mikrotik yet... but that's what I'm trying now.

As for the "other devices", it's a TV set-top box so there's no way to check "what's my IP". But when I connect a PC to the same cable, I can see it's the VPN. But when I connect the set-top box, I then see in Torch on WAN interface that the TCP requests from the set-top box go to WAN's 10.0.12.2, so apparently not using the VPN.

The same set-top box connected to Raspberry Pi (used as OpenVPN VPN gateway) sends everything to the VPN tunnel (I suppose - because the VOD downloads on the STB work).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: ISP and VPN IP conflict

Sat Aug 06, 2022 5:02 pm

That's somehow too many issues at a time. If the PC is in the same LAN subnet as the STB, both should behave the same, but there are caveats - "same cable" doesn't necessarily mean they get an address from the same subnet, as there may be VLANs, or there may be match rules that do match on the address your DHCP server assigns to the PC but not on the address it assigns to your STB.

Regarding OpenVPN on Mikrotik, it keeps having some limitations even in RouterOS 7.

As for torch - as the "tx" and "rx" may be confusing, and as /tool sniffer and /tool torch show the payload packets after they get decrypted from the received transport ones, it may be a false alert. /tool sniffer is much clearer in this regard, as it shows the source addresses and destination addresses for every packet.

Post the configuration export, obfuscate the serial number and usernames/e-mail addresses etc. before posting.
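
An added example, not part of the original post and not MikroTik's own tooling: one way to scrub an export before posting it, as the advice above asks. The sample export is constructed, and the list of sensitive keys, the menus where `name=` is treated as an account name, and the `user-N` placeholders are assumptions of this example.

```python
import re

# Constructed sample in the shape of a RouterOS "/export"; not from the thread.
SAMPLE_EXPORT = '''\
# aug/06/2022 16:50:00 by RouterOS 7.4
# software id = ABCD-1234
# serial number = 0123456789AB
/interface pppoe-client
add interface=ether1 name=pppoe-out1 user=jan@isp.example password=hunter2
/ip ipsec identity
add auth-method=eap peer=vpn username=vpnuser42 password="s3cr et"
/ppp secret
add name=jan@isp.example service=pptp password=abc
/tool e-mail
set from=router@home.example
'''

VALUE = r'("(?:[^"\\]|\\.)*"|\S+)'             # quoted or bare value
SECRET = re.compile(
    r'(?<![\w-])([\w-]*(?:password|secret|pre-shared-key|private-key))=' + VALUE)
IDENT = re.compile(r'(?<![\w-])(user|username)=' + VALUE)
NAME = re.compile(r'(?<![\w-])(name)=' + VALUE)
HEADER = re.compile(r'^(# (?:serial number|software id) = ).*$')
EMAIL = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
ACCOUNT_MENUS = ('/ppp secret', '/user')        # assumed: name= is an account here

def redact_export(text):
    aliases = {}                                # same identity -> same placeholder
    def alias(m):
        raw = m.group(2).strip('"')
        placeholder = aliases.setdefault(raw, 'user-%d' % (len(aliases) + 1))
        return m.group(1) + '=' + placeholder
    out, menu = [], ''
    for line in text.splitlines():
        if line.startswith('/'):                # menu path line, e.g. "/ppp secret"
            menu = line.strip()
        line = HEADER.sub(r'\1REDACTED', line)  # serial number / software id
        line = SECRET.sub(r'\1=REDACTED', line) # passwords and keys
        line = IDENT.sub(alias, line)           # user= / username=
        if menu.startswith(ACCOUNT_MENUS):
            line = NAME.sub(alias, line)        # account names stored as name=
        line = EMAIL.sub('redacted@example.invalid', line)
        out.append(line)
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(redact_export(SAMPLE_EXPORT))
```

Because the same account always maps to the same `user-N`, readers of the export can still see that the PPPoE client and the PPP secret refer to one identity. Read the result through by eye before posting, since comments and free-text fields can carry identifying details no pattern list will catch.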
 
jan11cz
just joined
Topic Author
Posts: 10
Joined: Mon Nov 26, 2012 6:12 pm

Re: ISP and VPN IP conflict

Sun Aug 07, 2022 11:40 am

Problem solved.

The IP 10.0.12.2 is VPN's only, nothing to do with the ISP. But it was confusing to see this IP assigned to PPPoE interface even when IPSec tunnel was disabled and even twice if I changed IPSec server IP. I'm not sure if I overlooked it before but after reboot, the PPPoE interface only had the correct IP (my public IP) and 10.0.12.2 only appeared after enabling IPSec.

So the traffic is going through the VPN correctly. But the problem in the end was the MTU size. Some stuff loaded fine (like websites on the PC) but the VOD DRM gateway on the set-top box didn't connect, so it failed. Unfortunately the error message for geo-blocked access is the same as when there's a broken connection, so that confused me and I thought the STB was bypassing the VPN tunnel...
