 
thomassocz
just joined
Topic Author
Posts: 7
Joined: Sat Sep 17, 2022 1:55 pm

Can connect to SSTP VPN but can't interact with Windows Server

Sat Sep 17, 2022 2:04 pm

Hi all,

we use a single server (Windows Server 2019 Essentials) in our micro-sized business. The server's roles are Domain Controller, DNS, DHCP and some others.

We also have a MikroTik router. This is our only router and is connected to the internet directly - it's the main gateway to our network and functions also as a firewall.

I managed to configure an SSTP server on the router and I am able to connect to it from a distant network using a Win 10 client.

I can ping the server's IP address. But I can't do anything else...
  • Can't ping the server hostname
  • Can't access shared files
  • Can't do anything else on the server, basically just ping its IP
Needless to say, this all works when I'm connected directly to the network.

The server handles the DHCP, however when I configured the SSTP on MikroTik, I had to assign some IP Pool to VPN clients. As I am fairly new to MikroTik, I'm not sure if I did everything correctly here. The Windows Server DHCP assigns range 192.168.100.100-192.168.100.254 and I configured the VPN Pool on Mikrotik to 192.168.101.100-192.168.101.254.

I also have several bridges on the router, one of which is my company network. I made sure to assign this bridge to the VPN connection.

I tried to turn off Windows Firewall on the server, but that didn't do anything.

I would appreciate any tips about why this might be happening.

Thanks a lot.
Tomas
 
tdw
Forum Guru
Posts: 1470
Joined: Sat May 05, 2018 11:55 am

Re: Can connect to SSTP VPN but can't interact with Windows Server

Sun Sep 18, 2022 4:43 am

Without seeing the configuration it is impossible to say what is wrong; post the output of /export hide-sensitive after redacting any other information such as public IP addresses. From the symptoms, most likely firewall rules or VPN DNS settings.
Using multiple bridges is generally not optimal, as hardware offload is only supported on one bridge on most MikroTiks. SSTP is an IP VPN, so bridges are not relevant to the setup unless attempting to use the PPP BCP functionality.
 
thomassocz
just joined
Topic Author
Posts: 7
Joined: Sat Sep 17, 2022 1:55 pm

Re: Can connect to SSTP VPN but can't interact with Windows Server

Mon Sep 19, 2022 11:15 am

Hi, thanks for your reply.

As for now, I'm using the public IP address, not DNS name, so that shouldn't be the issue. I plan on adding the "A" record to our public DNS after I make it work with IP.

Here is the requested information:
# sep/19/2022 10:07:01 by RouterOS 6.49.6
# software id = 6D4F-G8NH
#
# model = RB3011UiAS
# serial number = HCV085R40Q0
/interface bridge
add admin-mac=18:FD:74:5C:40:3D auto-mac=no comment=defconf name=bridge-datel
add name=bridge-home
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security-datel
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man datapath
add bridge=bridge-datel interface-list=LAN name=datapath-datel
/caps-man configuration
add country="czech republic" datapath=datapath-datel hide-ssid=no installation=\
    indoor mode=ap name=CAPs security=security-datel \
    security.authentication-types=wpa2-psk security.encryption=aes-ccm ssid=\
    DatelInternalWifi
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile-datel \
    supplicant-identity=""
/ip pool
add name=vpn_pool ranges=192.168.101.100-192.168.101.254
/ppp profile
add bridge=bridge-datel local-address=192.168.100.1 name=profile-sstp \
    remote-address=vpn_pool
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=CAPs
/interface bridge port
add bridge=bridge-datel comment=defconf interface=ether2
add bridge=bridge-datel comment=defconf interface=ether3
add bridge=bridge-datel comment=defconf interface=ether4
add bridge=bridge-datel comment=defconf interface=ether5
add bridge=bridge-home comment=defconf interface=ether6
add bridge=bridge-home comment=defconf interface=ether7
add bridge=bridge-home comment=defconf interface=ether8
add bridge=bridge-home comment=defconf interface=ether9
add bridge=bridge-home comment=defconf interface=ether10
add bridge=bridge-home comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-datel list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=Server enabled=yes force-aes=yes pfs=yes
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge-datel network=\
    192.168.100.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" list=Bogons
/ip firewall filter
add action=drop chain=forward comment="Disable Internet Remote Desktop" \
    dst-port=3389 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=443 protocol=tcp
add action=accept chain=forward comment="Allow Always On VPN Connections" \
    dst-port=500,4500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    Bogons
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip service
set telnet disabled=yes port=2301
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.100.0/24 port=2201
set api disabled=yes
set winbox address=192.168.100.0/24
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=DatelRouterBoard
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks a lot.

Tomas
 
thomassocz
just joined
Topic Author
Posts: 7
Joined: Sat Sep 17, 2022 1:55 pm

Re: Can connect to SSTP VPN but can't interact with Windows Server

Wed Sep 21, 2022 11:00 am

Hi again,

after some further googling, I think that I may need to add an IP route for this? But I'm not sure which one.

Further testing shows that I can only ping the router, not the server or anything else in the network.

This is my detailed configuration:
  • I have several bridges on the router (bridge-datel, bridge-guest)
  • Mikrotik acts as DHCP server for bridge-guest - basically a guest wi-fi
  • Windows Server acts as DHCP server for bridge-datel (range 192.168.100.100-192.168.100.149)
Please see a screenshot here:

[screenshot]

Basically I need the VPN connections to be able to access everything in bridge-datel

Thanks in advance for any tips.
Last edited by thomassocz on Wed Sep 21, 2022 1:58 pm, edited 1 time in total.
 
CZFan
Forum Guru
Posts: 2089
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Can connect to SSTP VPN but can't interact with Windows Server

Wed Sep 21, 2022 1:20 pm

The way your config is at the moment, i.e. VPN and LAN on the same subnet, you will need proxy ARP, which I do not suggest.

Rather give your VPN a separate subnet to the LAN, and then route / firewall between these.
MTCNA, MTCTCE, MTCRE & MTCINE
 
thomassocz
just joined
Topic Author
Posts: 7
Joined: Sat Sep 17, 2022 1:55 pm

Re: Can connect to SSTP VPN but can't interact with Windows Server

Wed Sep 21, 2022 1:54 pm

Ok, let's say that my LAN subnet is 192.168.100.0/24 and my VPN subnet will be 192.168.101.0/24.

Can you please advise how I would set the routing and firewall for this?

Also, what role will my Windows DHCP Server play in this scenario? Currently it assigns 192.168.100.100-192.168.100.149 to everything connected to bridge-datel.

Thanks a lot :)
Tomas
 
thomassocz
just joined
Topic Author
Posts: 7
Joined: Sat Sep 17, 2022 1:55 pm

Re: Can connect to SSTP VPN but can't interact with Windows Server

Wed Sep 21, 2022 4:04 pm

I tried something quite "random":

[screenshot]

Unfortunately it doesn't work... :(
 
CZFan
Forum Guru
Posts: 2089
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Can connect to SSTP VPN but can't interact with Windows Server

Wed Sep 21, 2022 11:30 pm

Post the full configuration export; screenshots show only part of the config.

But there are 2 things you really need to look at after separating the subnets.
One being that the VPN subnet is allowed in the relevant chains in the firewall on the MikroTik, and the second is that you will need to add the VPN subnet on the Windows firewall, as by default the Windows firewall will block all traffic initiated outside its local IP range.
MTCNA, MTCTCE, MTCRE & MTCINE
 
thomassocz
just joined
Topic Author
Posts: 7
Joined: Sat Sep 17, 2022 1:55 pm

Re: Can connect to SSTP VPN but can't interact with Windows Server

Thu Sep 22, 2022 9:45 am

Hi, here it is.
I tried turning the Windows Firewall off and it didn't help, so that's not the issue.

Thanks a lot. Tomas
# sep/22/2022 08:44:09 by RouterOS 6.49.6
# software id = 6D4F-G8NH
#
# model = RB3011UiAS
# serial number = HCV085R40Q0
/interface bridge
add admin-mac=18:FD:74:5C:40:3D auto-mac=no comment=defconf name=bridge-datel
add name=bridge-guest
add name=bridge-home
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/caps-man datapath
add bridge=bridge-datel name=datapath-datel
add bridge=bridge-guest name=datapath-guest
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security-datel
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security-guest
/caps-man configuration
add country="czech republic" datapath=datapath-guest installation=indoor mode=ap \
    name=cfg-guest security=security-guest ssid=datel-guest
add country="czech republic" datapath=datapath-datel installation=indoor mode=ap \
    name=cfg-datel security=security-datel ssid=datel-office
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile-datel \
    supplicant-identity=""
/ip pool
add name=vpn-pool ranges=192.168.100.150-192.168.100.199
add name=guest-pool ranges=192.168.175.2-192.168.175.254
/ip dhcp-server
add address-pool=guest-pool disabled=no interface=bridge-guest name=dhcp-guest
/ppp profile
add bridge=bridge-datel local-address=192.168.100.1 name=profile-sstp \
    remote-address=vpn-pool
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-datel \
    slave-configurations=cfg-guest
/interface bridge port
add bridge=bridge-datel comment=defconf interface=ether2
add bridge=bridge-datel comment=defconf interface=ether3
add bridge=bridge-datel comment=defconf interface=ether4
add bridge=bridge-datel comment=defconf interface=ether5
add bridge=bridge-datel comment=defconf interface=ether6
add bridge=bridge-datel comment=defconf interface=ether7
add bridge=bridge-datel comment=defconf interface=ether8
add bridge=bridge-home comment=defconf interface=ether9
add bridge=bridge-home comment=defconf interface=ether10
add bridge=bridge-datel comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-datel list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=Server default-profile=profile-sstp \
    enabled=yes force-aes=yes pfs=yes
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge-datel network=\
    192.168.100.0
add address=192.168.175.1/24 interface=bridge-guest network=192.168.175.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.175.0/24 gateway=192.168.175.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" list=Bogons
/ip firewall filter
add action=drop chain=forward comment="Prohibit WAN Remote Desktop" dst-port=\
    3389 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow SSTP VPN Tunnel" dst-port=443 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.100.0/24 src-address=\
    192.168.101.0/24
add action=accept chain=forward comment="Allow Always On VPN Connections" \
    dst-port=500,4500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    Bogons
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface=ether1
/ip route
add distance=1 dst-address=192.168.101.0/24 gateway=bridge-datel
/ip service
set telnet disabled=yes port=2301
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.100.0/24 port=2201
set api disabled=yes
set winbox address=192.168.100.0/24
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes
/ppp secret
add name=tomas.pokorny profile=profile-sstp service=sstp
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=DatelRouterBoard
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
thomassocz
just joined
Topic Author
Posts: 7
Joined: Sat Sep 17, 2022 1:55 pm

Re: Can connect to SSTP VPN but can't interact with Windows Server

Thu Sep 22, 2022 5:42 pm

Update:

After adding this rule to Windows Server Firewall:

[screenshot]

I can now ping the Server from remote connection, but still can't access its resources.

Tomas
 
Sob
Forum Guru
Posts: 8605
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can connect to SSTP VPN but can't interact with Windows Server

Thu Sep 22, 2022 10:25 pm

Do something similar for other services, e.g. if you want to access shared files, find "File and Printer Sharing (SMB-In)", open its properties and look at "Remote IP address" on "Scope" tab. By default there's only "Local subnet". Add 192.168.101.0/24 and it should work.
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
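As an added example (not from Sob's post or anything else in this thread), the same scope change done in PowerShell on the server: it reads the current "Remote IP address" scope of the built-in SMB-In rules, adds the VPN range if it is missing, and leaves rules already scoped to Any alone. It assumes Windows Server 2019 with the built-in NetSecurity cmdlets and the 192.168.101.0/24 VPN subnet proposed earlier in the thread; the server's own address is a placeholder.

```powershell
# Added example, not the forum's own script.
# Assumed VPN pool from the thread; change if your PPP pool differs.
$VpnSubnet = '192.168.101.0/24'
$RuleName  = 'File and Printer Sharing (SMB-In)'

# The built-in rule exists once per profile (Domain, Private, Public);
# a domain-joined server's LAN interface normally uses the Domain profile,
# so only touch the Domain and Private copies, never the Public one.
$rules = Get-NetFirewallRule -DisplayName $RuleName |
         Where-Object { "$($_.Profile)" -match 'Domain|Private' }

foreach ($rule in $rules) {
    $filter  = $rule | Get-NetFirewallAddressFilter
    $current = @($filter.RemoteAddress)

    Write-Host ("{0} [{1}] remote scope before: {2}" -f `
        $rule.DisplayName, $rule.Profile, ($current -join ', '))

    # 'Any' already covers the VPN subnet; replacing it would narrow the
    # rule, so skip. Also skip when the subnet is already present.
    if ($current -contains 'Any' -or $current -contains $VpnSubnet) {
        continue
    }

    # Keep the existing scope (by default just LocalSubnet) and append
    # the VPN range, rather than replacing it wholesale.
    $filter | Set-NetFirewallAddressFilter -RemoteAddress ($current + $VpnSubnet)

    # A widened scope does nothing if the rule itself is disabled.
    $rule | Enable-NetFirewallRule

    $after = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    Write-Host ("{0} [{1}] remote scope after:  {2}" -f `
        $rule.DisplayName, $rule.Profile, $after)
}

# Verification from a connected VPN client (run on the client, not the server);
# <server-lan-ip> is a placeholder for the server's 192.168.100.x address.
# Test-NetConnection -ComputerName <server-lan-ip> -Port 445
```

Repeat the same loop with a different $RuleName for any other inbound rule the VPN clients need (for example the ICMPv4-In rule that was adjusted earlier in the thread), since each built-in rule carries its own scope.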
