Community discussions

MikroTik App
 
OzanOral26
just joined
Topic Author
Posts: 13
Joined: Wed Sep 01, 2021 1:25 pm

SSTP Local network access problem

Sat Jan 07, 2023 8:32 am

Hello,

I have a 2 WAN - 1 LAN setup. WAN1 192.168.1.0 , WAN2 192.168.2.0 and LAN 192.168.10.0. Yesterday i configured SSTP vpn and its also using 192.168.10.2-250 pool. Clients can access the internet but can't access local network devices( only can ping to 192.168.10.1 ). This is my first time using 2 wan and mangle. I'm publishing exported config. Thanks in advance
/interface bridge
add admin-mac=**.**.**.**.**.** auto-mac=no comment=defconf disabled=yes \
    name=bridge
add name=bridge1_internet
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] name=ether3-LAN
/interface pptp-server
add disabled=yes name=pptp-in1 user=""
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
add name=L2TP_VPN_POOL ranges=192.168.10.241-192.168.10.253
add name=vpn_pool ranges=192.168.10.2-192.168.10.250
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=dhcp_pool2 disabled=no interface=ether3-LAN name=dhcp1
/ppp profile
add local-address=192.168.10.1 name=vpn_profile remote-address=vpn_pool
set *FFFFFFFE dns-server=8.8.8.8,8.8.4.4
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1-WAN1
add bridge=bridge comment=defconf disabled=yes interface=ether2-WAN2
add bridge=bridge comment=defconf disabled=yes interface=ether3-LAN
add bridge=bridge comment=defconf disabled=yes interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=ether6
add bridge=bridge comment=defconf disabled=yes interface=ether7
add bridge=bridge comment=defconf disabled=yes interface=ether8
add bridge=bridge comment=defconf disabled=yes interface=sfp9
add bridge=bridge comment=defconf disabled=yes interface=sfp10
add bridge=bridge comment=defconf disabled=yes interface=sfp11
add bridge=bridge comment=defconf disabled=yes interface=sfp12
add bridge=bridge1_internet interface=ether3-LAN
/interface l2tp-server server
set one-session-per-host=yes use-ipsec=yes
/interface sstp-server server
set authentication=mschap2 certificate=Server enabled=yes force-aes=yes pfs=\
    yes
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
add address=192.168.10.1/24 interface=ether3-LAN network=192.168.10.0
add address=192.168.1.50/24 interface=ether1-WAN1 network=192.168.1.0
add address=192.168.2.50/24 interface=ether2-WAN2 network=192.168.2.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.2-192.168.10.254 list=LAN_USERS
add address=192.168.1.0/24 list=WAN_SUBNET
add address=192.168.2.0/24 list=WAN_SUBNET
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related out-interface=ether1-WAN1
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=WAN_SUBNET
add action=mark-routing chain=prerouting new-routing-mark=TO_WAN1 \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 \
    src-address-list=LAN_USERS src-address-type=!local
add action=mark-routing chain=prerouting new-routing-mark=TO_WAN2 \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 \
    src-address-list=LAN_USERS src-address-type=!local
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=LAN_USERS
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-WAN1 \
    protocol=tcp src-address=213.***.157.** to-addresses=192.168.10.102 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-WAN1 \
    protocol=tcp src-address=78.***.222.*** to-addresses=192.168.10.102 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-WAN1 \
    protocol=tcp src-address=94.***.215.*** to-addresses=192.168.10.102 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-WAN1 \
    protocol=tcp src-address=88.***.77.*** to-addresses=192.168.10.102 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether2-WAN2 \
    protocol=tcp src-address=213.***.157.*** to-addresses=192.168.10.102 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether2-WAN2 \
    protocol=tcp src-address=78.***.222.*** to-addresses=192.168.10.102 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether2-WAN2 \
    protocol=tcp src-address=94.***.215.*** to-addresses=192.168.10.102 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether2-WAN2 \
    protocol=tcp src-address=88.***.77.*** to-addresses=192.168.10.102 \
    to-ports=3389
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=TO_WAN1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=TO_WAN2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp secret
add name=user1 profile=vpn_profile service=sstp
add disabled=yes name=linenetsis profile=default-encryption service=pptp

 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: SSTP Local network access problem

Sat Jan 07, 2023 10:31 pm

With "ether3-LAN" being a port on a bridge (bridge1_internet) , this makes it a 'slave' interface. ALL IP definitions should be defined on the bridge (master) not on the ethernet interface (slave).

ROS told you also: "# DHCP server can not run on slave interface!"

So DHCP server, DHCP client, IP address, interface list membership, address-pool ... are all defined at the master interface only, not at the slave interface.
If the SSTP interface is not a port of the bridge, then it is a "routed" interface by default, and should have it's own IP range , different from the other IP ranges, for routing to work.

You might want the SSTP interface to be member of the LAN 'interface list', just as the bridge "bridge1_internet", for the default firewall rules.
"ether1_WAN" and "ether2_WAN" should be member of the WAN 'interface list', when using default firewall rules.
 
OzanOral26
just joined
Topic Author
Posts: 13
Joined: Wed Sep 01, 2021 1:25 pm

Re: SSTP Local network access problem

Mon Jan 09, 2023 11:31 am

Hello,

I moved dhcp to bridge interface. I tried include the SSTP interface to bridge but couldn't manage to do it beacuse there is no static sstp profile. Profile only appears when remote user is connected. Can you describe me how to do it? I'm using same subnet because when i gave different subnet also i couldn't access to internet and local network and i couldn't figure it out. This way remote clients al least can access to internet so 1 less problem for me.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: SSTP Local network access problem

Mon Jan 09, 2023 12:59 pm

SSTP port here is "dynamic". Either add all "dynamic interfaces" to the bridge, or use an "interface list" with that interface member of that list, and add that list to the bridge ports (which will be indicated as dynamic ports) according to the wiki

See "Interface Lists" in https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
.

Klembord-3.jpg
Klembord-2.jpg

Dynamic interface or interface list as bridge port was not used in this "routed" setup: viewtopic.php?t=192264#p975984
You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: cesarfernandez63, SanchoHa, syslog and 47 guests