Neoby
just joined
Topic Author
Posts: 4
Joined: Mon Jan 30, 2023 6:54 pm

Yet Another VPN: Cannot reach LAN from remote device

Mon Jan 30, 2023 7:52 pm

I am trying to set up a remote-access (host-to-network) VPN in order to connect from a remote computer into my LAN.

On the LAN side, I have a hAP ac², serving as gateway and DHCP server.
The internet box provided by my ISP simply DMZs to the static IP of the hAP WAN port (assigned via the ISP box's DHCP server as static IP 192.168.1.10).

(Now a disclaimer: RouterOS is very advanced compared to my limited knowledge of network configurations.)

What was tried:
* I activated the PPP > L2TP Server with a long IPsec secret.
* I added a PPP > Secret user named "vpn", with a long password.
* In the PPP > Profiles > default, I set local address to the range dhcp and remote address to the range vpn (see config below)
* I added firewall rules found in this post.

With that in place, a machine on a different network can establish a VPN connection to the MikroTik router. It does get assigned an address in the vpn range "pointing to" an address in the dhcp range.
ppp0: inet 192.168.89.100 -> 192.168.88.15 netmask 0Xffffff00
This remote machine is then able to ping both 192.168.89.100 and 192.168.88.15.
But it cannot ping another machine on the LAN (machine-B), which has another address in the dhcp range.
(Please note that I confirmed that machine-B responds to ping: if I connect the remote machine directly to the LAN, then it can ping machine-B).

I suspect the issue is that the routes are not installed on the remote machine when the VPN connection is established.
Is it possible to install such routes automatically?
Are there other potential issues in my configuration? (In particular, I am not confident regarding my firewall rules).

Please see the output of /export hide-sensitive below:
/interface bridge
add admin-mac=74:4D:28:E0:B6:8A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MySSID \
    station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MySSID \
    station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.10-192.168.89.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *0 bridge=bridge local-address=dhcp remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=InternalNetworks
add address=192.168.89.0/24 list=InternalNetworks
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow all internal networks (see: https://forum.mikrotik.com/viewtopic.php\?t=92543#p477316)" src-address-list=InternalNetworks
add action=accept chain=forward comment="Allow all internal networks (see: https://forum.mikrotik.com/viewtopic.php\?t=92543#p477316)" dst-address-list=InternalNetworks
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=dstnat disabled=yes dst-address=192.168.88.100 dst-port=8554 protocol=udp src-port=8554
add action=accept chain=dstnat disabled=yes dst-address=192.168.88.100 dst-port=8554 protocol=tcp src-port=8554
add action=dst-nat chain=dstnat dst-address=192.168.1.10 dst-port=8554 protocol=tcp to-addresses=192.168.88.100 to-ports=8554
add action=dst-nat chain=dstnat dst-address=192.168.1.10 dst-port=8554 protocol=udp to-addresses=192.168.88.100 to-ports=8554
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=dst-nat chain=dstnat dst-address=192.168.1.10 dst-port=9090 protocol=tcp to-addresses=192.168.88.41
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn routes=192.168.88.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thank you very much for reading!
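As an added example (not code from the thread or from MikroTik), here is a small checker that parses the export above and reports the VPN-related exposure points a reviewer would look at on the input chain: an L2TP server that does not require IPsec, an accept rule for udp/1701 that is not restricted to IPsec-decapsulated traffic, and accept rules for PPTP/SSTP ports whose servers are not enabled. It assumes RouterOS's documented meaning of use-ipsec (yes accepts both plain and IPsec-wrapped L2TP sessions, required accepts only the latter), that a plain /export omits default values so a server section without enabled=yes is disabled, and that ipsec-policy=in,ipsec is the matcher for traffic that arrived inside IPsec. The embedded export is an excerpt of the one posted above, trimmed to the sections the checker reads.

```python
import shlex

# Excerpt of the /export from the first post (constructed sample for this check; only the
# sections the checker looks at are included).
SAMPLE_EXPORT = """\
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface sstp-server server
set default-profile=default-encryption
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

# Input-chain accept rules for these ports only make sense when the matching server is
# enabled; an export lists a server section only with its non-default settings, so a
# missing enabled=yes means the service is off (assumption stated in the lead-in).
VPN_SERVICE_PORTS = {
    ("udp", "1701"): "/interface l2tp-server server",
    ("tcp", "1723"): "/interface pptp-server server",
    ("tcp", "443"): "/interface sstp-server server",
}


def parse_export(text):
    """Parse a RouterOS export into {section path: [entry, ...]}.

    Each entry maps the key=value pairs of one add/set line; the verb is stored
    under "_verb". Lines ending in a backslash are joined with the next one.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        entry = {"_verb": line.split(None, 1)[0]}
        for token in shlex.split(line)[1:]:
            if "=" in token:
                key, value = token.split("=", 1)
                entry[key] = value
        sections.setdefault(current, []).append(entry)
    return sections


def merged(sections, path):
    """Collapse all set/add lines of one single-item section into one dict."""
    return {k: v for entry in sections.get(path, []) for k, v in entry.items()}


def check_vpn_exposure(sections):
    """Return human-readable findings about VPN services exposed on the input chain."""
    findings = []
    l2tp = merged(sections, "/interface l2tp-server server")
    if l2tp.get("enabled") == "yes" and l2tp.get("use-ipsec") != "required":
        findings.append(
            f"l2tp-server: use-ipsec={l2tp.get('use-ipsec', 'no')} rather than "
            "'required', so sessions not wrapped in IPsec are also accepted"
        )
    for rule in sections.get("/ip firewall filter", []):
        if rule.get("chain") != "input" or rule.get("action") != "accept":
            continue
        key = (rule.get("protocol"), rule.get("dst-port"))
        service = VPN_SERVICE_PORTS.get(key)
        if service is None:
            continue
        if merged(sections, service).get("enabled") != "yes":
            findings.append(f"input accept for {key[0]}/{key[1]} but {service} is not enabled")
        if key == ("udp", "1701") and rule.get("ipsec-policy") != "in,ipsec":
            findings.append(
                "input accept for udp/1701 lacks ipsec-policy=in,ipsec, so L2TP is "
                "reachable outside the IPsec tunnel"
            )
    return findings


if __name__ == "__main__":
    for finding in check_vpn_exposure(parse_export(SAMPLE_EXPORT)):
        print("-", finding)
```

Run against the excerpt it reports four findings; after switching to use-ipsec=required and adding ipsec-policy=in,ipsec to the udp/1701 rule, only the two accept rules for the disabled PPTP and SSTP servers remain, which can simply be removed.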
 
Neoby
just joined
Topic Author
Posts: 4
Joined: Mon Jan 30, 2023 6:54 pm

Re: Yet Another VPN: Cannot reach LAN from remote device

Mon Feb 06, 2023 11:49 am

TLDR: I want to set up my hAP ac² to allow host-to-network VPN. How should I configure the router in order for the routes to be installed on the remote client when it connects to the VPN?

(Is there any information I should add to improve my chances of a response?)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Yet Another VPN: Cannot reach LAN from remote device

Mon Feb 06, 2023 3:19 pm

Sorry, if you want to try wireguard instead, I can be of assistance.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Yet Another VPN: Cannot reach LAN from remote device

Mon Feb 06, 2023 11:49 pm

Routes must be correct in both directions (unless masquerade is used, which will do the reverse path without routing).

Some details in the config
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

/ppp secret
add name=vpn routes=192.168.88.0/24

IP address 192.168.88.1 should be on the bridge, not on ether2

All going out to the WAN (eth1) will be masqueraded. Is OK. Common practice.
All coming from the VPN will be masqueraded. OK, the client route back will be found.

The routes parameter in secret is for the client routes, not the server routes.

https://wiki.mikrotik.com/wiki/Manual:P ... r_Database
routes (string; Default: ): Routes that appear on the server when the client is connected. The route format is: dst-address gateway metric (for example, 10.1.0.0/24 10.0.0.1 1). Other syntax is not acceptable since it can be represented in incorrect way. Several routes may be specified separated with commas. This parameter will be ignored for OpenVPN.


https://wiki.mikrotik.com/wiki/Manual:Interface/PPTP
Client should route 192.168.88.0/24 via gateway 192.168.89.1 as in 'Site-to-site' setup
Or, as suggested: using proxy-arp on "PPP server/hAP ac2" for the 'Remote client' setup
 
Neoby
just joined
Topic Author
Posts: 4
Joined: Mon Jan 30, 2023 6:54 pm

Re: Yet Another VPN: Cannot reach LAN from remote device

Sat Feb 18, 2023 3:32 pm

Thank you very much bpwl for your help!

Following your post, I made the following changes:
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

/ppp secret
add name=vpn routes=192.168.89.0/24

https://wiki.mikrotik.com/wiki/Manual:Interface/PPTP
Client should route 192.168.88.0/24 via gateway 192.168.89.1 as in 'Site-to-site' setup

I issued the following command line in the client (the remote is a mac, connecting to the VPN using macOS' default VPN client):
route -n add -net 192.168.88.0/24 -interface ppp0
With that in place, the remote client can ping machines on the local LAN using their 192.168.88.x IP addresses (including the router's bridge address 192.168.88.1), and machines on the local LAN can ping the remote client on its 192.168.89.y address (which is assigned within the "vpn" ip-pool).

Yet, I have to install the route on the remote client each time the remote client establishes the VPN connection.

Is it possible to configure the Mikrotik router to automatically install the route on the remote client when the connection is established?
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Yet Another VPN: Cannot reach LAN from remote device

Sat Feb 18, 2023 4:07 pm

https://wiki.mikrotik.com/wiki/Manual:Interface/PPTP
Notice that we set up PPTP server's PPP secret where a route is added automatically whenever the client connects. If this option is not set, then you will need to add static routing on the server to route traffic between the two sites through the PPTP tunnel. (See PPP User Database for more info on routes variable).

https://wiki.mikrotik.com/wiki/Manual:P ... r_Database
 
Neoby
just joined
Topic Author
Posts: 4
Joined: Mon Jan 30, 2023 6:54 pm

Re: Yet Another VPN: Cannot reach LAN from remote device

Mon Feb 20, 2023 11:42 am

Thank you @bpwl for your response.

I think I might be confused though. In my setup, the client is the remote macOS machine, and the server is the MikroTik router, is that correct?

If so, the routes parameter documentation seems to indicate that this route is installed on the MikroTik router itself whenever the remote client establishes the connection, not on the remote client.

Yet, I am looking for a way to automatically install the route on the remote macOS machine when it establishes the VPN connection, is that possible?
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Yet Another VPN: Cannot reach LAN from remote device

Mon Feb 20, 2023 6:39 pm

No macOS experience here, but I think the client will always have (all the possible) routes to the server defined. When the VPN is not open, then that route will not be available for the client. The server is supposed to do the routing for the LANs there, so defining the VPN as route to a large subnet is quite common. The local LAN to the Mac will have priority (and remote will not be accessible if the same subnet exists behind the VPN). Selective routing is needed when you want to send some traffic directly to Internet (not over the VPN), but this will never be for private IP addresses (10 / 172.16-31 / 192.168).

If dynamically added and removed routes are needed, then it depends on the client OS. e.g. for windows: https://woshub.com/add-routes-after-con ... n-windows/

Don't know if DHCP option codes 121 or 249 can be used here. (viewtopic.php?t=156710)
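For the macOS client discussed earlier in the thread (the manual `route -n add -net 192.168.88.0/24 -interface ppp0` that has to be repeated after every connect) and the "depends on the client OS" point just above, here is an added example of the client-side mechanism; it is not from the thread, from Apple or from MikroTik. It assumes that macOS pppd, which the built-in L2TP client uses, runs an executable /etc/ppp/ip-up as root after a PPP link comes up and passes it the arguments interface, tty, speed, local IP, remote IP and ipparam. The script only adds the LAN route when the address handed to the client comes from the router's vpn pool (192.168.89.0/24), so it does not touch unrelated PPP links; the prefix and LAN subnet are taken from the configuration posted above.

```sh
#!/bin/sh
# Example /etc/ppp/ip-up hook for the macOS client (added example; not from the thread).
# Assumption: pppd runs this as root with the arguments
#   <interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# after the link is up, so the LAN route no longer has to be typed after each connect.

LAN_NET="192.168.88.0/24"        # LAN behind the hAP ac2, reached through the tunnel
VPN_POOL_PREFIX="192.168.89."    # router's "vpn" pool, the client's tunnel address

# Return 0 only when the address handed to this end of the link comes from the router's
# vpn pool, so the route is never pushed onto an unrelated PPP link (e.g. another VPN).
is_vpn_client_addr() {
    case "$1" in
        "$VPN_POOL_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The exact command from the thread, for the interface name pppd reports.
lan_route_cmd() {
    echo "route -n add -net $LAN_NET -interface $1"
}

# pppd passes at least five arguments; run by hand with none, the script only defines
# the functions above (handy for checking the match logic without touching routes).
if [ "$#" -ge 5 ] && is_vpn_client_addr "$4"; then
    route -n add -net "$LAN_NET" -interface "$1"
    logger -t ppp-ip-up "ran: $(lan_route_cmd "$1") (local $4, remote $5)"
fi
```

Install it with `sudo install -m 755 ip-up /etc/ppp/ip-up`; the route is bound to the ppp interface, so it disappears with the interface when the tunnel closes and no ip-down counterpart is needed. Log lines go to the unified log under the ppp-ip-up tag, which is the quickest way to see whether the hook fired and with which addresses.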
