Trying to make service available from VPN

Michelw72 · Tue Mar 12, 2019 10:25 am

Hi,

A friend of mine uses a car dealership service (ODIS) which consists of a "Cisco box" with a WAN and a LAN connection. This box is connected from WAN to ether2 of the mikrotik HEX to connect to the internet. It then automatically creates a secure connection to the ODIS service. Any internet connection will do.

He then connects a laptop to the lan port of this Cisco box and the software on the laptop logs in to the ODIS service.
The software seems to connect via HTTP to addresses like ws-gateway.cpn.vwg.

He now want's to be able to use this service "on the road" so I created a L2TP-IPSEC VPN for him. I connected the LAN port of the Cisco box to ether 5, took ether 5 out of the bridge and activated a DHCP client on ether5. Ether5 now get's this from the Cisco box (like the laptop would):

IP address: 10.10.10.6/28
Gateway: 10.10.10.1
DHCP server: 10.10.10.1
Primary DNS: 192.168.2.42
Secondary DNS: 192.168.129.33

How can I now give him access to the Cisco box from his L2TP-IPSEC VPN as if his laptop where plugged into the Cisco box itself?

Please be kind, I'm just a novice

solar77 · Tue Mar 12, 2019 5:09 pm

very interesting case so I will kick start. It might take me few attempt to get it working but I'd think it's possible.

first try to set the VPN in the way that local address is that of the ether5, and VPN pool is in the same range as that of the Cisco box.
when connected via VPN, the laptop should be able to ping ether5, and the Cisco box

you would need nat rule like mascurade , src-address=VPN range out-interface=ether5
also your DHCP client should enable add default route.

Michelw72 · Tue Mar 12, 2019 5:50 pm

Thanks!

Could you specify that masquerade rule a little more?

Michelw72 · Tue Mar 12, 2019 6:05 pm

This is how I have it setup now:

/ip pool
add name=VAG-kastje ranges=10.10.10.200-10.10.10.205

/ppp profile
add dns-server=10.10.10.1 local-address=10.10.10.1 name=SSTP-profile \
    remote-address=VAG-kastje use-encryption=required

/ip address
add address=10.10.10.199 comment="VAG VPN ding" interface=ether5 network=\
    10.10.10.0

/ip dhcp-client
add comment="VAG VPN kastje" dhcp-options=hostname,clientid disabled=no \
    interface=ether5

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade VAG-kastje" \
    out-interface=ether5 src-address=10.10.10.0/24

I can ping 10.10.10.6 from the SSTP VPN, but I can't ping 10.112.198.40 and 10.112.198.255 (the addresses ws-gateway.cpn.vwg resolves to when the laptop is plugged straight into the Cisco box).

Exiver · Tue Mar 12, 2019 6:16 pm

Please do not set the ip addresses of your vpn (neither local nor the remote one) to one of the ips from the cisco net (10.10.10.0/28). You should just setup the vpn as you would do for a normal road-warrior routed setup (example: https://wiki.mikrotik.com/wiki/Manual:I ... pSec_setup)

Afterwards you should be able to allow connections via firewall filter from vpn -> ether5 and vice versa with nat enabled

Michelw72 · Tue Mar 12, 2019 7:20 pm

Thats how I had it setup before the change.

It's now back to:

Removed:

/ip pool
add name=VAG-kastje ranges=10.10.10.200-10.10.10.205

Changed:

/ppp profile
add local-address=192.168.78.1 name=SSTP-profile remote-address=SSTP-pool use-encryption=required

The result is still the same. I can ping the IP that was given by the Cisco to the DHCP client on ether5 (10.0.0.6) but nothing else.

On the laptop:

PPP adapter SSTP-VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.78.120
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

ping 10.10.10.6

Pinging 10.10.10.6 with 32 bytes of data:
Reply from 10.10.10.6: bytes=32 time=32ms TTL=64


ping 10.112.198.40

Pinging 10.112.198.40 with 32 bytes of data:
Request timed out.

solar77 · Wed Mar 13, 2019 1:44 pm

not sure why you cannot use 10.10.10.0/28 range as VPN Local address, I don't think it matters but happy to learn otherwise.
in my view, you can use either 192.168.78.1 or 10.10.10.1 as local IP for VPN. use the matching pool .

double check you have Add Default route and user peer DNS on the DHCP client at ether5

then
can you ping 8.8.8.8 on the VPNed laptop?
can you ping 10.10.10.1 ? ( I think that's the cisco box LAN IP?)
trace route to 10.112.198.40, where does it stop?

it might be, that when you ping this IP addresses, it is routed to the main gateway, instead of ether5. so you can add static route like this:
/ip route
add distance=1 dst-address=10.112.198.40 gateway=10.10.10.1

finally, you don't need

/ip address
add address=10.10.10.199 comment="VAG VPN ding" interface=ether5 network= 10.10.10.0

because you already have 10.10.10.6 on ether5

Trying to make service available from VPN

Trying to make service available from VPN

Re: Trying to make service available from VPN

Re: Trying to make service available from VPN

Re: Trying to make service available from VPN

Re: Trying to make service available from VPN

Re: Trying to make service available from VPN

Re: Trying to make service available from VPN

Who is online