mobisek
just joined
Topic Author
Posts: 1
Joined: Thu Oct 14, 2021 7:33 pm

Resolving local hostnames through VPN IPSec IKEv2

Thu Oct 14, 2021 8:45 pm

Hello,

I have a very similar problem with DNS through IPSec and despite spending hours on different websites still can't solve it.

4 PCs as LAN (192.168.88.1-200),
MikroTik router (DHCP, VPN, DNS server, IP: 192.168.88.1) with static IP.
Remote access from one external PC through VPN IPSec IKEv2 (with certificates); it gets a local address from the pool 192.168.88.201-210, assigned by MT when entering the LAN.

Now, the remote access connection is OK: I can ping all LAN PCs, MT, and also external websites by IP. However, I can't ping the LAN computers by hostname. I have to fix it because of software that needs access to one of the hosts by its hostname.

Looking at the log I see that after the IPSec connection is built up, the DNS requests from the external PC arrive with its local address (e.g. 192.168.88.210) at the WAN interface, and so MikroTik sends its responses back from the same WAN interface to the local address of the external PC (e.g. 192.168.88.210). It can't work this way, obviously.
I found many opinions that this is how MT works when "clear" IPSec is used; unfortunately I could not find any advice on how to fix it in a scenario like mine (remote access, only one MT).
I am a newbie in MT and so all my attempts to set up Firewall rules, NAT rules or even Routes have failed.

I would really appreciate any help in this topic... Many thanks in advance!
 
Kaldek
Member Candidate
Posts: 111
Joined: Sat Jul 11, 2015 2:40 pm

Re: Resolving local hostnames through VPN IPSec IKEv2

Sat Jun 25, 2022 5:48 am

Hi mate, I just saw your post.

The answer to this is two things. First, you will need to make sure that you have a Firewall rule that allows inbound packets to the router from the Internet interface, but also from the VPN source IP address. That will allow DNS to the router. Note that in my example here my VPN range is 192.168.13.0/24 and I consider it part of the "LAN".

Even though your VPN is "inside" the network, the Firewall sees packets from the VPN as coming from the Internet interface. Note that there may be a better Firewall rule which only allows these packets if they are part of a VPN connection. Probably - the Mikrotik Firewall is extremely flexible here. You may want to do that to remove *all* risk of spoofed packets coming from the Internet with fake source IP addresses, however these days that would be generally very low risk as somewhere along the line, one of the routers on the Internet would have dropped the packet due to it having a source address in the RFC1918 range.
/ip firewall address-list
add address=192.168.0.0/24 list=LAN
add address=192.168.13.0/24 list=LAN
/ip firewall filter add action=accept chain=input comment="Internal Router access" protocol=tcp src-address-list=LAN
/ip firewall filter add action=accept chain=input protocol=udp src-address-list=LAN
The firewall rules shown here also need to be above whatever rules you have in place that block inbound access to the router from the Internet, otherwise your allow rule will never fire because the packets will be dropped by the earlier "drop" rule in the sequence.

Lastly, you need to edit the Adapter Options for the VPN interface and manually set the DNS values for the VPN under the Networking tab, adding the router's internal IP address and also the DNS suffix for your internal network. That way, when the VPN connection comes up the router's internal IP address will be added to the network stack and when you attempt to resolve hosts with the suffix for that network it will correctly use the right DNS server.
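Kaldek's rules accept any input packet whose source is in the LAN list, and the post notes that a tighter rule matching only VPN traffic is possible. The configuration below is an added example (not from this thread or from Kaldek) of that tighter variant, limited to DNS, using RouterOS's `ipsec-policy` matcher. It assumes mobisek's addressing from the first post (LAN 192.168.88.0/24, router and DNS server at 192.168.88.1, IKEv2 client pool 192.168.88.201-210 inside that /24) and that the rules must land above the existing drop rule in the input chain.

```routeros
# Added example. Assumes mobisek's addressing: LAN 192.168.88.0/24,
# router/DNS 192.168.88.1, IKEv2 mode-config pool 192.168.88.201-210.
/ip firewall address-list
add address=192.168.88.0/24 list=LAN comment="LAN incl. IKEv2 client pool"

# Weak form (what the reply above shows): accepts any UDP packet whose source
# is in the LAN list, even one arriving unencrypted on the WAN interface.
# /ip firewall filter add chain=input action=accept protocol=udp src-address-list=LAN

# Hardened form: accept DNS to the router only when the packet was decrypted
# by an IPsec policy (ipsec-policy=in,ipsec). A plain WAN packet carrying a
# forged 192.168.88.x source never matches, because it was not decrypted.
# place-before=0 puts each rule at the top of the chain, above the drop rule.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 ipsec-policy=in,ipsec \
    src-address-list=LAN comment="DNS (UDP) from IKEv2 clients" place-before=0
add chain=input action=accept protocol=tcp dst-port=53 ipsec-policy=in,ipsec \
    src-address-list=LAN comment="DNS (TCP) from IKEv2 clients" place-before=0

# Check ordering, then watch the packet counters rise while a VPN client
# resolves a LAN hostname; if they stay at zero the rule sits below the drop.
/ip firewall filter print stats where chain=input
```

The LAN-side PCs still reach the router's DNS through whatever existing rule accepts input from the LAN interface; these two rules only cover the decrypted IKEv2 traffic.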
 
roberdaniel
just joined
Posts: 1
Joined: Wed Jan 10, 2024 4:18 pm

Re: Resolving local hostnames through VPN IPSec IKEv2

Thu Jan 11, 2024 3:55 pm

Hello all
In my case, I'm running with PPTP VPN and the DNS works correctly inside the LAN and over the VPN too.
But recently I have just configured L2TP VPN and DNS does not work for this VPN protocol.
I don't see any explicit rule for DNS to be running over PPTP, so I suppose it is something that Mikrotik handles implicitly.
I'm going mad to resolve this.
Regards
