boxybh
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Jul 29, 2017 11:16 am

static ip vpn through modem not working

Tue Jun 07, 2022 9:40 am

2 static ips wan1 wan2
wan1 pppoe dial to modem (bridge)
wan2 modem dials and ip given to wan2 port, let's say 192.168.20.10, and modem is 192.168.20.1 (gw), dmz done in modem to the 20.10 ip and ipsec and vpn ports also forwarded to 20.10 (mikrotik wan2)

vpn server made in mikrotik
dial to wan1 ip from outside works very well
wan2 dial shows connected in mikrotik ph1 and ph2 established and windows drops connection never a success in connection

any ideas?
 
kevinds
Long time Member
Posts: 635
Joined: Wed Jan 14, 2015 8:41 am

Re: static ip vpn through modem not working

Thu Jun 16, 2022 3:36 am

Your post is not clear....

Please make a diagram with how things are set up and how you want things to work.

Are you getting RFC1918 IPs from your ISP? Or are they public IPs you are just changing?

The WAN2 modem and DMZ configuration throws up a red flag... What is happening and why? You are actually doing "DMZ" port-forwarding on the modem to your Mikrotik router? And wanting to use it for VPN? This is asking for trouble. Most gateways' DMZ only forward TCP and UDP traffic, ignoring (dropping) all the other protocols.

When you say "dial" are you referring to PPPoE? What access technology? Are WAN1 and WAN2 actually different ISPs? Or the different IPs from the same ISP? If the same ISP, why do you want to do it this way??
 
boxybh
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Jul 29, 2017 11:16 am

Re: static ip vpn through modem not working

Thu Jun 16, 2022 7:44 am

Are WAN1 and WAN2 actually different ISPs?
Yes, different ISPs (both have a public, static IP). Can ping them from outside.

mikrotiks firewall mangle is configured fully to
preroute -> new connection mark
preroute -> new connection mark -> new routing mark
output -> new connection mark -> new routing mark
above is for both the isp ports and works well with every thing

ok so wan1 has a fiber epon, that's on bridge mode, hence it is configured as pppoe in mikrotik and has a static ip from isp, in this vpn connects from outside
wan2 has a modem that is not in bridge. this is also epon but already dialed pppoe in the modem itself. so the modem has dmz and vpn port forwarding which is enabled.

both of them are public static ips.

for example i have a sql database , on wan2 modem i port forward that port to the mikrotik and mikrotik throws it at the server and i can connect to the database.
i have been trying to get the isp to give the username and password of the modem on wan2 so that i can put it on bridge mode and use wan2 as pppoe but the wan2 isp has bad support

You are actually doing "DMZ" port-forwarding on the modem to your Mikrotik router?
yes plus there is an option in modem to allow vpn connection through to which ip address, here i have given ip address of the wan2 port of mikrotik and when i connect from outside i can see in mikrotik ph1 and ph2 completed and established but then it disconnects in a matter of 4 or 5 seconds every time

But with wan1 which is pppoe it works well.
i suspect the modem is holding something.
 
kevinds
Long time Member
Posts: 635
Joined: Wed Jan 14, 2015 8:41 am

Re: static ip vpn through modem not working

Thu Jun 16, 2022 8:11 am

Yes, different ISPs (both have a public, static IP). Can ping them from outside.


ok so wan1 has a fiber epon, that's on bridge mode, hence it is configured as pppoe in mikrotik and has a static ip from isp, in this vpn connects from outside
wan2 has a modem that is not in bridge. this is also epon but already dialed pppoe in the modem itself. so the modem has dmz and vpn port forwarding which is enabled.

both of them are public static ips.

for example i have a sql database , on wan2 modem i port forward that port to the mikrotik and mikrotik throws it at the server and i can connect to the database.
i have been trying to get the isp to give the username and password of the modem on wan2 so that i can put it on bridge mode and use wan2 as pppoe but the wan2 isp has bad support

You are actually doing "DMZ" port-forwarding on the modem to your Mikrotik router?
yes plus there is an option in modem to allow vpn connection through to which ip address, here i have given ip address of the wan2 port of mikrotik and when i connect from outside i can see in mikrotik ph1 and ph2 completed and established but then it disconnects in a matter of 4 or 5 seconds every time

But with wan1 which is pppoe it works well.
i suspect the modem is holding something.
This is a symptom of TCP and UDP being forwarded, but not the other protocols... 47 (GRE) and 50 (ESP) as examples.. TCP is protocol 6, ICMP is protocol 1, UDP is protocol 17..

There are many, many protocols and most times, DMZ only means TCP and UDP, there are simply no options in the gateways for the other protocols.

My first thought anyways..

Depending on your configuration, any NAT can/will break the VPN because the packets are changed as they are NAT'd.

Personally, I wouldn't hesitate to try and hack the modem/gateway to get the credentials, but I would never suggest someone else do that.. lol
Last edited by kevinds on Thu Jun 16, 2022 10:20 am, edited 1 time in total.
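
As an added example (not part of the original thread), a Python classifier for packets captured on the MikroTik WAN2 port: it reads the IP protocol number and, on UDP/4500, the RFC 3948 framing, so you can see whether ESP arrives raw (protocol 50) or inside UDP. The sample packets are constructed, and 203.0.113.7 is a placeholder client address.

```python
import socket
import struct

# IANA IP protocol numbers named in the post above.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

def classify_ipv4(packet: bytes) -> str:
    """Label an IPv4 packet by what an L2TP/IPsec path needs forwarded."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    if proto != 17:
        return IP_PROTOCOLS.get(proto, f"protocol {proto}")
    if len(packet) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    payload = packet[ihl + 8:]
    if 4500 in (sport, dport):
        if payload == b"\xff":
            return "NAT-T keepalive"
        if payload[:4] == b"\x00" * 4:      # non-ESP marker precedes IKE
            return "IKE over UDP/4500"
        return "ESP in UDP/4500"            # first 4 bytes are a non-zero SPI
    if 500 in (sport, dport):
        return "IKE over UDP/500"
    if 1701 in (sport, dport):
        return "L2TP over UDP/1701 outside IPsec"
    return "UDP"

def sample(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet, client -> MikroTik WAN2 (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton("203.0.113.7"),
                       socket.inet_aton("192.168.20.10")) + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed UDP datagram (checksum left 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

if __name__ == "__main__":
    spi = b"\x12\x34\x56\x78"  # constructed SPI
    for pkt in (sample(50, spi + bytes(12)),
                sample(17, udp(4500, 4500, spi + bytes(12))),
                sample(17, udp(4500, 4500, bytes(32))),
                sample(17, udp(500, 500, bytes(28)))):
        print(classify_ipv4(pkt))
```

If only the UDP labels ever show up on WAN2 while a client is connecting, the modem is passing IKE and NAT-T but not native ESP.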
 
boxybh
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Jul 29, 2017 11:16 am

Re: static ip vpn through modem not working

Thu Jun 16, 2022 8:18 am

hahah i tried the html hack to see the password as text but it's encrypted, or some isps lock the mac address of the dialing modem so that any other modem on the line with correct username and password would not dial
 
kevinds
Long time Member
Posts: 635
Joined: Wed Jan 14, 2015 8:41 am

Re: static ip vpn through modem not working

Thu Jun 16, 2022 8:35 am

hahah i tried the html hack to see the password as text but it's encrypted, or some isps lock the mac address of the dialing modem so that any other modem on the line with correct username and password would not dial
Certificate sometimes, username and password, usually. MAC address, not really

Having static IPs.. Is it still a residential account? Or a business account.. It would be normal for a business to use their own router..

Otherwise, one of those scenarios is most likely your issue. Check the manuals on NAT-T, otherwise, you need to bypass that gateway.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: static ip vpn through modem not working

Thu Jun 16, 2022 9:42 am

wan2 dial shows connected in mikrotik ph1 and ph2 established and windows drops connection never a success in connection
Whereas IPsec as such doesn't care where the NAT takes place, the Windows embedded client does - with default settings, it breaks connection if the NAT detector indicates that the actual address of the responder (the private one of your Mikrotik) doesn't match the one configured at the Windows side (the public IP of the modem).
There are two ways to handle this - either to change registry settings on every single Windows client you use, or to put up the public IP also on the Mikrotik and "un-dst-nat" the incoming IPsec connections back to that IP address, see viewtopic.php?p=738129#p738129

The drawback of the latter option is that it doesn't work if the Windows initiator is on a public IP address unless the DMZ on the modem can forward also ESP traffic.
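
The NAT detection described above, as an added Python example that is not part of the original post: a model of the IKEv1 NAT-D payloads from RFC 3947, run for the thread's setup and for the public-IP-on-MikroTik workaround. The cookies, the 198.51.100.20, 203.0.113.7 and 10.0.0.5 addresses, unchanged port 500, and the SHA-1 hash are assumptions made for the example.

```python
import hashlib
import socket
import struct

def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()  # assumes SHA-1 was negotiated

def responder_payloads(cky_i, cky_r, peer_seen, local):
    """NAT-D payloads the responder sends: destination first, then its source."""
    return [nat_d(cky_i, cky_r, *peer_seen), nat_d(cky_i, cky_r, *local)]

def initiator_view(cky_i, cky_r, payloads, own, observed_src):
    """What the initiator concludes from the responder's NAT-D payloads."""
    initiator_nat = payloads[0] != nat_d(cky_i, cky_r, *own)
    responder_nat = nat_d(cky_i, cky_r, *observed_src) not in payloads[1:]
    return {
        "initiator_behind_nat": initiator_nat,
        "responder_behind_nat": responder_nat,
        # RFC 3947: any NAT on the path moves ESP into UDP/4500.
        "esp_transport": "UDP/4500" if initiator_nat or responder_nat
                         else "IP protocol 50",
    }

# Constructed values; only 192.168.20.10 comes from the thread.
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
MODEM_PUBLIC = ("198.51.100.20", 500)    # placeholder for the WAN2 public IP
MIKROTIK_WAN2 = ("192.168.20.10", 500)
CLIENT_PRIVATE = ("10.0.0.5", 500)       # Windows client behind its own NAT
CLIENT_PUBLIC = ("203.0.113.7", 500)

def scenario(responder_local, client_local):
    """Client dials MODEM_PUBLIC; responder answers from responder_local."""
    sent = responder_payloads(CKY_I, CKY_R, CLIENT_PUBLIC, responder_local)
    return initiator_view(CKY_I, CKY_R, sent, client_local, MODEM_PUBLIC)

if __name__ == "__main__":
    print("as in the thread:     ", scenario(MIKROTIK_WAN2, CLIENT_PRIVATE))
    print("public IP on MikroTik:", scenario(MODEM_PUBLIC, CLIENT_PRIVATE))
    print("client on public IP:  ", scenario(MODEM_PUBLIC, CLIENT_PUBLIC))
```

The last case reproduces the stated drawback: with no NAT detected on either side, ESP stays on IP protocol 50, which the modem's DMZ must then forward.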
 
boxybh
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Jul 29, 2017 11:16 am

Re: static ip vpn through modem not working

Thu Jun 16, 2022 9:49 am

(either to change registry settings on every single Windows client you use)

i know this but avoiding it


(or to put up the public IP also on the Mikrotik an "un-dst-nat" the incoming IPSec connections back to that IP address, see viewtopic.php?p=738129#p738129)
can try this
 
kevinds
Long time Member
Posts: 635
Joined: Wed Jan 14, 2015 8:41 am

Re: static ip vpn through modem not working

Thu Jun 16, 2022 10:21 am

i know this but avoiding it
But does that fix it?
 
boxybh
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Jul 29, 2017 11:16 am

Re: static ip vpn through modem not working

Mon Jun 27, 2022 10:47 am

ok so tried with this
https://docs.microsoft.com/en-us/troubl ... tion-issue

setting it to 2 works

with this registry hack i can connect to the vpn of the router

but this one did not work
"
/ip firewall nat
print chain=dstnat where !dynamic
add chain=dstnat place-before=0 action=dst-nat protocol=udp dst-port=500,4500 in-interface=your-wan-interface \
to-addresses=the.public.ip.mentioned.above
"


wan2 dial shows connected in mikrotik ph1 and ph2 established and windows drops connection never a success in connection
Whereas IPsec as such doesn't care where the NAT takes place, the Windows embedded client does - with default settings, it breaks connection if the NAT detector indicates that the actual address of the responder (the private one of your Mikrotik) doesn't match the one configured at the Windows side (the public IP of the modem).
There are two ways to handle this - either to change registry settings on every single Windows client you use, or to put up the public IP also on the Mikrotik and "un-dst-nat" the incoming IPsec connections back to that IP address, see viewtopic.php?p=738129#p738129

The drawback of the latter option is that it doesn't work if the Windows initiator is on a public IP address unless the DMZ on the modem can forward also ESP traffic.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: static ip vpn through modem not working

Mon Jun 27, 2022 10:54 am

this one did not work
I'd have to see the complete configuration to say why. The dst-nat rule alone seems fine to me.
 
boxybh
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Jul 29, 2017 11:16 am

Re: static ip vpn through modem not working

Mon Jun 27, 2022 11:00 am

well the connection by mikrotik does get established but what is not being forwarded by modem -> mikrotik for windows to see it right?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: static ip vpn through modem not working

Mon Jun 27, 2022 11:21 am

Sorry, I did not understand your description of the situation. You've stated that it works end-to-end with the Windows registry change, hence the IPsec settings, L2TP settings, and port-forwarding on the modem must all be correct. The dst-address of the L2TP transport packets is inherited from the IPsec transport packets carrying them during decapsulation, so no dst-nat rule should be necessary for UDP port 1701.

So something in the other settings must be wrong. See my automatic signature for a mini-howto on how to obtain the configuration in a concise form and anonymize it properly before posting.
 
boxybh
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Jul 29, 2017 11:16 am

Re: static ip vpn through modem not working

Mon Jun 27, 2022 11:26 am

" so no dst-nat rule should be necessary for UDP port 1701. " without this, but with windows regstry hack i can connect to the vpn. but i want to avoid registry hack .
one way is bridging the modem and dial from mikrotik as my wan1 does, this is on wan 2 through modem of isp and for wan2 registry hack only works with win10.
Sorry, I did not understand your description of the situation. You've stated that it works end-to-end with the Windows registry change, hence the IPsec settings, L2TP settings, and port-forwarding on the modem must all be correct. The dst-address of the L2TP transport packets is inherited from the IPsec transport packets carrying them during decapsulation, so no dst-nat rule should be necessary for UDP port 1701.

So something in the other settings must be wrong. See my automatic signature for a mini-howto on how to obtain the configuration in a concise form and anonymize it properly before posting.
 
boxybh
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Jul 29, 2017 11:16 am

Re: static ip vpn through modem not working

Mon Jun 27, 2022 12:01 pm

ok another development

win 10 pc 1 , with registry mod
win 10 pc2 , without registry mod
(pc1 pc2 using same internet and same lan)

try connecting pc2 to vpn on wan2 = no success

connect pc1 to wan2 vpn and it succeeds -> now connect pc2 (which is without registry mod) and it is a success
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: static ip vpn through modem not working

Mon Jun 27, 2022 1:45 pm

Wait - are both PCs at the same site, i.e. from the perspective of the server, do they connect from the same public IP address?
 
boxybh
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Jul 29, 2017 11:16 am

Re: static ip vpn through modem not working

Mon Jun 27, 2022 2:02 pm

Wait - are both PCs at the same site, i.e. from the perspective of the server, do they connect from the same public IP address?
Yes, both pcs are at same site, same public ip address, correct
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: static ip vpn through modem not working

Mon Jun 27, 2022 2:16 pm

That's a separate can of worms then, you need a complicated workaround to make L2TP/IPsec work in this case.
