Valerio5000
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Dec 06, 2013 2:38 am

Beginner with routeros and VPN

Thu Jul 14, 2022 7:34 pm

Hello to all friends of Mikrotik ;)

I have been using ROS for years, so much so that I made all my relatives and friends buy a Routerboard, creating a VPN connection for remote management of the clients and of the RB itself.

After several years there are 3 situations that I have not been able to solve in any way.

1. Is it possible to have layer 2 connectivity between two RBs connected via L2TP while keeping the different subnets?

RB Server = 192.168.0.0/24
Remote RB = 192.168.50.0/24

I would like to be able to find my DLNA servers, printers or PCs simply by searching for them from the "network" in Windows from the remote LAN (192.168.50.0/24).

I have tried EoIP and BCP, but to work they need the same subnets, whereas I would like to keep them different.

Is there a solution?

2. I would like my clients with an L2TP VPN set up (Android and Windows), when connected to the LAN 192.168.0.0/24, to be able to reach my DLNA servers, printers etc. as if they were physically inside the building.

I have read that to do this I have to set, in the PPP profile, as Local IP and Remote IP an IP of the same subnet 192.168.0.0/24, indicate the local bridge and set Proxy-ARP on the local bridge. Is that correct?

I currently have a separate IP pool for VPN clients (192.168.89.0/24); can I keep a different IP range or do I need to unify them?

3. If a remote VPN client (Windows or Android) connects to my LAN (192.168.0.0/24) and I search for "\\NAS_Home" on Windows, it finds nothing; if I enter its IP it works. Is it possible to have DNS resolution for remote VPN clients?

If I use a second RB connected via VPN to the home LAN, I have to enter a static entry in the latter under IP > DNS, but even then, if I type "\\NAS_Home" it does not work; I discovered that if I enter "NAS_Home.local" in IP > DNS then everything works.

Is there any way around this? In the RB server I have entered the IP of the RB as DNS server for both local clients and remote VPN clients, but it does not work anyway.

NAS_Home is a Synology NAS connected to my LAN (192.168.0.0/24) with IP 192.168.0.6

For now I would like to stay on ROS v6, I still don't trust v7 too much.

I read about ZeroTier on v7 but I didn't understand whether I could have layer 2 connectivity with different subnets (192.168.0.0/24 and 192.168.50.0/24).

I would be very happy if someone would help me to solve these three points because I'm going crazy :D

Sorry for my English

Config RB Server/home (192.168.0.0/24)
# jul/14/2022 18:44:07 by RouterOS 6.48.6
# software id = [HIDE]
#
# model = RBD52G-5HacD2HnD
# serial number = [HIDE]
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn comment="Wlan 2.4 Ghz" \
    country=no_country_set disabled=no distance=indoors frequency=auto \
    frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=\
    Rete-Privata tx-power=18 tx-power-mode=all-rates-fixed wireless-protocol=\
    802.11 wmm-support=enabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    comment="Wlan 5 Ghz" country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
    ap-bridge skip-dfs-channels=all ssid=Rete-Privata-5 tx-power=20 \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11 wmm-support=\
    enabled
/interface bridge
add admin-mac=[HIDE] auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="Switch Principale"
set [ find default-name=ether3 ] comment="Centralino VOIP"
set [ find default-name=ether4 ] comment="Camera Luca"
set [ find default-name=ether5 ] comment=NAS
/interface wireless manual-tx-power-table
set wlan1 comment="Wlan 2.4 Ghz"
set wlan2 comment="Wlan 5 Ghz"
/interface wireless nstreme
set wlan1 comment="Wlan 2.4 Ghz"
set wlan2 comment="Wlan 5 Ghz"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes authoritative=after-2sec-delay \
    disabled=no interface=bridge name="DHCP Home"
/ppp profile
set *0 dns-server=192.168.0.1 local-address=dhcp remote-address=vpn
set *FFFFFFFE address-list="Indirizzi VPN" dns-server=192.168.0.1 \
    interface-list=LAN local-address=dhcp remote-address=vpn
/queue tree
add name=ALL_ELSE_IN packet-mark=ALL_ELSE_IN parent=global queue=default
add name=ALL_ELSE_OUT packet-mark=ALL_ELSE_OUT parent=global queue=default
add name=VOIP_IN packet-mark=VOIP_IN parent=global priority=1 queue=default
add name=VOIP_OUT packet-mark=VOIP_OUT parent=global priority=1 queue=default
add name=NAS_IN packet-mark=NAS_IN parent=global priority=3 queue=default
add name=NAS_OUT packet-mark=NAS_OUT parent=global priority=3 queue=default
add name=PS4_IN packet-mark=PS4_IN parent=global priority=2 queue=default
add name=PS4_OUT packet-mark=PS4_OUT parent=global priority=2 queue=default
/system logging action
add email-to=[HIDE] name=Email target=email
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=[HIDE] default-profile=\
    default-encryption enabled=yes force-aes=yes pfs=yes tls-version=only-1.2
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
    192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server config
set store-leases-disk=1h
/ip dhcp-server lease
[HIDE]
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
    192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.0.1 name=router
/ip firewall address-list
add list="Indirizzi VPN"
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# no interface
add action=accept chain=input comment=\
    "Collegamento LAN  -->> LAN locale" dst-address=192.168.0.0/24 \
    in-interface=*F00096 src-address=192.168.51.0/24
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=drop chain=input comment="Blocco richieste DNS TCP da WAN" \
    dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="Blocco richieste DNS UDP da WAN" \
    dst-port=53 in-interface=ether1 protocol=udp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
/ip firewall mangle
add action=mark-packet chain=prerouting comment=ALL_ELSE_IN in-interface=\
    ether1 new-packet-mark=ALL_ELSE_IN passthrough=no
add action=mark-packet chain=postrouting comment=ALL_ELSE_OUT \
    new-packet-mark=ALL_ELSE_OUT out-interface=ether1 passthrough=no
add action=mark-packet chain=prerouting comment="VOIP IN" new-packet-mark=\
    VOIP_IN passthrough=no src-address=192.168.0.8
add action=mark-packet chain=postrouting comment="VOIP OUT" dst-address=\
    192.168.0.8 new-packet-mark=VOIP_OUT passthrough=no
add action=mark-packet chain=prerouting comment=NAS_IN new-packet-mark=NAS_IN \
    passthrough=no src-address=192.168.0.6
add action=mark-packet chain=postrouting comment=NAS_OUT dst-address=\
    192.168.0.6 new-packet-mark=NAS_OUT passthrough=no
add action=mark-packet chain=prerouting comment=PS4_VALE_IN new-packet-mark=\
    PS4_IN passthrough=no src-address=192.168.0.34
add action=mark-packet chain=postrouting comment=PS4_VALE_OUT dst-address=\
    192.168.0.34 new-packet-mark=PS4_OUT passthrough=no
add action=mark-packet chain=prerouting comment=PS4_LUCA_IN new-packet-mark=\
    PS4_IN passthrough=no src-address=192.168.0.27
add action=mark-packet chain=postrouting comment=PS4_LUCA_OUT dst-address=\
    192.168.0.27 new-packet-mark=PS4_OUT passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Rotta --> LAN 1" \
    dst-address=192.168.50.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Rotta --> LAN 2" \
    dst-address=192.168.51.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Rotta --> LAN 3" \
    dst-address=192.168.52.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Rotta --> LAN 4" \
    dst-address=192.168.55.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Rotta --> LAN 5" \
    dst-address=192.168.53.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Rotta --> LAN 6" \
    dst-address=192.168.54.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-port=2124 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.1 to-ports=2124
add action=dst-nat chain=dstnat comment="Porta1 UDP Centralino VOIP" \
    dst-address=[HIDE] dst-port=5004 in-interface=ether1 protocol=udp \
    to-addresses=192.168.0.8 to-ports=5004
add action=dst-nat chain=dstnat comment="Porta2 UDP Centralino VOIP" \
    dst-address=[HIDE] dst-port=5060 in-interface=ether1 protocol=udp \
    to-addresses=192.168.0.8 to-ports=5060
add action=dst-nat chain=dstnat comment="WinBox RB_HAP_AC2_Salotto" dst-port=\
    8292 in-interface=ether1 protocol=tcp to-addresses=192.168.0.4 to-ports=\
    8292
add action=dst-nat chain=dstnat comment="WebFig RB_HAP_AC2_Salotto" dst-port=\
    8082 in-interface=ether1 protocol=tcp to-addresses=192.168.0.4 to-ports=\
    8082
add action=dst-nat chain=dstnat comment="FTP RB_HAP_AC2_Salotto" dst-port=\
    2191 in-interface=ether1 protocol=tcp to-addresses=192.168.0.4 to-ports=\
    2191
add action=dst-nat chain=dstnat comment="SSH RB_HAP_AC2_Salotto" dst-port=\
    2296 in-interface=ether1 protocol=tcp to-addresses=192.168.0.4 to-ports=\
    2296
add action=dst-nat chain=dstnat comment=\
    "Accesso Web HTTP interfaccia DSM NAS_Casa" dst-port=8080 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=8080
add action=dst-nat chain=dstnat comment=\
    "Accesso Web HTTPS interfaccia DSM NAS_Casa" dst-port=5001 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=5001
add action=dst-nat chain=dstnat comment="SFTP NAS_Casa" dst-port=2224 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=2224
add action=dst-nat chain=dstnat comment="FTP/FTPS 1\B0 NAS_Casa" dst-port=\
    2121 in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=\
    2121
add action=dst-nat chain=dstnat comment="FTP/FTPS 2\B0 NAS_Casa" dst-port=\
    55536-55599 in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 \
    to-ports=55536-55599
add action=dst-nat chain=dstnat comment="SSH NAS_Casa" disabled=yes dst-port=\
    2240 in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=\
    2240
add action=dst-nat chain=dstnat comment="Torrent NAS_Casa" dst-port=16881 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=16881
add action=dst-nat chain=dstnat comment="Torrent NAS_Casa" dst-port=6881 \
    in-interface=ether1 protocol=udp to-addresses=192.168.0.6 to-ports=6881
add action=dst-nat chain=dstnat comment="eMule NAS_Casa" dst-port=4662 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=4662
add action=dst-nat chain=dstnat comment="eMule NAS_Casa" dst-port=4672 \
    in-interface=ether1 protocol=udp to-addresses=192.168.0.6 to-ports=4672
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
/ip route
add comment="Rotta -->> LAN 1" distance=1 dst-address=\
    192.168.50.0/24 gateway=192.168.89.200
add comment="Rotta -->> LAN 2" distance=1 dst-address=192.168.51.0/24 \
    gateway=192.168.89.201
add comment="Rotta -->> LAN 3" distance=1 dst-address=192.168.52.0/24 \
    gateway=192.168.89.202
add comment="Rotta -->> LAN 4" distance=1 dst-address=\
    192.168.53.0/24 gateway=192.168.89.203
add comment="Rotta -->> LAN 5" distance=1 dst-address=\
    192.168.54.0/24 gateway=192.168.89.204
add comment="Rotta -->> LAN 6" distance=1 dst-address=\
    192.168.55.0/24 gateway=192.168.89.205
/ip service
set telnet disabled=yes
set ftp port=2190
set www port=8081
set ssh port=2295
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set comment=USB_RB_HAP domain=WORKGROUP enabled=yes interfaces=bridge
/ip smb shares
add directory=/disk1 name=USB_RB_HAP
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=[HIDE]
add local-address=192.168.0.200 name=LAN1 remote-address=\
    192.168.89.200
add local-address=192.168.0.201 name=LAN2 remote-address=192.168.89.201
add local-address=192.168.0.202 name=LAN3 remote-address=\
    192.168.89.202
add local-address=192.168.0.203 name=LAN4 remote-address=\
    192.168.89.203
add local-address=192.168.0.204 name=LAN5 remote-address=\
    192.168.89.204
add local-address=192.168.0.205 name=LAN6 remote-address=\
    192.168.89.205
/system clock
set time-zone-name=Europe
/system identity
set name=HAP_AC2
/system leds
add interface=wlan1 leds=user-led type=interface-activity
/system logging
add action=Email disabled=yes prefix="[RB_HAP_AC2-Casa]" topics=account
/system package update
set channel=long-term
/system routerboard settings
set cpu-frequency=565MHz
/system scheduler
add comment="Abilita il wireless" interval=1d name=Wlan-on on-event=\
    "/interface wireless enable wlan1\r\
    \n/interface wireless enable wlan2" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    jan/15/2016 start-time=06:30:00
add comment="Disabilita il wireless" interval=1d name=Wlan-off on-event=\
    "/interface wireless disable wlan1\r\
    \n/interface wireless disable wlan2" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    jan/15/2016 start-time=01:30:00
/tool e-mail
set address=smtp.gmail.com from=<RB951> port=587 start-tls=yes user=\
    [HIDE]
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner with routeros and VPN

Thu Jul 14, 2022 9:23 pm

Where is sob and his proxy arp solution for this one!!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Beginner with routeros and VPN

Thu Jul 14, 2022 10:14 pm

Proxy ARP doesn't solve much: it can make a VPN client part of the local subnet, but it's only L3. So, for example, all local name resolution protocols still won't work. Name resolution as a whole is another can of worms. Any local overrides (where you set something manually, like static records in RouterOS) are problematic, because everything must use the right servers and it's increasingly difficult to enforce that. There's mDNS as a newer solution, but it still won't easily work across different L2 segments. You can find some interesting info in the mDNS repeater feature thread. But I honestly don't know enough about this to easily come up with some good solution.
 
Valerio5000
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Dec 06, 2013 2:38 am

Re: Beginner with routeros and VPN

Fri Jul 15, 2022 1:10 pm

OK, thanks everyone for the answers ;)

For point 2 I have to enable proxy-arp on the local bridge and in the PPP profile I have to indicate the bridge. Do I have to indicate the IP of the RB as the local address and an IP of the LAN subnet (192.168.0.0/24) as the remote address? Correct? Currently as the local address I have the local DHCP server that assigns local IPs (192.168.0.0/24) and as the remote address a pool for VPN clients (192.168.89.0/24). Should I delete this pool?

I understand that points 1 and 3 are connected with the mDNS function (in the discussion you indicated I entered my +1 to have this functionality in ROS :D), which is impossible to have in ROS 6, and on ROS 7 I could have something with a Docker container; is that correct?

Finally... EoIP and BCP must be on the same subnet to work, or is it possible to invent something to keep the subnets different?
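Since the proxy-ARP layout for point 2 and the static DNS record for point 3 come up in both the opening post and this follow-up, here is an added RouterOS 6 example of that configuration, written by the editor rather than taken from the thread or from MikroTik documentation. It assumes the LAN bridge is named "bridge" with 192.168.0.1/24 as in the export, and uses a hypothetical pool range 192.168.0.230-192.168.0.249 that is carved out of the DHCP pool so a LAN host and a VPN client can never receive the same address.

```routeros
# Added example (RouterOS 6 syntax), not from the thread's author.
# Assumptions: LAN bridge "bridge" with 192.168.0.1/24; the range
# 192.168.0.230-192.168.0.249 is hypothetical and reserved for VPN clients.

# 1. Keep the DHCP pool and the VPN pool disjoint. With the original
#    dhcp pool (192.168.0.10-192.168.0.254) a LAN host and a VPN client
#    could be handed the same address.
/ip pool set [ find name=dhcp ] ranges=192.168.0.10-192.168.0.229
/ip pool add name=vpn-lan ranges=192.168.0.230-192.168.0.249

# 2. Proxy ARP on the LAN bridge: the router answers ARP requests for the
#    VPN clients' 192.168.0.x addresses, so LAN hosts send traffic for them
#    to the router, which forwards it into the L2TP tunnel. This is L3 only;
#    broadcast-based discovery (NetBIOS, SSDP, mDNS) still does not cross.
/interface bridge set [ find name=bridge ] arp=proxy-arp

# 3. PPP profile used by the L2TP server: the router side keeps its own LAN
#    address, the client side draws from the LAN-range pool, and clients are
#    told to resolve names through the router. Do not set bridge= here; that
#    attaches the PPP interface to the bridge for BCP, a different design.
/ppp profile set *FFFFFFFE local-address=192.168.0.1 remote-address=vpn-lan \
    dns-server=192.168.0.1

# 4. Static DNS records for point 3. Both the plain name and the .local form
#    are added because the thread reports only the .local variant working on
#    a remote RB; "allow-remote-requests=yes" is already set in the export.
/ip dns static add name=NAS_Home address=192.168.0.6
/ip dns static add name=NAS_Home.local address=192.168.0.6

# 5. The site-to-site secrets LAN1..LAN6 carry explicit 192.168.89.x
#    remote-addresses, which override the profile, so the static routes to
#    the remote LANs keep working. Only road-warrior clients (secrets without
#    an explicit address) move into the LAN range; for them the
#    "masq. vpn traffic" rule for 192.168.89.0/24 simply stops matching.

# 6. Verification once a client is connected: the client should show up
#    with a 192.168.0.23x address, and LAN hosts' ARP queries for it should
#    be answered by the bridge MAC.
/ppp active print
/ip arp print where interface=bridge
/ip dns static print
```

If the remote-address pool lies inside the LAN subnet but the DHCP range is left untouched, the failure mode is an intermittent duplicate-address conflict, so check the two pool ranges before anything else when a VPN client "sometimes" cannot reach the LAN.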
 
Valerio5000
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Dec 06, 2013 2:38 am

Re: Beginner with routeros and VPN

Tue Aug 02, 2022 4:25 pm

UP..
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner with routeros and VPN

Tue Aug 02, 2022 5:00 pm

Did you research ZeroTier?
