tophermiller
just joined
Topic Author
Posts: 11
Joined: Mon Jul 11, 2022 11:40 pm

Can't access LAN over VPN

Wed Jul 20, 2022 8:06 pm

I set up the Mikrotik Routerboard as an IPsec/L2TP VPN server by following a couple of blog posts I found online. I can successfully connect to my VPN remotely, but I cannot access any resources on the Mikrotik's LAN other than the router itself. The Mikrotik IP is 10.1.11.1 and I can access this remotely just fine with Winbox. My VPN connection is assigned an IP from the VPN pool, e.g. 10.1.11.11. Then, for example, I cannot ping a server located at 10.1.11.91. Screenshots attached show my VPN connection and Winbox configuration. Notice that my subnet mask is assigned as 255.255.255.255 with default gateway 0.0.0.0, but why?
Last edited by tophermiller on Wed Jul 20, 2022 8:32 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access LAN over VPN

Wed Jul 20, 2022 8:23 pm

Can you post your config please (/export),
and hide any public IP numbers (WAN IP, gateway info, etc.).
 
tophermiller
just joined
Topic Author
Posts: 11
Joined: Mon Jul 11, 2022 11:40 pm

Re: Can't access LAN over VPN

Wed Jul 20, 2022 8:33 pm

see attachment config.txt
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Can't access LAN over VPN

Wed Jul 20, 2022 9:43 pm

As the VPN client uses an address from the LAN, you have to enable proxy ARP on that interface (bridge1). This is so the Mikrotik can answer ARP requests from devices connected to the local LAN Ethernet on behalf of the VPN client.

You may wish to change your IPsec secret, not having redacted it, and pick something with suitable complexity; search for "IPsec shared secret length" or "IPsec shared secret entropy".

Hopefully you have more firewall rules than just those shown; otherwise the device is open to attack. Depending on what there are, you may have to add rules to allow traffic from the VPN interface.
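The commands below implement what tdw describes: proxy ARP on the LAN bridge, plus the PPP profile settings that hand VPN clients addresses from the LAN range and put their dynamic L2TP interfaces into the LAN interface list, so firewall rules written against that list also cover VPN clients. This is an added example, not the poster's config; bridge1, the LAN interface list, the pool name vpn-pool, the profile name default-encryption and the address ranges (router 10.1.11.1, VPN pool 10.1.11.10-29 outside the DHCP range 10.1.11.100-250) are assumptions taken from the thread.

```routeros
# Added example (not from the thread). Assumes the LAN bridge is "bridge1",
# the firewall uses an interface list named "LAN", and VPN clients get
# addresses from the LAN subnet 10.1.11.0/24 (pool 10.1.11.10-10.1.11.29).

# 1. Proxy ARP on the LAN bridge: the router answers ARP requests from LAN
#    hosts on behalf of VPN clients, whose addresses sit on a PPP interface
#    rather than on the bridge, so LAN hosts send their replies to the router.
/interface bridge
set [ find name=bridge1 ] arp=proxy-arp

# 2. Address pool for VPN clients, carved out of the LAN range but outside
#    the DHCP server range (10.1.11.100-250) so the two never overlap.
/ip pool
add name=vpn-pool ranges=10.1.11.10-10.1.11.29

# 3. PPP profile: local-address is the router's LAN address, remote-address
#    draws from the pool. interface-list=LAN adds each dynamic <l2tp-...>
#    interface to the LAN list as it comes up, so any firewall rule matching
#    in-interface-list=LAN also applies to VPN clients.
/ppp profile
set default-encryption local-address=10.1.11.1 remote-address=vpn-pool \
    interface-list=LAN use-encryption=required

# 4. L2TP server bound to that profile; IPsec is required, not optional.
#    The secret is a placeholder: replace it with a long random value.
/interface l2tp-server server
set enabled=yes default-profile=default-encryption use-ipsec=required \
    ipsec-secret=REPLACE-WITH-A-LONG-RANDOM-SECRET authentication=mschap2

# 5. Checks once a client is connected: the bridge reports arp=proxy-arp and
#    the client's L2TP interface appears as a dynamic member of LAN.
/interface bridge print where name=bridge1
/interface list member print where list=LAN
```

With proxy ARP in place, a LAN host ARPing for 10.1.11.11 gets the router's MAC, so return traffic reaches the router and is forwarded onto the PPP interface; without it the ARP goes unanswered and only traffic to the router itself works. If pings still fail after this, check the target host's own firewall before blaming the router, which is how this thread was eventually resolved.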
 
tophermiller
just joined
Topic Author
Posts: 11
Joined: Mon Jul 11, 2022 11:40 pm

Re: Can't access LAN over VPN

Wed Jul 20, 2022 10:58 pm

Thanks. I changed the ARP setting from "enabled" to "proxy-arp", but it didn't seem to help. I still can't ping IPs of servers on the LAN.
/interface bridge
add arp=proxy-arp name=bridge1
 
tophermiller
just joined
Topic Author
Posts: 11
Joined: Mon Jul 11, 2022 11:40 pm

Re: Can't access LAN over VPN

Wed Jul 20, 2022 11:01 pm

The gateway and subnet mask I'm getting from ipconfig on my client seem suspect:
PPP adapter AUP:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.1.11.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access LAN over VPN

Wed Jul 20, 2022 11:02 pm

Do you have to have a VPN pool? Don't you just set an IP address somewhere in the VPN settings......
In any case, set it different FROM THE LAN.

Then make firewall rules to allow VPN IP to LAN IP etc.........

WireGuard for me is much easier........... made for the brain dead. :-)
 
tophermiller
just joined
Topic Author
Posts: 11
Joined: Mon Jul 11, 2022 11:40 pm

Re: Can't access LAN over VPN

Thu Jul 21, 2022 5:37 pm

anav, can you elaborate further on these firewall rules I may need? I don't quite follow. My VPN pool is 10.1.11.10-29 because I want to allow multiple clients. My LAN DHCP is 10.1.11.100-250, and I have some reserved IPs on the LAN between 10.1.11.30-99. Why can't my VPN clients ping the hosts on the rest of the LAN? Why is my VPN client getting a subnet mask of 255.255.255.255 and a gateway of 0.0.0.0?
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access LAN over VPN

Thu Jul 21, 2022 5:59 pm

Sorry, I cannot, as I would never use the same pool for VPN and my LAN; I don't have the networking skillset to parse that out.
Further, one probably cannot separate that traffic, being in the same pool.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access LAN over VPN

Thu Jul 21, 2022 7:33 pm

There's nothing to it; you just need proxy ARP as suggested. On the client, mask 255.255.255.255 is normal; it gets only a single address. The route to the remote subnet is Windows "magic" that works with long-dead subnet classes. But you don't need to worry about that when you have the VPN configured as default gateway, which it seems you do, because there's gateway 0.0.0.0 (it shows like that). So yeah, it should work.

But what I find really, really weird: you posted a config with a non-existent firewall, and it didn't trigger @anav at all, as if he didn't see it. Could simple overlapping subnets confuse him so much? :D
 
tophermiller
just joined
Topic Author
Posts: 11
Joined: Mon Jul 11, 2022 11:40 pm

Re: Can't access LAN over VPN

Thu Jul 21, 2022 11:04 pm

Proxy ARP didn't solve my problem though. Sigh. After setting it, I still couldn't ping any other hosts on the LAN. Maybe I set it up wrong? Can you post the command line I should use?
 
tophermiller
just joined
Topic Author
Posts: 11
Joined: Mon Jul 11, 2022 11:40 pm

Re: Can't access LAN over VPN  [SOLVED]

Fri Jul 22, 2022 12:22 am

Problem solved! My bad. It turns out the Windows server on the LAN that I was trying to ping had ping responses disabled in Windows Firewall! Argh!
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can't access LAN over VPN

Fri Jul 22, 2022 12:23 am

As usual...
 
holvoetn
Forum Guru
Posts: 5472
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Can't access LAN over VPN

Fri Jul 22, 2022 12:39 am

As usual...
Should be some sort of sticky on a couple of forums.
WHEN PING FAILS TO A WINDOWS MACHINE, IT COULD BE NORMAL.
CHECK WINDOWS FIREWALL FIRST BEFORE POINTING AT YOUR ROUTER.

:lol:
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can't access LAN over VPN

Fri Jul 22, 2022 12:58 am

There are even worse situations...

A user of mine signed up with us to get Netflix on the TV.

Up to here, everything is normal...

Then he wanted us to configure the television for him...
Look, he didn't buy it from us, it's not our job, we only provide the connection...
And up to here... well, imagine....

But then...

"I pay the subscription to see Netflix, but I cannot get to see it"...
Too bad the subscription you pay us is only for the Internet;
if you want to see Netflix you also have to pay a separate subscription to Netflix... not pay us more...

I'll let you imagine the sequel...
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access LAN over VPN

Fri Jul 22, 2022 1:03 am

@tophermiller: Since @anav is still scared away, I'll mention it once more myself: you don't have any firewall; everything is wide open. It's probably a good idea to do something about that. See e.g. this for some inspiration: viewtopic.php?t=180838
 
tophermiller
just joined
Topic Author
Posts: 11
Joined: Mon Jul 11, 2022 11:40 pm

Re: Can't access LAN over VPN

Fri Jul 22, 2022 2:36 am

@Sob Thank you, and yes, I want to do something about that, but I'm kinda clueless about what is required. I'll read the link you suggested, and I also spoke with the guy who sold me on this MikroTik and he recommended the following... what do you think?
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access LAN over VPN

Fri Jul 22, 2022 5:39 am

That's almost like the default config, which looks like this:
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
Yours is missing the last drop rule in the input chain, so it doesn't prevent connections from the internet to the router (that's not good). And the default one has fasttrack, which can improve throughput but also has some side effects. Both use "block unwanted things and allow the rest", while the linked thread works with "allow wanted things and block the rest". I like the latter, but it's not like the former is wrong, just a different way.
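Sob's point is that the posted rule set has no final drop in the input chain, so any service listening on the router (Winbox, SSH, API, DNS) is reachable from the internet. Adding the default "drop all not coming from LAN" rule fixes that, but on an L2TP/IPsec server it also blocks the VPN unless IKE, NAT-T and L2TP are accepted before it; this is the "rules to allow traffic from the VPN" that tdw mentioned earlier. The rule set below is an added example, not the default config and not the poster's rules. It assumes interface lists named WAN and LAN exist and that dynamic L2TP interfaces are members of LAN (for instance via interface-list=LAN on the PPP profile), and it omits fasttrack, which Sob notes has side effects.

```routeros
# Added example (not the RouterOS defaults and not from the thread).
# Assumes interface lists "WAN" and "LAN" exist and that the dynamic
# <l2tp-...> interfaces are members of LAN (e.g. /ppp profile interface-list=LAN).
# Rules are evaluated top to bottom within a chain, so order matters.

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
# The L2TP/IPsec server needs IKE (500) and NAT-T (4500) reachable from the internet...
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface-list=WAN comment="IKE / NAT-T for the VPN"
# ...but L2TP itself (1701) is only accepted after it has been decapsulated from IPsec;
# plain-text L2TP from the internet falls through to the final drop.
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP only inside IPsec"
# The rule Sob pointed out as missing: everything else not from LAN is dropped.
# VPN clients still reach Winbox/SSH because their L2TP interfaces are in LAN.
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"

# --- forward: traffic passing through the router ---
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# New connections from the internet are only allowed if a dst-nat rule created them.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop all from WAN not DSTNATed"

# Verify: while probing the WAN address from outside, only the IKE rule and the
# final input drop should be incrementing.
/ip firewall filter print stats chain=input
```

The ipsec-policy=in,ipsec matcher is what keeps UDP 1701 from being a second open door: it only matches packets that arrived inside the IPsec transport-mode SA, so the L2TP control channel is never exposed unencrypted. If the L2TP interfaces were not in the LAN list, the final input drop would also cut off Winbox access over the VPN, which is why the interface list assumption is stated up front.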
 
ahmtdrsn
just joined
Posts: 3
Joined: Sat Jan 14, 2023 2:27 pm
Location: Istanbul

Re: Can't access LAN over VPN

Sun Jan 15, 2023 5:51 pm

Hello,

The VPN connection is working properly, but I cannot ping local servers. When I make a VPN connection, I get an IP from the pool I reserved for the VPN, but I cannot ping the servers or other devices. I set my bridge connection to "proxy-arp". I added the firewall rules you recommended, but it still didn't work. I am sharing my backup file attached; could you please take a look?
Thank you so much.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access LAN over VPN

Sun Jan 15, 2023 10:07 pm

I recommend not using proxy ARP; it seems like a dirty trick Sob conjured, making people think that using the same pool of addresses for two different things is a good idea!!!
I personally don't like such tricks........... What is proxy ARP anyway? Probably some way of monkeying with traffic at the MAC address level........