I have two Mikrotik RB3011 routers that each work independently very well. I am just above a newbie in Networking.
I need to travel around, and I want to carry one (the "client", Identity set to Travel) so that I can connect to the other one, server ("Identity" set to Home), so I enabled up the SSTP protocol, following the wiki, and then modifying as per various forum indicators. But on testing the pings are not working. Need help.
The server side settings export is here :
Code: Select all
# aug/21/2022 06:16:50 by RouterOS 6.49.6
# software id = AGEK-8YNP
#
# model = RB3011UiAS
# serial number = E7EA0E3205F9
/interface bridge
add name=home-bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.16.2-192.168.16.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=home-bridge lease-time=30m name=dhcp1
/interface bridge port
add bridge=home-bridge interface=ether2
add bridge=home-bridge interface=ether3
add bridge=home-bridge interface=ether4
add bridge=home-bridge interface=ether5
add bridge=home-bridge interface=ether6
add bridge=home-bridge interface=ether7
add bridge=home-bridge interface=ether8
add bridge=home-bridge interface=ether9
add bridge=home-bridge interface=ether10
/interface list member
add interface=ether1 list=WAN
add interface=home-bridge list=LAN
add interface=sfp1 list=LAN
/interface sstp-server server
set authentication=mschap2 certificate=server enabled=yes force-aes=yes pfs=yes verify-client-certificate=\
yes
/ip address
add address=192.168.16.1/24 interface=home-bridge network=192.168.16.0
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.16.0/24 dns-server=192.168.16.1 gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.16.1 name=home-lan
add address=8.8.8.8 name=google
/ip firewall address-list
add address=192.168.16.2-192.168.16.254 list=within-home
add address=0.0.0.0/8 list=not-internet
add address=172.16.0.0/12 list=not-internet
add address=192.168.0.0/16 list=not-internet
add address=10.0.0.0/8 list=not-internet
add address=169.254.0.0/16 list=not-internet
add address=127.0.0.0/8 list=not-internet
add address=224.0.0.0/4 list=not-internet
add address=100.64.0.0/10 list=not-internet
add address=198.18.0.0/15 list=not-internet
add address=198.51.100.0/24 list=not-internet
add address=203.0.113.0/24 list=not-internet
add address=240.0.0.0/4 list=not-internet
add address=255.255.255.255 list=not-internet
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input log-prefix=icmp protocol=icmp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=!LAN
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid log-prefix=!fw
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward connection-state=established,related,untracked
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ipv6 firewall address-list
add address=::1/128 list=not-internet-ipv6
add address=::/128 list=not-internet-ipv6
add address=64:ff9b::/96 list=not-internet-ipv6
add address=::ffff:0.0.0.0/96 list=not-internet-ipv6
add address=100::/64 list=not-internet-ipv6
add address=2001:2::/48 list=not-internet-ipv6
add address=2001:10::/28 list=not-internet-ipv6
add address=2002::/16 list=not-internet-ipv6
add address=fc00::/7 list=not-internet-ipv6
add address=fe80::/10 list=not-internet-ipv6
add address=2001::/32 list=not-internet-ipv6
add address=2001:5::/32 list=not-internet-ipv6
/lcd
set default-screen=stats-all
/ppp profile
add local-address=192.168.16.1 name=vpn_profile remote-address=*2
/ppp secret
add local-address=192.168.32.1 name=quasar66 remote-address=192.168.32.2 routes=\
"192.168.24.0/24 192.168.32.1 1" service=sstp
/system clock
set time-zone-name=America/New_York
/system identity
set name="US Home"
Code: Select all
# aug/21/2022 06:28:03 by RouterOS 6.49.6
# software id = IJ0H-KR40
#
# model = RB3011UiAS
# serial number = HCT084QBYPZ
/interface bridge
add name=home-bridge
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.24.2-192.168.24.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=home-bridge lease-time=30m name=\
dhcp1
/interface sstp-client
add authentication=mschap2 certificate=client connect-to=100.19.64.235 \
disabled=no name=sstp-client pfs=yes profile=default-encryption user=\
quasar66 verify-server-certificate=yes
/interface bridge port
add bridge=home-bridge interface=ether2
add bridge=home-bridge interface=ether3
add bridge=home-bridge interface=ether4
add bridge=home-bridge interface=ether5
add bridge=home-bridge interface=ether6
add bridge=home-bridge interface=ether7
add bridge=home-bridge interface=ether8
add bridge=home-bridge interface=ether9
add bridge=home-bridge interface=ether10
/interface list member
add interface=ether1 list=WAN
add interface=home-bridge list=LAN
add interface=sfp1 list=LAN
/ip address
add address=192.168.24.1/24 interface=home-bridge network=192.168.24.0
add address=100.19.64.235 interface=ether1 network=100.19.64.235
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.24.0/24 gateway=192.168.24.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 list=not-internet
add address=172.16.0.0/12 list=not-internet
add address=192.168.0.0/16 list=not-internet
add address=10.0.0.0/8 list=not-internet
add address=169.254.0.0/16 list=not-internet
add address=127.0.0.0/8 list=not-internet
add address=224.0.0.0/4 list=not-internet
add address=100.64.0.0/10 list=not-internet
add address=198.18.0.0/15 list=not-internet
add address=198.51.100.0/24 list=not-internet
add address=203.0.113.0/24 list=not-internet
add address=240.0.0.0/4 list=not-internet
add address=255.255.255.255 list=not-internet
add address=192.168.24.2-192.168.24.254 list=within-home
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=new dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 \
in-interface-list=LAN protocol=udp
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=input connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=\
established,related,untracked
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none
/ip route
add distance=1 gateway=100.19.64.1
add distance=1 dst-address=192.168.16.0/24 gateway=sstp-client
add distance=1 dst-address=192.168.16.0/24 gateway=sstp-client
/ip service
set www-ssl disabled=no
/ipv6 firewall address-list
add address=::1/128 list=not-internet-ipv6
add address=::/128 list=not-internet-ipv6
add address=64:ff9b::/96 list=not-internet-ipv6
add address=::ffff:0.0.0.0/96 list=not-internet-ipv6
add address=100::/64 list=not-internet-ipv6
add address=2001:2::/48 list=not-internet-ipv6
add address=2001:10::/28 list=not-internet-ipv6
add address=2002::/16 list=not-internet-ipv6
add address=fc00::/7 list=not-internet-ipv6
add address=fe80::/10 list=not-internet-ipv6
add address=2001::/32 list=not-internet-ipv6
add address=2001:5::/32 list=not-internet-ipv6
/system clock
set time-zone-name=America/New_York
/system clock manual
set time-zone=-04:00
/system identity
set name=Travel
On the server side I created CA certificate, a server certificate, and a client certificate. The only difference between server cert and client cert is that server cert contains key usage : tls_server tick checked. The CA certificate is attached as screenshot_CA - the CN is set to the IP address provided by the ISP. The key usage is key.cert sign, & clr sign, and its trusted. Thereafter all three certs were signed. After import at the client side, the certificates were visible with private keys. Secrets and SSTP server on server side :
Created the user/login, and set the Local address as 192.168.32.1 & remote address as 192.168.32.2. The corresponding SSTP server was enabled, and the certificate "server" was selected. On Client side, same credentials (user/password) and the connect to (erased) is set to the public IP address of the server side of the router. Lastly, the route list : server side and the route on the client side Problem : cannot ping either from the other
Please advise.
Thanks...