Sysxp
just joined
Topic Author
Posts: 4
Joined: Tue Oct 19, 2021 9:17 pm

VPN (PPTP, L2TP) + DHCP option 121 to add routes to clients

Mon Oct 31, 2022 8:06 am

Hello!

Simply put, I have some VPN clients (Windows 7+) connecting with IPs from 192.168.20.0/24 (from a pool on the MikroTik).
And I want them to be able to access 192.168.30.0/24, 192.168.40.0/24 etc., so I need routes on the clients.
I don't like ROUTE ADD, so after a long time I found the solution: an external DHCP server (in my case on Windows 2012) with option "121 - Classless route option".
To make it work, the following rules are needed:
/ip firewall nat 
add action=dst-nat chain=dstnat dst-address=255.255.255.255 dst-port=67 in-interface=all-ppp protocol=udp src-address=192.168.20.0/24 src-port=68 to-addresses='DHCP server IP here'
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.20.0/24 dst-port=68 protocol=udp src-address='DHCP server IP here' src-port=67

And it totally works - the clients get their routes automatically like magic, no scripts, nothing, "it just works".
My question is: all this was a long time ago. Is there a way to achieve the same result but using just the MikroTik, and no external DHCP? Is there a way to do it in RouterOS 7?
Is there a way to do it somehow differently from what I use?

Thank you!
 
satman1w
Member Candidate
Posts: 274
Joined: Mon Oct 02, 2006 11:47 am

Re: VPN (PPTP, L2TP) + DHCP option 121 to add routes to clients

Tue Nov 15, 2022 8:30 am

...I am not sure that I understood your post, but if you have a MikroTik router in your setup and all your networks are connected to the router, why do you need to push additional routes to your clients???
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN (PPTP, L2TP) + DHCP option 121 to add routes to clients

Tue Nov 15, 2022 4:23 pm

If the VPN client does not use the server as its default gateway, then pushing routes definitely makes sense.

And no, I didn't find a way to do it.
 
Sysxp
just joined
Topic Author
Posts: 4
Joined: Tue Oct 19, 2021 9:17 pm

Re: VPN (PPTP, L2TP) + DHCP option 121 to add routes to clients

Wed Nov 16, 2022 7:24 pm

> ...I am not sure that I understood your post, but if you have a MikroTik router in your setup and all your networks are connected to the router, why do you need to push additional routes to your clients???

When the client is connected, routing ALL his traffic through the VPN connection is usually a bad idea. That's why the "Use default gateway on remote network" checkbox under TCP/IP is unchecked, so the user can surf the internet using his local connection and still have access to corporate resources at the same time, while not pushing all his YouTube traffic with cats over the VPN.
This way, with an IP 192.168.20.x/24 he cannot access 192.168.30.x/24 etc., because the client has no route to this network.
I hope this makes sense.

Anyway, I already understand from the number of replies that nothing has been done about this particular problem and my solution is still the best. (I mean it is not mine, I just found it years ago; I guess someone really smart and desperate made it up initially.)

> And no, I didn't find a way to do it.

Thank you, I thought so, this is somewhat sad. iOS 16 is sad, RouterOS 7 is sad, I don't know, "earlier is better", I guess. :')
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN (PPTP, L2TP) + DHCP option 121 to add routes to clients

Thu Nov 17, 2022 4:26 am

If you didn't have to support Windows 7 and if your environment is not too dynamic, newer versions (I'm not sure if since 8 or 10) support assigning routes to a VPN connection (Add-VpnConnectionRoute in PowerShell). It's pretty good. Of course, if RouterOS supported DHCP for VPN connections, it wouldn't be bad either. But AFAIK, so far it does it only for IPsec connections, see https://help.mikrotik.com/docs/display/ ... imitations.
 
Sysxp
just joined
Topic Author
Posts: 4
Joined: Tue Oct 19, 2021 9:17 pm

Re: VPN (PPTP, L2TP) + DHCP option 121 to add routes to clients

Thu Nov 17, 2022 7:07 am

> If you didn't have to support Windows 7 and if your environment is not too dynamic, newer versions (I'm not sure if since 8 or 10) support assigning routes to a VPN connection (Add-VpnConnectionRoute in PowerShell). It's pretty good.

Yes, I heard about this one. But still, it is not the same - you have to connect to the remote PC or send some script to add a route. The solution with DHCP is far more elegant, easy, flexible and requires ZERO configuration on the client side; furthermore, I can add a new route anytime I want and it will be applied to all new (or restarted) connections immediately, without the need to run around 100+ remote laptops, which would be pure madness.
