apitsos
newbie
Topic Author
Posts: 35
Joined: Tue Feb 22, 2022 9:36 pm
Location: Bielefeld, Germany

Can't access the internal network with SSTP VPN road-warrior connection

Thu Nov 24, 2022 4:41 pm

Hi there,

I would like to ask for the help of the experts. I have configured an SSTP server on a MikroTik router and I can successfully connect from a Windows computer from outside. But I have no access to the internal network. I understand that the problem could be the firewall rules, but I have allowed the whole network (VPN pool) to access the internal network and vice versa.

In the meantime, I am not sure on which interface the IP from the VPN subnet and the route should be. I have configured SFP1 as WAN, and SFP3 to SFP6 are in a LAN bridge. I also created a VPN-Bridge. I am really confused and I am not sure how I should really configure this. Can someone try to help me with this, please?

I really appreciate any kind of help and advice. Please try to explain things in a simple way.
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Can't access the internal network with SSTP VPN road-warrior connection

Thu Nov 24, 2022 5:04 pm

Most VPN solutions require routes...have you configured one for the VPN clients?
Can you please share your config?

/export hide-sensitive file=anynameyoulike (don't leave any personal info in it)
 
ingdaka
Trainer
Posts: 452
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: Can't access the internal network with SSTP VPN road-warrior connection

Thu Nov 24, 2022 6:42 pm

Try changing ARP to proxy-arp on the LAN interface (if you have a bridge for the LAN ports, change it on the bridge interface).
 
apitsos
newbie
Topic Author
Posts: 35
Joined: Tue Feb 22, 2022 9:36 pm
Location: Bielefeld, Germany

Re: Can't access the internal network with SSTP VPN road-warrior connection

Thu Nov 24, 2022 9:27 pm

erlinden wrote:
Most VPN solutions require routes...have you configured one for the VPN clients?
Can you please share your config?

/export hide-sensitive file=anynameyoulike (don't leave any personal info in it)

Hi @erlinden,

Thanks a lot for your reply. I am placing here the configuration, as per your request. Any personal info has been replaced with asterisks.

Thanks a lot in advance for your effort and your time. It is much appreciated.
# nov/24/2022 20:18:15 by RouterOS 7.6
# software id = ****-****
#
# model = CCR1016-12S-1S+
# serial number = ***********
/interface bridge
add arp=proxy-arp name=LAN-Bridge
add name=VPN-Bridge
/interface ethernet
set [ find default-name=sfp1 ] name="sfp1 (WAN)"
set [ find default-name=sfp2 ] disabled=yes name="sfp2 (WAN-LTE)"
set [ find default-name=sfp3 ] name="sfp3 (LAN1)"
set [ find default-name=sfp4 ] name="sfp4 (LAN2)"
set [ find default-name=sfp5 ] name="sfp5 (LAN3)"
set [ find default-name=sfp6 ] name="sfp6 (LAN4)"
set [ find default-name=sfp12 ] name="sfp12 (Management)"
/interface pppoe-client
add add-default-route=yes disabled=no interface="sfp1 (WAN)" name=\
    MK-Netzdienste user=***********@****.**
/interface vlan
add interface=LAN-Bridge name="WLAN \"**L\" (VLAN 5)" vlan-id=5
add interface=LAN-Bridge name="WLAN \"**L-Gast\" (VLAN 4)" vlan-id=4
add interface=LAN-Bridge name=vlan1 vlan-id=1
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="Subnet 192.168.1.0/24" name=dhcp ranges=\
    192.168.1.120-192.168.1.239
add comment="Subnet 192.168.3.0/24" name=WLAN-DHCP ranges=\
    192.168.3.10-192.168.3.250
add comment="Subnet 192.168.2.0/24" name=WLAN-GUEST-DCHP ranges=\
    192.168.2.10-192.168.2.250
add comment="Subnet 192.168.5.0/24 (VPN)" name=VPN-Pool ranges=\
    192.168.5.2-192.168.5.250
/ip dhcp-server
add address-pool=dhcp interface=LAN-Bridge name=192.168.1.120-239
add address-pool=WLAN-DHCP interface="WLAN \"**L\" (VLAN 5)" name=\
    192.168.3.0/24
add address-pool=WLAN-GUEST-DCHP interface="WLAN \"**L-Gast\" (VLAN 4)" name=\
    192.168.2.0/24
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=192.168.5.1 name=VPN remote-address=VPN-Pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=LAN-Bridge interface="sfp3 (LAN1)"
add bridge=LAN-Bridge interface="sfp4 (LAN2)"
add bridge=LAN-Bridge interface="sfp5 (LAN3)"
add bridge=LAN-Bridge interface="sfp6 (LAN4)"
add bridge=LAN-Bridge interface=vlan1
add bridge=LAN-Bridge interface="WLAN \"**L\" (VLAN 5)"
add bridge=LAN-Bridge interface="WLAN \"**L-Gast\" (VLAN 4)"
add bridge=VPN-Bridge interface=LAN
add bridge=VPN-Bridge disabled=yes interface=WAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=LAN-Bridge tagged="WLAN \"**L-Gast\" (VLAN 4)" vlan-ids=4
add bridge=LAN-Bridge tagged="WLAN \"**L\" (VLAN 5)" vlan-ids=5
add bridge=LAN-Bridge vlan-ids=1
/interface list member
add interface=LAN-Bridge list=LAN
add interface=VPN-Bridge list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set authentication=mschap2 certificate=**L-HQ-FW01 default-profile=VPN \
    enabled=yes pfs=yes
/ip address
add address=192.168.178.22/24 comment=WAN-LTE interface="sfp2 (WAN-LTE)" \
    network=192.168.178.0
add address=192.168.90.1/24 comment=Management interface="sfp12 (Management)" \
    network=192.168.90.0
add address=192.168.1.24/24 comment=LAN interface=LAN-Bridge network=\
    192.168.1.0
add address=192.168.3.1/24 interface="WLAN \"**L\" (VLAN 5)" network=\
    192.168.3.0
add address=192.168.2.1/24 interface="WLAN \"**L-Gast\" (VLAN 4)" network=\
    192.168.2.0
add address=192.168.5.1/24 comment=VPN interface=LAN-Bridge network=\
    192.168.5.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add interface="sfp2 (WAN-LTE)"
add interface=sfpplus1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.2 domain=*******.local \
    gateway=192.168.1.24 wins-server=192.168.1.2
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=**.******************.** list=Authorized_IPs
/ip firewall filter
add action=accept chain=input comment="Allow established connections" \
    connection-state=established
add action=accept chain=input comment="Allow related connections" \
    connection-state=related
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow limited pings" limit=\
    50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=accept chain=input comment=\
    "Access WebFig & WinBox Management interface" dst-address=192.168.90.1 \
    dst-port=80,443,8291 protocol=tcp
add action=accept chain=input comment=\
    "Access WebFig & WinBox LAN interface list" dst-address=192.168.1.24 \
    dst-port=80,443,8291 protocol=tcp
add action=accept chain=input comment=\
    "Access Webfig & WinBox on any interface from Authorized IPs" dst-port=\
    80,443,8291 protocol=tcp src-address-list=Authorized_IPs
add action=accept chain=input comment="Access SSTP connections from WAN" \
    dst-port=443 log=yes log-prefix=SSTP-Input protocol=tcp
add action=accept chain=input comment="Custom SSH port for secure shell" \
    dst-address=192.168.1.24 dst-port=2202 protocol=tcp
add action=accept chain=input comment="Allow local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=accept chain=input comment="Access Wireguard VPN" dst-port=13233 \
    in-interface="sfp1 (WAN)" protocol=udp
add action=drop chain=input comment="Block DNS request from WAN" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop any TCP port left OPEN" protocol=\
    tcp
add action=drop chain=input comment="Drop any UDP port left OPEN" protocol=\
    udp
add action=drop chain=input comment="Drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow established connections" \
    connection-state=established
add action=accept chain=forward comment="Allow related connections" \
    connection-state=related
add action=accept chain=forward comment="Allow all inbound traffic from VPN su\
    bnet (192.168.5.0/24) to LAN-Bridge (192.168.1.0/24)" dst-address=\
    192.168.1.0/24 src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow all inbound traffic from LAN-Br\
    idge (192.168.1.0/24) to VPN subnet (192.168.5.0/24)" dst-address=\
    192.168.5.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop invalid connections" \
    connection-state=invalid log=yes log-prefix=Drop-invalid-Input
add action=drop chain=forward comment="Block Bogon IP Addresses" src-address=\
    0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=accept chain=forward comment="Allow limited pings" limit=\
    50/5s,2:packet protocol=icmp
add action=drop chain=forward comment="Drop excess pings" protocol=icmp
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 Web Surfing (HTTP & HTTPS)" dst-address=\
    0.0.0.0/0 dst-port=80,443 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 DNS & NTP (TCP)" dst-address=0.0.0.0/0 \
    dst-port=53,123 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 DNS & NTP (UDP)" dst-address=0.0.0.0/0 \
    dst-port=53,123 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
    "Allow subnet 192.168.1.0/24 Email communication" dst-address=0.0.0.0/0 \
    dst-port=465,587,25,993,995,110,143 protocol=tcp src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=0.0.0.0/0 dst-port=25 protocol=\
    udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow FTP connections" dst-address=\
    0.0.0.0/0 dst-port=20,21,990,6000-6100 protocol=tcp src-address=\
    192.168.1.0/24
add action=accept chain=forward comment=\
    "Allow 3CX SBC communicating with our hosted 3CX PBX" dst-address=\
    ***.***.***.*** dst-port=5090,5001 protocol=tcp
add action=accept chain=forward dst-address=***.***.***.*** dst-port=5090 \
    protocol=udp
add action=accept chain=forward comment=\
    "Allow 3CX Web Clients communicating with our hosted 3CX PBX" \
    dst-address=***.***.***.*** dst-port=9000-10999 protocol=udp
add action=accept chain=forward comment="Allow 3CX Tunnels" dst-port=\
    5090,5001 protocol=tcp
add action=accept chain=forward dst-port=5090 protocol=udp
add action=accept chain=forward comment="Allow Speedtest" dst-port=8080 \
    protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow HBCI chip card" dst-port=3000 \
    protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow WhatsApp calls" dst-port=\
    5222,5223 log-prefix=WhatApp-Calls protocol=tcp src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-port=3478 log-prefix=WhatApp-Calls \
    protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow Wi-Fi calling" dst-port=\
    500,4500,16384-49327 log-prefix=WiFi-Calling protocol=udp
add action=drop chain=forward comment="Drop all outbound traffic" \
    dst-address=0.0.0.0/0 log-prefix=Drop-All-Outbound src-address=\
    192.168.1.0/24
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat comment="VPN with Road Warriors" dst-address=\
    192.168.5.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat comment="VPN with Road Warriors" disabled=yes \
    dst-address=192.168.1.0/24 src-address=192.168.5.0/24
add action=accept chain=dstnat comment="VPN with Road Warriors" dst-address=\
    192.168.5.0/24 src-address=192.168.1.0/24
add action=accept chain=dstnat comment="VPN with Road Warriors" dst-address=\
    192.168.1.0/24 src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.1.0/24" \
    ipsec-policy=out,none out-interface=MK-Netzdienste src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.2.0/24" \
    ipsec-policy=out,none out-interface=MK-Netzdienste src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.3.0/24" \
    ipsec-policy=out,none out-interface=MK-Netzdienste src-address=\
    192.168.3.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.4.0/24" \
    ipsec-policy=out,none out-interface=MK-Netzdienste src-address=\
    192.168.4.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.5.0/24" \
    ipsec-policy=out,none src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="masquerade for all networks" \
    ipsec-policy=out,none
add action=masquerade chain=srcnat disabled=yes out-interface=\
    "sfp2 (WAN-LTE)"
add action=netmap chain=dstnat dst-address=192.168.1.0/24 src-address=\
    192.168.5.0/24 to-addresses=192.168.1.0/24
/ip route
add comment="WAN (LTE)" disabled=yes distance=2 dst-address=0.0.0.0/0 \
    gateway=192.168.178.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2202
/lcd
set backlight-timeout=never default-screen=stats
/lcd interface
set sfpplus1 disabled=yes
set sfp7 disabled=yes
set sfp8 disabled=yes
set sfp9 disabled=yes
set sfp10 disabled=yes
set sfp11 disabled=yes
/ppp secret
add name=a****** profile=VPN service=sstp
add name=t***** profile=VPN service=sstp
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=***-HQ-FW01
/system ntp client
set enabled=yes
/system ntp client servers
add address=de.pool.ntp.org
 
apitsos
newbie
Topic Author
Posts: 35
Joined: Tue Feb 22, 2022 9:36 pm
Location: Bielefeld, Germany

Re: Can't access the internal network with SSTP VPN road-warrior connection

Thu Nov 24, 2022 9:29 pm

ingdaka wrote:
Try changing ARP to proxy-arp on the LAN interface (if you have a bridge for the LAN ports, change it on the bridge interface).

Hi @ingdaka,

Thanks a lot for your answer. This setting was already done before, but it didn't help at all. I think I have much bigger problems with my configuration than this.
 
Guscht
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: Can't access the internal network with SSTP VPN road-warrior connection

Fri Nov 25, 2022 12:05 am

Have you set the routes to the internal network on the end device (to go via the VPN)?

You have to enter, in the VPN client/operating system of the end device, the network prefixes of the company network that are to be routed over the VPN. Or you create a default route instead; then everything, including Internet traffic, goes over the VPN server.

You do not need a "VPN-Bridge", because SSTP (a PPP derivative, i.e. a point-to-point tunnelling protocol) is a completely different technology from a bridge. You will never be able to add a PPP interface as a member port of a bridge. In general, it is best practice to have only one bridge and not several bridges.

You also do not have to give the VPN server's IP to any interface. You enter the "Local Address" in the PPP profile of the server. When a client dials in, ROS creates a dynamic interface and the route from it.
 
apitsos
newbie
Topic Author
Posts: 35
Joined: Tue Feb 22, 2022 9:36 pm
Location: Bielefeld, Germany

Re: Can't access the internal network with SSTP VPN road-warrior connection

Fri Nov 25, 2022 1:58 am

Hi Guscht,

Thanks a lot for your message. I tried to correct everything you mentioned, but I am still not able to access the internal network of the company. More specifically:
  • I disabled the "VPN-Bridge" from the bridges and now only the "LAN-Bridge" is active
  • I removed the static IP 192.168.5.1 as you suggested. The PPP profile already had this IP as local, and it appears in the Address List when a road-warrior client is connected.
But I am not sure if I understand correctly what you mean about network prefixes and routes on the end device. Should I create routes manually on each end device, in order for it to be aware of which route to follow to reach the internal network (192.168.1.0/24)? I'd like to avoid doing that manually on each laptop. And what about prefixes? The prefix is actually configured by the subnet, right? That is 255.255.255.0 and the VPN pool is on 192.168.5.0/24. Should it be something else, like /21, in order to include 192.168.1.0/24?
 
apitsos
newbie
Topic Author
Posts: 35
Joined: Tue Feb 22, 2022 9:36 pm
Location: Bielefeld, Germany

Re: Can't access the internal network with SSTP VPN road-warrior connection

Fri Nov 25, 2022 2:33 am

I have done something that gave me a solution. I searched more on the Internet about how to add a route on the end computer when it is connected via an SSTP VPN connection and I found this article: http://woshub.com/add-routes-after-connect-vpn-windows/

Then I ran on the end computer the command:
Add-VpnConnectionRoute -ConnectionName workVPN -DestinationPrefix 192.168.1.0/24 -PassThru
And after a reconnection it worked like a charm!

But I still have some questions:
  1. Would it be possible to somehow avoid running this command on each end computer and have it set up by itself? I already have to install the root certificate from the MikroTik manually on each laptop of the company.
  2. Is this route applied only when the VPN connection is up and running, and then disabled afterwards?
  3. Is there something else that I should be aware of, or that I should do in order to complete this task?
Thanks a lot for all comments and the precious help! It is very much appreciated.
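The command above, extended into a script that can be pushed to each laptop, as an added example that is not part of the original post: it trusts the router's CA certificate, creates the SSTP connection once for all users of the machine with split tunnelling, and binds the 192.168.1.0/24 route to that connection. A route added with Add-VpnConnectionRoute is installed by Windows only while the connection is up and removed when it drops, which answers the second question; the first is answered by provisioning the route together with the connection. The server name vpn.example.com, the certificate path C:\deploy\mikrotik-ca.crt and the connection name workVPN are assumptions for the example; the route prefix is the one from the thread.

```powershell
# Added example, not code from the original thread. Run in an elevated PowerShell
# (the -AllUserConnection switches require administrator rights).
# Assumed values (not in the thread): server name, certificate path, connection name.
$ConnectionName = 'workVPN'
$ServerAddress  = 'vpn.example.com'            # must match the CN/SAN of the MikroTik server certificate
$InternalPrefix = '192.168.1.0/24'             # office LAN reached through the tunnel
$RootCertPath   = 'C:\deploy\mikrotik-ca.crt'  # CA certificate exported from the router

# 1. Trust the router's CA so the SSTP client can validate the server certificate.
if (Test-Path $RootCertPath) {
    certutil.exe -addstore -f Root $RootCertPath | Out-Null
}

# 2. Create the connection once for every user of the machine.
#    -SplitTunneling keeps the laptop's own default gateway; only the prefixes
#    bound to the connection in step 3 are sent through the tunnel.
$conn = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
if (-not $conn) {
    Add-VpnConnection -Name $ConnectionName `
                      -ServerAddress $ServerAddress `
                      -TunnelType Sstp `
                      -AuthenticationMethod MSChapv2 `
                      -EncryptionLevel Required `
                      -SplitTunneling `
                      -RememberCredential `
                      -AllUserConnection `
                      -Force
    $conn = Get-VpnConnection -Name $ConnectionName -AllUserConnection
}

# 3. Bind the internal route to the connection. Windows installs it when the
#    tunnel comes up and removes it when the tunnel goes down, so nothing stale
#    stays in the routing table while the VPN is disconnected.
$alreadyRouted = $conn.Routes | Where-Object { $_.DestinationPrefix -eq $InternalPrefix }
if (-not $alreadyRouted) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName `
                           -DestinationPrefix $InternalPrefix `
                           -AllUserConnection
}

# 4. Show what was provisioned.
$conn = Get-VpnConnection -Name $ConnectionName -AllUserConnection
$conn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
$conn.Routes
```

With split tunnelling enabled (the "Use default gateway on remote network" box unchecked), Windows only adds a route for the class-based network of the address it was assigned, 192.168.5.0/24 here, which is why 192.168.1.0/24 was unreachable until the extra route was bound to the connection. Leaving split tunnelling off instead sends all traffic, Internet included, through the router, which is the default-route alternative Guscht described.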
 
Santi70
Frequent Visitor
Posts: 54
Joined: Mon Sep 07, 2020 12:35 am

Re: Can't access the internal network with SSTP VPN road-warrior connection

Fri Nov 25, 2022 4:58 pm

After connecting the equipment I went to
PPP --> Interfaces
I selected the dynamic interface that was created and hit Copy, then I deleted the dynamic one and included that static interface in the LAN list, and with the default firewall it works fine, with access to my LAN.

-hAP ac²
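The server-side counterpart of Guscht's points and of Santi70's static binding, as an added example that is not the original poster's configuration: an SSTP road-warrior server on RouterOS 7 in which the VPN gateway address lives only in the PPP profile (no VPN-Bridge and no 192.168.5.1 on LAN-Bridge), the SSTP port is opened on input before the generic TCP drop, the pool is allowed to forward to the LAN, masquerade is limited to the PPPoE uplink, and one user is bound to a static interface that is a member of the LAN list. The certificate name sstp-server, the user alice with a placeholder password, and a WAN interface list that contains the PPPoE interface MK-Netzdienste are assumptions.

```routeros
# Added example, not the original poster's export. RouterOS 7 syntax.
# Assumed (not in the thread): certificate "sstp-server", user "alice",
# interface list WAN containing the PPPoE interface MK-Netzdienste.

/ip pool
add name=VPN-Pool ranges=192.168.5.2-192.168.5.250

# local-address is placed on each dynamic sstp-in interface by RouterOS,
# together with a /32 route to the client. No /ip address entry for
# 192.168.5.1 on LAN-Bridge or any other interface is needed.
/ppp profile
add name=VPN local-address=192.168.5.1 remote-address=VPN-Pool use-encryption=required

# Placeholder password; replace before use.
/ppp secret
add name=alice password="change-me" service=sstp profile=VPN

/interface sstp-server server
set enabled=yes certificate=sstp-server authentication=mschap2 default-profile=VPN pfs=yes

# Santi70's approach: a static binding gives the user's tunnel a fixed interface
# name, so it can be put in the LAN interface list (the dynamic <sstp-alice>
# interface cannot be referenced from a list).
/interface sstp-server
add name=sstp-alice user=alice
/interface list member
add interface=sstp-alice list=LAN

/ip firewall filter
# SSTP listens on TCP 443; this must sit above the "Drop any TCP port left OPEN" rule.
add chain=input action=accept protocol=tcp dst-port=443 in-interface-list=WAN comment="SSTP from WAN"
# Road-warrior clients to the office LAN; must sit above the forward drop rules.
add chain=forward action=accept src-address=192.168.5.0/24 dst-address=192.168.1.0/24 comment="VPN -> LAN"

/ip firewall nat
# Masquerade only what leaves through the PPPoE uplink. A masquerade rule with no
# out-interface also rewrites VPN -> LAN traffic to the router's LAN address.
add chain=srcnat action=masquerade out-interface=MK-Netzdienste src-address=192.168.5.0/24 comment="VPN clients to Internet"
```

After a client dials in, /ip route print should show a dynamic /32 for its pool address on the sstp interface, and /ip address print a dynamic 192.168.5.1 on that interface; neither needs to be created by hand.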
