VPN
Diman89, 2014-02-19 21:33:29

Mikrotik VPN: why is there a link, but the computers cannot be reached?

Given:
- Source: www.youtube.com/watch?v=cHBkf5UeYIQ
- VPN link between two Mikrotik 951 routers
- firewall disabled on both routers
- on both routers:

ip firewall nat add action=masquerade chain=srcnat out-interface=vpn_work

- proxy-arp is enabled on the local bridges of both the server router and the client router
- on each router, the local bridge is specified in the properties of the PPP profile in use
- the Mikrotiks ping each other, but pings to the computers do not go through, although in the video they do
- Did I do too much, or did I not do enough?
- What is the minimum set of settings for everything to work 100%?

10 answer(s)
Diman89, 2014-02-20
@Diman89

From the client:

ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; allow internet for bridge_lan+bridge_guest
     chain=srcnat action=masquerade out-interface=mts_ipv4 
 1   chain=srcnat action=masquerade out-interface=mts_ipv6 
 2   chain=srcnat action=masquerade out-interface=vpn_comodo 
 3   chain=srcnat action=masquerade out-interface=vpn_work 

interface bridge print  
Flags: X - disabled, R - running 
 1  R name="bridge_local" mtu=1500 l2mtu=1598 arp=proxy-arp 
      mac-address=D4:CA:6D:CC:B9:FF protocol-mode=rstp priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 

ppp profile print 
Flags: * - default 
 0 * name="default" remote-ipv6-prefix-pool=(unknown) bridge=bridge_local 
     use-ipv6=yes use-mpls=default use-compression=default 
     use-vj-compression=default use-encryption=default only-one=default 
     change-tcp-mss=yes address-list=""

From the server:
ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Added by webbox
     chain=srcnat action=masquerade out-interface=pppoe_domru 
 1   chain=srcnat action=masquerade out-interface=pppoe_rtcom 
 2   chain=srcnat action=masquerade out-interface=pptp-tunnel

interface bridge print  
Flags: X - disabled, R - running 
 0  R name="bridge-local" mtu=1500 l2mtu=1598 arp=proxy-arp 
      mac-address=D4:CA:6D:BA:BE:F8 protocol-mode=none priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 

ppp profile print 
Flags: * - default 
 0 * name="default" bridge=bridge-local use-mpls=default use-compression=default 
     use-vj-compression=default use-encryption=default only-one=default 
     change-tcp-mss=yes

kodi, 2014-02-20
@kodi

@Diman89
There is a bridge, but where are the "participants"?
And the VPN settings themselves?
Why do you need NAT between the networks? On purpose, or just because?

Diman89, 2014-02-20
@Diman89

Why do you need NAT between the networks? On purpose, or just because?

I wrote that I do not know how to do it right. You can see the previous rules in the print output, one per interface; I did the same here by analogy.
On the server:
ppp profile print 
Flags: * - default 
 0 * name="default" bridge=bridge-local use-mpls=default use-compression=default 
     use-vj-compression=default use-encryption=default only-one=default 
     change-tcp-mss=yes 

 1 * name="default-encryption" use-mpls=default use-compression=default 
     use-vj-compression=default use-encryption=yes only-one=default 
     change-tcp-mss=yes 

ppp secret print     
Flags: X - disabled 
 #   NAME       SERVICE CALLER-ID      PASSWORD      PROFILE      REMOTE-ADDRESS 
 0   tun1       pptp                   tun1          default      192.168.5.2

On the client I didn't figure out how to copy the config, so in words:
PPTP client, login+password from the server, profile=default, use default route=no, allow=pap, chap, mschap1, mschap2; local address=192.168.5.1
I did not understand the question: the output of which command should I provide?

Dmitry, 2014-02-20
@plin2s

Obviously there are not enough routes to internal subnets.

Diman89, 2014-02-20
@Diman89

I added routes on the server and on the client.
I found this bug/feature by accident: on the client, in IP / ARP, I manually add the MAC + IP of a machine from the other subnet, and pings appear, its share opens, everything works as it should; if I add the client machine manually on the server in the same way, it doesn't work.
But that's not right; what should I be adding by hand?
Maybe it's the different RouterOS versions? 5.25 on the server, 6.9 on the client.

mormotcattery, 2014-02-23
@mormotcattery

On the first Mikrotik:
/routing ospf network
add area=backbone network=<local network of the first Mikrotik>
add area=backbone network=<VPN network>
On the second Mikrotik:
/routing ospf network
add area=backbone network=<local network of the second Mikrotik>
add area=backbone network=<VPN network>
After that, the Mikrotiks will know which network is where... right now they send the replies to packets coming from the remote LAN not into the tunnel, but to the default gateway...

Diman89, 2014-02-23
@Diman89

I did this:
On the first Mikrotik (which is the server):

/routing ospf network
add area=backbone network=192.168.1.0/24
add area=backbone network=192.168.5.0/24

On the second Mikrotik (which is the client):
/routing ospf network
add area=backbone network=192.168.0.1/24
add area=backbone network=192.168.5.0/24

To no avail :)

kodi, 2014-03-01
@kodi

@Diman89
1. On the first router, set up a PPTP server.
2. On the second router, set up a PPTP client.
3. On the first router, add a static route to the subnet behind the second router via the PPTP IP address of the second router.
4. On the second router, add a static route to the subnet behind the first router via the PPTP IP address of the first router.
P.S. Are the routers the default gateways in both networks?
Briefly, that's the scheme. Do you know how to implement these points?
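The four steps above, written out as RouterOS commands. This is an added example, not kodi's or the asker's configuration: the subnets, tunnel addresses, the server's public address 203.0.113.10, the profile name site2site and the password placeholder are all assumptions. One caveat a practitioner should keep in mind: PPTP authenticated with MS-CHAPv2 and encrypted with MPPE is cryptographically broken, so for anything that matters prefer L2TP/IPsec or a plain IPsec tunnel between the two routers; the routing logic (steps 3 and 4) is the same whichever tunnel type you use.

```routeros
# Added example: minimal site-to-site PPTP link with static routes.
# Assumed addresses (not from the thread):
#   router #1 (PPTP server): LAN 192.168.1.0/24, tunnel address 192.168.5.1,
#                            reachable from router #2 at 203.0.113.10
#   router #2 (PPTP client): LAN 192.168.0.0/24, tunnel address 192.168.5.2
# Both routers must be the default gateways of their LANs; otherwise hosts never
# hand traffic for the remote subnet to them.

# ----- router #1 (server) -----
# No bridge= in the profile: the tunnel is routed, not bridged, so proxy-arp on
# the LAN bridge is not needed for this scheme.
/ppp profile add name=site2site local-address=192.168.5.1 remote-address=192.168.5.2 \
    use-encryption=required change-tcp-mss=yes
/ppp secret add name=tun1 password=CHANGE-ME service=pptp profile=site2site
# Static server-side interface so the tunnel has a stable name for routes and firewall rules.
/interface pptp-server add name=pptp-tun1 user=tun1
/interface pptp-server server set enabled=yes default-profile=site2site authentication=mschap2
# Step 3: subnet behind router #2 via router #2's tunnel address.
/ip route add dst-address=192.168.0.0/24 gateway=192.168.5.2 comment="LAN behind router #2"
# Only needed if the input filter is enabled: PPTP uses TCP/1723 plus GRE (IP protocol 47).
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp control"
/ip firewall filter add chain=input protocol=gre action=accept comment="pptp gre"

# ----- router #2 (client) -----
/interface pptp-client add name=vpn_work connect-to=203.0.113.10 user=tun1 password=CHANGE-ME \
    profile=default-encryption allow=mschap2 add-default-route=no disabled=no
# Step 4: subnet behind router #1 via router #1's tunnel address.
/ip route add dst-address=192.168.1.0/24 gateway=192.168.5.1 comment="LAN behind router #1"
# Do NOT add "chain=srcnat action=masquerade out-interface=vpn_work" on either side:
# LAN-to-LAN packets must keep their real source addresses.

# ----- checks, run on router #2 -----
/ip route print where dst-address=192.168.1.0/24    # expect gateway 192.168.5.1, flags AS
/ping 192.168.1.10 src-address=192.168.0.1 count=3  # LAN-to-LAN, sourced from the local LAN address
/tool traceroute 192.168.1.10                       # first hop must be 192.168.5.1, not the ISP gateway
```

If the ping sourced from the LAN address works but pings from a PC do not, the PC is not using the router as its default gateway (kodi's P.S.), or a firewall on the PC drops ICMP from the foreign subnet.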

dannyzubarev, 2014-03-06
@dannyzubarev

Turn off the VPN masquerade, because you don't need it for communication between the networks. It is quite logical that the clients do not respond: they are behind NAT.
For example, network #1 is 192.168.1.0/24 and network #2 is 192.168.2.0/24. Imagine you are pinging from a computer on network #1 (192.168.1.2) to a computer on network #2 (192.168.2.2). Very roughly, the packet goes to router #1, which looks at its routes and sends the packet to router #2, which in turn sends it to the recipient. So far everything is correct, but there is one important "but". Because you have masquerading, computer #2 sends its reply to its router #2, which, due to the masquerade, changes the source address from 192.168.2.2 to 192.168.2.1 and passes it on down the chain to the computer in network #1. But that computer will not accept this packet, since it is waiting for a packet with source 192.168.2.2, and the one that arrives has the address 192.168.2.1. That's where the hitch is.
The solution can be simply disabling the masquerade, or it can be as simple as telling the masquerade rule not to translate the addresses of transit packets sent to the neighboring network.
Replace 192.168.0.0/16 with your subnet.
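The two fixes described above, as an added example rather than dannyzubarev's own rule: the weak rule from the thread's "ip firewall nat print" output next to two corrected forms. The subnets (local LAN 192.168.0.0/24, remote LAN 192.168.1.0/24) and the interface name vpn_work are assumptions; apply the same change on the server side, where the masquerade sits on pptp-tunnel.

```routeros
# Added example: keep a masquerade on the tunnel interface (only useful if internet
# traffic is also routed through the tunnel) but exclude site-to-site traffic from it.
# Assumed: local LAN 192.168.0.0/24, remote LAN 192.168.1.0/24, tunnel interface vpn_work.

# The rule that breaks LAN-to-LAN replies (as seen in the thread):
#   /ip firewall nat add chain=srcnat action=masquerade out-interface=vpn_work

/ip firewall nat
# Option A: one rule, translate everything leaving the tunnel except traffic for the remote LAN.
add chain=srcnat out-interface=vpn_work dst-address=!192.168.1.0/24 action=masquerade \
    comment="masquerade via vpn_work, but not site-to-site"

# Option B: an explicit accept rule in front of all masquerade rules. "accept" in srcnat
# stops further srcnat processing, so the packet keeps its real source address;
# place-before=0 puts the rule at the top of the chain.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.1.0/24 action=accept \
    place-before=0 comment="no NAT between the sites"

# If the tunnel carries only site-to-site traffic, the masquerade rule is simply unnecessary:
#   /ip firewall nat remove [find out-interface=vpn_work action=masquerade]

# Checks: the accept rule's counters must grow while LAN hosts talk across the tunnel,
# and the connection table must show the real (untranslated) addresses for those flows.
print stats
/ip firewall connection print where dst-address~"192.168.1."
```

Option A and option B are alternatives; either one is enough. Option B is easier to audit, since the rule that protects inter-LAN traffic is visible on its own line and survives later edits to the masquerade rules.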

MihaelSA, 2014-12-02
@MihaelSA

I faced an entirely similar problem.
I have the 2011UiAS models.
In the end, I solved it like this:
1. Reset the router settings to default.
2. Connect to the Mikrotik via WinBox by MAC.
3. Press the button to clear the default configuration.
4. Set everything up completely from scratch. This guide helps: spw.ru/solutions/razumnaya_nastrojka_rb2011
5. Then create the PPTP connection according to the wiki or that video.
6. On the other routers, do the same.
No proxy-arp, nothing else is needed. Everything starts working.
It looks like there is some kind of snag in the default configuration.
The only thing worth paying attention to is that on my routers port 10 has PoE support, and it (PoE) must be disabled, otherwise the speed on that port is cut to 10 Mbps.
