Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
N
N
nocufa2021-06-30 08:24:37
VPN
nocufa, 2021-06-30 08:24:37

Why does VPN access work in one direction?

60dbfe8784214104183788.png
Hello, such a problem: I set up vpn, in the main office, the Fortigate server, in the Mikrotik branch. From the branch from any PC there is access to any PC in the main office (ping, RDP, etc.), from the main office from computers you can only ping Mikrotik and Zyxel in the branch (both ping and web interface are available).
RDP to branch PC fails, tracert shows the following:
C:\Users\dsn>tracert 192.168.11.119
Tracert route to 192.168.11.119 with max hops 30
1 <1 ms <1 ms <1 ms 192.168.10.1
2 2 ms 1 ms 1 ms 192.168.11.5
3 * * * Request timed out.
4 * * * Query timed out.
5 * * * Query timed out.
6 * * * Query timed out.

Please tell me what could be the problem. firewall rules on mikrotik turned everything off. Thank you

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
S
Sand, 2021-06-30
@nocufa

The problem is in routing, your traffic loops between 192.168.11.5 192.168.11.1 192.168.11.119. At the same time, it seems that NAT is used somewhere in the network, and routing is used somewhere, so it works in one direction. Solutions:
1) send clients dhcp server 192.168.11.1 static routes (DHCP option 121), instructions here . It is necessary to send a static route via DHCP to the network 192.168.10.0/24 through 192.168.11.5
2) Change the network diagram, specify exactly where NAT will be, and where routing. It is possible to remove routers 192.168.11.1 and 192.168.11.5 from the same subnet
PS: the first option is a crutch, there will still be problems with it in the future, it is only suitable as a temporary solution. But it’s more correct, as Alexey Dmitriev wrote , to redo the network topology

Report
N
nocufa, 2021-06-30
@nocufa

I applied it as a temporary solution: on mikrotike I configured mangle to redirect all traffic from the fortigate network through zyxel (192.168.11.1). thanks everyone for the replies

Report
M
mbxmin, 2021-07-05
@mbxmin

Consider setting up a VPN like site-to-site.

Similar questions
I
Ivo792021-11-17 18:51:21
Remote access to office via VPN? 3Reply
V
Veritas232018-09-07 22:41:20
If I am authorized on the site, but I enter it through the included VPN, then the site sees my real IP when I close it and turn off the VPN? 1Reply
J
john-doe2018-09-14 16:00:21
Mikrotik how to forward ports through the tunnel? 1Reply
J
jerer2014-02-14 19:56:34
How to set up a vpn under Linux to a Windows server if a shared key is set for the vpn? 0Reply
T
TechStudent2016-04-22 20:27:32
OpenConnect+AnyConnect. How to make authorization by certificate? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question