I am having the issue of not being able to reach my local subnet devices e.g. 192.168.50.200 from my vpn subnet 192.168.150.0/24 while connected remotely e.g. road warrior.
Local subnet
192.168.50.0/24
dhcp pool 192.168.50.10-200
VPN subnet
192.168.150.0/24
vpnpool 192.168.150.1-10
Local LAN Bridge address 192.168.50.254
VPN Bridge address 192.168.150.254
l2tp ppp profile
local address 192.168.150.254
remote address vpnpool
dns 8.8.8.8,8.8.4.4
VPN server on MIkrotik being logged in to from a 4g connected notebook via L2TP IPSec. I have added a route in Win 10 to direct 192.168.50.0/24 traffic over that vpn connection, default gateway is
unticked in ipv4 properties. i can ping and connected to the mikrotik router via winbox fine e.g. connect to 192.168.50.254 over the vpn remotely.
i have firewall filters to allow traffic from 192.168.50.0/24 -> 192.168.150.0/24 and 192.168.150.0/24 -> 192.168.50.0/24 and a input rule to accept connections from 192.168.150.0/24
Proxy arp is enabled on the LAN bridge for the local subnet.
When i have the VPN on the same subnet e.g. local devices receive ip's from 192.168.50.10-200 and VPN devices receive ip's from 192.168.50.201-210 all works fine and i can connect to all local devcies and ping but i would like to separate the two networks and still allow some vpn client access to local devices.
Can anyone tell me what i am missing here?
Re: VPN Subnet cannot access Local Subnet Hosts
Often the problem is firewall on LAN devices, e.g. Windows only allow some connections or even ping only from local subnet.
If that's not it, then look closely what happens, check interfaces with Tools->Torch, to see if packets are going where they should. Or use few strategically placed logging rules in prerouting/forward/postrouting.
And you don't need proxy ARP for different subnets.
If that's not it, then look closely what happens, check interfaces with Tools->Torch, to see if packets are going where they should. Or use few strategically placed logging rules in prerouting/forward/postrouting.
And you don't need proxy ARP for different subnets.
Re: VPN Subnet cannot access Local Subnet Hosts
if i add the below to the nat table i can access the local subnet devices from the vpn subnet.
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.50.0/24 out-interface=!ether1 src-address=192.168.150.0/24
I didn't think i needed to use NAT. Is this the correct way or should i configure it differently?
Thanks for your help
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.50.0/24 out-interface=!ether1 src-address=192.168.150.0/24
I didn't think i needed to use NAT. Is this the correct way or should i configure it differently?
Thanks for your help
Re: VPN Subnet cannot access Local Subnet Hosts [SOLVED]
Once again, check firewall config on target device. If NAT helps, it means that packets to device were routed correctly even before. So either target device doesn't accept them with source address from .150 subnet (that would be the firewall), or it has some problem with gateway, either it uses something else than this router, or it doesn't have any.
Re: VPN Subnet cannot access Local Subnet Hosts
Looks like the firewall didn't disable on the host.
All working well now.
Thanks again.
All working well now.
Thanks again.