some
just joined
Topic Author
Posts: 20
Joined: Tue Jan 12, 2016 2:30 pm

VPN with access from broadband wi-fi router to main LAN

Tue Jan 12, 2016 2:44 pm

Hello,
I'm a newbie (very). I have an RB450G and this scenario:

I intend to have VPN access to the main network. The internet connection is through an ADSL broadband router. There is DHCP with range 192.168.0.50 - 192.168.0.50.

So I intend to have VPN access to this net. Then I decided to put the RB450G between the ADSL router and the switch.
OK, I configured the ether1 address as 192.168.0.3 - static. I created a LAN on ether2 like 192.168.100.0/24 with DHCP - this will be from now on the "main" network.

I have configured VPN with 192.168.150.0 and it works. I can access 192.168.100.x on ether2 remotely.

But.... If a notebook is connected via wi-fi through the ADSL broadband router, I cannot access the "main" network 192.168.100.x. What do I have to do to accomplish that?

I think that now I have routing between ether1 and ether2. Maybe I have to bridge? Or is there some firewall issue?

Thank you.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: VPN with access from broadband wi-fi router to main LAN

Mon Jan 25, 2016 11:44 pm

Alright, let's see here.

So you are saying that you have:

-----------------[ADSL]--------------------------------------[RB450G]-------------------------------[SWITCH]
public IP.............192.168.0.?........192.168.0.3...............192.168.100.0/24

What is the IP of the LAN side of the ADSL modem?

You mention that there is a DHCP scope of 192.168.0.50-192.168.0.50. What is this for and where is it located?

You wrote that you created a VPN with an IP of 192.168.150.0... Is that a /24 or something else?

What IP is the laptop connected to the ADSL wifi pulling? is that in the 192.168.0.0/xx network?

What IP are you typing in to connect to the VPN? You should be typing in the WAN IP of the Mikrotik - 192.168.0.3 and there should be firewall rules "accepting" the traffic if you are using a firewall.

I need more info to be of any assistance to you, if you can answer the above questions we can start digging into your problem.
 
some
just joined
Topic Author
Posts: 20
Joined: Tue Jan 12, 2016 2:30 pm

Re: VPN with access from broadband wi-fi router to main LAN

Mon Feb 01, 2016 6:43 pm

Sorry, these days I changed the IP addressing to make it compatible with other networks, so:

http://postimg.org/image/k8eti2uxh/ (I don't know how to show it inside this forum, I think the [img] tag does not work)

-----------------[ADSL]---------------guest network-----------------------[RB450G]--------main network------------------[SWITCH]
public IP.............192.168.2.1........................................192.168.2.3......192.168.100.1........................192.168.100.1/24

What I want is that the multifunction copier/printer in the main network with address 192.168.100.50 be accessible from the guest network 192.168.2.x, so the connected laptops can print and maybe scan.

The printer is a Canon iRC 2380i and I think it uses port 9100 for printing.

I used these commands (with a Brother printer for testing):

from: https://www.mikrotik.com/documentation/ ... P/NAT.html

I use:

add action=dst-nat chain=dstnat comment="Brother printer" dst-address=\
    192.168.2.3 to-addresses=192.168.100.50
add action=src-nat chain=srcnat src-address=192.168.100.50 to-addresses=\
    192.168.2.3

but maybe I have a misconception, because it does not work.

Thank you for your help.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: VPN with access from broadband wi-fi router to main LAN

Mon Feb 01, 2016 8:04 pm

-----------------[ADSL]---------------guest network-----------------------[RB450G]--------main network------------------[SWITCH]
public IP.............192.168.2.1........................................192.168.2.3......192.168.100.1........................192.168.100.1/24

What I want is that the multifunction copier/printer in the main network with address 192.168.100.50 be accessible from the guest network 192.168.2.x, so the connected laptops can print and maybe scan.

The printer is a Canon iRC 2380i and I think it uses port 9100 for printing.
You want to be sure that the Mikrotik's WAN interface shows a network of 192.168.2.0/24. It should if the ADSL is providing DHCP to the Mikrotik. Just something to consider/check if you manually set the WAN IP of the Mikrotik.

Just for confirmation...
a) The Mikrotik can ping the LAN interface on the ADSL modem/router - correct?
b) The Mikrotik can ping the IP address of the printer - 192.168.100.50 - correct?

I know, I'm checking the simple stuff, just bear with me on those.

add action=dst-nat chain=dstnat comment="Brother printer" dst-address=\
    192.168.2.3 to-addresses=192.168.100.50
You need to add all ports needed for the printer. At the moment, your dst-nat would point all traffic destined for your Mikrotik's WAN interface to your printer. You'll need to add src-port and dst-port to your dst-nat config.
add action=src-nat chain=srcnat src-address=192.168.100.50 to-addresses=\
    192.168.2.3
This is not needed. Just ensure there is a default src-nat rule in place.

You may need to check your firewall. Ensure that there is an accept statement for traffic destined for the printer, i.e. chain=forward src=192.168.2.0/24 dst=192.168.100.50. The syntax is not fully there; I can update it when I get home and get in front of my CCR.
 
some
just joined
Topic Author
Posts: 20
Joined: Tue Jan 12, 2016 2:30 pm

Re: VPN with access from broadband wi-fi router to main LAN

Tue Feb 02, 2016 8:49 am

Thank you Revelation,

From MikroTik and any computer I can ping from main network to guest network and to internet. I can ping from MikroTik to printer 192.168.100.50.

With your suggestion I did:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Brother printer" dst-address=192.168.2.3 dst-port=9100 protocol=tcp \
to-addresses=192.168.100.50 to-ports=9100

and now I can print from guest network 192.168.2.x/24.

But there is another issue: Windows says "printer without connection". So I think that there is another port/protocol that has to be NATed? Or does it have to be source NAT?

Thank you.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: VPN with access from broadband wi-fi router to main LAN

Tue Feb 02, 2016 10:23 pm

With your suggestion I did:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Brother printer" dst-address=192.168.2.3 dst-port=9100 protocol=tcp \
to-addresses=192.168.100.50 to-ports=9100

and now I can print from guest network 192.168.2.x/24.
Glad that helped.

But there is another issue: Windows says "printer without connection". So I think that there is another port/protocol that has to be NATed? Or does it have to be source NAT?
I'm not familiar with this issue. You may need to try and re-add the printer as a network printer. You can also go to the manufacturer's site and see if additional ports are needed.
 
some
just joined
Topic Author
Posts: 20
Joined: Tue Jan 12, 2016 2:30 pm

Re: VPN with access from broadband wi-fi router to main LAN

Wed Feb 03, 2016 1:45 pm

In my test scenario it works, but when I go to the customer, it does not work. I have this config:

guest network main network - lan
-----------------[ADSL]--------------------------------------[RB450G]-------------------------------[SWITCH]
public IP.............192.168.1.1.........192.168.1.3...............192.168.100.0/24

The printer has the address 192.168.100.220.

Trying telnet 192.168.1.3 9100 does not respond. In the MikroTik log:

dstnat: in:ether1 out:(none), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.1.121:58707->192.168.1.3:910, len 52

there is this config:

/ip firewall filter
add chain=forward connection-state=established,related

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.150.0/24
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=9100 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=9100
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8613 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8613
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8612 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8612
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8611 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8611


Thank you
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: VPN with access from broadband wi-fi router to main LAN

Wed Feb 03, 2016 3:09 pm

In my test scenario it works, but when I go to the customer, it does not work. I have this config:

guest network main network - lan
-----------------[ADSL]--------------------------------------[RB450G]-------------------------------[SWITCH]
public IP.............192.168.1.1.........192.168.1.3...............192.168.100.0/24

The printer has the address 192.168.100.220.
Okay.
Trying telnet 192.168.1.3 9100 does not respond. In the MikroTik log:

dstnat: in:ether1 out:(none), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.1.121:58707->192.168.1.3:910, len 52
Is Telnet permitted on your firewall? Has the telnet service been disabled by chance?

there is this config:
/ip firewall filter
add chain=forward connection-state=established,related

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.150.0/24
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=9100 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=9100
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8613 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8613
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8612 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8612
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8611 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8611
That all looks good. Have you confirmed the printers are listening on the correct port? From your Mikrotik, can you connect to those printers via the designated ports? Can a host machine communicate with those printers over those ports?
 
some
just joined
Topic Author
Posts: 20
Joined: Tue Jan 12, 2016 2:30 pm

Re: VPN with access from broadband wi-fi router to main LAN

Wed Feb 03, 2016 5:57 pm

Hello,

I can connect to MikroTik via telnet.

From MikroTik I can connect to the printer on port 9100:

[admin@MikroTik] /system> telnet 192.168.100.220 9100
Trying 192.168.100.220...
Connected to 192.168.100.220.
Escape character is '^]'.

From the main LAN, I can connect from a PC to the printer with telnet 192.168.100.220 9100.

but when I try telnet 192.168.1.3 9100 from the WAN/guest LAN, there is no answer.

Thank you.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: VPN with access from broadband wi-fi router to main LAN

Wed Feb 03, 2016 6:34 pm

You're going to have to enable the logging feature for this communication or get wireshark installed on the guest-WAN box.
 
some
just joined
Topic Author
Posts: 20
Joined: Tue Jan 12, 2016 2:30 pm

Re: VPN with access from broadband wi-fi router to main LAN

Fri Feb 12, 2016 1:33 pm

Hello,
I have logging enabled:

add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=9100 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=9100

but when I try to telnet to the WAN port of the router, "telnet 192.168.2.3 9100", there is nothing in the log. Instead, if I connect to the router via telnet with "telnet 192.168.2.3", there is info in the log for the connection.

I connected my laptop directly with a patch cord to the WAN interface with IP 192.168.2.5 and got the same result: nothing.

The Wireshark capture shows: [screenshot: screen-wireshark.png]
I note that the MikroTik responds with the TCP RESET flag set, which means it rejects the connection, but why?

Thank you very much for your time.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: VPN with access from broadband wi-fi router to main LAN

Fri Feb 12, 2016 3:20 pm

Typically when you see a reset immediately after the SYN, or the start of the communication it is due to the connection being refused.

Basically it means the communication is not permitted.
 
some
just joined
Topic Author
Posts: 20
Joined: Tue Jan 12, 2016 2:30 pm

Re: VPN with access from broadband wi-fi router to main LAN

Fri Feb 12, 2016 4:15 pm

but why is it rejected? Here is my whole config, it is very simple:

[admin@MikroTik] > /export
# feb/12/2016 15:10:50 by RouterOS 6.33.3
# software id = 9VVE-VI90
#
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=spain disabled=no frequency=auto mode=ap-bridge name=Bodegas ssid=Bodegas \
    wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa-pre-shared-key=password wpa2-pre-shared-key=Bodegas2016
/ip pool
add name="DHCP LAN" ranges=192.168.100.100-192.168.100.200
add name="VPN Pool" ranges=192.168.150.2/31
/ip dhcp-server
add address-pool="DHCP LAN" disabled=no interface=bridge1 name="DHCP LAN"
/ppp profile
set *FFFFFFFE local-address=192.168.150.1 remote-address="VPN Pool"
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=Bodegas
/interface l2tp-server server
set enabled=yes ipsec-secret=password use-ipsec=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.2.3/24 comment="default configuration" interface=ether1 network=192.168.2.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
/ip dns
set servers=80.58.61.250,80.58.61.254,8.8.8.8,4.4.4.4
/ip firewall filter
add chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.150.0/24
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=9100 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=9100
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8613 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8613
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8612 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8612
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8611 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8611
/ip route
add distance=1 gateway=192.168.2.1
add comment="by Kiril" disabled=yes distance=1 dst-address=192.168.100.0/24 gateway=ether2 pref-src=192.168.100.1 scope=10
/ppp secret
add name=patricia password=password
add name=felipe password=password
add name=kiril password=password
/system clock
set time-zone-name=Europe/Madrid
[admin@MikroTik] >

Thank you.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: VPN with access from broadband wi-fi router to main LAN

Sat Feb 13, 2016 1:17 am

but why is it rejected? Here is my whole config, it is very simple:

/ip address
add address=192.168.2.3/24 comment="default configuration" interface=ether1 network=192.168.2.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0

add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=9100 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=9100
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8613 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8613
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8612 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8612
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.1.3 dst-port=8611 log=yes protocol=tcp \
    to-addresses=192.168.100.220 to-ports=8611

What do you notice that is different? :)
 
some
just joined
Topic Author
Posts: 20
Joined: Tue Jan 12, 2016 2:30 pm

Re: VPN with access from broadband wi-fi router to main LAN

Mon Feb 15, 2016 4:44 pm

Oh! Thank you, you are right: that is why the RST bit is set in the answer packet. I brought the router to my house to test and forgot to change the IP address.

But it is still not working. I think the NAT is not working. Now I have:

# feb/15/2016 15:23:07 by RouterOS 6.34.1
# software id = 9VVE-VI90
#
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=spain disabled=no frequency=auto mode=ap-bridge ssid=Bodegas wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa-pre-shared-key=MyPass wpa2-pre-shared-key=MyPass
/ip pool
add name=dhcp ranges=192.168.100.100-192.168.100.200
add name=vpn ranges=192.168.150.2-192.168.150.10
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
set *FFFFFFFE local-address=192.168.150.1 remote-address=vpn
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/interface l2tp-server server
set enabled=yes ipsec-secret=MyPass use-ipsec=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.2.3/24 comment="default configuration" interface=ether1 network=192.168.2.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
/ip dns
set cache-max-ttl=0s query-server-timeout=0ms query-total-timeout=0ms servers=80.58.61.250,80.58.61.254,8.8.8.8,4.4.4.4
/ip firewall filter
add chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.150.0/24
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-address=192.168.2.3 dst-port=9100 log=yes protocol=tcp to-addresses=192.168.100.220 to-ports=9100
/ip route
add distance=1 gateway=192.168.2.1
/ppp secret
add name=vpn password=MyPass
/system clock
set time-zone-name=Europe/Madrid

Wireshark: [screenshot: 2016-02-15_150600-wireshark.png]

Packet 20: [screenshot: 2016-02-15_150520-paquet-20.png]

But what I see in the log is: [screenshot: 2016-02-15_150407-log.png]
I note "out:none", so something is wrong.

Thank you.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: VPN with access from broadband wi-fi router to main LAN

Wed Feb 17, 2016 4:47 pm

The "out interface = none" simply means that an outbound interface has not been specifically set in the configuration. That should not be an issue here.

I would look at your firewall. Ensure that you have an accept statement going into your WAN interface for these ports.

If that does not work, then we would want to capture all packets going into and out of the WAN interface to see what we are missing.
 
some
just joined
Topic Author
Posts: 20
Joined: Tue Jan 12, 2016 2:30 pm

[Solved] - VPN with access from broadband wi-fi router to main LAN - NAT forwarding to printer

Thu Feb 18, 2016 7:11 pm

Thank you Revelation,

Finally, it was a printer issue, but MikroTik too.

It seems that the printer does not accept printing from another network, so I have to do src-nat to tell the printer that the PC that wants to print is in the "same" network.

So, the config is:

/ip firewall filter
add chain=forward connection-nat-state=dstnat connection-state=invalid,established,related in-interface=ether1 log=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="Impresora Canon iRC 2380i" dst-port=9100 out-interface=bridge1 protocol=tcp
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.150.0/24
add action=dst-nat chain=dstnat comment="Impresora Canon iRC 2380i" dst-port=9100 protocol=tcp src-address=192.168.2.0/24 to-addresses=192.168.100.220

Remember 192.168.2.0/24 is WAN and 192.168.100.0/24 is LAN and the printer is 192.168.100.220.

Thank you again, Revelation,

and

MikroTik Wiki - put this as an example of a NAT forward to a printer in your docs.
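Added illustration, not code from the thread or from MikroTik: the Python below models the order in which RouterOS evaluates the rules posted above (dstnat, then the routing decision, then the forward filter, then srcnat) and runs the three rule sets from the thread through it with constructed packets. The router addresses, interface names and printer address are taken from the posted exports; the routing table, the set of services the router itself answers on, and the guest laptop addresses are assumptions. It reproduces the three behaviours discussed in the thread: a dst-nat with no dst-port sends a guest's telnet to the router on to the printer instead; a dst-nat whose dst-address is the old 192.168.1.3 never matches, so the SYN lands on the router itself, where nothing listens on 9100, hence the RST seen in Wireshark; and the [Solved] rule set delivers the job with source 192.168.100.1, which is why the printer accepts it. Two caveats fall out of the model that a practitioner should weigh: the LAN-side masquerade means the printer's own logs record the router, not the guest, as the sender; and because the final dst-nat rule carries no dst-address, any TCP/9100 that reaches ether1 from 192.168.2.0/24 is redirected to the printer whatever its destination. That is harmless while the guests' default gateway is the ADSL router, but the scoped variant at the end of the block (an assumed tightening, not in the thread) pins the rule to 192.168.2.3 so it stays harmless if the rule is copied elsewhere.

```python
"""Toy model of the RouterOS packet path the thread's rules pass through, in the order
RouterOS applies them: dstnat -> routing decision -> forward filter -> srcnat."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses the RB450G owns, from the /ip address export in the thread.
ROUTER_ADDRESSES = {"ether1": "192.168.2.3", "bridge1": "192.168.100.1"}
ROUTER_LISTENS_ON = {23}  # assumption: telnet to the router worked in the thread; nothing on 9100
PRINTER = "192.168.100.220"
ROUTES = [("192.168.100.0/24", "bridge1"), ("192.168.2.0/24", "ether1"), ("0.0.0.0/0", "ether1")]  # assumed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str
    proto: str = "tcp"


def route(dst):  # ROUTES is ordered most specific first, so the first hit is the right one
    return next(iface for net, iface in ROUTES if ip_address(dst) in ip_network(net))


def matches(rule, pkt, out=None):
    """A rule matches when every matcher it carries holds; matchers it omits match anything."""
    checks = {
        "protocol": lambda v: pkt.proto == v,
        "src_address": lambda v: ip_address(pkt.src) in ip_network(v, strict=False),
        "dst_address": lambda v: ip_address(pkt.dst) in ip_network(v, strict=False),
        "dst_port": lambda v: pkt.dport == v,
        "in_interface": lambda v: pkt.in_iface == v,
        "out_interface": lambda v: out == v,
    }
    return all(checks[key](rule[key]) for key in checks if key in rule)


def first_match(rules, chain, pkt, out=None):
    return next((r for r in rules if r["chain"] == chain and matches(r, pkt, out)), None)


def process(rules, pkt):
    """Return where the packet ends up and how it looks when it gets there."""
    # 1. dstnat runs before routing, so a rewritten destination changes the routing decision.
    r = first_match(rules, "dstnat", pkt)
    if r:
        pkt = replace(pkt, dst=r["to_addresses"], dport=r.get("to_ports", pkt.dport))
    # 2. Routing decision: a destination the router owns goes to the input chain, never to forward.
    if pkt.dst in ROUTER_ADDRESSES.values():
        if pkt.dport in ROUTER_LISTENS_ON:
            return {"outcome": "answered-by-router", "packet": pkt}
        # Nothing listens: the router's own TCP stack answers the SYN with RST (what Wireshark showed).
        return {"outcome": "tcp-rst-from-router", "packet": pkt}
    out = route(pkt.dst)
    # 3. Forward filter. The thread's filter has no drop rule, and RouterOS accepts when no rule
    #    matches, so only an explicit drop can stop the packet here.
    r = first_match(rules, "forward", pkt, out)
    if r and r.get("action") == "drop":
        return {"outcome": "dropped", "packet": pkt}
    # 4. srcnat runs after routing, so the out-interface matcher can be evaluated.
    r = first_match(rules, "srcnat", pkt, out)
    if r and r["action"] == "masquerade":
        pkt = replace(pkt, src=ROUTER_ADDRESSES[out])
    elif r and r["action"] == "src-nat":
        pkt = replace(pkt, src=r["to_addresses"])
    return {"outcome": "forwarded", "out": out, "packet": pkt}


# Rule sets transcribed from the thread; keys mirror the RouterOS matcher names.
MASQ_WAN = {"chain": "srcnat", "action": "masquerade", "out_interface": "ether1"}
# Feb 1 post: dst-nat with no port matcher at all.
CONFIG_NO_PORT = [
    {"chain": "dstnat", "action": "dst-nat", "dst_address": "192.168.2.3", "to_addresses": PRINTER},
    MASQ_WAN,
]
# Feb 12 export: ether1 is 192.168.2.3 but the rule still says 192.168.1.3.
CONFIG_WRONG_ADDRESS = [
    {"chain": "dstnat", "action": "dst-nat", "protocol": "tcp", "dst_address": "192.168.1.3",
     "dst_port": 9100, "to_addresses": PRINTER, "to_ports": 9100},
    MASQ_WAN,
]
# Feb 18 [Solved] config: dst-nat plus a second masquerade on the way out to the LAN.
CONFIG_SOLVED = [
    MASQ_WAN,
    {"chain": "srcnat", "action": "masquerade", "protocol": "tcp", "dst_port": 9100, "out_interface": "bridge1"},
    {"chain": "dstnat", "action": "dst-nat", "protocol": "tcp", "src_address": "192.168.2.0/24",
     "dst_port": 9100, "to_addresses": PRINTER},
]
# Assumed tightening, not in the thread: pin the dst-nat to the router's own ether1 address.
CONFIG_SOLVED_SCOPED = [dict(r, dst_address="192.168.2.3") if r["chain"] == "dstnat" else r
                        for r in CONFIG_SOLVED]

# Constructed packets: a guest laptop printing, telnetting to the router, and sending TCP/9100
# to an unrelated (TEST-NET-3) address that happens to arrive on ether1.
GUEST_PRINT = Packet("192.168.2.121", 58707, "192.168.2.3", 9100, "ether1")
GUEST_TELNET_ROUTER = Packet("192.168.2.121", 58708, "192.168.2.3", 23, "ether1")
GUEST_9100_ELSEWHERE = Packet("192.168.2.121", 58709, "203.0.113.9", 9100, "ether1")
```

Call `process(CONFIG_WRONG_ADDRESS, GUEST_PRINT)` to see the RST case, `process(CONFIG_NO_PORT, GUEST_TELNET_ROUTER)` to watch router management traffic land on the printer, and compare `process(CONFIG_SOLVED, GUEST_9100_ELSEWHERE)` with the scoped rule set to see the effect of adding dst-address. Conntrack is deliberately left out: in the thread's configurations it never decides anything, because no forward rule drops.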
