Community discussions

MikroTik App
  4. RouterOS
  5. Forwarding Protocols

PBR and Packet lost somewhere

Post Reply
 
tommyd
just joined
Topic Author
Posts: 15
Joined: Mon Apr 03, 2017 10:37 am

PBR and Packet lost somewhere

Thu Jan 04, 2018 3:49 pm

I'm configuring sstp vpn server for remote users in a way traffic from remote users will be tunneled and access to the internet should go trough another firewall in my network. I got stuck i a situation where ping packets from vpn user go to the internet goes trough the company firewall. The reply comes back to the inside interface of Mikrotik VPN server and then it is lost somewhere. There is no NAT on Mikrotik router and one mangle rule adding mark to packet going from vpn to the internet. Packet capture from inside interface shows echo request and echo reply with correct addreses, but packet capture from sstp interface shows only echo request packets, the reply is lost somewhere. Communication to/from lan network is correct and possible both ways (i can ping lan adreses from vpn client and vpn client from lan machine.

A simple diagram of this setup:
Image


Could someone help me find the (possibly stupid) fault in my config (below)?

Important parts of the config:
VPN clinets get IP from
Code: Select all
/ip pool
add name=vpn-pool1 ranges=10.104.17.10-10.104.17.250
routing mark
Code: Select all
/ip firewall mangle
add action=mark-routing chain=prerouting connection-state="" dst-address=\
    !10.0.0.0/8 in-interface=all-ppp log=yes log-prefix=MANGLE1 \
    new-routing-mark=vpn-users passthrough=no src-address=10.104.17.0/24
routing
Code: Select all
/ip route
add distance=1 gateway=<internal_router> routing-mark=vpn-users
add distance=2 gateway=<internet_gateway>
add distance=1 dst-address=10.0.0.0/8 gateway=<internal_router>
add distance=1 dst-address=172.16.0.0/12 gateway=<internal_router>
and an active routing table
Code: Select all
[admin@VPN] > /ip ro pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          <internal_router>              1
 1 A S  0.0.0.0/0                          <internet_gateway>             1
 2 A S  10.0.0.0/8                         <internal_router>              1
 3 ADC  10.104.17.250/32   10.104.17.1     <sstp-ppp1>                    0
 4 A S  172.16.0.0/12                      <internal_router>              1
Top
 
User avatar
16again
Frequent Visitor
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: PBR and Packet lost somewhere

Fri Jan 05, 2018 12:05 am

1st thing that comes to mind:
Both LAN router and "firewall" need to have route back to 10.104.17.x network
Top
 
tommyd
just joined
Topic Author
Posts: 15
Joined: Mon Apr 03, 2017 10:37 am

Re: PBR and Packet lost somewhere

Sun Jan 07, 2018 8:38 pm

Both LAN router and "firewall" need to have route back to 10.104.17.x network
The do. As I wrote I can see echo replies on the inside interface of the mikrotik router. .
Top
Post Reply
  4. RouterOS
  5. Forwarding Protocols