Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Sun Dec 25, 2016 1:50 pm
by Tombstone
Hello
As I mentioned, I have a Site-to-Site VPN between 2 Mikrotik routers.
I can ping any client/host on the network between both locations successfully but cannot access shared files.
Should I forward some port or any idea?

Thanks

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Wed Dec 28, 2016 10:53 am
by Tombstone
Interesting...

No ideas?

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Wed Dec 28, 2016 11:56 am
by pe1chl
When you can connect between systems but you cannot use the application level services, it likely is a
problem at the application level, not the MikroTik routers. You may need to change security settings,
deploy some inter-site name service (DNS), etc.
This all depends on details of your network, which you carefully omitted from your question.

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Wed Dec 28, 2016 1:25 pm
by lillis
Can you reach the shared files on the local network? If not you probably have some problems on the application level, as pe1chl described. Maybe you have blocked access in a local firewall or something?

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Wed Dec 28, 2016 1:47 pm
by zipvault
samba?

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Wed Dec 28, 2016 2:18 pm
by Tombstone
> When you can connect between systems but you cannot use the application level services, it likely is a
> problem at the application level, not the MikroTik routers. You may need to change security settings,
> deploy some inter-site name service (DNS), etc.
> This all depends on details of your network, which you carefully omitted from your question.

I already spoke to my service (network) provider and they said there is no problem from them.

> Can you reach the shared files on the local network? If not you probably have some problems on the application level, as pe1chl described. Maybe you have blocked access in a local firewall or something?

I can't. I already disabled every "Drop" rule in a Router Firewall, but nothing...

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Wed Dec 28, 2016 3:36 pm
by pe1chl
> I already spoke to my service (network) provider and they said there is no problem from them.

Unless you obtain file services from some provider, the place where you need to look is your own network.
Do you have the basic skills to operate a multi-site network for the secret operating system that you are using?
When this is your first experience with connecting some sites together and then sharing files between them,
you might have to do configuration tasks on the servers and clients that you have never done before.
But that is not a router issue.

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Fri Dec 30, 2016 2:24 am
by bennn
I have experienced the same: ping is possible but file shares are not. It was definitely a firewall filter rule that fixed it; however, my configuration has changed so much since then that the rule no longer exists and I don't remember it!
Try adding an Accept rule for the other site's internal subnet and go from there.
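The symptom described in this thread (ping works, file shares do not) is what an ordered, first-match filter chain produces when ICMP is accepted by an early rule while the file-sharing port from the remote subnet falls through to a catch-all drop. The following is an added example, not code from the thread or from MikroTik: a small Python model of a RouterOS-style forward chain with constructed rules and addresses (the Company LAN 192.168.100.0/24 and Branch LAN 192.168.0.0/24 are taken from the thread; the host addresses, the rule set and the use of TCP/445 for the share are assumptions). It leaves out connection tracking and interface matchers, so it only shows rule ordering.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example (not from the thread): a first-match model of a
# RouterOS-style filter chain, used to show why ICMP can pass while SMB is dropped.


@dataclass
class Rule:
    chain: str
    action: str                       # "accept" or "drop"
    src: Optional[str] = None         # src-address, CIDR; None matches anything
    dst: Optional[str] = None         # dst-address, CIDR; None matches anything
    protocol: Optional[str] = None    # "tcp", "udp" or "icmp"; None matches anything
    dst_port: Optional[int] = None
    comment: str = ""


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def _in_net(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must match; unset matchers match anything."""
    if not _in_net(pkt.src, rule.src) or not _in_net(pkt.dst, rule.dst):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules, chain: str, pkt: Packet):
    """First matching rule in the chain wins; with no match the chain accepts."""
    for r in rules:
        if r.chain == chain and rule_matches(r, pkt):
            return r.action, r.comment
    return "accept", "chain default (no rule matched)"


def company_forward_rules(accept_branch: bool):
    """Constructed Company-side forward chain. With accept_branch=True the accept
    rule for the Branch subnet (bennn's suggestion) sits above the catch-all drop."""
    rules = [
        Rule("forward", "accept", protocol="icmp", comment="allow ping"),
        Rule("forward", "accept", src="192.168.100.0/24", comment="LAN outbound"),
    ]
    if accept_branch:
        rules.append(Rule("forward", "accept", src="192.168.0.0/24",
                          dst="192.168.100.0/24", comment="VPN: Branch -> Company"))
    rules.append(Rule("forward", "drop", comment="drop everything else"))
    return rules


def diagnose(accept_branch: bool):
    """Verdicts for a ping and an SMB connection from a Branch host to a Company
    file server (host addresses are constructed for the example)."""
    rules = company_forward_rules(accept_branch)
    ping = Packet("192.168.0.10", "192.168.100.5", "icmp")
    smb = Packet("192.168.0.10", "192.168.100.5", "tcp", 445)
    return {
        "ping": evaluate(rules, "forward", ping)[0],
        "smb": evaluate(rules, "forward", smb)[0],
    }


if __name__ == "__main__":
    print("without accept rule:", diagnose(False))   # ping accepted, smb dropped
    print("with accept rule:   ", diagnose(True))    # both accepted
```

The point the model makes is about order: the accept for the remote subnet has to be placed above the drop it is meant to override, which is why giga157 later notes that his rules "are at the top". Disabling drop rules one by one, as Tombstone did, is the manual version of the same test.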

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Fri Dec 30, 2016 2:26 pm
by Tombstone
It's Firewall issue...
Thanks everyone...

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Fri Jan 13, 2017 10:38 pm
by giga157
Hi everyone, I have a similar problem. I have a site-to-site VPN and it is working correctly, but I cannot ping the router or any network computers.

I already have a NAT rule, but my problem continues.

Company: 192.168.100.0/24
Branch: 192.168.0.0/24

These rules are at the top.
Company Router: add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.100.0/24
Branch Router: add chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.0.0/24

Any idea?

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Sat Jan 14, 2017 4:17 pm
by bennn
Have you got your routes set up in IP > Routes?

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Sat Jan 14, 2017 4:58 pm
by giga157
The only routes I have are for the links. How should it be done?

Company: 192.168.0.0/24 (lan branch) gateway: vpn link?
Branch: 192.168.100.0/24 (lan company) gateway: Link vpn?

Do I need to mark a route through IP> Firewall> Mangle?

Thank You.

Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Sun Jan 15, 2017 4:23 pm
by bennn
Can you post an export of your routes...?

You don't need to Mangle anything.
You should have at least three routes on each router; LAN, WAN and VPN. Post your config and I'll take a look.

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Sun Jan 15, 2017 8:26 pm
by giga157
Okay, take a look.

Company:
/ip address
add address=192.168.100.1/24 interface=LOCAL network=192.168.100.0

/ip firewall filter
add chain=forward out-interface=LOCAL
add chain=forward dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add chain=input comment=RDP dst-port=xxxx protocol=tcp
add chain=input dst-port=1723 protocol=tcp
add chain=input dst-port=1701 protocol=tcp
add chain=input dst-port=500 protocol=udp
add chain=input protocol=ipsec-ah
add chain=input protocol=ipsec-esp

/ip firewall nat
add chain=srcnat comment="VPN IPSEC NAT" dst-address=192.168.10.0/24 src-address=192.168.100.0/24
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=Imicro
add action=masquerade chain=srcnat out-interface=Velox
add action=dst-nat chain=dstnat comment=RDP dst-port=xxxxx protocol=tcp to-addresses=192.168.100.xxxx to-ports=xxxx
add action=dst-nat chain=dstnat comment=WINBOX dst-address=xxx.xxx.xxx.xxxx dst-port=xxxx protocol=tcp to-addresses=192.168.100.1 to-ports=xxxx
add action=dst-nat chain=dstnat comment="VPN PORTAS" dst-port=1723 protocol=tcp to-addresses=192.168.0.1 to-ports=1723
add action=dst-nat chain=dstnat dst-port=47 protocol=tcp to-addresses=192.168.0.1 to-ports=47
add action=dst-nat chain=dstnat dst-port=1723 protocol=tcp to-addresses=10.0.0.1 to-ports=1723
add action=dst-nat chain=dstnat dst-port=500 protocol=udp to-addresses=192.168.100.0/24 to-ports=500
add action=dst-nat chain=dstnat dst-port=1701 protocol=udp to-ports=1701
add action=dst-nat chain=dstnat dst-port=4500 protocol=udp to-ports=4500
add action=dst-nat chain=dstnat comment=SRV dst-port=xxxx protocol=tcp to-addresses=192.168.100.xxxx to-ports=xxx

/ip route
add distance=1 gateway=Imicro routing-mark=link1_route
add distance=1 gateway=Velox routing-mark=link2_route
add distance=1 gateway=Imicro
add distance=1 gateway=ISP1
add distance=1 gateway=192.168.100.1
add distance=2 gateway=Velox

Branch:
/ip address
add address=192.168.0.1/24 interface=LOCAL network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1

/ip firewall filter
add chain=forward out-interface=LOCAL
add chain=forward dst-address=192.168.100.0/24 src-address=192.168.0.0/24

/ip firewall nat
add chain=srcnat comment=VPN dst-address=192.168.100.0/24 src-address=\
    192.168.0.0/24
add action=masquerade chain=srcnat out-interface=Imicro
add action=dst-nat chain=dstnat comment=WINBOX dst-address=xxx.xxx.xxx.xxx\
    dst-port=xxxx protocol=tcp to-addresses=192.168.0.1 to-ports=xxxx
add action=dst-nat chain=dstnat dst-port=500 protocol=tcp to-addresses=\
    192.168.0.0/24 to-ports=500
add action=dst-nat chain=dstnat dst-port=1701 protocol=tcp to-addresses=\
    192.168.0.0/24 to-ports=1701
add action=dst-nat chain=dstnat dst-port=4500 protocol=tcp to-addresses=\
    192.168.0.0/24 to-ports=4500

/ip route
add distance=1 gateway=Imicro

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Sun Jan 15, 2017 9:18 pm
by bennn
OK, so I see you don't have routes, so traffic doesn't know how to reach the other network.
Add these, see how you get on.

Company:
/ip route
add comment=VPN distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1
Branch:
/ip route
add comment=VPN distance=1 dst-address=192.168.100.0/24 gateway=192.168.100.1
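Why the missing route matters can be checked without a router: a packet to 192.168.0.x on the Company side is matched against the routing table by longest prefix, and with only default routes present it is sent to the ISP gateway rather than into the tunnel. The following is an added example, not code from the thread or from MikroTik. It parses the Company router's `/ip route` export exactly as giga157 posted it, then repeats the lookup after adding the route bennn suggested. The host address 192.168.0.10 is constructed; the treatment of a missing `dst-address` as 0.0.0.0/0 and the exclusion of `routing-mark` routes from the main table are assumptions about how the export is to be read.

```python
import ipaddress
import re

# The Company router's /ip route section as posted in the thread (giga157's export).
COMPANY_ROUTES_BEFORE = """
/ip route
add distance=1 gateway=Imicro routing-mark=link1_route
add distance=1 gateway=Velox routing-mark=link2_route
add distance=1 gateway=Imicro
add distance=1 gateway=ISP1
add distance=1 gateway=192.168.100.1
add distance=2 gateway=Velox
"""

# The route bennn told the Company side to add.
VPN_ROUTE = "add comment=VPN distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1\n"

_ATTR = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_routes(export_text):
    """Parse the 'add ...' lines of a RouterOS /ip route export into main-table routes.
    Assumptions: a missing dst-address means 0.0.0.0/0 (export omits the default
    value), and routes carrying a routing-mark belong to a separate policy-routing
    table, so they are skipped for a main-table lookup."""
    routes = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        attrs = {k: v.strip('"') for k, v in _ATTR.findall(line[4:])}
        if "routing-mark" in attrs:
            continue
        routes.append({
            "dst": ipaddress.ip_network(attrs.get("dst-address", "0.0.0.0/0")),
            "gateway": attrs["gateway"],
            "distance": int(attrs.get("distance", "1")),
            "comment": attrs.get("comment", ""),
        })
    return routes


def lookup(routes, address):
    """Longest-prefix match; among equal prefixes the lowest distance wins.
    Returns None when no route covers the address."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r["dst"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["dst"].prefixlen, r["distance"]))


def explain(export_text, address):
    """Human-readable verdict for where a packet to `address` would be sent."""
    route = lookup(parse_routes(export_text), address)
    if route is None:
        return f"{address}: no route"
    kind = "default route" if route["dst"].prefixlen == 0 else f"route {route['dst']}"
    return f"{address}: via {kind} -> gateway {route['gateway']}"


if __name__ == "__main__":
    print("before:", explain(COMPANY_ROUTES_BEFORE, "192.168.0.10"))
    print("after: ", explain(COMPANY_ROUTES_BEFORE + VPN_ROUTE, "192.168.0.10"))
```

Before the fix the lookup lands on a default route (gateway Imicro), which is why the remote LAN was unreachable even though the tunnel itself was up; after the fix the /24 wins on prefix length. The gateway in the added route is the far router's LAN address, so it only resolves while that address is reachable over the tunnel interface. For the follow-up question about pinging from the router itself, the RouterOS form of what bennn describes is `/ping 192.168.0.1 src-address=192.168.100.1`, which pins the source to the Company LAN address.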

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Sun Jan 15, 2017 11:01 pm
by giga157
It worked perfectly my friend, thank you very much. I will continue to be present in the forum in search of knowledge. Now, I can find through the server, but through the terminal in rb, I get a ping timeout response, is that right?

Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Sun Jan 15, 2017 11:11 pm
by bennn
It helps to do a 'source address' when pinging, so the Mikrotik knows which route to use.
I would help with a command but I'm not near a computer. Sorry!

For example, if pinging from Company to Branch then set the source address as the local Mikrotik: 192.168.100.1

Re: Site-To-Site VPN. Hosts can ping each other but can't access any shared file

Posted: Mon Jan 16, 2017 12:07 am
by giga157
I understand, you've already helped me a lot. I owe you a cold beer here in Brazil. All the best!