icemannz
newbie
Topic Author
Posts: 27
Joined: Fri Jul 02, 2010 4:47 am

MikroTik to MikroTik IPSEC VPN can ping but not browse

Wed Jul 02, 2014 12:47 pm

Hi all, I have set up a site-to-site IPSEC VPN between 2 MikroTik 750s and the VPN is coming up fine and I can ping the server at the opposite site ok.
Both ways ping works ok.
But if I try to browse to a computer on the other side I cannot, it appears that some traffic is not passing.
I am wondering if I need Netbios or something ?

Note: used to have 2 ciscos running the vpn and they worked ok so it is not a Windows DNS etc... sort of issue.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Wed Jul 02, 2014 1:14 pm

Try putting this in both ends to limit the data size of every packet, so it won't exceed MTU after adding all IPSec headers, checksums, etc.
/ip firewall mangle add chain=forward \
action=change-mss new-mss=1360 passthrough=yes
tcp-flags=syn protocol=tcp
src-address=10.1.1.0/24
dst-address=!10.1.1.0/24
tcp-mss=!0-1360
Change 10.1.1.0/24 with the address range of the "branch" site
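
The arithmetic behind the MSS clamp suggested in the post above, as an added example (not part of the original post or of MikroTik's documentation). The thread states neither the IPsec proposal nor the link MTU, so the code assumes ESP tunnel mode over IPv4, a PPPoE MTU of 1492, and AES-CBC or 3DES with HMAC-SHA1-96; all function and constant names are illustrative.

```python
# Added example: ESP tunnel-mode overhead and the largest TCP MSS that avoids fragmentation.
# Assumed (not stated in the thread): IPv4, PPPoE MTU 1492, CBC cipher + HMAC-SHA1-96.
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes, inside the encrypted part
NAT_T_UDP = 8     # extra UDP header when NAT traversal is in use

@dataclass(frozen=True)
class EspProposal:
    block: int  # cipher block size in bytes (padding alignment)
    iv: int     # per-packet IV bytes
    icv: int    # truncated integrity check value bytes

AES_CBC_SHA1 = EspProposal(block=16, iv=16, icv=12)
TRIPLE_DES_SHA1 = EspProposal(block=8, iv=8, icv=12)

def fixed_overhead(p, nat_t=False):
    """Bytes added to every packet regardless of its length."""
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + p.iv + p.icv

def outer_size(inner_len, p, nat_t=False):
    """On-the-wire size of one inner IP packet after ESP tunnel encapsulation."""
    padded = -(-(inner_len + ESP_TRAILER) // p.block) * p.block  # round up to a block
    return fixed_overhead(p, nat_t) + padded

def max_inner_packet(link_mtu, p, nat_t=False):
    """Largest inner IP packet whose ESP packet still fits in link_mtu."""
    room = link_mtu - fixed_overhead(p, nat_t)
    return (room // p.block) * p.block - ESP_TRAILER

def max_mss(link_mtu, p, nat_t=False):
    """Largest TCP MSS (no IP/TCP options) that never needs fragmentation."""
    return max_inner_packet(link_mtu, p, nat_t) - IPV4_HDR - TCP_HDR

def clamp_is_safe(new_mss, link_mtu, p, nat_t=False):
    return new_mss <= max_mss(link_mtu, p, nat_t)

if __name__ == "__main__":
    mtu = 1492  # assumed PPPoE MTU
    print("default ping, 84-byte inner packet ->", outer_size(84, AES_CBC_SHA1))
    print("1500-byte inner packet (MSS 1460)  ->", outer_size(1500, AES_CBC_SHA1))
    print("largest safe MSS                   ->", max_mss(mtu, AES_CBC_SHA1))
    print("new-mss=1360 safe?                 ->", clamp_is_safe(1360, mtu, AES_CBC_SHA1))
```

Under these assumptions a small ping fits easily, a full-size TCP segment does not, and new-mss=1360 sits below the computed ceiling with some margin for other proposals.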
 
icemannz
newbie
Topic Author
Posts: 27
Joined: Fri Jul 02, 2010 4:47 am

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Wed Jul 02, 2014 1:24 pm

leonset wrote:
> Try putting this in both ends to limit the data size of every packet, so it won't exceed MTU after adding all IPSec headers, checksums, etc.
> /ip firewall mangle add chain=forward \
> action=change-mss new-mss=1360 passthrough=yes
> tcp-flags=syn protocol=tcp
> src-address=10.1.1.0/24
> dst-address=!10.1.1.0/24
> tcp-mss=!0-1360
> Change 10.1.1.0/24 with the address range of the "branch" site

Did that but it errors when I enter in the command with the following:
failure: tcp mss change works only on tcp syn packets
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Wed Jul 02, 2014 1:56 pm

Write all in the same line...
/ip firewall mangle add chain=forward action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn protocol=tcp src-address=10.1.1.0/24 dst-address=!10.1.1.0/24 tcp-mss=!0-1360
 
icemannz
newbie
Topic Author
Posts: 27
Joined: Fri Jul 02, 2010 4:47 am

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Wed Jul 02, 2014 2:04 pm

leonset wrote:
> Write all in the same line...
> /ip firewall mangle add chain=forward action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn protocol=tcp src-address=10.1.1.0/24 dst-address=!10.1.1.0/24 tcp-mss=!0-1360

I have now done that on both sides but it has made no difference.
I can still ping the other side ok and do dns lookups etc but not browse.
I should also mention that I am using the ip address eg: \\192.168.20.1 so it is not a dns type issue.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Wed Jul 02, 2014 2:41 pm

I would need a drawing of your network to try to help you and also the config of the routers.
 
icemannz
newbie
Topic Author
Posts: 27
Joined: Fri Jul 02, 2010 4:47 am

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Wed Jul 02, 2014 3:08 pm

leonset wrote:
> I would need a drawing of your network to try to help you and also the config of the routers.

I will try and upload the two config files I got by doing an export.
I have changed the external addresses to 1.1.1.1 and 2.2.2.2
Basically it is just two networks, one with the external address of 1.1.1.1
The 2nd network has the external address of 2.2.2.2
The first network has the internal address range of 192.168.20.0/24
The 2nd network has the internal address range of 192.168.91.0/24
Last edited by icemannz on Thu Jul 03, 2014 8:29 am, edited 1 time in total.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Wed Jul 02, 2014 3:14 pm

And where's the gateway to the Internet? Is it one of the MikroTik devices or a different router?
 
icemannz
newbie
Topic Author
Posts: 27
Joined: Fri Jul 02, 2010 4:47 am

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Wed Jul 02, 2014 3:36 pm

leonset wrote:
> And where's the gateway to the Internet? Is it one of the MikroTik devices or a different router?

I am not sure I understand your question.
Both routers can access the internet ok.
They both use a pppoe connection to the isp
The addresses 1.1.1.1 and 2.2.2.2 are both just aliases so I don't post the real addresses.
Does this help ?
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Thu Jul 03, 2014 9:26 am

Sorry, but what do you mean by "try to browse to a computer on the other side"?

\\localip.in.remotevpn.network\c$ ??
 
exedra
just joined
Posts: 1
Joined: Wed Jan 12, 2011 12:28 pm

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Sun Jul 06, 2014 2:12 pm

Windows NetBIOS protocol is supported only at ethernet level, so you have to create an EOIP link inside the IPSEC and bridge it with the ethernet ports in both the MikroTik routers.

According to your router configuration, it may be necessary to enable packet fragmentation (by firewall>mangle) on the IPsec tunnel.

With this solution you'll obtain a unique ethernet segment.

I hope this is your solution.

A.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: MikroTik to MikroTik IPSEC VPN can ping but not browse

Mon Jul 07, 2014 9:26 am

I just don't agree with you, unless OP is using an ancient OS. Since Windows 2000, Windows shares use the SMB protocol over TCP and are completely IP routable. Older Windows used SMB over NetBIOS/NetBEUI, which is a non-routable protocol.

You can read all the details here:

http://en.wikipedia.org/wiki/Server_Message_Block
http://en.wikipedia.org/wiki/NetBIOS_Frames_protocol

exedra wrote:
> Windows NetBIOS protocol is supported only at ethernet level, so you have to create an EOIP link inside the IPSEC and bridge it with the ethernet ports in both the MikroTik routers.
