We have a corporate network in office 1 with Forefront TMG as a gateway. Internal office 1 network IP range is 192.168.0.0/24.

We have a branch office 2 with Mikrotik router (you can think of it as iptables powered Linux firewall if you are not aware of Mikrotik stuff in particular). IP range in office 2 is 192.168.88.0/24. 192.168.88.1 is an IP of the gateway.

I've set up a site-to-site VPN connection, where only the Mikrotik uses its PPTP Client to connect to the office 1 VPN gateway on TMG.

TMG uses route relationship to communicate with computers in office 2 range.

If "Add Default Route" is checked on PPTP Client config on Mikrotik, all the traffic flows via TMG to both internet and office 1 network. Office 1 computers can access office 2 network as well, all works great.

But there is an overhead, where we don't want all the internet traffic from office 2 to flow through the TMG in office 1. We only need the office 1 IPs routed through the VPN, while everything else goes through the Internet uplink in office 2.

So I've disabled the "Add default route" checkmark in the PPTP Client config and used the Mangle setup in Firewall on the Mikrotik to add a routing mark to all the traffic that targets the office 1 network. In the Routes table on the Mikrotik I've basically added a route that says: all the traffic with the office 1 mark goes through the VPN gateway.

This almost gives me what I want. Office 2 connects to office 1 IPs over the VPN gateway, other requests go through the local Internet uplink. But the only thing that doesn't work in this setup, with "Add Default Route" unchecked, is that office 1 computers can't get either to the VPN'ed Mikrotik IP or to any IP in the office 2 network. The Mikrotik basically doesn't route traffic that is coming from office 1. I've tried several approaches (routes) based on the routing mark as well, but none allowed office 1 to access office 2. Only if "Add default route" is checked can I connect both ways.

Please assist by giving a hint of what's so special behind this "Add default route" in my setup, since I'm basically manually adding the same thing, which enables only half of the communication setup to work.

Maxim V. Pavlov

1 Answer

You need to create static routes on each router so that they know how to reach each office's network.

On Office 1 router:
Create a route for destination network 192.168.88.0/24 with the IP or interface of your VPN as the gateway. (I don't know what TMG is and how it might refer to static routes, but the concept is the same regardless of the router vendor.)
Since you mention some 'route relationship' (I guess this is vendor-specific terminology) you might not need to add any routes on the TMG router.

On Office 2 router:
You create a static route either via Winbox (IP > Router > Add) or via the CLI.

/ip route add dst-address=192.168.0.0/24 gateway=pptp-interface

Now the Office 2 router knows how to reach 192.168.0.0/24 (via the VPN) and likewise, the Office 1 router should know how to reach 192.168.88.0/24.

Also, I don't think you need any mangle rules. This can all be done without any iptables (IP > Firewall in MikroTik terminology) since it's just static routing between two networks.

Cha0s
  • Thanks. So your assumption is that nothing else is blocking on the Mikrotik side, and once PPTP is established, given there is a route on the TMG side, traffic from it should flow freely to the Mikrotik network. I will check this and let you know. Although I personally suspect that routes on TMG are present, but once the traffic arrives at the Mikrotik gateway, it isn't allowed inside the Mikrotik network, either by a firewall rule or the absence of some route on the Mikrotik side to allow communication from an external router that the Mikrotik is VPN'ed into. – Maxim V. Pavlov May 08 '17 at 14:48
  • In order for the Mikrotik to reach (back) the office 1 network (192.168.0.0/24) it needs to know how, i.e. it needs a static route telling it via which gateway IP/interface it should route the packets destined to 192.168.0.0/24. If you used the quick setup wizard when you first set up the Mikrotik then it has a default firewall that blocks input traffic to the router. IIRC it doesn't have any firewall rules on the forward chain, so it shouldn't interfere with the VPN traffic, unless you have your own firewall rules, in which case you should configure them accordingly. – Cha0s May 08 '17 at 18:34
  • The Mikrotik and its network computers can reach Office 1 just fine; this was obvious to me in the beginning and placing an appropriate routing rule allowed this to work. The problem is routing Office 1 requests to machines in the Mikrotik network. – Maxim V. Pavlov May 10 '17 at 09:49
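The following is an added example, not code from the question author, the answerer, or MikroTik/Forefront TMG. It models the plain static-routing layout the answer recommends as longest-prefix-match tables on both routers, and traces each direction of a packet between the two office networks, plus an internet-bound packet from office 2 with and without "Add Default Route". The interface names ("vpn", "pptp-office1", "isp1", "isp2", "bridge-lan"), the host addresses and the 203.0.113.0/24 internet destination are constructed for the example; it does not model mangle rules or routing marks, only the main routing table.

```python
"""Trace forwarding decisions for the two-office site-to-site VPN.

Added example: two-router model with longest-prefix-match lookups.
Interface names and host addresses are assumptions, not taken from
either office's real configuration.
"""
import ipaddress

# Interfaces that carry traffic into the other office's router.
TUNNEL_IFACES = {"vpn", "pptp-office1"}

OFFICE1_NET = ipaddress.ip_network("192.168.0.0/24")
OFFICE2_NET = ipaddress.ip_network("192.168.88.0/24")

# Office 1 (TMG): reach the branch network through the VPN, as the
# answer recommends. "vpn" and "isp1" are assumed interface names.
OFFICE1_ROUTES = [
    ("192.168.0.0/24", "lan"),
    ("192.168.88.0/24", "vpn"),
    ("0.0.0.0/0", "isp1"),
]

# Office 2 (MikroTik) with "Add Default Route" unchecked and the static
# route from the answer added: office 1 via PPTP, everything else via
# the local uplink ("isp2", assumed name).
OFFICE2_ROUTES_STATIC = [
    ("192.168.88.0/24", "bridge-lan"),
    ("192.168.0.0/24", "pptp-office1"),
    ("0.0.0.0/0", "isp2"),
]

# Office 2 with "Add Default Route" checked: the PPTP link becomes the
# default gateway, so internet traffic also hairpins through office 1.
OFFICE2_ROUTES_DEFAULT_VIA_VPN = [
    ("192.168.88.0/24", "bridge-lan"),
    ("0.0.0.0/0", "pptp-office1"),
]


def lookup(routes, dst):
    """Longest-prefix match: return the egress for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None  # (network, egress) of the most specific match so far
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def forward_path(src, dst, office2_routes):
    """Return [(router, egress), ...] for a packet src -> dst.

    The first router is chosen by the source network; when a router sends
    the packet into the tunnel, the other router makes the next decision.
    """
    tables = {"office1": OFFICE1_ROUTES, "office2": office2_routes}
    router = "office1" if ipaddress.ip_address(src) in OFFICE1_NET else "office2"
    hops = []
    for _ in range(2):  # at most two routers on any path in this model
        via = lookup(tables[router], dst)
        hops.append((router, via))
        if via not in TUNNEL_IFACES:
            break
        router = "office2" if router == "office1" else "office1"
    return hops


def both_directions_ok(office2_routes):
    """True if an office 1 host can reach an office 2 host and the reply
    comes back through the tunnel (i.e. neither side drops to its ISP)."""
    there = forward_path("192.168.0.10", "192.168.88.20", office2_routes)
    back = forward_path("192.168.88.20", "192.168.0.10", office2_routes)
    return (there[0][1] in TUNNEL_IFACES and there[-1][1] == "bridge-lan"
            and back[0][1] in TUNNEL_IFACES and back[-1][1] == "lan")


if __name__ == "__main__":
    for label, table in (("static route", OFFICE2_ROUTES_STATIC),
                         ("default via VPN", OFFICE2_ROUTES_DEFAULT_VIA_VPN)):
        print(f"--- office 2 table: {label} ---")
        print("office1 -> office2:", forward_path("192.168.0.10", "192.168.88.20", table))
        print("office2 -> office1:", forward_path("192.168.88.20", "192.168.0.10", table))
        print("office2 -> internet:", forward_path("192.168.88.20", "203.0.113.5", table))
        print("both directions ok:", both_directions_ok(table))
```

With the static route in the main table, the trace shows both office-to-office directions crossing the tunnel while the office 2 internet-bound packet leaves via the local uplink; with the default route through PPTP, that same internet packet is carried to office 1 first, which is the overhead the question describes.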