Hi Malcolm,

If all of your VPN clients are in one /24, e.g. 192.168.5.0/24, you can just have a single route on each VPN client with that destination rather than having multiple entries. That would avoid you needing to add more /32 entries to each device if/when you add more devices.

Also, a route can have any CIDR, including /32 (which disappears in the MT interface). I even use /31 for some routes which is very rarely used in any other situation :)

Regards,
Philip Loenneker | Network Engineer | TasmaNet
40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
P: 1300 792 711
philip.loenneker@tasmanet.com.au
www.tasmanet.com.au

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Dave Browning
Sent: Monday, 21 January 2019 10:22 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] How to get connectivity between VPN clients.

Or even better, run BGP across the VPN.

On 21 Jan 2019, at 8:17 pm, Malcolm Faed <malcolm@avcomm.com.au> wrote:
3rd time luck to get an image sent. :)
OK, maybe this is where my problem is.
How does one remote know how to get to another remote given the linked mspaint-CAD.
https://malfunction.faed.name/2019/01/mikrotik-chr-vpn.html

I know these are point to point links so perhaps the following would be appropriate.
On remote .2:
/ip route add dst-address=192.168.5.3 gateway=192.168.5.1
/ip route add dst-address=192.168.5.4 gateway=192.168.5.1

On remote .3:
/ip route add dst-address=192.168.5.2 gateway=192.168.5.1
/ip route add dst-address=192.168.5.4 gateway=192.168.5.1

On remote .4:
/ip route add dst-address=192.168.5.2 gateway=192.168.5.1
/ip route add dst-address=192.168.5.3 gateway=192.168.5.1
The dst_address usually has a subnet after it e.g. /24. I need to check if this will work on a router tomorrow. Perhaps a /32 is legal in this case. I am statically assigning addresses (not using a pool).
Once I get this part working, I should be able to add the appropriate routes for the devices behind each remote MT on the orange LANs.
TIA
Malcolm Faed
Network Broadcast Engineer
malcolm@avcomm.com.au
Av-Comm
+61 2 9939 4377
Unit 24 / 9 Powells Road, Brookvale - NSW 2100
avcomm.com.au
This e-mail message may contain confidential or legally privileged information and is intended only for the use of the intended recipient(s). Any unauthorised disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is prohibited. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, or contain viruses. Anyone who communicates with us by e-mail is deemed to have accepted these risks. Av-Comm is not responsible for errors or omissions in this message and denies any responsibility for any damage arising from the use of e-mail. Any opinion and other statement contained in this message and any attachment are solely those of the author and do not necessarily represent those of the company.
On Mon, 21 Jan 2019 at 19:56, Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
Do your clients know where to route to to get to the other clients? What does each client's routing table look like?
On Mon, 21 Jan 2019 at 19:38, Malcolm Faed <malcolm@avcomm.com.au> wrote:
No. Not by default. Certainly worth trying.
I would prefer not to but can.
Malcolm Faed Network Broadcast Engineer malcolm@avcomm.com.au
Av-Comm +61 2 9939 4377 Unit 24 / 9 Powells Road, Brookvale - NSW 2100 avcomm.com.au
On Mon., 21 Jan. 2019, 19:34 Dave Browning <dave@sentrian.com.au> wrote:
Are your SSTP clients def routing via the VPN?
On 21 Jan 2019, at 6:26 pm, Malcolm Faed <malcolm@avcomm.com.au> wrote:
Thanks for responding. Just the automatically added routes.
I guess a question is should I be able to get connectivity between the clients by default? If so I have probably messed something up.
If not, something special needs to be done that is eluding me.
Cheers,
Malcolm Faed Network Broadcast Engineer malcolm@avcomm.com.au
Av-Comm +61 2 9939 4377 Unit 24 / 9 Powells Road, Brookvale - NSW 2100 avcomm.com.au
On Mon., 21 Jan. 2019, 19:12 Jason Hecker (Up & Running Tech) <jason@upandrunningtech.com.au> wrote:
What does your routing table look like?
> On Mon, 21 Jan 2019 at 18:23, Malcolm Faed <malcolm@avcomm.com.au> wrote:
>
> Hi all,
>
> I am attempting to get VPN connectivity between multiple SSTP Mikrotik VPN clients.
>
> I have set up a cloud hosted router (CHR v 6.42.11) on a hosting service. ($4 per month on Binary Lane)
>
> I can connect multiple clients and ping to the cloud router, but need to be able to obtain connectivity between clients.
>
> I have added the bridge to the profile and selected proxy-arp on the CHR bridge.
>
> Thanks for any assistance.
>
> Regards,
>
> Malcolm Faed
> Network Broadcast Engineer
> malcolm@avcomm.com.au
> Av-Comm
> +61 2 9939 4377
> Unit 24 / 9 Powells Road, Brookvale - NSW 2100
> avcomm.com.au
--
Regards,
Jason Hecker
<https://www.upandrunningtech.com.au>
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
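
Added example, not part of the original thread: a longest-prefix-match lookup over remote .2's routing table, comparing the automatically added routes, the per-peer /32 routes proposed above, and the single 192.168.5.0/24 route suggested in the reply. The interface name sstp-out1, the WAN gateway 203.0.113.1, the later client 192.168.5.5 and the assumption that the client's default route points at the WAN (not the VPN) are illustrative; with that default route, anything not covered by a tunnel route leaves via the WAN instead of the VPN.

```python
import ipaddress

HUB = "192.168.5.1"      # CHR end of every SSTP link (address from the thread)
TUNNEL_IF = "sstp-out1"  # assumed name of the client's SSTP interface
WAN_GW = "203.0.113.1"   # assumed ISP gateway (documentation address range)

# Constructed table for remote .2 with only the automatically added routes,
# assuming its default route points at the WAN rather than the VPN.
AUTO = [("0.0.0.0/0", WAN_GW), (HUB + "/32", TUNNEL_IF)]
# The per-peer /32 routes proposed in the thread for remote .2.
PER_PEER = AUTO + [("192.168.5.3/32", HUB), ("192.168.5.4/32", HUB)]
# The single covering route suggested in the reply.
SUMMARY = AUTO + [("192.168.5.0/24", HUB)]


def next_hop(table, dst):
    """Return the gateway of the most specific (longest-prefix) matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in table:
        net = ipaddress.ip_network(prefix)  # raises ValueError on a malformed prefix
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def outside_tunnel(table, peers):
    """Peers whose traffic would follow a non-VPN route (or have no route at all)."""
    return [p for p in peers if next_hop(table, p) not in (HUB, TUNNEL_IF)]


if __name__ == "__main__":
    peers = ["192.168.5.3", "192.168.5.4", "192.168.5.5"]  # .5 = a client added later
    for name, table in (("auto", AUTO), ("per-peer /32", PER_PEER), ("/24", SUMMARY)):
        print(f"{name:13} not via VPN: {outside_tunnel(table, peers)}")
```

The /32 to the hub still wins over the /24 for 192.168.5.1 itself, so the covering route does not disturb the point-to-point link.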