Sounds like you need to masquerade or route.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Mar 10, 2015 at 2:40 PM, Stavros Pap <spr41...@gmail.com> wrote:

> Question
>
> I have a PPTP server set up; everything works perfect. On my remote site I
> have 5 RB951Ui2HnD and 5 Engenius Access Points.
>
> The remote site is set up as a hotspot.
>
> My remote range is 172.21.0.0/16 and my access points have static IPs
> ranging from 172.21.10.11 - 172.21.10.20
>
> The first 5 are Mikrotik Access Points, the other 5 are the Engenius.
>
> From the server side I can ping 172.21.10.16 - 172.21.10.20 (Engenius
> access points)
> I can't ping 172.21.10.11-172.21.10.15 (the Mikrotik access points).
>
> Doing a traceroute to 172.21.10.11-15 shows me that the VPN assigned IP is
> prohibiting access to it.
>
> I have added 172.21.10.11 to the IP Binding section with no success.
> I have added 172.21.10.11 to the walled garden section with no success.
>
> I can ping and access the remote client gateway 172.21.1.1
> proxy arp is active
>
> Am I missing something? Do I have to set up some special firewall rule
> on these access points? Locally the Mikrotik access points ping fine and
> work fine.
>
> Any help would be much appreciated.
>
> Config as follows
>
> Server
>
> /interface bridge
> add arp=proxy-arp l2mtu=1598 name=Local
> /interface ethernet
> set [ find default-name=ether1 ] name=WAN
> /interface pppoe-client
> add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
>     default-route-distance=1 dial-on-demand=yes disabled=no interface=WAN \
>     keepalive-timeout=60 max-mru=1460 max-mtu=1460 mrru=1600 name=pppoe-out1 \
>     password=guest service-name=VODAFONE use-peer-dns=yes user=gu...@adsl.gr
> /ip hotspot user profile
> set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
>     mac-cookie-timeout=3d
> /ip pool
> add name=pool1 ranges=192.168.0.1-192.168.0.253
> add name="VPN Pool" ranges=10.0.0.1-10.0.0.253
> /ip dhcp-server
> add address-pool=pool1 disabled=no interface=Local name=server1
> /ppp profile
> add dns-server=8.8.8.8,4.4.4.4 local-address=192.168.0.254 name=Sotos \
>     remote-address=192.168.0.218
> add dns-server=8.8.8.8,4.4.4.4 local-address=192.168.0.254 name=Mirage \
>     remote-address=10.0.0.1
> add dns-server=8.8.8.8,4.4.4.4 local-address=192.168.0.254 name="VPN Profile" \
>     remote-address=192.168.0.216
> add dns-server=8.8.8.8,4.4.4.4 local-address=192.168.0.254 name=Moschos \
>     remote-address=192.168.0.217
> add local-address=192.168.0.254 name=Athena remote-address=192.168.0.220
> add dns-server=8.8.8.8,4.4.4.4 local-address=192.168.0.254 name=Kporta \
>     remote-address=192.168.0.221
> add dns-server=8.8.8.8,4.4.4.4 local-address=192.168.0.254 name=Florida \
>     remote-address=192.168.0.223
> add dns-server=8.8.8.8 local-address=192.168.0.254 name=Semiramis \
>     remote-address=192.168.0.224 wins-server=4.4.4.4
> /interface bridge port
> add bridge=Local interface=ether2
> add bridge=Local interface=ether3
> add bridge=Local interface=ether4
> add bridge=Local interface=ether5
> /interface pptp-server server
> set authentication=pap,chap,mschap1,mschap2 enabled=yes max-mru=1460 max-mtu=\
>     1460
> /ip address
> add address=192.168.0.254/24 interface=Local network=192.168.0.0
> /ip dhcp-server network
> add address=192.168.0.0/24 gateway=192.168.0.254
> /ip dns
> set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
> /ip firewall filter
> add chain=input dst-port=1723 protocol=tcp
> add chain=input protocol=gre
> /ip firewall mangle
> add action=strip-ipv4-options chain=postrouting protocol=tcp src-port=8291
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface=WAN
> add action=masquerade chain=srcnat src-address=192.168.0.0/24
> /ip route
> add distance=1 dst-address=10.1.1.0/24 gateway=192.168.0.221
> add distance=1 dst-address=172.21.0.0/16 gateway=10.0.0.1
> add distance=1 dst-address=172.31.0.0/16 gateway=192.168.0.217
> add distance=1 dst-address=172.41.0.0/16 gateway=192.168.0.220
> add distance=1 dst-address=172.51.0.0/16 gateway=192.168.0.224
> add distance=1 dst-address=172.61.0.0/16 gateway=192.168.0.223
> add distance=1 dst-address=192.168.2.0/24 gateway=192.168.0.216
> /ip service
> set telnet disabled=yes
> set ftp disabled=yes
> set ssh disabled=yes
> set api disabled=yes
> /ip upnp
> set allow-disable-external-interface=no
> /ppp secret
> add local-address=192.168.0.254 name=admin password=15901590 profile=\
>     "VPN Profile" service=pptp
> add local-address=192.168.0.254 name=sotos password=15901590 profile=Sotos \
>     service=pptp
> add local-address=192.168.0.254 name=mirage password=15901590 profile=Mirage \
>     remote-address=10.0.0.1 service=pptp
> add local-address=192.168.0.254 name=moschos password=15901590 profile=Moschos \
>     service=pptp
> add local-address=192.168.0.254 name=athina password=15901590 profile=Athena \
>     service=pptp
> add local-address=192.168.0.254 name=kporta password=15901590 profile=Kporta \
>     service=pptp
> add local-address=192.168.0.254 name=florida password=15901590 profile=Florida \
>     service=pptp
> add local-address=192.168.0.254 name=semiramis password=15901590 profile=\
>     Semiramis service=pptp
> /system identity
> set name=MultiCom
> [admin@MultiCom] >
>
> client
>
> /interface bridge
> add arp=proxy-arp l2mtu=1598 name=bridge1
> /interface ethernet
> set [ find default-name=ether1 ] name=WAN1
> /interface wireless security-profiles
> set [ find default=yes ] supplicant-identity=MikroTik
> /ip firewall layer7-protocol
> add name=torrentsites regexp="^.*(get|GET).+(torrent|\r\
>     \n\r\
>     \nthepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|\r\
>     \n\r\
>     \ntorrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|\r\
>     \n\r\
>     \nentertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|\r\
>     \n\r\
>     \nflixflux|seedpeer|fenopy|gpirate|commonbits).*\$\r\
>     \n\r\
>     \n"
> /ip hotspot profile
> set [ find default=yes ] login-by=http-pap split-user-domain=yes
> add hotspot-address=172.21.1.1 login-by=http-pap name=hsprof1 \
>     split-user-domain=yes
> /ip hotspot user profile
> set [ find default=yes ] add-mac-cookie=no idle-timeout=30m keepalive-timeout=\
>     2m rate-limit=300K/3000K shared-users=253
> add add-mac-cookie=no idle-timeout=15m keepalive-timeout=2m name=uprof1 \
>     shared-users=5
> /ip ipsec proposal
> set [ find default=yes ] enc-algorithms=3des
> /ip pool
> add name=hs-pool-6 ranges=172.21.0.1-172.21.1.0,172.21.1.2-172.21.255.254
> /ip dhcp-server
> add address-pool=hs-pool-6 disabled=no interface=bridge1 lease-time=1h name=\
>     dhcp1
> /ip hotspot
> add address-pool=hs-pool-6 disabled=no idle-timeout=30m interface=bridge1 name=\
>     hotspot1 profile=hsprof1
> /interface pptp-client
> add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=\
>     62.38.115.137 dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=\
>     1460 max-mtu=1460 mrru=1600 name=pptp-out1 password=15901590 profile=\
>     default user=mirage
> /system logging action
> set 0 memory-lines=100
> set 1 disk-lines-per-file=100
> /interface bridge port
> add bridge=bridge1 interface=ether2
> add bridge=bridge1 interface=ether3
> add bridge=bridge1 interface=ether4
> add bridge=bridge1 interface=ether5
> /ip address
> add address=192.168.100.200/24 interface=WAN1 network=192.168.100.0
> add address=172.21.1.1/16 interface=bridge1 network=172.21.0.0
> /ip cloud
> set update-time=no
> /ip dhcp-server network
> add address=172.21.0.0/16 comment="hotspot network" gateway=172.21.1.1
> /ip dns
> set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
>     servers=208.67.222.123,208.67.220.123
> /ip firewall filter
> add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
>     disabled=yes
> add action=drop chain=forward comment=torrentsites layer7-protocol=torrentsites \
>     src-address=172.21.0.0/16
> add action=drop chain=forward comment=dropDNS dst-port=53 layer7-protocol=\
>     torrentsites protocol=udp src-address=172.21.0.0/16
> add action=drop chain=forward comment=keyword_drop content=torrent src-address=\
>     172.21.0.0/16
> add action=drop chain=forward comment=trackers_drop content=tracker \
>     src-address=172.21.0.0/16
> add action=drop chain=forward comment=get_peers_drop content=getpeers \
>     src-address=172.21.0.0/16
> add action=drop chain=forward comment=info_hash_drop content=info_hash \
>     src-address=172.21.0.0/16
> add action=drop chain=forward comment=announce_peers_drop content=\
>     announce_peers src-address=172.21.0.0/16
> add action=drop chain=forward comment=p2p_drop p2p=all-p2p src-address=\
>     172.21.0.0/16
> /ip firewall mangle
> add action=strip-ipv4-options chain=postrouting protocol=tcp src-port=8291
> /ip firewall nat
> add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
>     disabled=yes
> add action=masquerade chain=srcnat out-interface=pptp-out1
> add action=masquerade chain=srcnat src-address=192.168.100.0/24
> add action=masquerade chain=srcnat out-interface=WAN1
> add action=masquerade chain=srcnat comment="masquerade hotspot network" \
>     src-address=172.21.0.0/16
> /ip hotspot ip-binding
> add mac-address=E8:94:F6:ED:0E:34 type=bypassed
> add mac-address=A4:17:31:5D:F6:FD type=bypassed
> add mac-address=E8:94:F6:DF:19:EC type=bypassed
> add mac-address=18:CF:5E:55:03:89 type=bypassed
> add mac-address=00:EB:2D:D7:F5:A2 type=bypassed
> add mac-address=00:24:D7:14:6F:44 type=bypassed
> add address=172.21.10.11 mac-address=D4:CA:6D:05:FD:50 server=hotspot1 \
>     to-address=172.21.10.11 type=bypassed
> add address=172.21.10.12 mac-address=D4:CA:6D:06:CE:C6 server=hotspot1 \
>     to-address=172.21.10.12 type=bypassed
> add address=172.21.10.13 server=hotspot1 to-address=172.21.10.13 type=bypassed
> add address=172.21.10.14 server=hotspot1 to-address=172.21.10.14 type=bypassed
> add address=172.21.10.15 server=hotspot1 to-address=172.21.10.15 type=bypassed
> add address=172.21.10.16 server=hotspot1 to-address=172.21.10.16 type=bypassed
> add address=172.21.10.17 server=hotspot1 to-address=172.21.10.17 type=bypassed
> add address=172.21.10.18 server=hotspot1 to-address=172.21.10.18 type=bypassed
> add address=172.21.10.19 server=hotspot1 to-address=172.21.10.19 type=bypassed
> add address=172.21.10.20 server=hotspot1 to-address=172.21.10.20 type=bypassed
> add address=172.21.10.21 server=hotspot1 to-address=172.21.10.21 type=bypassed
> add address=172.21.10.22 server=hotspot1 to-address=172.21.10.22 type=bypassed
> /ip hotspot user
> add name=mirage password=2468013570
> add name=stavros password=1590 profile=uprof1
> /ip hotspot walled-garden
> add comment="place hotspot rules here" disabled=yes
> add dst-host=static.ess.apple.com path=/connectivity.txt
> add dst-host=captive.apple.com
> add dst-host=www.appleiphonecell.com
> add dst-host=*.apple.com
> add dst-host=www.itools.info
> add dst-host=www.ibook.info
> add dst-host=www.airport.us
> add dst-host=www.thinkdifferent.us
> add dst-host=*.apple.com.edgekey.net
> add dst-host=*.akamaiedge.net
> add dst-host=*.akamaitechnologies.com
> add dst-host=gsp1.apple.com
> /ip hotspot walled-garden ip
> add action=accept disabled=no dst-address=172.21.10.11-172.21.10.22 server=\
>     hotspot1 src-address=172.21.10.11-172.21.10.22
> /ip ipsec policy
> add template=yes
> /ip route
> add distance=1 gateway=192.168.100.1
> add distance=1 dst-address=172.21.0.0/16 gateway=192.168.0.254
> /ip service
> set www-ssl disabled=no
> /ip upnp
> set allow-disable-external-interface=no
> /system identity
> set name="Mirage Apts"
> [admin@Mirage Apts] >
>
> access point mikrotik
>
> /interface bridge
> add l2mtu=1598 name=bridge1
> /interface wireless
> set [ find default-name=wlan1 ] band=2ghz-b/g/n default-forwarding=no disabled=\
>     no ht-rxchains=0 ht-txchains=0 l2mtu=2290 mode=ap-bridge ssid=Mirage \
>     wireless-protocol=802.11
> /ip neighbor discovery
> set wlan1 discover=no
> /interface wireless security-profiles
> set [ find default=yes ] supplicant-identity=MikroTik
> /ip hotspot user profile
> set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
>     mac-cookie-timeout=3d
> /ip ipsec proposal
> set [ find default=yes ] enc-algorithms=3des
> /system logging action
> set 0 memory-lines=100
> set 1 disk-lines-per-file=100
> /interface bridge port
> add bridge=bridge1 interface=ether1
> add bridge=bridge1 interface=wlan1
> add bridge=bridge1 interface=ether2
> add bridge=bridge1 interface=ether3
> add bridge=bridge1 interface=ether4
> add bridge=bridge1 interface=ether5
> /ip address
> add address=172.21.10.11/16 interface=bridge1 network=172.21.0.0
> /ip dhcp-client
> add dhcp-options=hostname,clientid interface=bridge1
> /ip firewall filter
> add chain=input in-interface=!bridge1 src-address=172.21.0.0/16
> add chain=forward comment="Allow HTTP" dst-port=80 protocol=tcp
> add chain=device-manage
> add chain=input comment="Allow Established connections" connection-state=\
>     established
> add chain=input comment="Allow ICMP" protocol=icmp
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface=bridge1
> add action=masquerade chain=srcnat src-address=172.21.0.0/16
> /ip ipsec policy
> add template=yes
> /ip service
> set www-ssl disabled=no
> /ip upnp
> set allow-disable-external-interface=no
> /system identity
> set name=Hmiorofos
> /system leds
> set 0 interface=wlan1
> [admin@Hmiorofos] >
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mail.butchevans.com/pipermail/mikrotik/attachments/20150310/2606cd26/attachment.html>
> _______________________________________________
> Mikrotik mailing list
> Mikrotik@mail.butchevans.com
> http://mail.butchevans.com/mailman/listinfo/mikrotik
>
> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
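An added illustration of the "masquerade or route" reply, not code from the thread: it models where the access point would send its echo reply to a ping from the PPTP server, and why either a route on the AP or a masquerade rule on the hotspot router gets the reply back. It assumes the ping is sourced from 192.168.0.254 and that the AP holds only its connected 172.21.0.0/16 route; the function names and the RouterOS lines in the comments are illustrative.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs.
    Returns the gateway, "on-link" for a connected route, or "unreachable"."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return "unreachable" if best is None else (best[1] or "on-link")

def echo_reply_path(ap_routes, ping_src, masquerade_to=None):
    """Source address the AP sees and the next hop it picks for the reply.
    masquerade_to models srcnat masquerade on the hotspot router for traffic
    leaving bridge1: the AP then sees the router's bridge address instead."""
    seen_src = masquerade_to or ping_src
    return seen_src, lookup(ap_routes, seen_src)

# Constructed inputs, using addresses from the posted config.
PING_SRC = "192.168.0.254"                 # PPTP server local-address (assumed ping source)
HOTSPOT_GW = "172.21.1.1"                  # hotspot router address on bridge1
AP_CONNECTED = [("172.21.0.0/16", None)]   # AP 172.21.10.11/16, assumed no other route

def scenarios():
    return {
        # Assumed current state: the AP has no path back to the server subnet.
        "as_assumed": echo_reply_path(AP_CONNECTED, PING_SRC),
        # "route", on the AP (illustrative):
        #   /ip route add dst-address=192.168.0.0/24 gateway=172.21.1.1
        "route": echo_reply_path(
            AP_CONNECTED + [("192.168.0.0/24", HOTSPOT_GW)], PING_SRC),
        # "masquerade", on the hotspot router (illustrative):
        #   /ip firewall nat add chain=srcnat action=masquerade out-interface=bridge1
        "masquerade": echo_reply_path(
            AP_CONNECTED, PING_SRC, masquerade_to=HOTSPOT_GW),
    }

if __name__ == "__main__":
    for name, (src, hop) in scenarios().items():
        print(f"{name:11} reply to {src:15} next hop: {hop}")
```

With the route option the AP's firewall and logs still see the real VPN-side source address; with masquerade every connection arriving over the tunnel appears to come from 172.21.1.1.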