I set up the VPN on the Quickset page of WebFig, which generally seems to perform well. I can connect to the router gateway/webfig and route packets from the WAN side through the router to the client but I can't access anything on the gateway's subnet. I am sure this needs a simple config setting changed but I don't know what it is. The only thing I changed that might be important is the default subnet to a 10.x.y.z range. I set the local address to be 10.x.y.1 (gateway) and the remote address to 10.x.y.200 (or dhcp or vpn), with no effect.

Any suggestions about what I've done wrong?

Darren.

Are using the same subnet for LAN and VPN? If they are both in the same subnet, you have to set proxy-arp on the bridge.

OK. Are there any instructions how to do this using WebFig? This is a bit beyond my expertise.

Hi,

After you connected via WebFig, on the left menu click on the "bridge" option. Then in the right you should see your current bridge name. Click on bridge name, then also into the right side of the screen, you should see bridge settings.

Check for ARP, is right almost the top of the page, and from values list ( default value is "enabled" ) select "proxy-arp". Back to top of the page and hit "OK".

That's all.

P.S. Do not forget on the left menu to click on LOGOUT; it is last option.

kind regards,

There is no bridge set. If I create a Bridge using the default settings with ARP enabled, then I select that Bridge in the appropriate PPP Profile is that all I should need to do? I don't see how it knows what to bridge to where, or is it a yes/no kind of rule?

Hi,

After you connected via Webfig, from left menu click on "New terminal" option. It will open a new window ( terminal window ). In that windows please type the following command:
( meaning "showing" current config )
Copy & paste here in order to have a better view of your config.

kind regards,

Here it is. Warning about memory frequency as well

# feb/22/2017 19:18:35 by RouterOS 6.38.1

# software id = UCMM-DSKY

#

/interface bridge

add name=bridge1

/interface ethernet

set [ find default-name=ether2 ] name=ether2-master

set [ find default-name=ether3 ] master-port=ether2-master

set [ find default-name=ether4 ] master-port=ether2-master

set [ find default-name=ether5 ] master-port=ether2-master

/ip neighbor discovery

set ether1 discover=no

/ip hotspot profile

set [ find default=yes ] html-directory=flash/hotspot

/ip ipsec proposal

set [ find default=yes ] pfs-group=none

/ip pool

add name=dhcp ranges=10.160.100.2-10.160.100.120

add name=vpn ranges=192.168.89.2-192.168.89.255

/ip dhcp-server

add address-pool=dhcp disabled=no interface=ether2-master name=defconf

/ppp profile

set *0 local-address=192.168.89.1 only-one=no remote-address=vpn use-encryption=yes

set *FFFFFFFE bridge=bridge1 dns-server=10.160.100.1 local-address=10.160.100.1 remote-address=vpn

/interface l2tp-server server

set authentication=mschap2 enabled=yes use-ipsec=yes

/interface pptp-server server

set enabled=yes

/ip address

add address=10.160.100.1/24 comment=defconf interface=ether2-master network=10.160.100.0

/ip cloud

set ddns-enabled=yes

/ip dhcp-client

add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server lease

add address=10.160.100.163 client-id=Gigaset mac-address=7C:2F:80:A8:90:F9 server=defconf

add address=10.160.100.2 client-id=1:9C:B6:54:04:54:47 comment=Zappa mac-address=9C:B6:54:04:54:47

add address=10.160.100.140 client-id=D-Link mac-address=6C:19:8F:CC:40:1C

add address=10.160.100.118 client-id=1:b8:27:eb:74:36:41 mac-address=B8:27:EB:74:36:41 server=defconf

/ip dhcp-server network

add address=10.160.100.0/24 comment=defconf gateway=10.160.100.1 netmask=24

/ip dns

set allow-remote-requests=yes

/ip dns static

add address=10.160.100.1 name=router

/ip firewall filter

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related

add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp

add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp

add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

add action=accept chain=input comment="Allow ipsec" port=1701,500,4500 protocol=udp

add action=accept chain=input comment="Allow Homserver Dynamic DNS" dst-port=80,443,4125 protocol=tcp

add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \

connection-state=new in-interface=ether1

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

add action=dst-nat chain=dstnat comment=Homeserver dst-port=443,80,4125 in-interface=ether1 protocol=tcp \

to-addresses=10.160.100.2 to-ports=443

add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.160.100.2 \

to-ports=80

add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=10.160.100.2

add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=10.160.100.2 to-ports=\

32400

add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1 protocol=udp to-addresses=10.160.100.2 to-ports=\

32400

add action=dst-nat chain=dstnat dst-port=5060,5065 in-interface=ether1 protocol=udp to-addresses=10.160.100.163 \

to-ports=5060

add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=udp to-addresses=10.160.100.2 to-ports=\

3389

add action=dst-nat chain=dstnat disabled=yes dst-port=4125 in-interface=ether1 protocol=tcp to-addresses=\

10.160.100.2 to-ports=4125

add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

/ip service

set www-ssl disabled=no

/ip upnp

set allow-disable-external-interface=yes enabled=yes

/ppp secret

add local-address=10.160.100.1 name=vpn remote-address=10.160.100.200

/system clock

set time-zone-name=Europe/London

/system routerboard settings

# Warning: memory not running at default frequency

set memory-frequency=1200DDR

/tool mac-server

set [ find default=yes ] disabled=yes

add interface=ether2-master

/tool mac-server mac-winbox

set [ find default=yes ] disabled=yes

add interface=ether2-master

Hi,

Sorry for delay i was away with job. One more question: is there any port ( ether2-ether5 ) unused ( meaning you do not have any device plugged in it) ?

kind regards,

Only port 2 is occupied. Port 1 is wan


Sent from my iPhone using Tapatalk

Hi,

As i can see your configuration is as follow:
ether1 - WAN
ether2-5 - LAN with ether2 as master port
Your LAN address range is 10.160.100.0/24
- DHCP server pool: 10.160.100.2-120
- ether2 ip address is 10.160.100.1
- you have pptp-server/l2tp-server both enabled

I skip over filter rules ( which some of them you should refine ), just an observation regarding nat filter rules:
first nat rule will masquerade also VPN pool and from this point of view i think you should disable last rule: Also, pool VPN is defined wrong! You defined address range 192.168.89.0/24, where 192.168.89.255 is broadcast address for network range.
It should be Go to IP -> POOL -> click on "vpn" pool and make correct change.

From left menu select IP option, then below POOL. On the right, into the "pools" tab click on "vpn" name.
- into Addresses field type correct range: 192.168.89.2-192.168.89.254;
- hit ok button from above.

Now, back to VPN.
/ppp profile
- first profile you have local-address=192.168.89.1 but there is no interface/bridge with that ip defined.
- second profile has defined bridge=bridge1 but bridge1 has no ports attached to it.
I guess it remains so after you have tested variants with VPN.

So, in my opinion,try the following:

1. I see you have already defined a bridge ( bridge1 ); then assign it ports, ether2-master, and make sure that bridge1 ARP option is "proxy-arp".
New terminal WebFig

From left menu select BRIDGE option.
1. Then, in the right, click on "ports" tab.
- click on "add new" button;
- interface: select from drop-down list "ether2-master";
- bridge: i presume that "bridge1" is already selected;
- hit "OK" button.
2. Click, in the right, on "bridge1" name
- scroll down and in front of "ARP" option select from drop-down list option: PROXY-ARP;
- hit "OK" button from above

2. make bridge1 default gateway for VPN pool 192.168.89.2-25, assigning it ip address 192.168.89.1
New terminal WebFig

From left mene select IP option, then addresses. Click on "add new":
- address field type: 192.168.89.1/24 ;
- network ( click on arrow): 255.255.255.0 ;
- interface: select BRIDGE1.
- hit OK button from above.

3. Let's define a new PPP profile to be used in PPTP/L2TP Server; it should look like this
New terminal WebFig

From left menu select PPP option; click, from the right, on the "Profiles" tab.
- click on button "Add new"; fill in the following:
- Name: Default VPN ;
- Local address: 192.168.89.1 ;
- Remote address: vpn ;
- Bridge: bridge1 ;
- DNS Server: 8.8.8.8 ;
- Change TCP MSS: yes ;
- Use Encryption: required ;
- Only One: no ;
- hit OK button from above.

4. Also, you have to go to PPTP/L2TP Server and point out that default profile is latest created.
New terminal WebFig

From left menu select PPP option; click on button "PPTP Server";
- Default profile: select from drop-down list "Default VPN" profile;
- Authentication: check only mschap2 and mschap1 ;
- hit OK button from above.
Do the same for L2TP Server.

5. Into Secrets option of profile, where you have defined username/passwords for VPN, you should change Profile to "Default VPN" also.
New terminal or for a specific user ( Ex.: test-user ) WebFig

From left menu select PPP option; click on Secrets tab.
- click on username(s) already defined;
- Profile: select from drop-down list "Default VPN";
- hit OK button from above.

6. Define a rule in firewall to accept pings from VPN ( move it before any drop rules)
New terminal WebFig

From left menu click on IP option, then on firewall, below.
- into "filter rules" tab click on "Add new" button ; Fill in the following:
- Chain: input ;
- Protocol: click on arrow and select from drop-down list "ICMP";
- In interface: click on arrow and select from drop-down list "all ppp" ;
scroll down until you'll find:
- Action: select from drop-down list "Accept";
- Log: check it ;
- Log prefix: click on arrow and type: VPN-ping;
- Comment ( last field): Accept ping from VPN.

Now you are ready to try again. After you have connected via VPN you should be able to:
- have internet throught your mikrotik device;
- ping and acces any device from 10.160.100.0/24 network range.

Hope it helps.

kind regards,

Many thanks for your help. I think that has worked. It disabled the DHCP server and the Quickset home page won't let me set an IP address other than 192.168.89.1 but after re-enabling the DHCP server it appears to be working for now. I connected via an iPhone and was able to get to a server in my 10.160.100.x range.

This is my config now (I only change L2TP since I don't want to use PPTP):

# feb/25/2017 14:08:49 by RouterOS 6.38.3

# software id = UCMM-DSKY

#

/interface bridge

add arp=proxy-arp name=bridge1

/interface ethernet

set [ find default-name=ether2 ] name=ether2-master

set [ find default-name=ether3 ] master-port=ether2-master

set [ find default-name=ether4 ] master-port=ether2-master

set [ find default-name=ether5 ] master-port=ether2-master

/ip neighbor discovery

set ether1 discover=no

/ip hotspot profile

set [ find default=yes ] html-directory=flash/hotspot

/ip ipsec proposal

set [ find default=yes ] pfs-group=none

/ip pool

add name=dhcp ranges=10.160.100.2-10.160.100.120

add name=vpn ranges=192.168.89.2-192.168.89.254

/ip dhcp-server

add address-pool=dhcp disabled=no interface=ether1 name=defconf

add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1

/ppp profile

set *0 local-address=192.168.89.1 only-one=no remote-address=vpn \

use-encryption=yes

add bridge=bridge1 change-tcp-mss=yes dns-server=8.8.8.8 local-address=\

192.168.89.1 name="Default VPN" only-one=no remote-address=vpn \

use-encryption=required

set *FFFFFFFE bridge=bridge1 dns-server=10.160.100.1 local-address=\

192.168.89.1 remote-address=vpn

/interface bridge port

add bridge=bridge1 interface=ether2-master

/interface l2tp-server server

set authentication=mschap2 default-profile="Default VPN" enabled=yes \

use-ipsec=yes

/interface pptp-server server

set enabled=yes

/ip address

add address=10.160.100.1/24 comment=defconf interface=ether2-master network=\

10.160.100.0

add address=192.168.89.1/24 interface=ether2-master network=192.168.89.0

/ip cloud

set ddns-enabled=yes

/ip dhcp-client

add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\

ether1

/ip dhcp-server lease

add address=10.160.100.163 client-id=Gigaset mac-address=7C:2F:80:A8:90:F9 \

server=defconf

add address=10.160.100.2 client-id=1:9C:B6:54:04:54:47 comment=Zappa \

mac-address=9C:B6:54:04:54:47

add address=10.160.100.140 client-id=D-Link mac-address=6C:19:8F:CC:40:1C

add address=10.160.100.118 client-id=1:b8:27:eb:74:36:41 mac-address=\

B8:27:EB:74:36:41 server=defconf

/ip dhcp-server network

add address=10.160.100.0/24 comment=defconf gateway=10.160.100.1 netmask=24

add address=192.168.89.0/24 gateway=192.168.89.1 netmask=24

/ip dns

set allow-remote-requests=yes

/ip dns static

add address=10.160.100.1 name=router

/ip firewall filter

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="defconf: accept established,related" \

connection-state=established,related

add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp

add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp

add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

add action=accept chain=input comment="Allow ipsec" port=1701,500,4500 \

protocol=udp

add action=accept chain=input comment="Allow Homserver Dynamic DNS" dst-port=\

80,443,4125 protocol=tcp

add action=accept chain=input comment="Accept ping from VPN" in-interface=\

all-ppp log=yes log-prefix=VPN-Ping protocol=icmp

add action=drop chain=input comment="defconf: drop all from WAN" \

in-interface=ether1

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \

connection-state=established,related

add action=accept chain=forward comment="defconf: accept established,related" \

connection-state=established,related

add action=drop chain=forward comment="defconf: drop invalid" \

connection-state=invalid

add action=drop chain=forward comment=\

"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \

connection-state=new in-interface=ether1

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade" \

out-interface=ether1

add action=dst-nat chain=dstnat comment=Homeserver dst-port=443,80,4125 \

in-interface=ether1 protocol=tcp to-addresses=10.160.100.2 to-ports=443

add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=ether1 \

protocol=tcp to-addresses=10.160.100.2 to-ports=80

add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=\

tcp to-addresses=10.160.100.2

add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1 protocol=\

tcp to-addresses=10.160.100.2 to-ports=32400

add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1 protocol=\

udp to-addresses=10.160.100.2 to-ports=32400

add action=dst-nat chain=dstnat dst-port=5060,5065 in-interface=ether1 \

protocol=udp to-addresses=10.160.100.163 to-ports=5060

add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=\

udp to-addresses=10.160.100.2 to-ports=3389

add action=dst-nat chain=dstnat disabled=yes dst-port=4125 in-interface=\

ether1 protocol=tcp to-addresses=10.160.100.2 to-ports=4125

add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \

src-address=192.168.89.0/24

/ip service

set www-ssl disabled=no

/ip upnp

set allow-disable-external-interface=yes enabled=yes

/ppp secret

add name=vpn profile="Default VPN"

/system clock

set time-zone-name=Europe/London

/system routerboard settings

# Warning: memory not running at default frequency

set memory-frequency=1200DDR

/tool mac-server

set [ find default=yes ] disabled=yes

add interface=ether2-master

/tool mac-server mac-winbox

set [ find default=yes ] disabled=yes

add interface=ether2-master

Hi,

I have two issues with this VPN setup that I wonder if I could get some advice on.

If I route all traffic throught the VPN from either an iPhone or Windows all works well, except I can't resolve the windows names of servers behind my VPN - IP addresses work. How do I get resolution of windows names when connecting into the VPN?

If I disable sending all traffic through the VPN I can connect to my VPN's LAN on the iPhone (again, IP addresses only) but Windows won't - all settings identical apart from disabling routing all traffic through the remote gateway. Any idea why this happens?

Darren.

Hi,

Might help you this thread: viewtopic.php?f=13&t=118697
I think Sob has explained very well.

kind regards,

Hi Janus,

He explains the problem but I'm still not sure of the solution. With my config I have changed the DNS server for the VPN connection to my router's address but it still doesn't resolve the names if I don't route all traffic over the gateway or the IP addresses if I don't.

Adding my server as a static DNS entry as either \\Server ot Server did nothing (in all traffic routed mode, where IP addresses do work).

What I think I need is to do is to set the DNS server somewhere else in the config and tell the Windows box the DNS server automatically. ARP?

Any suggestions?

Darren.

Hi Darren,

I have made a simple test with VPN PPTP into one of my clients network and from my side it was working ( ping, RDP, access sharing on a workstation running Windows Xp ). It won't resolve your dns names because you have to "suffix" them, at least that's how worked for me.
Here is how i suggest you try.

Let's take for example one of your servers behind mikrotik, 10.160.100.2 ( for which you have a lot of forwarding rules ).

I. Mikrotik side
1. set static names with suffix ( i take for example: local ) into DNS 2. allow remote request ( from inside your LAN ) and change default cache-size ( 2048K )

BEWARE:
I would add 2 rules into firewall to prevent dns request from wan ( place them above any drop rules):

Code: Select all

/ip firewall filter
add action=drop chain=input comment="Prevent DNS request from WAN" dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp

3. on PPP profile be sure to add DNS Server only 10.160.100.1 as well as your local address: 10.160.100.1; only remote address would be your vpn pool: vpn ( as you have defined )

II. Windows size
1. Server 10.160.100.2 ( srv02) - ip address, dns suffix


2. Workstation that has VPn PPTP configuration ( is connecting via PPTP )


Now, after you have succesfully connected via PPTP and have any ip from your VPN range ( 192.168.89.2-254 ) you should be able to ping your server by hostname ( in fact, any static name from /ip dns static print ).

Example:
ping gw.local ( should return reply from 10.160.100.1 ...... )
ping srv02.local ( should return reply from 10.160.100.2 ...... )

Regarding, accesing shares like \\srv02\XX it would be only a problem of windows configuration, not mikrotik side.

Hope it helps.

kind regards,

Thanks Janus. That really helps me to understand what's going on. Here are my results:

If I put all the traffic through the router the static address addition of \\server.local works but \\server doesn't (I realise this probably shouldn't work) but that Windows address resolves on the network. The 10.160.100.x range can be reached.

If I don't put all the traffic through, and I follow your windows setup advice, I still can't connect to anything, by ping or otherwise, with the exception of webfig in a browser. Can't figure that one out.

I don't think there's a Windows thing here. This all works fine (and automatically) on my Cisco RV180 router without any special setup in Windows or on the Cisco router, so I think it's my Mikrotik router.

I'm a bit stuck. Do you have any more thoughts?

Darren.

hi,

what do you mean by ?

If I put all the traffic through the router

a. do not see any "local-arp" on defined bridge1 still no ping ?

b. try to put ip 192.168.89.1 not on ether2-master but on bridge1
from your config : should be: P.s. You could try with fasttrack disabled ( in my above test on rb750gr3 fasttrack was disabled. i forgot to mention this until i looked over your config )
disable followong rules from ip firewall filter: Any difference ?

Hope it helps.

kind regards,

Hmm that doesn't work either. I'm getting stuck on this. I tried your suggestions but no difference to behaviour.

This is the current config:


/interface bridge

add arp=proxy-arp name=bridge1

/interface ethernet

set [ find default-name=ether2 ] name=ether2-master

set [ find default-name=ether3 ] master-port=ether2-master

set [ find default-name=ether4 ] master-port=ether2-master

set [ find default-name=ether5 ] master-port=ether2-master

/ip neighbor discovery

set ether1 discover=no

/ip hotspot profile

set [ find default=yes ] html-directory=flash/hotspot

/ip ipsec proposal

set [ find default=yes ] pfs-group=none

/ip pool

add name=dhcp ranges=10.160.100.2-10.160.100.120

add name=vpn ranges=192.168.89.2-192.168.89.254

/ip dhcp-server

add address-pool=dhcp disabled=no interface=ether1 name=defconf

add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1

/ppp profile

set *0 local-address=192.168.89.1 only-one=no remote-address=vpn \

use-encryption=yes

add bridge=bridge1 change-tcp-mss=yes comment="Standard VPN Connection" \

dns-server=10.160.100.1 local-address=10.160.100.1 name=\

"Default VPN" only-one=no remote-address=vpn use-encryption=\

required use-upnp=yes

set *FFFFFFFE bridge=bridge1 dns-server=10.160.100.1 local-address=\

192.168.89.1 remote-address=vpn

/interface bridge port

add bridge=bridge1 interface=ether2-master

/interface l2tp-server server

set allow-fast-path=yes authentication=mschap2 default-profile=\

"Default VPN" enabled=yes use-ipsec=yes

/interface pptp-server server

set enabled=yes

/ip address

add address=10.160.100.1/24 comment=defconf interface=ether2-master \

network=10.160.100.0

add address=192.168.89.1/24 interface=bridge1 network=192.168.89.0

/ip cloud

set ddns-enabled=yes

/ip dhcp-client

add comment=defconf dhcp-options=Virgin,Mikrotik disabled=no interface=\

ether1

/ip dhcp-server lease

add address=10.160.100.163 client-id=Gigaset mac-address=\

7C:2F:80:A8:90:F9 server=defconf

add address=10.160.100.2 client-id=1:9C:B6:54:04:54:47 comment=Zappa \

mac-address=9C:B6:54:04:54:47

add address=10.160.100.140 client-id=D-Link mac-address=\

6C:19:8F:CC:40:1C

add address=10.160.100.118 client-id=1:b8:27:eb:74:36:41 mac-address=\

B8:27:EB:74:36:41 server=defconf

/ip dhcp-server network

add address=10.160.100.0/24 comment=defconf gateway=10.160.100.1 \

netmask=24

add address=192.168.89.0/24 gateway=192.168.89.1 netmask=24

/ip dns

set allow-remote-requests=yes cache-size=8192KiB

/ip dns static

add address=10.160.100.1 name=router

add address=10.160.100.2 name=Zappa.local

/ip firewall filter

add action=accept chain=input comment="defconf: accept ICMP" protocol=\

icmp

add action=accept chain=input comment=\

"defconf: accept established,related" connection-state=\

established,related

add action=accept chain=input comment="allow l2tp" dst-port=1701 \

protocol=udp

add action=accept chain=input comment="allow pptp" disabled=yes \

dst-port=1723 protocol=tcp

add action=accept chain=input comment="allow sstp" dst-port=443 \

protocol=tcp

add action=accept chain=input comment="Allow ipsec" port=1701,500,4500 \

protocol=udp

add action=accept chain=input comment="Allow Homserver Dynamic DNS" \

dst-port=80,443,4125 protocol=tcp

add action=accept chain=input comment="Accept ping from VPN" \

in-interface=all-ppp log=yes log-prefix=VPN-Ping protocol=icmp

add action=accept chain=forward comment=\

"defconf: accept established,related" connection-state=\

established,related disabled=yes

add action=fasttrack-connection chain=forward comment=\

"defconf: fasttrack" connection-state=established,related disabled=\

yes

add action=drop chain=input comment="Prevent DNS request from WAN" \

dst-port=53 in-interface=ether1 protocol=tcp

add action=drop chain=input dst-port=53 in-interface=ether1 protocol=\

udp

add action=drop chain=forward comment=\

"defconf: drop all from WAN not DSTNATed" connection-nat-state=\

!dstnat connection-state=new in-interface=ether1

add action=drop chain=input comment="defconf: drop all from WAN" \

in-interface=ether1

add action=drop chain=forward comment="defconf: drop invalid" \

connection-state=invalid

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade" \

out-interface=ether1

add action=dst-nat chain=dstnat comment=Homeserver dst-port=443,80,4125 \

in-interface=ether1 protocol=tcp to-addresses=10.160.100.2 \

to-ports=443

add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\

ether1 protocol=tcp to-addresses=10.160.100.2 to-ports=80

add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 \

protocol=tcp to-addresses=10.160.100.2

add action=dst-nat chain=dstnat comment="Plex Server" dst-port=32400 \

protocol=tcp to-addresses=10.160.100.2 to-ports=32400

add action=dst-nat chain=dstnat disabled=yes dst-port=32400 \

in-interface=ether1 protocol=udp to-addresses=10.160.100.2 \

to-ports=32400

add action=dst-nat chain=dstnat comment=VOIP dst-port=5060,5065 \

in-interface=ether1 protocol=udp to-addresses=10.160.100.163 \

to-ports=5060

add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 \

protocol=udp to-addresses=10.160.100.2 to-ports=3389

add action=dst-nat chain=dstnat disabled=yes dst-port=4125 \

in-interface=ether1 protocol=tcp to-addresses=10.160.100.2 \

to-ports=4125

add action=masquerade chain=srcnat comment="masq. vpn traffic" \

disabled=yes src-address=192.168.89.0/24

/ip service

set www-ssl disabled=no

/ip upnp

set allow-disable-external-interface=yes enabled=yes

/ppp secret

add name=vpn profile="Default VPN"

/system clock

set time-zone-name=Europe/London

/system routerboard settings

# Warning: memory not running at default frequency

set memory-frequency=1200DDR

/tool mac-server

set [ find default=yes ] disabled=yes

add interface=ether2-master

/tool mac-server mac-winbox

set [ find default=yes ] disabled=yes

add interface=ether2-master

Hi,

What do you mean by ?

If I put all the traffic through the router the static address addition of \\server.local works but \\server doesn't (I realise this probably shouldn't work) but that Windows address resolves on the network. The 10.160.100.x range can be reached.

Well, i am not sure why is not working to you; i will look over tonight to your config and compare it with mine. Meanwhile i have another quick suggestion:

what if you put vpn pool from same lan network class ?

Change vpn pool from to You should also modify ppp profile, change local ip from 192.168.89.1 to 10.160.100.1.

Any difference ?

kind regards,

That did it. The ppp profile was already 10.160.100.1 in the local IP, so I guess that was the problem. \\server doesn't resolve, but I can live with the IP address.

many thanks for all your help.

I guess that means that the bridge isn't set up properly? Setting the VPN pool in the same subnet as the DHCP pool surely means that there's a problem connecting them up?

Hi,

I guess that means that the bridge isn't set up properly? Setting the VPN pool in the same subnet as the DHCP pool surely means that there's a problem connecting them up?

I am not so sure about that. Maybe we have missed some forwarding rules into firewall or alike. I have noticed some weird rules on nat side but point them later.

That did it. The ppp profile was already 10.160.100.1 in the local IP, so I guess that was the problem. \\server doesn't resolve, but I can live with the IP address.

many thanks for all your help.

Well, "\\server" i am pretty sure that won't ever resolve. I have done some researches on forum, out of curiosity, and seems to be a problem with netbios over PPTP that's why you need locally a dns or wins server. But, please, make one more time test with mikrotik static dns; i have already tested on two different clients and in both cases was working.

Test case:
1. make sure DNS accept remote request AND only from local, not from WAN
a. IP -> DNS -> make sure Allow remote requests is checked b. Block dns requests on WAN i've noticed that you already have it

2. Make sure in your pptp profile DNS is set to local interface ip 3. Make sure or change your DNS static list to "suffixed" names to Now, after you have connected via PPTP and have received an ip from 10.160.100.200-230 range ( if you did not change ) check on your laptop "ipconfig /all" to see if you have received correct pptp ip settings ( ip address: 10.160.100.2XX, netmask: 255.255.255.255, gateway: N/A, dns: 10.160.100.1 ). If so, you could issue command "ipconfig /flushdns " to flush your local dns cache, just in case

Basicaly, at least that i was able to do in my cases, you should be able to:
- ping any device in 10.160.100.0/24 network range
- ping your server by static name: zappa.local ( hit "ping zappa.local" from your laptop and from mikrotik terminal to see if reply )
- access your zappa.local share(s)

Can you confirm that ?

kind regards,

Hi,

Yes, that basically works as advertised. Why the other VPN DHCP range wouldn't talk to my main DHCP range I don't know, but putting then both on the same seems to work fine. Perhaps this is something I will figure out as I learn more.

Thanks again for your help.

Darren.