th0msn
just joined
Topic Author
Posts: 8
Joined: Fri Oct 12, 2007 2:53 pm

setting up a pptp-server (was: how do i configure...)

Fri Oct 12, 2007 3:31 pm

Hello

I want the Mikrotik router to act as a VPN-server (PPTP) for a VPN-Client (a PC). The configuration is:

[PC]----Internet----[DSL-Router]----LAN----[Mikrotik-Router]

That's what I've done so far:
1) I configured Mikrotik to accept incoming PPTP connections.
2) I tested the VPN from inside the LAN and everything works (the VPN is successfully established).
3) I configured the DSL-Router to forward PPTP-Packets to the Mikrotik Router.

Now when I try to access the VPN via the internet (via the public IP address of the DSL-Router), my packet monitor inside the LAN shows that the first PPTP packet (SYN) is correctly forwarded to the Mikrotik Router. But it also shows that Mikrotik is not responding to this SYN packet.
I thought that the Mikrotik firewall might be blocking packets and opened it for all packets. Still it doesn't answer the incoming SYN packet.

How do I have to configure the Mikrotik router to let it respond correctly to a VPN-Client outside the LAN?
Any help would be appreciated.

Thomas
Last edited by th0msn on Tue Oct 16, 2007 4:29 pm, edited 1 time in total.
 
jwcn
Forum Guru
Posts: 1495
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: how do i configure mikrotik to accept incoming pptp-connecti

Sat Oct 13, 2007 6:40 am

Make sure under IP -> firewall -> service ports that PPTP and GRE are enabled.
 
th0msn
just joined
Topic Author
Posts: 8
Joined: Fri Oct 12, 2007 2:53 pm

Re: how do i configure mikrotik to accept incoming pptp-connecti

Sat Oct 13, 2007 7:47 pm

I entered a route definition (IP/Routes):
Destination: Internet IP Address of the calling PC
Pref. Source: LAN IP Address of the Mikrotik-Router
Gateway: LAN IP Address of the DSL-Router

Now it works, so it seems that there was just a kind of default gateway definition missing and the mikrotik router wasn't able to answer incoming requests from outside the LAN. I will look where this definition has to be made so that I can remove the route.

Does the router have a logging function for such errors?
 
th0msn
just joined
Topic Author
Posts: 8
Joined: Fri Oct 12, 2007 2:53 pm

Re: how do i configure mikrotik to accept incoming pptp-connecti

Mon Oct 15, 2007 10:23 am

The internet ip address of the calling pc is dynamic.
Any idea how to configure a gateway address to be used for _any_ ip address that is not inside the address range of eth1-3?

Regards, Thomas
 
th0msn
just joined
Topic Author
Posts: 8
Joined: Fri Oct 12, 2007 2:53 pm

Re: how do i configure mikrotik to accept incoming pptp-connecti

Tue Oct 16, 2007 4:28 pm

I set up a route for "0.0.0.0/0" to the LAN-ip-address of the dsl-router (192.168.3.1/24). Everything's fine so far.


Now I have the problem that ARP doesn't work properly.

If I set up an ARP-entry on a windows client by hand:
arp -s [LAN-IP of the VPN-Client] [MAC-Address of the VPN-Server]
the windows client can talk to the vpn-client (and vice versa).

I tried to create a bridge on the vpn-port of the MT-Router (with option "proxy-arp") but then the whole network (two subnets) broke down because the MT-Router answered on each and every arp-broadcast-request with its own MAC-Address.

How do I have to configure the Router to handle arp requests correctly? (It may only answer arp-requests that are designated to go through the vpn-tunnel and ignore arp-requests from the other subnet B)

I added a picture with the network topology
vpn.jpg
 
neyman
just joined
Posts: 13
Joined: Tue Mar 01, 2005 11:54 am
Location: Central Java

Re: setting up a pptp-server (was: how do i configure...)

Tue Oct 16, 2007 5:33 pm

Correct me if I'm wrong: the easy way to connect to your VPN server through the internet is to have a public IP for your VPN server from your DSL, if possible.
Please confirm with your ISP whether it is possible to get a public IP for your router.

example configuration if you can pref ip public

PC Client -- [192.168.2.1: <internet gw> :ip public] -- [internet] -- [ip public: <DSL> :69.88.x.1/29] -- [69.88.x.2/29: <VPN router> :192.168.3.1] -- workstation

So from the PC client you can dial the VPN router's public IP. Don't forget to route the public IP /29 from the DSL to your router.

Thanks, I hope this can help you.

Sorry for my English :D
 
th0msn
just joined
Topic Author
Posts: 8
Joined: Fri Oct 12, 2007 2:53 pm

Re: setting up a pptp-server (was: how do i configure...)

Tue Oct 16, 2007 6:16 pm

Hi neyman.

What you describe is what I've done. My VPN is established correctly (authentication is ok and the tunnel is up). But if a LAN-member "A" from one side of the Tunnel wants to speak to the VPN-Client on the other side, no data is transmitted because arp-requests are not answered so that they don't know their MAC-addresses. (The MT-Router should tell the LAN-member that the VPN-Client is behind the MAC-Address of the MT-Router)

I could set the interface the exposed LAN is connected to in proxy-arp mode, but then my MT-Router answers _each_ broadcast ARP request with its own MAC address. Then "A" can speak to the VPN-Client, but the second subnet breaks down after a while because the MT-Router answers every ARP request with the router's MAC address although there is no IP route from the MT-Router to the other subnet.

I think I have to set up the MT-Router to just answer arp-requests from within the exposed LAN. Maybe I have to set up a filter rule but I don't know how to do that.

Regards Thomas
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: setting up a pptp-server (was: how do i configure...)

Wed Oct 17, 2007 2:30 pm

Try to set proxy-arp instead of default or enabled on the interface.
 
th0msn
just joined
Topic Author
Posts: 8
Joined: Fri Oct 12, 2007 2:53 pm

Re: setting up a pptp-server (was: how do i configure...)

Wed Oct 17, 2007 4:13 pm

That's what I tried. But the MT-Router then not only answers arp-requests out of the vpn-exposed subnet (192.168.3.0/24) but also answers the arp-broadcast-requests from another subnet connected to the same ethernet port of the MT-Router (on the same wire there are also arp-broadcast-packages from a 192.168.0.0/24 network, see attachment above).
Answering these "foreign" arp-broadcast-requests is bringing the 192.168.0.0/24 network down after a while! :-(

I tried to set up a bridge on the ethernet port, setting it in proxy-arp mode and defining some filter rules. I want the mikrotik-router to drop every arp-package coming from the "foreign" subnet but I could not create a working ruleset until today (I'm a beginner in defining chains, iptables, etc...).

Any suggestions would be appreciated.

Regards, Thomas
 
th0msn
just joined
Topic Author
Posts: 8
Joined: Fri Oct 12, 2007 2:53 pm

Re: setting up a pptp-server (was: how do i configure...)

Wed Oct 17, 2007 5:43 pm

Ok, I tried the following ruleset on my bridge on ethernet port 1:

0 chain=input mac-protocol=arp arp-src-address=192.168.3.0/24 action=accept
1 chain=input mac-protocol=ip action=accept
2 chain=input action=drop

I set the arp mode of the bridge to "proxy-arp". It seems to work now but it would be nice if somebody could take a look whether these rules can produce a bad side effect.

Regards, Thomas
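
An added example, not part of th0msn's post and not MikroTik code: a small Python model of the three rules above, evaluated first-match over constructed frames, to show which traffic addressed to the router each rule admits. The frame fields (`ethertype`, `arp_src`) and the function names are hypothetical, and only the `input` chain is modelled.

```python
import ipaddress

# Bridge filter rules exactly as posted in the thread above.
RULES_TEXT = """\
0 chain=input mac-protocol=arp arp-src-address=192.168.3.0/24 action=accept
1 chain=input mac-protocol=ip action=accept
2 chain=input action=drop
"""
# EtherType numbers behind the mac-protocol names used in the rules.
ETHERTYPES = {"arp": 0x0806, "ip": 0x0800}
# Constructed sample frames (not captured traffic).
FRAMES = {
    "arp from 192.168.3.20": {"ethertype": 0x0806, "arp_src": "192.168.3.20"},
    "arp from 192.168.0.15": {"ethertype": 0x0806, "arp_src": "192.168.0.15"},
    "ipv4 packet": {"ethertype": 0x0800},
    "ipv6 packet": {"ethertype": 0x86DD},
}

def parse_rules(text):
    """Turn each 'N key=value ...' line into a dict of its key/value pairs."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            rule = dict(f.split("=", 1) for f in fields[1:])
            rule["number"] = int(fields[0])
            rules.append(rule)
    return rules

def matches(rule, frame):
    """A rule matches when every condition it lists holds for the frame."""
    proto, net = rule.get("mac-protocol"), rule.get("arp-src-address")
    if proto is not None and ETHERTYPES[proto] != frame["ethertype"]:
        return False
    if net is not None:
        src = frame.get("arp_src")
        return src is not None and ipaddress.ip_address(src) in ipaddress.ip_network(net)
    return True

def evaluate(rules, frame):
    """First matching rule decides; returns (rule number, action)."""
    for rule in rules:
        if matches(rule, frame):
            return rule["number"], rule["action"]
    return None, "accept"  # assumption: unmatched frames pass (never reached here)

def verdicts():
    return {name: evaluate(parse_rules(RULES_TEXT), f) for name, f in FRAMES.items()}

if __name__ == "__main__":
    print(verdicts())
```

In this model everything that is neither ARP sourced from 192.168.3.0/24 nor IPv4 ends at rule 2, and rule 1 accepts IPv4 whatever its source subnet.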
 
MaTpocoB
just joined
Posts: 1
Joined: Tue Jan 15, 2008 11:26 pm

Re: setting up a pptp-server (was: how do i configure...)

Tue Jan 15, 2008 11:30 pm

Hello!

Have the same config and the same problem!!

Is this the final solution for this problem, written by th0msn?

Thank u!
