750Gr3 Private Internet Access PPTP

Hello MikroTik forum,

I have a relatively simple request; I want to configure my MikroTik 750Gr3 to work with the Private Internet Access (PIA) VPN service using PPTP. Now, luckily for me, PIA has a guide, which I have followed here: https://www.privateinternetaccess.com/helpdesk/guides/other-hardware/mikrotik/mikrotik-pptp-2. However, the problem I have is that when I create a new route (Step 8) and complete the setup of the PIA PPTP connection, I find I am unable to connect to the internet, as I receive the following error message in my choice of web browser:

What is strange, is that I am still “connected” to the internet but I cannot actually connect to any website.

Now, before I made this thread, I followed a few other guides from PIA’s competitors from scratch, https://support.hidemyass.com/hc/en-us/articles/204558497-Mikrotik-Client-Setup and https://nordvpn.com/tutorials/mikrotik/pptp/; however, I still get the same problem, where it seems that when I set the new route up things fall apart.

For reference this is what my Route List looks like:

Regarding my router configuration, the only thing I have done outside of the basics is implement basic router security practices that were covered in this video:
https://www.youtube.com/watch?v=IAmUTuStZlE

Thanks for the help everyone.

My config below:

# nov/29/2018 20:04:51 by RouterOS 6.43.4
# software id = W6VX-6J1G
#
# model = RouterBOARD 750G r3
# serial number = XXXXX
/interface bridge
add admin-mac=XXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-WAP speed=100Mbps
set [ find default-name=ether3 ] name=ether3-Homelab speed=100Mbps
set [ find default-name=ether4 ] name=ether4-Homelab speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pptp-client
add add-default-route=yes connect-to=XXXX.privateinternetaccess.com \
    dial-on-demand=yes disabled=no name=PPTP-PIA password=XXXXX user=XXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-WAP
add bridge=bridge comment=defconf interface=ether3-Homelab
add bridge=bridge comment=defconf interface=ether4-Homelab
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=strict
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-Gateway list=WAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=ether2-WAP network=10.0.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no \
    interface=ether1-Gateway
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=209.222.18.222,209.222.18.218
/ip dns static
add address=10.0.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input \
    comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward \
    comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward \
    comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="DROP SSH" dst-port=22 \
    in-interface=ether1-Gateway protocol=tcp
add action=drop chain=input comment="DROP WINBOX" dst-port=8291 \
    in-interface=ether1-Gateway protocol=tcp
add action=drop chain=input comment="DROP DNS" dst-port=53 \
    in-interface=ether1-Gateway protocol=udp
add action=drop chain=input comment="DROP DNS" dst-port=53 \
    in-interface=ether1-Gateway protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark="PIA PPTP MARK" \
    passthrough=yes src-address=10.0.0.2-10.0.0.254
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=masquerade chain=srcnat out-interface=PPTP-PIA
/ip route
add disabled=yes distance=1 gateway=PPTP-PIA routing-mark="PIA PPTP MARK"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Edmonton
/system ntp client
set enabled=yes primary-ntp=74.82.59.150 secondary-ntp=199.180.133.100 \
    server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system resource irq rps
set ether1-Gateway disabled=no
set ether2-WAP disabled=no
set ether3-Homelab disabled=no
set ether4-Homelab disabled=no
set ether5 disabled=no
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Your PPTP client is creating its own route, which is not helping:

/interface pptp-client
add add-default-route=yes connect-to=XXXX.privateinternetaccess.com \
dial-on-demand=yes disabled=no name=PPTP-PIA password=XXXXX user=\
XXXXX

It should be:

/interface pptp-client
add add-default-route=no connect-to=XXXX.privateinternetaccess.com \
dial-on-demand=yes disabled=no name=PPTP-PIA password=XXXXX user=\
XXXXX

I would be inclined to add the routing-mark matcher to your NAT rule for the PPTP as well, just to be sure it only NATs traffic that is supposed to be NAT’d.

Thanks for the reply Steve.

Your PPTP client is creating its own route, which is not helping

I turned that off; however, that did not resolve my connection problems.

If you look at the image below, as soon as I turn off the PPTP-PIA route, obviously I am able to connect to the internet just fine:

Regarding the “routing-mark matcher”, did I turn it on properly in the image below?

Now, is it possible that how I configured my Mangle Rule is causing all the problems? My home network is 10.0.0.0/24 and my router’s IP address is 10.0.0.1, therefore I wanted all IPs, besides my router’s, to go through the PIA VPN. Edit: I changed my Mangle Rule range to 10.0.0.10 to 10.0.0.254, as I do not want my home lab and WAP to go through the VPN.

Hi

If you want to route all (0.0.0.0/0) over the VPN, I would suggest working with routing priorities instead of changing every packet.

So your PIA route would be distance, say, 10, with/without ping check,
and your normal route would have a distance of e.g. 20.

edit: corrected for terminology: priority → distance

Now that you mention it I should exclude my home WAP and my home Lab from using the VPN so my Mangle Rule should cover the addresses of 10.0.0.10-10.0.0.254 (which is my DHCP range as well).

That can still be done in routing: see /ip route rule. Based on source IP, give preference to lookup in a “vpn” table…
(And no need to mangle. That will save you quite a bit of CPU.)

Here’s what I use to route a set of IPs through a VPN. You just need to change the login and network details to yours.
Btw, I wouldn’t route ALL your traffic through a VPN, as a lot of sites don’t work well with them and it adds some latency.

/interface pptp-client
add allow=mschap2 connect-to=vpn.com disabled=no name=vpn password=vpnpass user=vpnuser

/ip firewall mangle
add action=mark-routing chain=prerouting comment=vpn-rt new-routing-mark=vpn-rt passthrough=no src-address=192.168.1.30-192.168.1.39

/ip route
add distance=1 gateway=vpn routing-mark=vpn-rt

/ip firewall nat
add action=masquerade chain=srcnat comment=vpn out-interface=vpn
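The route-rule approach suggested earlier in the thread (selecting a table by source address instead of marking every packet in mangle) and the routing-mark matcher on the NAT rule from the first reply, put together for the original poster's addressing. This is an added example, not configuration from the thread, from PIA, or from MikroTik documentation; it assumes RouterOS v6 syntax as in the posted export, the interface name PPTP-PIA, the 10.0.0.0/24 LAN with .10-.254 as the VPN range, and a table name "vpn". dial-on-demand is left out so the tunnel stays up.

```routeros
# Added example: policy routing via /ip route rule, no mangle rules.
# Names PPTP-PIA, "vpn" and the 10.0.0.x ranges are taken from the thread;
# XXXXX placeholders stand for the real PIA hostname and credentials.

# 1. The tunnel must not install its own default route (the thread's first fix);
#    the VPN default route lives in a named table instead.
/interface pptp-client
add add-default-route=no connect-to=XXXX.privateinternetaccess.com \
    disabled=no name=PPTP-PIA password=XXXXX user=XXXXX

# 2. Default route that exists only in the "vpn" table.
/ip route
add comment="default via PIA (vpn table)" distance=1 gateway=PPTP-PIA \
    routing-mark=vpn

# 3. Route rules pick the table by source prefix. /ip route rule matches
#    prefixes, so the range 10.0.0.10-10.0.0.254 is written as aligned blocks
#    (.255 is broadcast; .1-.9, i.e. router, WAP and homelab, stay in main).
#    action=lookup-only-in-table fails closed: when the tunnel is down these
#    hosts get no route at all instead of silently leaking out via the ISP,
#    which is what action=lookup would do.
/ip route rule
add src-address=10.0.0.10/31  action=lookup-only-in-table table=vpn
add src-address=10.0.0.12/30  action=lookup-only-in-table table=vpn
add src-address=10.0.0.16/28  action=lookup-only-in-table table=vpn
add src-address=10.0.0.32/27  action=lookup-only-in-table table=vpn
add src-address=10.0.0.64/26  action=lookup-only-in-table table=vpn
add src-address=10.0.0.128/25 action=lookup-only-in-table table=vpn

# 4. Masquerade only traffic the vpn table routed, and only on the tunnel.
/ip firewall nat
add action=masquerade chain=srcnat comment="PIA masquerade" \
    out-interface=PPTP-PIA routing-mark=vpn

# 5. The posted config has rp-filter=strict. Strict reverse-path filtering
#    checks the return packet's source against the main table, whose route to
#    the Internet is ether1-Gateway, so replies arriving on PPTP-PIA are
#    dropped. loose still rejects sources with no route at all but tolerates
#    multiple routing tables.
/ip settings
set rp-filter=loose
```

Two things to check after pasting this on a test box: `/ip route print detail` should show the PPTP default route with routing-mark vpn as active once the tunnel is up, and a host in the .10-.254 range should lose Internet entirely (not fall back to the ISP) when the tunnel is disabled, which confirms the fail-closed rule is doing its job. Note that DNS queries the router itself sends on behalf of LAN clients originate from the router and use the main table, so with the posted `/ip dns` and dstnat redirect rules those lookups go out via the ISP, not the tunnel.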

Thanks for the commands. I just tried this and my VPN still does not work.

I contacted PIA and they are helping me with this problem as well.

Right now I have no clue why my VPN is not working with my router so what I am going to do is reset my router’s configuration from scratch and see if that helps.

Well that was painful…

I ended up completely resetting my router’s configuration then followed PIA’s steps and it worked!

Something that I followed in those “router” hardening videos broke VPN functionality on my router.

The bad news now is that when I turn on the VPN my internet speeds collapse to the point where the internet is unusable, but this is a problem with PIA, not MikroTik, unless someone else has some insight. When I run the PIA client on my PC I do not suffer from this issue.

No VPN:

With VPN: