751U WiFi for WAN

Greetings,

I am new to MikroTik, but I am not new to networking and have used Astaro, PFSense, etc. in the past.

Basically I want to create a wireless access point, but I want to use WiFi as my WAN connection so multiple wired devices can connect over WAN. I would need a DHCP server for the wired ports as well as a NAT.

Once I get this working I would like to create a VPN client to connect to a VPN server.

Is this possible? Any suggestions on where to start?

It can do everything you need. I would start here.

http://wiki.mikrotik.com/wiki/Main_Page

Thanks!

I got most things to work. It took me a while, but I realized I had two bridges. Once I disabled one, I removed the loop in my topology, and now NAT and everything works great.

Next step is the VPN.

What kind of VPN are you trying to connect to?

What kind of VPN is a great question. I have been able to set up a PPTP client that connects to my Astaro router at home, but I can use any VPN protocol. Below is what I am trying to solve.
[Attached image: Network Diagram.jpg]
I want to use the 751U device to connect multiple wired devices to a public WiFi that uses NAT (school, hotel, hospital, airport, etc.). I got this much to work great. However, I want to be able to remotely access these wired devices from a mobile device (iPad, laptop, etc.). Since I can’t control the public router and set up port forwarding, I figured I would need to set up a VPN server somewhere that is always on. Then both the mobile user and these wired devices using public WiFi can be on the same VPN subnet so that they can all talk together.

I drew a diagram of what I have right now. I imagine I need a VPN client on the iPad/laptop as well as VPN client on the 751U device and a VPN server sitting somewhere publicly in the “cloud.”

What I don’t know is which VPN protocol to use so that the mobile laptop/iPad can see computer A, B, C, and D on the same network.

Any ideas?

Route the different subnets over the pptp connections. Do you know how to do this?

Thanks for the suggestion.

I don’t know how to do this, but I just ran a search and found some good material. I will give it a try. Thanks for pointing me in the right direction.

No problem. Let me know if you get it or need help.

So I thought I could do it on my own, but I am stumped. I have gone back and forth between a lot of setups, but as of right now I have “Router 1” connected to my home server using PPTP. My home network can ping “Router 1”, and both “Computer A” and “Computer B” can ping everything on my home network.

The catch is that “Computer A” and “Computer B” can’t connect to anywhere on the internet. I imagine this is because I need to set up another route, but I can’t seem to be able to talk to the internet and intranet at the same time. When I fix one I break the other, and vice versa.

And changing my original plan a little, I realized I only need to talk with one computer behind each router. So I was thinking port forwarding or using something like a DMZ. Port 80 (or any port for that matter) (connecting from PPTP) I would want to go to the router so I could remotely configure it, and all the other ports I would want to go to a computer behind the MikroTik router. I tried to follow some examples to set up a dstnat and a srcnat, but it didn’t work. They are listed below but disabled.

To be able to ping my internal network I found that I had to enable “arp-proxy” on the “ether2-master-local” interface.

Any help in setting up the DMZ or port forwarding as well as routing to the internet would be greatly appreciated.

/ip interface

[admin@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                             TYPE               MTU L2MTU  MAX-L2MTU
 0  R  wlan1                            wlan              1500  2290
 1  X  ether1-gateway                   ether             1500  1600       4076
 2  R  ether2-master-local              ether             1500  1598       2028
 3  R  ether3-slave-local               ether             1500  1598       2028
 4  R  ether4-slave-local               ether             1500  1598       2028
 5     ether5-slave-local               ether             1500  1598       2028
 6  R  bridge-local                     bridge            1500  1598
 7  R  pptp-out1                        pptp-out          1400

Here are my routes.
xxx.xxx.xxx.xxx - the public IP address of my home network with the PPTP server running
192.168.1.2 - the IP that the currently connected wireless access point is giving out via DHCP. This address and range will change depending on what WiFi network I am connected to.
10.242.1.2 - assigned via the PPTP server
192.168.101.x - the range that my internal network uses
192.168.88.1 - the internal IP of the MikroTik router

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1               1
 1  DS  0.0.0.0/0                          10.242.1.1                1
 2 ADC  10.242.1.1/32      10.242.1.2      pptp-out1                 0
 3 A S  xxx.xxx.xxx.xxx/32                   192.168.1.1               1
 4 ADC  192.168.1.0/24     192.168.1.2     wlan1                     0
 5 ADC  192.168.88.0/24    192.168.88.1    bridge-local              0
 6 A S  192.168.101.0/24                   10.242.1.1                1

And my /ip firewall nat configuration

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=pptp-out1 

 1 X chain=dstnat action=dst-nat to-addresses=192.168.88.250 
     dst-address=10.242.1.2 

 2 X chain=srcnat action=masquerade src-address=192.168.88.250

/ip firewall filter

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=accept protocol=tcp in-interface=pptp-out1 dst-port=80 

 1   ;;; default configuration
     chain=input action=accept protocol=icmp 

 2   ;;; default configuration
     chain=input action=accept connection-state=established 
     in-interface=wlan1 

 3   ;;; default configuration
     chain=input action=accept connection-state=related in-interface=wlan1 

 4   ;;; default configuration
     chain=input action=drop in-interface=wlan1

Phew! I was just able to figure out how to get connected to the internet through the PPTP connection.

I needed to turn on masquerading on my home firewall/VPN server.

Still need to figure out how to configure DMZ/port forwarding however.

This is done in NAT.

Thanks cbrown for not giving up on me.

I tried to follow the examples mentioned in http://www.mikrotik.com/testdocs/ros/2.8/appex/dmz.php and http://wiki.mikrotik.com/wiki/NAT_Tutorial

But I still can’t get it to work.

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=dst-nat to-addresses=192.168.88.250 
     dst-address=10.242.1.2 

 1   chain=srcnat action=src-nat to-addresses=10.242.1.2 
     src-address=192.168.88.250 

 2   ;;; default configuration
     chain=srcnat action=masquerade out-interface=pptp-out1

Am I doing something wrong with the NAT? Am I blocking something with my firewall?

Could you post
/ip firewall export
/ip route print detail
/ip address print detail

Thanks! The information you requested is below.

/ip firewall filter
add action=accept chain=input disabled=no dst-port=80 in-interface=pptp-out1 \
    protocol=tcp
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
    established disabled=no in-interface=wlan1
add action=accept chain=input comment="default configuration" connection-state=\
    related disabled=no in-interface=wlan1
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=wlan1
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=10.242.1.2 \
    to-addresses=192.168.88.250
add action=src-nat chain=srcnat disabled=no src-address=192.168.88.250 \
    to-addresses=10.242.1.2
add action=masquerade chain=srcnat comment="default configuration" disabled=no \
    out-interface=pptp-out1
add action=masquerade chain=srcnat disabled=yes src-address=192.168.88.250
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

[admin@MikroTik] /ip firewall> /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable wlan1 
        distance=1 scope=30 target-scope=10 vrf-interface=wlan1 

 1  DS  dst-address=0.0.0.0/0 gateway=10.242.1.1 gateway-status=10.242.1.1 reachable pptp-out1 
        distance=1 scope=30 target-scope=10 

 2 ADC  dst-address=10.242.1.1/32 pref-src=10.242.1.2 gateway=pptp-out1 
        gateway-status=pptp-out1 reachable distance=0 scope=10 

 3 A S  dst-address=68.173.xxx.xxx/32 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable wlan1 
        distance=1 scope=30 target-scope=10 

 4 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.2 gateway=wlan1 gateway-status=wlan1 reachable 
        distance=0 scope=10 

 5 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge-local 
        gateway-status=bridge-local reachable distance=0 scope=10 

 6 A S  dst-address=192.168.101.0/24 gateway=10.242.1.1 gateway-status=10.242.1.1 reachable pptp-out1 
        distance=1 scope=30 target-scope=10

[admin@MikroTik] /ip firewall> /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     address=192.168.88.1/24 network=192.168.88.0 interface=bridge-local 
     actual-interface=bridge-local 

 1 D address=192.168.1.2/24 network=192.168.1.0 interface=wlan1 actual-interface=wlan1 

 2 D address=10.242.1.2/32 network=10.242.1.1 interface=pptp-out1 actual-interface=pptp-out1

I have tried lots of different nat setups, but still don’t have any luck.

Is it possible to do port forwarding/DMZ setups using the PPTP address? Any ideas what I am missing?
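A worked configuration for the port-forwarding/DMZ part of this thread, added here as an editor's example; it is not taken from any post above and is not the poster's own configuration. It assumes only the names and addresses the poster already listed: pptp-out1 as the PPTP client interface, 10.242.1.2 as the address the PPTP server assigned, 192.168.88.250 as the wired host that should receive everything except TCP/80, and 192.168.101.0/24 as the home network. Two things in the posted rules explain the symptom it addresses: the dst-nat rule matches every packet to 10.242.1.2, so TCP/80 is redirected to the host as well and never reaches the router's own web interface, and because the rule has no in-interface match, LAN-originated traffic to 10.242.1.2 is redirected too. Accepting port 80 in the dstnat chain before the catch-all, restricting both rules to in-interface=pptp-out1, and adding forward-chain rules that admit only the redirected traffic gives the stated split while exposing nothing else over the tunnel.

```routeros
# Added example, not the poster's configuration.
# Assumed names/addresses (all taken from the thread):
#   pptp-out1        - PPTP client interface to the home VPN server
#   10.242.1.2       - address assigned to the 751U by the PPTP server
#   192.168.88.250   - wired host behind the 751U that should receive everything except TCP/80
#   192.168.101.0/24 - home network on the far side of the tunnel

/ip firewall nat
# TCP/80 arriving over the tunnel stays on the router (its own web management).
# In the NAT table, action=accept stops rule processing without translating the packet.
add chain=dstnat in-interface=pptp-out1 dst-address=10.242.1.2 protocol=tcp dst-port=80 \
    action=accept comment="TCP/80 over VPN stays on the router"
# Everything else that arrives over the tunnel for the PPTP address goes to the DMZ host.
# in-interface=pptp-out1 keeps LAN traffic to 10.242.1.2 from being redirected as well.
add chain=dstnat in-interface=pptp-out1 dst-address=10.242.1.2 \
    action=dst-nat to-addresses=192.168.88.250 comment="all other ports over VPN -> DMZ host"
# Outbound traffic from the LAN into the tunnel is masqueraded behind the PPTP address.
# This is the rule the poster already has; listed so the NAT table is complete.
add chain=srcnat out-interface=pptp-out1 action=masquerade comment="default configuration"

/ip firewall filter
# dst-nat runs before the forward chain, so by now the packet is addressed to 192.168.88.250.
# Admit replies to existing flows, then only the redirected traffic, and refuse anything
# else that enters from the tunnel bound for the LAN. LAN -> internet (wlan1) is untouched
# because no rule drops that direction.
add chain=forward connection-state=established,related action=accept \
    comment="existing flows in either direction"
add chain=forward in-interface=pptp-out1 dst-address=192.168.88.250 action=accept \
    comment="forwarded traffic to DMZ host"
add chain=forward in-interface=pptp-out1 action=drop \
    comment="nothing else from the VPN into the LAN"
```

After applying this, `/ip firewall nat print stats` shows per-rule packet counters, which is the quickest way to confirm that a test connection from the home network hits the intended rule rather than the catch-all. If the PPTP server hands out a different address on each connection, replacing dst-address=10.242.1.2 with dst-address-type=local in both dstnat rules keeps them valid without editing them per session.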