Hi,
My router is configured as a PPTP client.
I would like to manage it by winbox or http via vpn.
Unfortunately, I cannot configure it for management access through the VPN.
Have a firewall rule to accept input on 8291?
Do you have direct access to the router?
Like a public IP?
Or is it dialing PPTP to you?
My topology:
222.100.222.100------VPN Gateway-----VPN-PPTP-----192.168.100.1--MT PPTP Client--172.16.1.1-----172.16.1.10-PC1
All ports are forwarded from 222.100.222.100 to 192.168.100.1
On MT PPTP Client I turned off firewall for the test
When I try to connect by RDP to PC1 behind the MT PPTP Client it works, but I can’t access the mgmt interface on the MT PPTP Client.
Are you trying to access the IP provided as the PPTP gateway, or another IP on the router? If so, remember to route (both ways).
/ip firewall filter
export
Copy and paste here.
I’m trying to get to the MT via 222.100.222.100
VPN Gateway:
chain=input action=accept dst-address=222.100.222.100
!
chain=srcnat action=src-nat to-addresses=222.100.222.100 src-address=192.168.100.1
chain=dstnat action=dst-nat to-addresses=192.168.100.1 dst-address=222.100.222.100
VPN Client:
chain=input action=accept dst-address=192.168.100.1
!
0 chain=dstnat action=dst-nat to-addresses=172.16.1.10 to-ports=3389 protocol=tcp dst-port=3389
1 chain=dstnat action=dst-nat to-addresses=172.16.1.1 to-ports=22 protocol=tcp dst-port=22
2 chain=dstnat action=dst-nat to-addresses=172.16.1.1 to-ports=80 protocol=tcp dst-port=80
3 chain=dstnat action=dst-nat to-addresses=172.16.1.1 to-ports=8291 protocol=tcp dst-port=8291
4 chain=srcnat action=masquerade
!
DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 S 0.0.0.0/0 pptp-out1 1
1 ADS 0.0.0.0/0 35.65.85.66 0
If I delete the dst-nat to address 172.16.1.1, it still doesn’t work when I try to connect with WinBox.
If you add a src-nat rule at both ends, it should work (but NATed). To route, you need to have a manually set route at both ends that has all IPs in the “routing chain” both ways. PS: are you trying to access from the router, or from a device behind the router? To access from a device behind it, you also need the subnet mask set in NAT (and routing), and a correct gateway to this “device”. PS! Paste the routing info from both VPN boxes, so it’s possible to “read your routing”.
It’s also easier to route etc. using L2TP instead of PPTP. Here you set the routing option in the profile and don’t have to hassle with static routes.
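The two options from the last reply (NAT at both ends, or a static return route), written out as RouterOS commands for the topology in this thread. This is an added example, not configuration posted by anyone in the thread; `<gateway-tunnel-if>` and `<admin-src-net>` are placeholders for values the thread does not give, and `pptp-out1` is the interface name from the route listing above.

```routeros
# Added example. Replace every <placeholder> before use; these values
# are not stated anywhere in the thread.

# ---- On the VPN Gateway: option A, NATed access ----
# Source-NAT the forwarded management traffic as it enters the tunnel,
# so the MT PPTP Client sees the gateway's tunnel address as the source
# and sends its replies back through the tunnel.
/ip firewall nat add chain=srcnat action=masquerade protocol=tcp \
    dst-address=192.168.100.1 dst-port=8291,80 \
    out-interface=<gateway-tunnel-if> \
    comment="mgmt to MT PPTP client, NATed into tunnel"

# ---- On the MT PPTP Client ----
# Accept WinBox (8291) and HTTP (80) only when they arrive over the
# PPTP interface. This rule must sit above any drop rule in chain=input
# once the firewall is switched back on after testing.
/ip firewall filter add chain=input action=accept protocol=tcp \
    dst-port=8291,80 in-interface=pptp-out1 \
    comment="router management via VPN only"

# ---- On the MT PPTP Client: option B, routed access (no NAT) ----
# If the gateway does not source-NAT, the client needs a return route
# to the network the administrator connects from, via the tunnel.
/ip route add dst-address=<admin-src-net> gateway=pptp-out1 \
    comment="return path for management traffic"

# Check which path replies take: the route listing earlier in the thread
# shows two 0.0.0.0/0 entries, and only one of them is active.
/ip route print where dst-address=0.0.0.0/0
```

With option A the dst-nat rules for ports 22, 80 and 8291 to 172.16.1.1 on the client are not needed for reaching the router itself, since traffic addressed to 192.168.100.1 already lands in the client's input chain.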