Allow VPN

Hi, sorry if this is asked already but I want to make sure I am doing this correctly. I did dig up info but just want to confirm.

chain=input protocol=tcp dst-port=1723 action=accept

chain=input protocol=47 action=accept

Based on what I understand, this will allow any user to connect through the router with a VPN connection?

thx

With those 2 rules you are allowing PPTP (port 1723) and GRE (47) protocol into the router; additional config must be configured (pptp server or pptp client…)

It will allow users to connect TO the router.
To connect THROUGH the router you need those rules in the forward chain.

Sorry, I’m still learning. Can you show me the code?

Since I mainly use WinBox, here are the steps…

  1. In the IP->firewall->NAT settings you have to set up a dstnat rule for protocol TCP port 1723, active on your WAN port, having as action dst-nat with the IP of your PPtP server.
  2. In your IP->firewall->filter rules you have to set up a forward rule allowing forward of protocol 47 (gre) with action accept. I use 2 such rules, one for inbound and one for outbound traffic (by specifying the needed input interfaces).
  3. Check that pptp service port is enabled in IP->firewall->service ports.
  4. I think it is necessary that you have a masquerading srcnat rule on your wan interface.

Please note that this is the setup I use to access a PPtP server behind my MikroTik router (on another machine), not the settings needed to run the PPtP server on the router. If you want to run the service on the router, the setup is different.

Check also the topic below:

http://forum.mikrotik.com/t/vpn/55131/1
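
The WinBox steps from the post above, written as RouterOS terminal commands. This is an added example, not part of the original thread; the interface names `ether1` (WAN) and `bridge` (LAN) and the server address `192.168.88.10` are assumptions, and the forward rules are scoped to that one server rather than accepting all GRE.

```routeros
# Assumed values (not from the thread): WAN = ether1, LAN = bridge,
# internal PPTP server = 192.168.88.10. Replace with your own.

# Step 1: dst-nat the PPTP control channel (TCP 1723) arriving on WAN
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1723 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=1723 \
    comment="PPTP control to internal server"

# Step 2: forward GRE (IP protocol 47), one rule per direction,
# limited to the PPTP server's address
/ip firewall filter add chain=forward in-interface=ether1 protocol=gre \
    dst-address=192.168.88.10 action=accept comment="GRE in to PPTP server"
/ip firewall filter add chain=forward in-interface=bridge protocol=gre \
    src-address=192.168.88.10 action=accept comment="GRE out from PPTP server"

# The control channel also crosses the forward chain once it is dst-nat'ed
/ip firewall filter add chain=forward in-interface=ether1 protocol=tcp \
    dst-port=1723 dst-address=192.168.88.10 action=accept \
    comment="PPTP control to internal server"

# Step 3: make sure the PPTP service-port helper is enabled
/ip firewall service-port set pptp disabled=no

# Step 4: masquerade traffic leaving through WAN
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# By contrast, the two rules from the first post sit in chain=input and
# only admit PPTP/GRE addressed to the router itself:
#   chain=input protocol=tcp dst-port=1723 action=accept
#   chain=input protocol=47 action=accept
```

`add` appends each rule to the end of its chain, so if a drop rule already sits above them in the forward chain, move the new accept rules ahead of it.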