Assistance getting my pptp clients accessible.

I have a server set up with 3 client (750s) connections. I am assigning IPs to the clients from the existing IP pool I use on my LAN. Each client responds to pings and keeps its session active. I have allowed port 1726 and the GRE protocol through the client firewalls.
What can I be missing?
The server is running Hotspot, but the clients are straightforward basic NAT routers.

It is unclear from your post what specific issues you are experiencing. I’m also unclear on your network layout and how a Hotspot comes into it, and what you’re trying to achieve.


That said, PPTP consists of GRE for data and port tcp/1723 for control, not 1726 as you are referencing in your post.

Fewi
Thank you for replying.
Network layout is as follows:
My PC–>450G–>Internet–>cable modem–>750–>remote lan

What I am trying to accomplish is vpn access to winbox on the 750 and the network devices behind it. At present, the 750 pptp IP is pingable and registers its VPN connection but stops short of allowing me to do the above.
The 1726 is a typo. I am using 1723.
Thanks again.

Still not quite enough detail, but here are some ideas: by PPTP IP, do you mean a private IP address on the 750? In that case, in decreasing order of likelihood, look at IP > Services, the IP firewall, and NAT. If you can ping the management IP address you're trying to use Winbox against, traffic is flowing, so either a firewall or access list is blocking it, or NAT is causing ICMP to be treated differently from Winbox traffic. You say you also want to reach network equipment behind the 750 - do the routers have routes to each other's subnets via the PPTP tunnel interface? If not, you can only reach the other tunnel interface, but nothing behind it.

If you need more specific help, post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, “/ip firewall export”, “/ppp export”, and “/ip services print detail” from both routers. You may want to edit secret information out of the PPP section.

Now that Xmas is behind me, I can get back to a solution for this.
I set up another 750 with its own account, scenicd. The configs indicate that it is in session with the server.
I am poring over this detail for oddities.
To answer your questions, Fewi: I plan on adding mappings for devices behind the router once I have access to its config via the VPN. By PPTP IP, I mean the IP that the client is receiving from the server IP pool. With the VPN operational, I should be able to pop that into Winbox on my home LAN and open the router interface or terminal into it. What I may do next, to test your ICMP idea, is drop the firewall entirely on the client and see what happens.
Client router (750, 4.11) on PPTP account scenicd

/ip address print detail

0 ;;; default configuration
address=192.168.5.1/24 network=192.168.5.0 broadcast=192.168.5.255
interface=ether2-local-master actual-interface=ether2-local-master

1 D address=173.22.125.40/21 network=173.22.120.0 broadcast=173.22.127.255
interface=ether1-gateway actual-interface=ether1-gateway

2 D address=10.0.0.165/32 network=10.0.0.1 broadcast=0.0.0.0 interface=pptp-out1
actual-interface=pptp-out1

/ip route print detail

0 ADS dst-address=0.0.0.0/0 gateway=173.22.120.1
gateway-status=173.22.120.1 reachable ether1-gateway distance=1 scope=30
target-scope=10

1 ADC dst-address=10.0.0.1/32 pref-src=10.0.0.165 gateway=pptp-out1
gateway-status=pptp-out1 reachable distance=0 scope=10

2 ADC dst-address=173.22.120.0/21 pref-src=173.22.125.40 gateway=ether1-gateway
gateway-status=ether1-gateway reachable distance=0 scope=10

3 ADC dst-address=192.168.5.0/24 pref-src=192.168.5.1 gateway=ether2-local-master
gateway-status=ether2-local-master reachable distance=0 scope=10

/interface print

NAME TYPE MTU L2MTU

0 R ether1-gateway ether 1500 1526
1 R ether2-local-master ether 1500 1524
2 ether3-local-slave ether 1500 1524
3 R ether4-local-slave ether 1500 1524
4 ether5-local-slave ether 1500 1524
5 R pptp-out1

/ip firewall export

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s
tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=
icmp
add action=accept chain=input comment="default configuration" connection-state=
established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related
disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no in-interface=
ether1-gateway
add action=drop chain=forward comment="p2p filter" disabled=no p2p=all-p2p
add action=drop chain=forward comment="p2p user" disabled=no src-mac-address=
0C:EE:E6:DA:E6:E2
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no
out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="port forward for D North side" disabled=no
dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.5.2
to-ports=8080
add action=dst-nat chain=dstnat comment="port forward for D South side" disabled=no
dst-port=8081 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.5.3
to-ports=8081
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

/ppp export

/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default
use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=default comment="" name=default-encryption
only-one=default use-compression=default use-encryption=yes use-vj-compression=
default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no

/ip service print detail

Flags: X - disabled, I - invalid
0 X name="telnet" port=23 address=0.0.0.0/0

1 X name="ftp" port=21 address=0.0.0.0/0

2 name="www" port=80 address=0.0.0.0/0

3 X name="ssh" port=22 address=0.0.0.0/0

4 X name="www-ssl" port=443 address=0.0.0.0/0 certificate=none

5 X name="api" port=8728 address=0.0.0.0/0

6 name="winbox" port=8291 address=0.0.0.0/0

Server router (450G, 4.11)

/ip address print detail

0 address=10.0.0.1/24 network=10.0.0.0 broadcast=10.0.0.255 interface=lan
actual-interface=lan

1 address=10.10.10.1/32 network=10.10.10.1 broadcast=10.10.10.1
interface=bridge1 actual-interface=bridge1

2 D address=xxx.xxx.109.202/32 network=xxx.xxx.179.166 broadcast=0.0.0.0
interface=pppoe-out1 actual-interface=pppoe-out1

3 D address=10.0.0.5/32 network=10.0.0.158 broadcast=0.0.0.0 interface=
actual-interface=

4 D address=10.0.0.5/32 network=10.0.0.159 broadcast=0.0.0.0
interface= actual-interface=

5 D address=10.0.0.5/32 network=10.0.0.160 broadcast=0.0.0.0
interface= actual-interface=

6 D address=10.0.0.1/32 network=10.0.0.165 broadcast=0.0.0.0
interface= actual-interface=

/ip route print detail


0 ADS dst-address=0.0.0.0/0 gateway=69.29.179.166
gateway-status=69.29.179.166 reachable pppoe-out1 distance=1 scope=30
target-scope=10

1 ADC dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=lan
gateway-status=lan reachable distance=0 scope=10

2 ADC dst-address=10.0.0.158/32 pref-src=10.0.0.5 gateway=
gateway-status= reachable distance=0 scope=10

3 ADC dst-address=10.0.0.159/32 pref-src=10.0.0.5 gateway=
gateway-status= reachable distance=0 scope=10

4 ADC dst-address=10.0.0.160/32 pref-src=10.0.0.5 gateway=
gateway-status= reachable distance=0 scope=10

5 ADC dst-address=10.0.0.165/32 pref-src=10.0.0.1 gateway=
gateway-status= reachable distance=0 scope=10

6 ADC dst-address=10.10.10.1/32 pref-src=10.10.10.1 gateway=bridge1
gateway-status=bridge1 reachable distance=0 scope=10

7 ADC dst-address=xxx.xxx.179.166/32 pref-src=xxx.xxx.109.202 gateway=pppoe-out1
gateway-status=pppoe-out1 reachable distance=0 scope=10

/interface print

NAME TYPE MTU L2MTU

0 R wan ether 1500 1524
1 R lan ether 1500 1524
2 lan2 ether 1500 1524
3 X ether4 ether 1500
4 X ether5 ether 1500
5 R bridge1 bridge 1500 65535
6 R pppoe-out1 pppoe-out 1480
7 X pptp-bridge bridge 1500
8 DR pptp-in 1460
9 DR pptp-in 1460
10 DR pptp-in 1460
11 DR pptp-in 1460

/ip firewall export


/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
disabled=yes src-address=10.10.10.1
add action=accept chain=input comment="Accept established connections"
connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections"
connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" connection-state=
invalid disabled=yes
add action=accept chain=input comment=udp disabled=no protocol=udp
add action=accept chain=input comment="allow limited pings" disabled=no limit=
50,1 protocol=icmp
add action=accept chain=input comment="from my lan" disabled=no in-interface=lan
src-address=10.0.0.0/24
add action=accept chain=input comment="" disabled=yes dst-address=10.10.10.0/24
in-interface=lan protocol=tcp src-address=20.20.20.0/24
add action=log chain=input comment="Log everything else" disabled=no log-prefix=
"Drop Input"
add action=drop chain=input comment="drop excessive pings" disabled=yes protocol=
icmp
add action=drop chain=input comment="Drop everything else" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=
no out-interface=pppoe-out1 src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8080
in-interface=pppoe-out1 protocol=tcp to-addresses=10.0.0.157 to-ports=8080
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=9443
in-interface=pppoe-out1 protocol=tcp to-addresses=10.0.0.157 to-ports=9443
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

/ppp export


/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default
use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=default comment="" local-address=10.0.0.1
name=default-encryption only-one=default remote-address=dhcp_pool2
use-compression=default use-encryption=yes use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=
ppp1 password=xxxxxxxx profile=default-encryption routes="" service=pptp
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=
scenicd password=xxxxxxx profile=default-encryption routes="" service=
pptp

/ip service print detail

0 X name="telnet" port=23 address=0.0.0.0/0

1 X name="ftp" port=21 address=0.0.0.0/0

2 name="www" port=80 address=0.0.0.0/0

3 X name="ssh" port=22 address=0.0.0.0/0

4 name="www-ssl" port=443 address=0.0.0.0/0 certificate=cert1

5 X name="api" port=8728 address=0.0.0.0/0

6 name="winbox" port=8291 address=0.0.0.0/0

If you're trying to Winbox into the server 750 from the client 750, you're simply blocking that with your firewall rules.

Add

/ip firewall filter
add chain=input in-interface=<pptp-scenicd> action=accept

and move it just below this rule:

add action=accept chain=input comment="from my lan" disabled=no in-interface=lan 
src-address=10.0.0.0/24

The Winbox traffic is destined to the router itself, so it goes through the input chain. The server firewall only allows established, related, UDP, rate-limited ping, and traffic from 10.0.0.0/24. Winbox traffic via the PPTP interface doesn't match any of that, and is dropped. Since you log all other traffic, you should be seeing it dropped in the log, by the way. Some of your other firewall rules don't make a lot of sense - why drop ICMP specifically just before you drop everything? That's redundant.
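The configuration shape Fewi describes in this reply and in his earlier one (an input-chain accept on the server's PPTP interface, placed right after the "from my lan" rule, plus routes on both routers to each other's LAN via the tunnel) is written out below as an added example; it is not from the thread or from either poster. It uses the addresses in the posted configs (server LAN 10.0.0.0/24 behind the 450G, client LAN 192.168.5.0/24 behind the scenicd 750, client tunnel interface pptp-out1). The server-side interface name pptp-scenicd is an assumption: it is created by the static binding in the first stanza so that rules and routes can refer to a fixed name instead of a dynamic pptp-in entry.

```routeros
# Added example, not the thread's own config. Assumes the server LAN is
# 10.0.0.0/24 (450G, interface "lan") and the client LAN is 192.168.5.0/24
# (scenicd 750, tunnel interface pptp-out1), as in the posted dumps.

# ---------- server (450G) ----------
# Static binding: the scenicd session always comes up as "pptp-scenicd"
# (assumed name) rather than one of the dynamic "pptp-in" interfaces.
/interface pptp-server
add name=pptp-scenicd user=scenicd

# Let Winbox (tcp/8291, per /ip service) in over that tunnel. place-before
# puts the rule ahead of "Log everything else", i.e. directly after the
# "from my lan" accept, so the traffic stops showing up as "Drop Input".
/ip firewall filter
add chain=input in-interface=pptp-scenicd protocol=tcp dst-port=8291 \
    action=accept comment="winbox from scenicd tunnel" \
    place-before=[find comment="Log everything else"]

# Route the client's LAN through the tunnel. Without this only the tunnel
# endpoint itself is reachable, not the devices behind the 750.
/ip route
add dst-address=192.168.5.0/24 gateway=pptp-scenicd comment="scenicd LAN via VPN"

# ---------- client (scenicd 750) ----------
# Mirror route back to the server LAN via the client-side tunnel interface.
/ip route
add dst-address=10.0.0.0/24 gateway=pptp-out1 comment="450G LAN via VPN"

# Accept Winbox arriving over the tunnel. The posted client rules only drop
# input on ether1-gateway, so this is explicit rather than strictly required.
/ip firewall filter
add chain=input in-interface=pptp-out1 protocol=tcp dst-port=8291 \
    action=accept comment="winbox from VPN"

# ---------- checks, run on the server ----------
# pptp-scenicd should carry the R (running) flag while scenicd is connected
/interface pptp-server print
# the new accept rule's packet counter should climb when Winbox connects
/ip firewall filter print stats
# "Drop Input" entries for tcp/8291 from the tunnel should stop appearing
/log print where message~"Drop Input"
# confirm the LAN route points at the tunnel, not at the default gateway
/ip route print where dst-address=192.168.5.0/24
```

One caveat the posted configs raise: the scenicd client receives 10.0.0.165, an address inside the server's own LAN subnet. The server router can reach that address over the tunnel via its dynamic /32 route, but hosts on the 10.0.0.0/24 LAN will ARP for it on the wire, and RouterOS only answers on their behalf if proxy-arp is enabled on the lan interface. Giving the tunnel endpoints a subnet of their own, as the thread's final post does with 172.16.1.x, avoids that dependency.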

Appreciate your input, Fewi.
No, it's the other way around. I am trying to get to the client from any network via the VPN. I can access the server router (450G) with no trouble over the VPN from anywhere. It's getting to the clients (scenicd) that is not functional, even from the home LAN where the server resides.
Could I add that rule to the scenicd router's firewall, for the server?

/ip firewall filter
add chain=input in-interface=<pptp-out1> action=accept

The ICMP rule is disabled. I forget why I even had it in there. Same for the "drop everything else" rule; it caused problems with my Hotspot at one point.

I don’t see anything blocking access in that direction, sorry.

Okay, Fewi.
Any other encrypted access method you'd suggest? I have set up an L2TP server and client on this link with the same results. I'm going to drop the firewall and rebuild it piece by piece to hopefully identify what's blocking Winbox.

That’s probably the best approach. Sorry I couldn’t help more - read through it again and I don’t see where in your ruleset you’d be dropping this traffic.

Well,
I had not had the chance to get over to the remote site and play with the firewall, so I sat around last night just throwing a few things at the issue and found a way in. However, I'm not sure if it's the most secure way of using PPTP.
Here is how I went about it.
I set up secrets for each location, in this case "lofts", and added static local and remote addresses and a default route.

/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    local-address=172.16.1.1 name=lofts password=xxxxxxxxxxxx profile=\
    default-encryption remote-address=172.16.1.100 routes=\
    "10.0.0.0/24 172.16.1.100 1" service=pptp

Upon doing this, I found that I could still ping and all is connected, but I still could not reach Winbox via the static local address I set. I could, however, reach Winbox via the public IP that was showing in the caller ID when it connected, something I could not do before.
Thinking this odd, I checked the connections section under the firewall and noticed that GRE and PPTP connections were being assured between the two public IPs:

 9 SA gre      99.xxx.xxx.xxx         216.xxx.xxx.xxx
23 SA tcp      99.xxx.xxx.xxx:50600   216.xxx.xxx.xxx:1723     established

The question is, is this right? While this is what I am looking to do, obtain access to the remote routers, is this correctly VPN'd between the server and client tunnels?