Hello!
I’m a novice at MikroTik.
I have a PPTP VPN server running on CentOS, with NAT to the public network, with IP address aaa.bbb.ccc.ddd.
PPTP VPN server IP: 10.0.0.1
PPTP VPN clients IP pool: 10.0.0.10-10.0.0.250
VPN clients can successfully access the server both from private and public networks (the PPTP server is placed in a DMZ). Each PPTP VPN client can ping each other and reach the available resources at any PPTP client. The PPTP server of course can ping and reach any of its clients (if the client is online at that moment).
Each client has its own unique IP linked to a login/password pair on the PPTP server side.
[172.27.135.30][private IP]------[CentOS]----[public IP][ aaa.bbb.ccc.ddd]
So as I already told, there are two types of clients. Some of them are placed in the private network, others in the public one.
Everything was explainable and workable until I bought 2 MikroTik routers. I need to add them to this network infrastructure as PPTP clients. Behind each MikroTik router there will be some resources.
After I bought the 2 MikroTik routers I successfully connected them to the VPN server with new VPN accounts. I checked that IP addresses were assigned to the MikroTik PPTP clients successfully. Then I checked that I can ping these clients from the CentOS machine. (ICMP from 10.0.0.1 to 10.0.0.19 is fine, the same vice versa.)
I added NAT rules to be able to reach some HTTP resources behind the MikroTik PPTP clients, for example:
10.0.0.19:88 → 192.168.88.100:80
10.0.0.19:89 → 192.168.88.101:80
All hosts behind the MikroTik router which are placed in its private network (hosts behind the PPTP client) can reach any PPTP member. For example, my laptop with IP 192.168.88.100 can ping 10.0.0.1 (PPTP server), 10.0.0.10 (PPTP client), 10.0.0.15 (PPTP client) successfully.
The problem is that I cannot maintain the MikroTik PPTP client (10.0.0.19) from another PPTP client (10.0.0.101 or 10.0.0.100 etc.), while it’s possible to reach the MikroTik PPTP client (10.0.0.19) from the PPTP server (10.0.0.1).
When I try to ssh to the MikroTik PPTP client from the PPTP server (10.0.0.1) I see this log:
00:21:17 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.1:38384->10.0.0.19:22, len 60
00:21:18 system,error,critical login failure for user vpn from 10.0.0.1 via ssh
00:21:19 system,info,account user admin logged in from 10.0.0.1 via ssh
At the same time, when I try to do this from 10.0.0.101, I see strange log records:
00:22:48 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61330->10.0.0.19:22, len 64
00:23:07 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61330->10.0.0.19:22, len 48
00:23:23 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61330->10.0.0.19:22, len 48
It seems like MikroTik just drops the packets because it doesn’t know what to do. From the 10.0.0.101 VPN client, after approximately one minute of delay, I can see: ssh: connect to host 10.0.0.19 port 22: operation timed out. The same with web GUI access to the MikroTik PPTP client from another PPTP client.
00:16:11 firewall,info http_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61179->10.0.0.19:80, len 64
00:16:31 firewall,info http_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61179->10.0.0.19:80, len 48
00:16:47 firewall,info http_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61179->10.0.0.19:80, len 48
I tried to add a NAT rule for SSH to NAT packets coming in on the VPN interface to the local IP of the router, and I can see that MikroTik tries to do this:
00:38:15 firewall,info ssh_netmap: dstnat: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61413->10.0.0.19:22, len 48
00:38:15 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61413->192.168.88.1:22, NAT 10.0.0.101:61413->(10.0.0.19:22->192.168.88.1:22), len 48
00:38:17 firewall,info ssh_netmap: dstnat: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61421->10.0.0.19:80, len 48
00:38:17 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61421->192.168.88.1:22, NAT 10.0.0.101:61421->(10.0.0.19:80->192.168.88.1:22), len 48
But again nothing happens. Again on the client side I can see the message that the operation timed out.
I can ping the PPTP server and any connected PPTP client from the MikroTik PPTP client, but I cannot ping the MikroTik from any client. Only the PPTP server receives this honor. I can see in the log that ICMP is coming from 10.0.0.101 successfully:
01:42:32 firewall,info input: in:StrongVPN out:(none), proto ICMP (type 8, code 0), 10.0.0.1->10.0.0.19, len 84
01:50:18 firewall,info input: in:StrongVPN out:(none), proto ICMP (type 8, code 0), 10.0.0.101->10.0.0.19, len 84
The log for ICMP requests is the same, but I can see echo replies at the server (10.0.0.1) and not at the other PPTP client…
I tried to switch off all firewall rules. There is no effect at all.
One more thing: both these MikroTik routers shall be placed behind another router with NAT.
I will be glad of any help and advice!
Regards,
Alexey
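Added example, not part of the original post: a small parser for the RouterOS firewall log lines quoted above. It groups the TCP SYN records by source address, source port and destination, and flags flows whose SYN is repeated from the same source port, which is a retransmit and means the client never received a SYN/ACK. The sample lines are copied from the post; the chain filter and the retransmit threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Pattern for the RouterOS firewall log lines quoted in the post, e.g.
#   00:22:48 firewall,info ssh_access: input: in:StrongVPN out:(none),
#   proto TCP (SYN), 10.0.0.101:61330->10.0.0.19:22, len 64
# The optional log prefix ("ssh_access") and the chain ("input"/"dstnat")
# precede the interface fields; only TCP SYN records are parsed here.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?:(?P<prefix>\S+): )?"
    r"(?P<chain>\w+): in:(?P<in>\S+) out:\((?P<out>[^)]*)\), "
    r"proto TCP \(SYN\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def syn_counts(lines, chain="input"):
    """Count SYNs per (src, sport, dst, dport) seen in one firewall chain.

    Restricting to a single chain avoids counting the same packet twice when
    it is logged by both a dstnat rule and an input rule (the post's NAT test).
    """
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["chain"] == chain:
            counts[(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))] += 1
    return dict(counts)

def unanswered_flows(lines, min_syns=2):
    """Flows whose SYN was resent from the same source port.

    A client only retransmits a SYN from the same port when no SYN/ACK or RST
    came back, so the inbound rule that logged it is not what is dropping the
    connection; the reply path from the router is where to look next.
    """
    return {k: n for k, n in syn_counts(lines).items() if n >= min_syns}

# Sample input: log lines copied from the post (constructed set for the demo).
SAMPLE_LOG = """\
00:21:17 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.1:38384->10.0.0.19:22, len 60
00:22:48 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61330->10.0.0.19:22, len 64
00:23:07 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61330->10.0.0.19:22, len 48
00:23:23 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61330->10.0.0.19:22, len 48
00:16:11 firewall,info http_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61179->10.0.0.19:80, len 64
00:16:31 firewall,info http_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61179->10.0.0.19:80, len 48
00:16:47 firewall,info http_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61179->10.0.0.19:80, len 48
00:38:15 firewall,info ssh_netmap: dstnat: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61413->10.0.0.19:22, len 48
00:38:15 firewall,info ssh_access: input: in:StrongVPN out:(none), proto TCP (SYN), 10.0.0.101:61413->192.168.88.1:22, NAT 10.0.0.101:61413->(10.0.0.19:22->192.168.88.1:22), len 48
""".splitlines()

if __name__ == "__main__":
    for (src, sport, dst, dport), n in unanswered_flows(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {n} SYNs, no reply seen")
```

On the post's own lines the SSH attempt from 10.0.0.1 shows a single SYN followed by a login, while both attempts from 10.0.0.101 show three SYNs from one source port about 16 to 20 seconds apart, which is the retransmit pattern the function reports.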