Connecting to PPTP server, not sure how to route

I use a PPTP VPN to connect to my “workplace” from my Windows PC.
Now, since I got a MikroTik, I figured why do that if I can use the MT built-in VPN client, right? But I have a problem configuring it. I don’t need the VPN to browse the internet. I need the VPN ONLY to access the other network. So, what I have now:

Created PPTP Client interface under PPP. Added credentials info and remote IP. Client connected OK!

Remote network: 192.168.1.0/24, Local network 192.168.33.0/24

Connection established and I see: Local address: 192.168.33.211 and remote address: 192.168.1.180

But I can’t ping or access any network resources on remote network. What should I do?

You have to add a route to your company’s subnet:

/ip route add check-gateway=ping distance=1 dst-address=192.168.1.0/24 gateway=<vpn client interface>


Sent from my iPhone using Tapatalk

Added the gateway as specified but still no luck. Nothing changed: the link is up but I can’t ping anything on that subnet. And I can’t RD to computers, etc.

Did you check that the firewall is not blocking the traffic?


Sent from my iPhone using Tapatalk

Check/create appropriate firewall/NAT rules.

Make sure the reverse route is set as well, i.e., can you ping from any host to 192.168.33.x? A route should be set on the VPN server specifying that to reach 192.168.33.x/24 the gw is 192.168.1.180…

How can I check that? Also, if the link is UP, does it mean all is well? It’s just a routing issue that I need to figure out.

Check/create appropriate firewall/NAT rules.

Sorry, but I put it in the beginner forum because I’m not quite sure what “appropriate firewall/NAT rules” are in this case. As I said, the connection is established and up.

Make sure the reverse route is set as well, i.e., can you ping from any host to 192.168.33.x? A route should be set on the VPN server specifying that to reach 192.168.33.x/24 the gw is 192.168.1.180

Not sure I understand. I don’t have access to VPN server.


Here it is one more time:
My partner gave me VPN access to their system. They set it up on their Windows Server. This is a VPN for clients. So I just go to my Windows computer, create a new “work connection”, etc. The only thing I do on my side (in Windows) is uncheck the “Use remote gateway” check box so I access the internet directly, not via the partner’s network.

Now I figured, why can’t I set up this connection on the MikroTik so I don’t have to connect every time from my PC? 192.168.1.180 is the address THEY give me when connecting via the MikroTik. So, I think all is well as far as connecting. I just need something so all members of my local network can access the far network.

Do you want all computers in your network to be able to access the VPN?

Paste the output of this command from a terminal, editing out sensitive info:

/export

BTW, what happens if you tick “set default route” on your VPN client? Which gateway gets assigned?

Here we go. Hopefully you can decipher all this :)

# jun/04/2015 13:27:03 by RouterOS 6.29.1
# software id = HDBW-JD4V
#
/interface bridge
add admin-mac=4C:5E:0C:D0:82:10 arp=proxy-arp auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
    ether10-slave-local
set [ find default-name=sfp1 ] disabled=yes
/interface pptp-client
add add-default-route=yes connect-to=AA.BB.CC.164 disabled=no mrru=1600 \
    name=pptp-aexp password="6" user=i
/interface gre
add !keepalive local-address=A.B.C.129 name=gre-home remote-address=\
    H.O.M.63
/ip neighbor discovery
set ether1-gateway discover=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.33.101-192.168.33.200
add name=vpn-pool ranges=192.168.33.201-192.168.33.210
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/ppp profile
set [ find name=default ] name=default
set [ find name=default-encryption ] bridge=bridge-local local-address=\
    192.168.33.211 name=default-encryption remote-address=vpn-pool
/queue simple
add burst-limit=3M/3M burst-threshold=3M/3M burst-time=5s/5s disabled=yes \
    limit-at=512k/512k max-limit=3M/3M name=queue-hyper-v-1-host \
    packet-marks=pkt-3M priority=7/7 target=192.168.33.0/24
add burst-limit=3M/3M burst-threshold=2M/3M burst-time=5s/5s disabled=yes \
    limit-at=2M/2M max-limit=3M/3M name=queue-aster packet-marks=pkt-aster \
    priority=4/4 target=192.168.33.0/24
add burst-time=5s/5s disabled=yes limit-at=2M/2M max-limit=5M/20M name=other \
    packet-marks=no-mark target=192.168.33.0/24
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=# use-ipsec=yes
/interface pptp-server server
set authentication=mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.33.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.33.0
add address=A.B.C.130/29 interface=ether1-gateway network=A.B.C.128
add address=A.B.C.131/29 interface=ether1-gateway network=A.B.C.128
add address=A.B.C.129/29 comment="DNS from office.abc.net" interface=\
    ether1-gateway network=A.B.C.128
add address=A.B.C.132/29 interface=ether1-gateway network=A.B.C.128
add address=A.B.C.133/29 interface=ether1-gateway network=A.B.C.128
add address=172.16.1.2/30 comment=gre-home interface=gre-home network=\
    172.16.1.0
/ip dhcp-server lease
add address=192.168.33.5 mac-address=10:BF:48:7B:3B:65
add address=192.168.33.30 mac-address=00:00:00:00:00:30
add address=192.168.33.31 mac-address=00:00:00:00:00:31
add address=192.168.33.32 mac-address=00:00:00:00:00:32
add address=192.168.33.33 mac-address=00:00:00:00:00:33
add address=192.168.33.51 mac-address=00:04:F2:3E:6D:D3
/ip dhcp-server network
add address=192.168.33.0/24 comment="default configuration" dns-server=\
    192.168.33.1 gateway=192.168.33.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.33.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" protocol=ipsec-ah
add chain=input comment="default configuration" connection-state=\
    established,related
add chain=input comment=" - allow L2TP" dst-port=1701,500,4500 protocol=\
    udp
add chain=input comment=" ipsec-esp for L2TP" protocol=ipsec-esp
add chain=input comment=" Winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway log-prefix=DROP1
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
add action=dst-nat chain=dstnat comment="WWW XP" dst-address-type=local \
    dst-port=8080 protocol=tcp to-addresses=192.168.33.30
add action=masquerade chain=srcnat dst-address=192.168.33.30 dst-port=8080 \
    out-interface=bridge-local protocol=tcp src-address=192.168.33.0/24
add action=dst-nat chain=dstnat comment="WWW JIRA" dst-address-type=local \
    dst-port=8081 protocol=tcp to-addresses=192.168.33.33 to-ports=8080
add action=masquerade chain=srcnat dst-address=192.168.33.33 dst-port=8080 \
    out-interface=bridge-local protocol=tcp src-address=192.168.33.0/24
add action=dst-nat chain=dstnat comment=SVN dst-address-type=local dst-port=\
    443 protocol=tcp to-addresses=192.168.33.32
add action=masquerade chain=srcnat dst-address=192.168.33.32 dst-port=443 \
    out-interface=bridge-local protocol=tcp src-address=192.168.33.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
/ip firewall service-port
set sip disabled=yes
/ip route
add distance=1 gateway=A.B.C.134
add check-gateway=ping comment=pptp-aexp disabled=yes distance=1 dst-address=\
    192.168.1.0/24 gateway=pptp-aexp
add distance=1 dst-address=192.168.99.0/24 gateway=172.16.1.1
/lcd
set backlight-timeout=never default-screen=stats
/lcd interface
set sfp1 disabled=yes
set ether2-master-local disabled=yes
set ether3-slave-local disabled=yes
set ether4-slave-local disabled=yes
set ether5-slave-local disabled=yes
set ether6-master-local disabled=yes
set ether7-slave-local disabled=yes
set ether8-slave-local disabled=yes
set ether9-slave-local disabled=yes
set ether10-slave-local disabled=yes
/ppp secret
add name=i password=1 profile=default-encryption
add name=a password=1 profile=default-encryption
add name=s password=1 profile=default-encryption
/system clock
set time-zone-name=America/Chicago
/system logging
add topics=ipsec,l2tp
add topics=firewall
/system ntp client
set enabled=yes primary-ntp=208.68.36.196
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=bridge-local
/tool romon port
add disabled=no
/tool traffic-monitor
add interface=ether1-gateway name=tmon1 threshold=0
add interface=ether1-gateway name=tmon2 threshold=0 traffic=received

Can you paste an /ip route print with the VPN running?

Have you tried pinging the remote network after disabling all masquerade rules (as a quick check)?

Here are the routes:

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          my.pub.ip.134             1
 1  DS  0.0.0.0/0                          192.168.1.180             1
 2 ADC  my.pub.ip.128/29   my.pub.ip.129   ether1-gateway            0
 3 ADC  172.16.1.0/30      172.16.1.2      gre-home                  0
 4 X S  ;;; pptp-aexp
        192.168.1.0/24                     pptp-aexp                 1
 5 ADC  192.168.1.180/32   192.168.33.211  pptp-aexp                 0
 6 ADC  192.168.33.0/24    192.168.33.1    bridge-local              0
 7 ADC  192.168.33.201/32  192.168.33.211  <pptp-alxxxxxxx...        0
 8 ADC  192.168.33.202/32  192.168.33.211  <pptp-alxxxxxxx...        0
 9 ADC  192.168.33.208/32  192.168.33.211  <pptp-sexxxxxxx...        0
10 A S  192.168.99.0/24                    172.16.1.1                1

Routes 1 & 5 (dynamic) show the connection to the VPN I’m talking about.
Route 4 (disabled) is the one I was trying to add per the suggestion above (it didn’t help).

Routes 3 & 10 are the GRE tunnel to my home network.
Routes 7-9 are people connected to this router’s PPTP server.

Right now I can’t disable the NAT rules; it will affect other people on the network.
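The posted export and route print together explain the symptom: the static route for 192.168.1.0/24 via pptp-aexp is disabled (route 4, flag X), the only masquerade rule matches out-interface=ether1-gateway, so LAN packets that do enter the tunnel carry a 192.168.33.x source the partner's server has no route back to, and add-default-route=yes on the client installs a second default route (route 1) that the poster does not want. The following is an added example, not a post from the thread, written against the names in the export; it assumes 192.168.1.1 is some host on the partner network (any host there will do) and that the poster has no way to add a reverse route on the partner's Windows server, which is why the LAN is hidden behind the tunnel address instead. Note that PPTP with MS-CHAPv2/MPPE is widely regarded as broken; nothing here changes that, it only makes the routing work as intended.

```routeros
# Added example (not from the thread): fix plus verification for the pptp-aexp tunnel.
# Assumed value: 192.168.1.1 = some host on the partner network.

# --- 1. Stop the client from installing a default route over the tunnel.
# The "DS 0.0.0.0/0 via 192.168.1.180" line in the route print comes from
# add-default-route=yes. The poster wants internet traffic to stay on ether1-gateway,
# and a second default route at the same distance as the WAN default is one tunnel
# flap away from pulling all outbound traffic through the partner's network.
/interface pptp-client set [ find name=pptp-aexp ] add-default-route=no

# --- 2. Enable the static route for the partner subnet (route 4 in the print, flag X).
/ip route enable [ find dst-address=192.168.1.0/24 gateway=pptp-aexp ]

# --- 3. Hide the LAN behind the tunnel address.
# The only masquerade rule in the export is out-interface=ether1-gateway, so packets
# from 192.168.33.0/24 leave the tunnel with their LAN source address and the
# partner's server has no route back. Masquerading on pptp-aexp makes every LAN host
# appear as 192.168.33.211, which the server already routes to (route 5 in the print).
# Restrict it to the one subnet rather than masquerading whatever else gets routed
# out of the tunnel.
/ip firewall nat add chain=srcnat action=masquerade out-interface=pptp-aexp \
    src-address=192.168.33.0/24 dst-address=192.168.1.0/24 \
    comment="LAN -> partner via pptp-aexp"

# --- 4. Be explicit about who may use the partner's credentials.
# The export's forward chain has no final drop, so once the route is up every host
# behind this router can reach the partner network under one account, including
# users dialled into this router's own PPTP/L2TP server (vpn-pool 192.168.33.201-210,
# which sits INSIDE 192.168.33.0/24, so a src-address match alone would include them).
# Match the wired LAN by in-interface instead, then drop everything else.
# These rules are appended after the existing forward rules; that is fine here, since
# those rules only accept established/related, drop invalid, and drop new-from-WAN,
# none of which matches new LAN -> tunnel traffic.
/ip firewall filter add chain=forward action=accept in-interface=bridge-local \
    out-interface=pptp-aexp comment="LAN -> partner"
/ip firewall filter add chain=forward action=drop out-interface=pptp-aexp \
    comment="nothing else -> partner"

# --- 5. Verify from the router itself.
# Expect flag "A S" and gateway pptp-aexp (it was "X S" in the posted print):
/ip route print where dst-address=192.168.1.0/24
# Which route a packet to the partner host actually takes:
/ip route check 192.168.1.1
# Source = the tunnel's own address: succeeds as soon as routing is right, with no NAT needed.
/ping 192.168.1.1 src-address=192.168.33.211 count=4
# Source = a LAN address: succeeds only with the masquerade above (or a reverse route
# for 192.168.33.0/24 on the partner's server). This is the reverse-route check asked
# about earlier in the thread.
/ping 192.168.1.1 src-address=192.168.33.1 count=4
# Counters should climb on the tunnel masquerade rule while a LAN host pings,
# and stay flat on the forward "drop" rule.
/ip firewall nat print stats where out-interface=pptp-aexp
/ip firewall filter print stats where chain=forward
```

If step 5 works with the tunnel address as source but not with the LAN address, routing is correct and only the NAT (or the missing reverse route on the server) is at fault; if neither works, the route is still wrong or the partner's server is not forwarding for this client at all. The masquerade on pptp-aexp is the only rule added here, so the existing WAN masquerade and the dst-nat rules that serve other users are untouched.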