DMZ and PPTP server

Hello everybody, I have a small problem. I have a web server and an FTP server behind the MikroTik, which is why I configured my MikroTik to pass ports 80 and 21 to my server as destination NAT.
So my problem is that when I configure the PPTP server, it does not work until I remove the destination NAT; when I remove these 2 rules, my VPN works correctly.

/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat to-addresses=192.168.0.109
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat to-addresses=10.5.8.200

Please, how can I solve this problem?

You haven’t specified TCP ports 80 & 21 in these NAT rules so they’re natting all traffic.

Kind regards

Andrew
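
Added example (not part of the original thread or any poster's configuration): a small Python model of first-match dst-nat evaluation, showing why the rule posted above without protocol and port also captures PPTP control (TCP 1723) and GRE tunnel traffic, while port-scoped rules leave both for the router. It assumes 10.5.8.200 is the router address the PPTP client dials; the rule dictionaries and sample packets are constructed.

```python
# Constructed model of first-match dst-nat evaluation; this is not RouterOS code.
GRE, TCP = "gre", "tcp"

# Two dstnat variants: the rule as posted (no protocol/port) and a
# port-scoped pair for the web and FTP server. Addresses are from the thread.
UNSCOPED = [{"dst": "10.5.8.200", "to": "192.168.0.109"}]
SCOPED = [
    {"dst": "10.5.8.200", "proto": TCP, "port": 80, "to": "192.168.0.109"},
    {"dst": "10.5.8.200", "proto": TCP, "port": 21, "to": "192.168.0.109"},
]

def rule_matches(rule, pkt):
    """A matcher that is absent from the rule matches every packet."""
    if rule["dst"] != pkt["dst"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "port" in rule and rule["port"] != pkt.get("port"):
        return False
    return True

def deliver(rules, pkt):
    """Return the address that receives pkt after dst-nat (first match wins)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["to"]
    return pkt["dst"]  # no rule matched: the packet reaches the router itself

# Constructed sample packets addressed to the router (assumed to be 10.5.8.200).
PACKETS = {
    "http": {"dst": "10.5.8.200", "proto": TCP, "port": 80},
    "ftp": {"dst": "10.5.8.200", "proto": TCP, "port": 21},
    "pptp-control": {"dst": "10.5.8.200", "proto": TCP, "port": 1723},
    "pptp-gre": {"dst": "10.5.8.200", "proto": GRE},  # GRE carries no port
}

def report(rules):
    """Map each sample packet name to the host that ends up receiving it."""
    return {name: deliver(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(label, report(rules))
```
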

Well, thanks. I have specified the ports and the problem remains. My MT version is 2.9, and I read on some sites that we cannot do it together.

"PPTP connections may be limited or impossible to setup though a masqueraded/NAT "
from this link http://yoyok.wordpress.com/2007/08/21/tutorial-mikrotik-vpn-point-to-point-tunnel-protocol-pptp/

Is there any way to do it? Please help me.

Thanks a lot.

tailakh, it’s not your case. You do not NAT the PPTP connection.

Well, today I am trying to connect to my office through PPTP and it just did not log me on. It gave me a message "verifying user name and password", then gave me Error 619.
By the way, I tested it from inside my network and it works correctly, but it does not work from outside.

Did you test it from outside from different machines? When our Windows users face error 619, we suggest starting the Windows Firewall service - and it works =)

Well, thanks for the reply.

I will explain my configuration now.

I have two Ethernet interfaces ( Int, Ext )

Int configuration
ip : 10.10.10.1 ( add ip address=10.10.10.1/24 interface Int )

Ext configuration ( my static ip )
ip : 212.175.52.186 ( add ip address=212.175.54.186/30 interface Ext )

Then I specified my gateway
Gateway : 212.175.54.185 ( ip route> add gateway=212.175.54.185 )

Then I configured it as a masquerading NAT
ip firewall nat> add chain=srcnat action=masquerade out-interface=Ext

Then I started my PPTP configuration
ppp secret> add name=ex service=pptp password=lkjrht local-address=10.10.10.1 remote-address=10.10.10.220
interface pptp-server> add name=FromLaptop user=ex
interface pptp-server server> set enabled=yes
interface ethernet> set Int arp=proxy-arp

So this is my configuration. I did this, and my problem was that I couldn't establish a PPTP connection from outside; then I tested it from inside and it works correctly. Please help me, my manager needs to establish a PPTP connection from the US and he is waiting for me.

Hmmm… do you have the PPTP NAT helper enabled in Firewall - Service Ports?
Maybe try ‘ip firewall nat> add chain=srcnat action=masquerade out-interface=Ext in-interface=Int’?..

And once more: do you test the connection from the same machine? What error do you get from outside?

I just reset it and configured it again from scratch and did this configuration again, so my PPTP NAT helper does not work, but I will test it again.

Thanks for replying.

I assume this is a typo?

You don’t need ‘interface pptp-server> add name=FromLaptop user=ex’.

You don’t need to fiddle with anything here;
/ip firewall service-port

because this is all about helping YOU connect to external VPNs and other services like FTP.

You will need to add a rule in the /ip firewall filter section like this;
;;; Allow PPTP incoming TCP 1723
chain=input action=accept dst-port=1723 protocol=tcp

This is essential.