dmz host and VPN

Hello.

I have the following scenario for the pptp client:

Router Amper(88.15.38.214) ----DMZ--> RB951G(192.168.1.2) --> LAN(192.168.1.0/24)

Using this scenario I have achieved a pptp connection between the server and this client. The link is established and I can ping the two sides using the ping tool of both routerboards. The problem comes when I try to ping the network of both sides using the command line of Windows: on the server side I can ping the client from cmd, but not from the client side.

My settings for the server are:

add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=\
    192.168.223.1 name=maga password=realaga profile=default-encryption \
    remote-address=192.168.1.2 routes=192.168.1.0/24 service=pptp

The client settings are in the attached picture:

Also the dstnat is as follows for connecting to the server network:

/ip route
add dst-address=192.168.223.0/24 gateway=pptp-out1

Client pptp settings: (attachment: router mikrotik.jpg)

I have applied these settings to other routerboards with success and I really don't know how to solve this one.

Best regards and thank you.

I can’t read the client settings.

Have you tried tracert instead of ping?

Hi, I have tried to do a tracert to 192.168.223.1 but it says that the network is inaccessible

That indicates you do not have a route to the 192.168.223.0/24 network in that router. It is trying to send the request through your public network gateway. I get the same response if I try to ping or tracert to a localnet ip that does not exist in “/ip route”.

Post “/ip route” from that router your computer is connected to.
Also post “/ip firewall nat”, since you did mention “dmz”.

Hi there SurferTim, here are the /ip route and the /ip firewall settings:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.223.0/24 gateway=pptp-out1 \
    scope=30 target-scope=10
add disabled=no distance=1 dst-address=192.168.225.0/24 gateway=pptp-out1 \
    scope=30 target-scope=10
/ip firewall> export
# jan/02/1970 02:08:00 by RouterOS 5.26
# software id = 24CL-7DKJ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="default configuration" \
    connection-state=established disabled=no
add action=accept chain=forward comment="default configuration" \
    connection-state=related disabled=no
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid disabled=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes \
    out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

One of these is wrong:

Router Amper(88.15.38.214) ----DMZ--> RB951G(192.168.1.2) --> LAN(192.168.1.0/24)

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 \
    target-scope=10

And do you have the 192.168.1.0/24 network routed back to the RB951G from the Amper router?

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes \
    out-interface=ether1-gateway

BTW, if the VPN is not connected, it will fail in the same fashion. Look in “/interface pptp-server” or “/interface pptp-client” and ensure the VPN shows running.

Hi, the VPN is connected. I guess it is a problem with the router, although I have opened ports 1723 and 47 for connecting, receiving and sending data.

In ip/firewall/connections I can see an established connection on port 1723.

I think it is a problem with your setup in that router. I am a firm believer in “A good workman never blames his tools”.

:) I’m setting everything up again and I have set my RB as a router instead of a switch, but I can’t know the result until Saturday because I need someone to access the router locally to change some cables. PS. I blame my ISP router but not my RB ;)

Hello, I have been trying but I can’t get it to work.

I have added my settings in a txt file if anyone could help me.
Best regards.
(attachments: settingsRb.txt (20 KB), Untitled.png)

I looked at your export. It seems you have the ip assigned to wlan1 instead of bridge-local:

/ip address
add address=192.168.228.1/24 comment="default configuration" disabled=no \
    interface=wlan1 network=192.168.228.0

Your ip address should be assigned to the bridge, like your dhcp server below.

/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=bridge-local lease-time=3d name=default

I don’t know if this is your problem with the VPN, but it isn’t right.

I have added it now but it is still not working:

/ip address
add address=192.168.1.2/24 comment="default configuration" disabled=no \
    interface=wlan1 network=192.168.1.0

add address=192.168.1.2/24 disabled=no interface=ether1-gateway network=\
    192.168.1.0

This is the simple part. Add this and remove the assignment from wlan1. That interface is assigned to bridge-local, which now will be assigned this ip:

/ip address
add address=192.168.228.1/24 interface=bridge-local

After this assignment, wlan1 and ether2-master-local will “share” this ip, along with the dhcp server.
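As an added example (not from this thread and not MikroTik's own tooling), the script below does in code the two checks SurferTim made by hand: it parses `/ip route` and `/ip address` lines in RouterOS export form (with the backslash line continuations seen in the posts), answers which route a destination would take by longest-prefix match (so a "network is inaccessible" reply can be traced to the default gateway catching it), and flags an address placed on a bridge port instead of the bridge, or the same subnet placed on two interfaces, as in the OP's last `/ip address` paste. The sample export is constructed from the values in the thread; the `BRIDGE_PORTS` mapping and all function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the routes and addresses as pasted in the thread,
# in RouterOS export form with backslash line continuations.
SAMPLE_EXPORT = """\
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 \\
    target-scope=10
add disabled=no distance=1 dst-address=192.168.223.0/24 gateway=pptp-out1 \\
    scope=30 target-scope=10
add disabled=no distance=1 dst-address=192.168.225.0/24 gateway=pptp-out1 \\
    scope=30 target-scope=10
/ip address
add address=192.168.1.2/24 comment="default configuration" disabled=no \\
    interface=wlan1 network=192.168.1.0
add address=192.168.1.2/24 disabled=no interface=ether1-gateway network=\\
    192.168.1.0
"""

# Assumed bridge membership: the thread says wlan1 and ether2-master-local
# are ports of bridge-local. This mapping is constructed for the example.
BRIDGE_PORTS = {"wlan1": "bridge-local", "ether2-master-local": "bridge-local"}

_KV = re.compile(r'(\S+?)=("[^"]*"|\S*)')


def parse_export(text):
    """Return one dict per 'add' line, tagged with the section it belongs to."""
    # RouterOS continues a line with a trailing backslash; the continued
    # line's leading whitespace is dropped and the rest appended directly.
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    entries, section = [], None
    for line in logical:
        if line.startswith("/"):
            section = line.strip()
        elif line.startswith("add "):
            entry = {"section": section}
            for key, val in _KV.findall(line[4:]):
                entry[key] = val.strip('"')
            entries.append(entry)
    return entries


def lookup_route(entries, destination):
    """Longest-prefix match over enabled '/ip route' entries, as the router
    does; returns the winning entry, or None when no route covers it."""
    dst = ipaddress.ip_address(destination)
    best = None
    for e in entries:
        if e["section"] != "/ip route" or e.get("disabled") == "yes":
            continue
        net = ipaddress.ip_network(e.get("dst-address", "0.0.0.0/0"), strict=False)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, e)
    return best[1] if best else None


def lint_addresses(entries, bridge_ports):
    """Flag an address on a bridge port instead of the bridge, and subnets
    that overlap across interfaces."""
    findings = []
    addrs = [e for e in entries
             if e["section"] == "/ip address" and e.get("disabled") != "yes"]
    for e in addrs:
        iface = e["interface"]
        if iface in bridge_ports:
            findings.append(f"{e['address']} is on {iface}, a port of "
                            f"{bridge_ports[iface]}; assign it to the bridge instead")
    for i, a in enumerate(addrs):
        for b in addrs[i + 1:]:
            na = ipaddress.ip_interface(a["address"]).network
            nb = ipaddress.ip_interface(b["address"]).network
            if na.overlaps(nb):
                findings.append(f"{na} on {a['interface']} overlaps "
                                f"{nb} on {b['interface']}")
    return findings


def diagnose(export_text=SAMPLE_EXPORT, bridge_ports=BRIDGE_PORTS):
    """Run both checks and return the results in one dict."""
    entries = parse_export(export_text)
    return {
        "entries": entries,
        # the VPN-side network: should hit the pptp-out1 route
        "route_223": lookup_route(entries, "192.168.223.1"),
        # an address with no specific route: only the default route matches
        "route_224": lookup_route(entries, "192.168.224.1"),
        "findings": lint_addresses(entries, bridge_ports),
    }


if __name__ == "__main__":
    result = diagnose()
    for key in ("route_223", "route_224"):
        r = result[key]
        print(f"{key}: dst-address={r['dst-address']} gateway={r['gateway']}")
    for finding in result["findings"]:
        print("finding:", finding)
```

Feed it the real export (`/export` output) and the bridge port list from `/interface bridge port print` in place of the constructed sample; a destination that resolves to the `0.0.0.0/0` entry is exactly the case SurferTim describes, where the request is handed to the public gateway instead of the tunnel.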