I have a RB450 set up as an internet router for a small office. On my internal network, I have 2 separate servers that host VPN connections - one hosting a PPTP VPN, the other I don’t have much visibility on (it’s a vendor supplied Cisco - vendor requires UDP 4500 and 500 pass through, and pass through for IPSEC and GRE).
For my PPTP server, I set up a NAT rule to forward TCP port 1723.
For the Cisco, I set up a NAT rule for UDP 4500 and UDP 500.
Is there a way that I can set up GRE to NAT to both VPN servers? I’ve had other more mass market routers that simply “allow” GRE and IPSEC (Linksys, Dlink, Netgear) - is there something similar with Mikrotik?
As a test, I created a rule in the firewall to allow a general forward of GRE:
ip firewall filter add action=accept chain=forward protocol=GRE
and then connected to one of the PPTP servers while monitoring connections in Winbox.
Something I noticed was that GRE connections were automatically created (with the proper DST and SRC addresses). I tested again with the above rule disabled and noticed the same result - GRE connections were automatically created.
Do rules like:
ip firewall filter add chain=forward connection-state=established
ip firewall filter add chain=forward connection-state=related
help to create the GRE connections when a specific dst-nat rule doesn’t exist?
There is a PPTP helper (/ip fire service) that inspects the initial tcp control channel and takes care of the GRE tunnel as established traffic.
I am not sure what takes precedence, but it is possible that the helper fires first. In that case you should be able to forward GRE to the Cisco box to cover what the helper doesn’t catch as related to the PPTP box.
However, are you sure that the Cisco box requires GRE? While it is common to wrap GRE in IPSec to overcome the no broadcast/multicast IPSec limitation, that GRE traffic is not exposed to anything but the VPN endpoints. The traversed router would see the ESP or AH (more likely ESP) packets of the IPSec tunnel, and not the GRE packets encrypted inside of them.
Thanks for your reply - I think you’re right: the helper must take precedence. I’ll test tonight/in the morning by forwarding GRE to the Cisco and then try to connect to the PPTP server.
Petrn - just noticed your reply, not sure why it didn’t show up before. I’m wary about specifically forwarding GRE to my PPTP server - the Cisco supports business critical functions. So long as the test above works, I think I’ll end up forwarding GRE and IPSEC to the Cisco and rely on the connection tracker/helper to appropriately forward GRE for my PPTP server.
As for whether or not the Cisco really even requires GRE - maybe it’s for backup purposes, in case there’s a problem with connecting the IPSEC VPN? The engineer that I worked with during setup specifically asked for it to be allowed; getting back to them to confirm whether it’s truly required may be easier said than done.
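What the plan above works out to as a RouterOS configuration, added here as an illustration rather than either poster's own config: the WAN interface name (ether1) and the two internal server addresses (192.168.1.10 for the PPTP server, 192.168.1.20 for the Cisco) are placeholders, and the ordering comments describe how connection tracking hands helper-expected GRE past the dstnat chain.

```routeros
# Added example; interface names and addresses are assumed placeholders.

# 1. Make sure the PPTP helper is enabled. It watches the TCP/1723 control
#    channel and registers an expectation for the matching GRE call, so that
#    GRE arriving for an established PPTP session is tracked as RELATED and
#    NATed from the expectation without consulting the dstnat chain at all.
/ip firewall service-port
set [ find name=pptp ] disabled=no

# 2. Port forwards. Only packets that start a NEW connection traverse dstnat,
#    so the catch-all GRE forward below only sees GRE that no helper claimed,
#    i.e. whatever the Cisco side sends that is not tied to a PPTP session.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1723 \
    action=dst-nat to-addresses=192.168.1.10 \
    comment="PPTP control channel -> PPTP server"
add chain=dstnat in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=dst-nat to-addresses=192.168.1.20 \
    comment="IKE and NAT-T -> Cisco"
add chain=dstnat in-interface=ether1 protocol=ipsec-esp \
    action=dst-nat to-addresses=192.168.1.20 \
    comment="ESP -> Cisco"
add chain=dstnat in-interface=ether1 protocol=gre \
    action=dst-nat to-addresses=192.168.1.20 \
    comment="GRE not claimed by the PPTP helper -> Cisco"

# 3. Forward filter. established/related must come first so that the
#    helper-tracked GRE for the PPTP box is accepted regardless of the
#    dst-nat rules; everything else from the WAN is allowed only if a
#    dstnat rule above actually translated it.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="includes helper-tracked GRE for the PPTP server"
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    connection-state=new action=accept \
    comment="new WAN connections only via a dst-nat rule"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop any other inbound attempt from the WAN"

# 4. Check while a client is dialling in: a GRE entry whose reply-dst is
#    192.168.1.10 next to the TCP/1723 entry means the helper did the work.
/ip firewall connection
print where protocol~"gre"
```

If the GRE entry for the PPTP client instead shows the Cisco address, the helper did not fire for that session and the catch-all GRE dst-nat rule caught it, which is the ordering question raised earlier in the thread.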
Write a firewall mangle rule that marks all packets from those clients with a routing mark. Install a rule in the routing table for that routing mark pointing out the VPN gateway.
Just like any other policy routing.