Help Access Mikrotik's Port from VPN

Hi, I’m new to Mikrotik and I’ve been trying and researching for over two weeks with no luck.
I have a WiFi router connected to my ISP’s ONT and a Mikrotik router connected to the WiFi router on Mikrotik’s WAN Port.
I want to use the Mikrotik router as a PPTP VPN Client and I need to have it connected to my WiFi router. My VPN provider gives me a static external IP address and Port Forwarding; I already tested both features successfully by connecting directly to the service from a laptop with open ports. I already connected the Mikrotik to the VPN Service and got the public IP correctly. I can ping the external VPN address correctly from any of the Mikrotik’s WAN Hosts (192.168.1.0/24).

I added a filter firewall rule to allow input to port 80 from WAN and from PPP, both are triggering correctly on each respective case.

/ip firewall filter
add action=accept chain=input dst-port=80 in-interface=all-ppp log=yes protocol=tcp
add action=accept chain=input dst-port=80 in-interface-list=WAN log=yes protocol=tcp

I can successfully access port 80 from another of the Mikrotik’s WAN hosts (192.168.1.0/24) on the WAN IP Address, but I can’t access it on the PPP interface.

bash-3.2$ tcping 192.168.1.219 80
192.168.1.219 port 80 open.
bash-3.2$ tcping 206.123.145.67 80
206.123.145.67 port 80 closed.

These are the devices involved:

1. ISP ONT:
  • Public Address: 177.249.60.206
  • Internal Address: 192.168.0.1 (GW to Wireless Router)
2. Wireless Router:
  • WAN Address: 192.168.0.6
  • LAN Address: 192.168.1.1 (GW to Mikrotik)
3. Mikrotik Router:
  • Public VPN Address (PPTP Interface): 206.123.145.67
  • WAN Address: 192.168.1.219

Physical connection:
Mikrotik->Wireless Router->ISP ONT

This is my current configuration:

/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=PureVPN-PPTP
add action=masquerade chain=srcnat comment="defconf: masquerade" log=yes out-interface-list=WAN

/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=PureVPN-PPTP log=yes new-routing-mark=PureVPN-PPTP passthrough=yes src-address=177.249.60.206

/ip route
add distance=1 gateway=PureVPN-PPTP routing-mark=PureVPN-PPTP

I can see all rules correctly triggering on each respective case. The only difference, besides src IP address, that I can see is that when accessing from Mikrotik’s WAN host I have the src MAC address in the logs, and not when accessing from the VPN interface. I tried to add proxy-arp and local-proxy-arp to the WAN interface (ether1) of Mikrotik but it didn’t change anything.

Eventually if I can get this resolved I will add a dst-nat redirection to Mikrotik’s WAN Hosts on specific ports.

Any help will be greatly appreciated,
Thanks
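
Added example, not part of the original post and not a fix confirmed in this thread: the prerouting mangle rule above only matches packets arriving on PureVPN-PPTP, while replies generated by the router itself pass through the output chain. One way to send those replies back through the tunnel, assuming RouterOS v6 syntax and the hypothetical connection mark name via-vpn:

```routeros
# Added example (RouterOS v6 syntax); "via-vpn" is a hypothetical mark name.
/ip firewall mangle
# Tag new connections that reach the router itself through the tunnel.
add action=mark-connection chain=input in-interface=PureVPN-PPTP \
    connection-state=new new-connection-mark=via-vpn passthrough=yes
# Replies the router generates for those connections traverse the output
# chain; give them the routing mark so they use the marked route below.
add action=mark-routing chain=output connection-mark=via-vpn \
    new-routing-mark=PureVPN-PPTP passthrough=no

# The route from the post already serves this routing mark, so it is not
# added a second time:
#   /ip route
#   add distance=1 gateway=PureVPN-PPTP routing-mark=PureVPN-PPTP

# Check during a connection attempt: the counters on both mangle rules
# should rise, and the connection should carry the mark.
/ip firewall mangle print stats
/ip firewall connection print where connection-mark=via-vpn
```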

Any help? Thank you very much in advance.

I still can’t figure this out, just as an update, I see packets coming in but nothing going out. Not sure what could be needed.

Thanks!

Q1. What are the tasks of the Mikrotik device?
Only VPN gateway to your network?

Q2. Can you please export your FULL Config and Post it on the Forum
(/export hide-sensitive file=anynameyouwish)

Sure, the configuration is attached.
The only task Mikrotik is running is the VPN client. Even when I have the DHCP enabled on the LAN ports, I am not using it and I have nothing connected on them.

Thank you very much.
config-20211108.rsc (4.27 KB)

1. Servers
On the Pure-VPN Website, you can find a “Note” declaring limited support for PPTP starting June 15th, 2021.
(https://support.purevpn.com/mikrotik-configuration)

I found an unsupported Server in your Export-File…
Please try again, using a supported Server

2. Dial-on-demand
/interface pptp-client
add add-default-route=yes connect-to=us-ded-6.purevpn.net dial-on-demand=yes disabled=no keepalive-timeout=disabled name=PureVPN-PPTP user=xxxxxxxxxxx

I recommend disabling this feature during the “debugging” phase.
–>> dial-on-demand=no

Unfortunately you have to use us-ded-6.purevpn.net to get a static IP with them. I tried all of their servers listed on the page and even opened a support case; they told me to use this server. This server is the only one that gets the correct address.
I unchecked ‘Dial On Demand’ and it still doesn’t work.
Just to verify again, I tested these exact settings on another computer on the Mikrotik’s WAN network, with the same PPTP server, started a simple HTTP server, and I was able to connect remotely without a problem.

Thank you very much for your help, I really appreciate it.

Can you Post a Screenshot of the LOG?

Sure, I just attached it. This log is the result of a tcping to the external, static IP of the VPN, 206.123.145.67, on port 80.
I don’t see NAT entries in the log, and in all counters for the interface there are only packets coming in, nothing coming out.

Thank you
log.png

Oh man, forgot you had so much logging active =)

Reboot the router and screenshot of LOG with filter !

/log print where topics~"pptp"

Sure please find it attached

Thanks a lot
pptp log.png

Could not resolve name indicates a DNS-Problem

We will have to find why…
But for now try the IP (192.253.246.2) and see what happens!

The DNS problem only happens when rebooting the router, when disabling and enabling the interface it doesn’t happen.

I pinged the IP 192.253.246.2 and it responds, but it has the port 80 closed as well. It doesn’t produce any log on Mikrotik.

Thanks a lot

Temporarily disable all Firewall-Rules
Disable and re-enable PPTP interface.

And Post screenshot of LOG (/log print where topics~"pptp")

Sure I disabled everything in the firewall and disabled-re-enabled the PPTP interface
pptp log 2.png

Ok— So DNS is not the Problem..
Next Error → MPPE128 stateless

I looked it up in the Forum:
You may need to edit the PPP Profile and try again
http://forum.mikrotik.com/t/in-v6-45-6-l2tp-not-use-mppe-128/133847/1

Thank you for your help, I changed the profile in the PPP interface from “default-encryption” to “default” and the “MPPE128 stateless” message is not showing anymore, but the problem persists, re-enabled the firewall rules and still can’t access port 80 from PPTP interface. I’m including the log of the interface restart.
pptp log 3.png

You won the First Fight =)
Log shows the VPN is working!

“PureVPN-PPTP: authenticated”
“PureVPN-PPTP: connected”


Can you export and post the Latest Config of your Router?

FYI
I am not 100% sure how PureVPN works…
But they sell an Option called “Port Forwarding”, are you sure you have that option?!
And if you have this option, I don’t know if you need to configure something on their Website?!

Thank you I appreciate it, I attached the current configuration
config-20211108-2.rsc (4.28 KB)