We have a customer - a hotel, using a shared internet connection for staff and guests. We have firewalled hotel network internally from guest network.
However hotel staff working off site need VPN (PPTP) access to their server. Currently PPTP traffic from a single external IP is forwarded to the server. This allows guests to use their own VPNs as well.
Now the staff are mobile and can’t restrict their VPN traffic to come from a single external IP. Can anyone recommend the best solution here? If we port forwarded all PPTP to the server then of course this would break guests' VPN connections.
Make sure you’re using a recent version of PPTP, specifically v3, and that the PPTP helper is turned on on the router. V3 uses enhanced GRE headers that contain a call ID negotiated in the control channel, so the router can determine who to forward GRE packets to.
I’m not entirely sure RouterOS can inspect enhanced GRE headers, though. If it cannot your only realistic solution is to get a second public IP address and use one for customers and one for staff. That might be a good idea regardless of whether the helper works, btw - it makes it trivial to distinguish which party is at fault when someone comes to you with a public IP and says “this IP did something”.
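To make the answer's point concrete, here is an added example (not from the post, and not RouterOS code) that parses the enhanced GRE header PPTP data packets carry (RFC 2637, section 4.1) and models a router-side PPTP helper: it learns which inside host owns each call ID from the control channel and uses that to pick the inside destination for inbound GRE, which is what lets one public IP serve both the staff server and guests' own VPN clients. The `PptpHelper` class, the `on_call_established`/`route_inbound_gre` method names and all IP addresses are hypothetical, constructed for the example; the real helper learns call IDs from the Outgoing-Call-Request/Reply messages on TCP port 1723.

```python
import struct

# Enhanced GRE header layout from RFC 2637 section 4.1 (PPTP data packets).
GRE_PROTO_PPP = 0x880B   # protocol type of PPTP data packets
FLAG_K = 0x2000          # key (payload length + call ID) present; always set for PPTP
FLAG_S = 0x1000          # sequence number present
FLAG_A = 0x0080          # acknowledgment number present
VER_MASK = 0x0007        # GRE version field; 1 = enhanced GRE


def parse_enhanced_gre(packet: bytes):
    """Parse an enhanced GRE header. Returns a dict with call_id, payload_len,
    seq, ack and payload, or None when the packet is not PPTP data (for
    example plain GRE version 0, which carries no call ID at all)."""
    if len(packet) < 8:
        return None
    flags_ver, proto, payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    if (flags_ver & VER_MASK) != 1 or proto != GRE_PROTO_PPP or not (flags_ver & FLAG_K):
        return None
    hdr = {"call_id": call_id, "payload_len": payload_len, "seq": None, "ack": None}
    off = 8
    for flag, name in ((FLAG_S, "seq"), (FLAG_A, "ack")):
        if flags_ver & flag:
            if len(packet) < off + 4:
                return None          # header claims a field that is not there
            hdr[name] = struct.unpack("!I", packet[off:off + 4])[0]
            off += 4
    if len(packet) < off + payload_len:
        return None                  # truncated payload; do not trust the length field
    hdr["payload"] = packet[off:off + payload_len]
    return hdr


def build_enhanced_gre(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """Construct a PPTP data packet; used here only to make sample input."""
    flags_ver = FLAG_K | 1
    if seq is not None:
        flags_ver |= FLAG_S
    if ack is not None:
        flags_ver |= FLAG_A
    hdr = struct.pack("!HHHH", flags_ver, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


class PptpHelper:
    """Hypothetical model of a router's PPTP helper. It records, per outside
    peer, which inside host owns each call ID seen on the control channel and
    uses that table to demultiplex inbound GRE packets that all arrive on the
    router's single public IP."""

    def __init__(self):
        self.calls = {}  # (peer_ip, call_id) -> inside host

    def on_call_established(self, peer_ip: str, inside_host: str, call_id: int):
        self.calls[(peer_ip, call_id)] = inside_host

    def on_call_cleared(self, peer_ip: str, call_id: int):
        self.calls.pop((peer_ip, call_id), None)

    def route_inbound_gre(self, peer_ip: str, packet: bytes):
        """Return the inside host for this GRE packet, or None to drop it."""
        hdr = parse_enhanced_gre(packet)
        if hdr is None:
            return None
        return self.calls.get((peer_ip, hdr["call_id"]))


def demo():
    """Constructed scenario: one public IP, a staff PPTP session to the hotel
    server and a guest's own VPN session, distinguished only by call ID."""
    helper = PptpHelper()
    helper.on_call_established("203.0.113.10", "10.0.0.5", 0x1234)   # staff laptop -> hotel server
    helper.on_call_established("198.51.100.7", "10.1.0.77", 0x0ABC)  # guest laptop <- guest's VPN server

    staff_pkt = build_enhanced_gre(0x1234, b"\xff\x03\x00\x21", seq=1)
    guest_pkt = build_enhanced_gre(0x0ABC, b"\xff\x03\x00\x21", seq=7, ack=3)
    unknown_pkt = build_enhanced_gre(0x9999, b"\xff\x03\x00\x21")            # no call on record
    plain_gre = struct.pack("!HH", 0x0000, 0x0800) + b"\x45\x00\x00\x14"     # GRE v0: no call ID

    return {
        "staff": helper.route_inbound_gre("203.0.113.10", staff_pkt),
        "guest": helper.route_inbound_gre("198.51.100.7", guest_pkt),
        "unknown": helper.route_inbound_gre("203.0.113.10", unknown_pkt),
        "plain": helper.route_inbound_gre("203.0.113.10", plain_gre),
    }


if __name__ == "__main__":
    print(demo())
```

The last two cases are the ones that matter operationally: a GRE packet whose call ID was never negotiated on the control channel, and a plain GRE (version 0) packet, both get no inside destination, which is why a router that only forwards "all GRE" to one host cannot keep staff and guest sessions apart, and why a helper that cannot read the call ID leaves the second public IP as the fallback.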