Need help to trouble shot VPN

Pilgrim · October 8, 2012, 10:50am

Hi Guys

I am trying to set up a VPN to my network at home, but as so many times before my knowledge goes in in short, so I am again counting on some help from this great board.

I tried to follow Gregs’s guide http://gregsowell.com/?p=680 and also tried a couple of other guides, but with the same result.

I have tried from both windows 7 and windows XP, but all attempts seems to be stopped in my firewall. Could you tip me in the right direction what to look out for - or what I should open in the firewall / services.

Thanks, Pilgrim

This is what I found in the log.

37.188.xxx.xxx – is the remote pc trying to connect to the VPN server.
172.18.xxx.xxx – is in fact not the public IP of the Mikrotik VPN server, I don’t know what that IP is, maybe an IP used by my provider. I do not have any problem accessing other servers from outside using the correct public IP (81.0.xxx.xxx).

12:30:51 firewall,info DROP INPUT input: in:Public out:(none), src-mac 00:0c:42:xx:xx:xx, proto TCP (SYN), 37.188.xxx.xxx:13573->172.18.xxx.xxx:1723, len 44
12:30:54 firewall,info DROP INPUT input: in:Public out:(none), src-mac 00:0c:42:xx:xx:xx, proto TCP (SYN), 37.188.xxx.xxx:13573->172.18.xxx.xxx:1723, len 44
12:31:00 firewall,info DROP INPUT input: in:Public out:(none), src-mac 00:0c:42:xx:xx:xx, proto TCP (SYN), 37.188.xxx.xxx:13575->172.18.xxx.xxx:1723, len 44
12:31:12 firewall,info DROP INPUT input: in:Public out:(none), src-mac 00:0c:42:xx:xx:xx, proto TCP (SYN), 37.188.xxx.xxx:13577->172.18.xxx.xxx:1723, len 44
12:31:36 firewall,info DROP INPUT input: in:Public out:(none), src-mac 00:0c:42:xx:xx:xx, proto TCP (SYN), 37.188.xxx.xxx:13582->172.18.xxx.xxx:1723, len 44
12:32:24 firewall,info DROP INPUT input: in:Public out:(none), src-mac 00:0c:42:xx:xx:xx, proto TCP (SYN), 37.188.xxx.xxx:13606->172.18.xxx.xxx:1723, len 44
12:32:31 firewall,info DROP INPUT input: in:Public out:(none), src-mac 00:0c:42:xx:xx:xx, proto TCP (SYN), 37.188.xxx.xxx:13608->172.18.xxx.xxx:1723, len 44
12:32:34 firewall,info DROP INPUT input: in:Public out:(none), src-mac 00:0c:42:xx:xx:xx, proto TCP (SYN), 37.188.xxx.xxx:13608->172.18.xxx.xxx:1723, len 44

ditonet · October 8, 2012, 12:24pm

In firewall rules (input chain) port 1723/TCP and GRE protocol (47) must be allowed.
On local (LAN) interface ARP must be set to ‘proxy-arp’.

HTH,

cbrown · October 8, 2012, 12:25pm

Your firewall is dropping tcp 1723 which is needed for pptp.

Post /ip firewall filter export compact

Pilgrim · October 8, 2012, 2:25pm

Guy’s you are the best - Problem solved

Maybe I will run into some issues later, but it seems that it was enough just to open port 1723 (input chain).

Thanks a lot,

Pilgrim