No traffic to VPN client from internal network

I have the following set-up:

RB 2011 acting as PPTP VPN server on ETH10 (PPPoE with static IP) and DHCP server on all other interfaces, which are bridged.

Router address internally 192.168.10.1
Internal network: 192.168.10.0/24

I have one synology NAS which is the master on 192.168.10.3

And another backup NAS, which is at another location on ADSL. The backup NAS connects to the VPN and can ping the router. It has a local LAN IP of 192.168.5.120 and gets an IP from the VPN: 192.168.10.223.

However, I cannot connect to or ping the backup NAS from within the network.

The master NAS should sync data to the backup NAS, so I need to reconfigure the firewall to allow traffic to the NAS connected via VPN.

Here are firewall rules:

[admin@MikroTik] > ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established 

 2   ;;; default configuration
     chain=input action=accept connection-state=related 

 3   ;;; pptp
     chain=input action=accept protocol=tcp dst-port=1723 

 4   ;;; pptp
     chain=input action=accept protocol=tcp dst-port=8291 

 5   ;;; default configuration
     chain=input action=drop in-interface=ether10-WAN 

 6   ;;; default configuration
     chain=input action=drop in-interface=ether10-WAN 

[admin@MikroTik] > ip firewall nat print
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=pppoe-out1 

 1   chain=dstnat action=dst-nat to-addresses=192.168.10.3 to-ports=25 protocol=tcp src-address=!192.168.10.0/24 dst-port=25 

 2   ;;; without src !192.168.10.0/24, outbound https does not work
     chain=dstnat action=dst-nat to-addresses=192.168.10.3 to-ports=443 protocol=tcp src-address=!192.168.10.0/24 dst-port=443 

 3   chain=dstnat action=dst-nat to-addresses=192.168.10.3 to-ports=465 protocol=tcp dst-port=465 

 4   chain=dstnat action=dst-nat to-addresses=192.168.10.3 to-ports=993 protocol=tcp dst-port=993 

 5   chain=dstnat action=dst-nat to-addresses=192.168.10.2 to-ports=22 protocol=tcp dst-port=2222 

 6   chain=dstnat action=dst-nat to-addresses=192.168.10.180 to-ports=3389 protocol=tcp dst-port=3333 

 7 X chain=dstnat action=dst-nat to-addresses=192.168.10.2 to-ports=587 protocol=tcp dst-port=587 

 8 X chain=dstnat action=dst-nat to-addresses=192.168.10.3 to-ports=993 protocol=tcp dst-port=1993 

 9 X chain=dstnat action=dst-nat to-addresses=192.168.10.3 to-ports=443 protocol=tcp dst-port=1443

Can you ping 192.168.10.223 but not 192.168.5.120?

Have you tried making the LAN a /16 network?

The thing is, while the external network is static, it could change, as it's the customer's home network - simple ISP-provided ADSL.

The problem is I cannot get traffic to the VPN client.

Chain 4 in the firewall filter is labeled wrong: 8291 is Winbox.

Also, to make PPTP VPN work, you need to add protocol 47 (GRE) to the firewall accept chain.
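Added example (not from any post in this thread) showing the two corrections above applied to the rule set as printed earlier: accept GRE in the input chain ahead of the WAN drop rules, and relabel rule 4. Rule indexes and the `place-before` position refer to the numbering in the `print` output above; nothing else is assumed.

```routeros
# PPTP needs two things through the input chain: TCP/1723 for the control
# connection (already present as rule 3) and IP protocol 47 (GRE) for the
# tunnelled data. Without GRE the client authenticates but no traffic flows.
/ip firewall filter
# Put the GRE accept before the "drop in-interface=ether10-WAN" rules
# (rules 5 and 6 in the print output), otherwise it is never reached.
add chain=input action=accept protocol=gre \
    comment="pptp: GRE (protocol 47) data channel" place-before=5
# Rule 4 accepts TCP/8291, which is Winbox, not PPTP; fix the label so
# the next reader does not mistake it for part of the VPN.
set 4 comment="winbox management"

# Checks: the GRE rule should show non-zero packet counters while a client
# is up, and the connected client should be listed as a pptp-server interface.
/ip firewall filter print stats where protocol=gre
/interface pptp-server print
```

Note that as printed, rule 4 accepts 8291 from any interface and sits above the WAN drop rules, so Winbox is reachable from the PPPoE side as well; adding `in-interface=!ether10-WAN` (or a source address list) to that rule keeps management off the internet without affecting the VPN.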

OK, I added GRE and now I can ping VPN clients and connect to some but not all ports.

For example, 3389 to the VPN client from NAT works, and 139 (CIFS/Samba/Windows File Sharing) does, but 445 doesn't.

Also, Windows file sharing doesn't work from within the LAN to the PPTP client. I can see on the PPTP client a connection attempt to port 139 from within the LAN across PPTP, but the connection does not get established.

I want to back up from Synology to Synology, which listens on port 873. I can connect to the port of a PPTP client (simulated, not the Synology which is the PPTP client). There might also be an issue at the other end causing the backup not to work.

Proxy-ARP on the PPTP server's endpoint? Also make sure you have a route to the remote network.
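Added example (not from any post in this thread) of both suggestions above in RouterOS syntax. It assumes the LAN bridge is named `bridge-local` and the backup NAS's PPP secret is named `backupnas`; neither name appears in the thread. The addresses are the ones the poster gave.

```routeros
# The PPTP client gets 192.168.10.223 from the LAN range, but it sits on a
# point-to-point PPP link, not on the bridge. LAN hosts therefore ARP for
# .223 and nobody answers. Proxy-ARP on the bridge makes the router reply
# with its own MAC and forward the frames into the tunnel.
# Assumption: the LAN bridge is called "bridge-local" (not named in the thread).
/interface bridge set [find name="bridge-local"] arp=proxy-arp

# Reaching the client's own LAN address (192.168.5.120) needs a route for
# the remote subnet via the tunnel address. Attaching it to the PPP secret
# installs the route only while that client is connected.
# Assumptions: the secret is named "backupnas" and is pinned to .223 so the
# gateway address stays valid across reconnects.
/ppp secret set [find name="backupnas"] remote-address=192.168.10.223 \
    routes="192.168.5.0/24 192.168.10.223 1"

# Checks, run while the client is connected: the route must be present
# (it disappears when the client drops), and the ping must be sourced from
# the LAN address so the reply path is the same one LAN hosts will use.
/ip route print where dst-address=192.168.5.0/24
/ping 192.168.5.120 src-address=192.168.10.1 count=3
```

Proxy-ARP alone covers traffic to the tunnel address 192.168.10.223; the route is only needed for 192.168.5.120. For that second case the far end must also accept and route 192.168.10.0/24 back over the tunnel, which is the "other end" problem the poster already suspects.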