non-MikroTik PPTP VPN connections get dropped

Hi all

This may be a very basic question. However, I've searched through this forum without success.

I have replaced a Linksys router in one of our offices with an RB450 (RouterOS 4.14). Since then, connections to a remote VPN get dropped immediately or after just a few seconds. As far as I know the VPN is just a Windows Server VPN service on the remote end. I'm trying to figure out what is causing this behaviour, but my MikroTik experience is quite short.

Our mikrotik has a very simple configuration:

# GW interface and LAN Switch
/interface ethernet set ether1 name ether1-gateway
/interface ethernet set ether2 name ether2-local-master
/interface ethernet set ether3 name ether3-local-slave
/interface ethernet set ether4 name ether4-local-slave
/interface ethernet set ether5 name ether5-local-slave
/interface ethernet set ether3-local-slave master-port=ether2-local-master
/interface ethernet set ether4-local-slave master-port=ether2-local-master
/interface ethernet set ether5-local-slave master-port=ether2-local-master

# LAN config
/ip address add address=192.168.1.1/24 interface=ether2-local-master comment="lan default gateway"

# WAN config (DHCP client from the DSL)
/ip dhcp-client add interface=ether1-gateway disabled=no
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1-gateway

# DNS and clock settings
/ip dns set servers=8.8.8.8,8.8.4.4
/system ntp client set mode=unicast enabled=yes primary-ntp=128.2.201.216

# LAN DHCP server
/ip pool add name=dhcp-lan-pool ranges=192.168.1.30-192.168.1.199
/ip dhcp-server add name=dhcp-lan address-pool=dhcp-lan-pool interface=ether2-local-master lease-time=72h
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=8.8.8.8,8.8.4.4
/ip dhcp-server enable dhcp-lan

# QoS for our VoIP devices
/ip firewall mangle add action=mark-packet chain=forward comment=VoIP disabled=no new-packet-mark=VoIP passthrough=no src-address=192.168.1.130-192.168.1.148
/ip firewall mangle add action=mark-packet chain=forward comment=VoIP disabled=no dst-address=192.168.1.130-192.168.1.148 new-packet-mark=VoIP passthrough=no
/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ether1_gw_voip packet-mark=VoIP parent=ether1-gateway priority=2 queue=default
/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ether2_lan_voip packet-mark=VoIP parent=ether2-local-master priority=2 queue=default

As you see, there are no special firewall settings.

However, I've tried to avoid the dropping of the remote VPN connections with the following rules, but it seems that it hasn't helped:

/ip firewall filter add chain=forward connection-state=established action=accept
/ip firewall filter add chain=forward connection-state=related action=accept  
/ip firewall filter add chain=input connection-state=established action=accept 
/ip firewall filter add chain=input connection-state=related action=accept

Any help or hints would be appreciated.

[EDIT] Here are the firewall settings as per the export command:

[admin@MikroTik] > /ip firewall export
# sep/20/2011 16:13:55 by RouterOS 4.14
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=\
    5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="allow previously established connections" connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=accept chain=input comment="allow previously established connections" connection-state=established disabled=no
add action=accept chain=input comment="allow related connections" connection-state=related disabled=no
/ip firewall mangle
add action=mark-packet chain=forward comment=VoIP disabled=no new-packet-mark=VoIP passthrough=no src-address=192.168.1.130-192.168.1.148
add action=mark-packet chain=forward comment=VoIP disabled=no dst-address=192.168.1.130-192.168.1.148 new-packet-mark=VoIP passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] > ip service export
# sep/20/2011 16:14:01 by RouterOS 4.14
#
/ip service
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=192.168.1.0/32 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=9999
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=192.168.1.0/32 disabled=no port=8291

You need to turn on the pptp debug log in MikroTik and then paste the log to the forum. It will give information on why the connection is dropping.

Thanks, I will do so as soon as possible.

However, will "pptp debug" log what happens with a non-MikroTik-related VPN? I thought that it would just log the internal implementation of the PPTP server/client stuff.

It will log PPTP server communication with the PPTP client that is attempting to connect to it. It does not matter what client it is, as the server side will be logged. Usually this information helps to see what incompatibilities or problems you have on one side or the other.

I've tried to log PPTP traffic using the following commands, without result:

/system logging add topics=pptp,debug action=memory
/log print follow where topics~".pptp"

Maybe I haven't made myself clear (sorry if so). But the MikroTik is independent of the previous VPN client-server configuration.

Before the MikroTik, the configuration was something like this (I'm having difficulties contacting the remote sysadmin to confirm the server-side configuration, though):

Our network  
                                                  Internet                                    Remote office (VPN service)
Client A \
              ---> [Linksys router] ---> Cable ----> ( Internet  ) ------------------> Remote router (NAT) ------> VPN server 
Client B /

AFAIK on the server side there is just a Windows Server with the VPN service. Also, from what I've been told, the remote router just does NAT to map port 1723 to the internal server. It seems that there is no sophisticated VPN LAN-to-LAN configuration.

I have just substituted the Linksys with an RB450 with the configuration posted in my former post.

The fact is that now our problems are:

  • the client doesn't connect at first; it has to "re-dial" several times
  • once the client is connected, its connection gets dropped after some time

Another thing we have seen is that if Client A is connected, when Client B connects, Client A's connection gets dropped. Dynamic NAT issue?

I'm completely lost with this issue, because neither the former Linksys nor the new RB450 has any special configuration or firewall rules that would explain this change of behaviour.

Any help would be appreciated.

A PPTP server must have a public IP, and if you are using any NATs, forget about PPTP: use L2TP or another more up-to-date tunnel.

Thanks for your answer.

As I cannot provide information about how the VPN is implemented on the server side (probably this afternoon I'll be able to talk with the admin of that center), let's forget about its implementation.

The users have confirmed that the VPN establishes but that it drops when another client tries to connect to the VPN from the same origin LAN. It seems that, despite what it seemed at first, the connection drops when another session starts from the same LAN to the remote VPN.

The fact is that the previous router wasn't configured specially for the VPN (or that's what they have told me). So what do you think can cause the fact that, if one client in this LAN has established the VPN connection, a second VPN connection from this LAN drops the first one? Take into account that this started happening once the MikroTik replaced the former router. And this is driving me nuts! :slight_smile:

Note that I'm always talking about the client LAN.

We have intensive VoIP traffic to a remote IP PBX that works like a charm with the RB450. The problem has arisen with those VPN connections. :-/

Thanks in advance

To have more than one PPTP client from the same local network to the same server you need to enable the PPTP NAT helper (because PPTP is old and was not designed for NAT):
/ip firewall service-port menu
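Why the helper matters, as an added toy model (not RouterOS code and not from anyone in this thread; all addresses, ports and call IDs are constructed): PPTP's control channel is plain TCP/1723 and NATs like any TCP flow, but its data channel is GRE (IP protocol 47), which has no ports. The only thing that distinguishes two tunnels to the same server is the call ID carried in the enhanced-GRE key field, and a NAT can only learn and de-conflict those call IDs by parsing the control channel, which is what the `pptp` service-port helper does. The model below runs two clients behind one NAT with the helper off and on and reports where the server's returning GRE data actually lands.

```python
"""Toy model of PPTP through a NAT, with and without a PPTP helper (added
illustration, not RouterOS code; all addresses, ports and call IDs are made up).
The control channel (TCP/1723) NATs like any TCP flow, but the data channel is
GRE (IP protocol 47) and has no ports: only the call ID in the enhanced-GRE key
field tells two tunnels apart, and a NAT learns call IDs only by parsing the
control channel, which is exactly what the helper does."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

TCP, GRE = 6, 47
PPTP_PORT = 1723


@dataclass(frozen=True)
class Pkt:
    proto: int
    src: str
    dst: str
    sport: int = 0                 # TCP only
    dport: int = 0                 # TCP only
    ctrl: Optional[tuple] = None   # ("OCRQ", call_id) or ("OCRP", srv_call_id, peer_call_id)
    key: int = 0                   # GRE only: call ID of the packet's receiver


class Nat:
    def __init__(self, public_ip: str, pptp_helper: bool):
        self.public_ip = public_ip
        self.helper = pptp_helper
        self.tcp = {}        # public port -> (inside ip, inside port)
        self.gre_reply = {}  # reply-demux key -> inside endpoint
        self.next_port = 40000
        self.next_call_id = 1000

    def outbound(self, p: Pkt) -> Pkt:
        if p.proto == TCP:
            pub, self.next_port = self.next_port, self.next_port + 1
            self.tcp[pub] = (p.src, p.sport)
            ctrl = p.ctrl
            if self.helper and ctrl and ctrl[0] == "OCRQ":
                # Helper: give the call an ID unique across the whole NAT and
                # remember it, so returning GRE can be demultiplexed by key.
                nat_id, self.next_call_id = self.next_call_id, self.next_call_id + 1
                self.gre_reply[nat_id] = (p.src, ctrl[1])
                ctrl = ("OCRQ", nat_id)
            return replace(p, src=self.public_ip, sport=pub, ctrl=ctrl)
        if p.proto == GRE:
            if not self.helper:
                # Generic tracking keys the flow on (src, dst, proto) only. Every
                # inside host yields the same reply tuple (server -> public IP, GRE),
                # so the newest mapping silently takes over the return path.
                self.gre_reply[p.dst] = p.src
            return replace(p, src=self.public_ip)
        raise ValueError("unsupported protocol")

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        if p.proto == TCP:
            ep = self.tcp.get(p.dport)
            if ep is None:
                return None
            ctrl = p.ctrl
            if self.helper and ctrl and ctrl[0] == "OCRP":
                # Translate the NAT-assigned peer call ID back to the client's own.
                ctrl = ("OCRP", ctrl[1], self.gre_reply[ctrl[2]][1])
            return replace(p, dst=ep[0], dport=ep[1], ctrl=ctrl)
        if p.proto == GRE:
            if self.helper:
                ep = self.gre_reply.get(p.key)
                return None if ep is None else replace(p, dst=ep[0], key=ep[1])
            inside = self.gre_reply.get(p.src)
            return None if inside is None else replace(p, dst=inside)
        raise ValueError("unsupported protocol")


def dial(nat: Nat, client: str, server: str, call_id: int, server_call_id: int) -> int:
    """One PPTP call setup through the NAT. Returns the peer call ID the server
    will put in the GRE key of data it sends back to this client."""
    req = nat.outbound(Pkt(TCP, client, server, 1100, PPTP_PORT, ctrl=("OCRQ", call_id)))
    seen_by_server = req.ctrl[1]
    rep = nat.inbound(Pkt(TCP, server, nat.public_ip, PPTP_PORT, req.sport,
                          ctrl=("OCRP", server_call_id, seen_by_server)))
    assert rep is not None and rep.dst == client and rep.ctrl[2] == call_id
    nat.outbound(Pkt(GRE, client, server, key=server_call_id))  # first data packet out
    return seen_by_server


def two_clients(pptp_helper: bool) -> Tuple[Optional[str], Optional[str]]:
    """Clients A then B dial the same server; returns which inside host the
    server's GRE data for A and for B actually reaches."""
    nat = Nat("203.0.113.10", pptp_helper)
    server, a, b = "198.51.100.5", "192.168.1.50", "192.168.1.51"
    a_key = dial(nat, a, server, call_id=5, server_call_id=70)
    b_key = dial(nat, b, server, call_id=9, server_call_id=71)
    to_a = nat.inbound(Pkt(GRE, server, nat.public_ip, key=a_key))
    to_b = nat.inbound(Pkt(GRE, server, nat.public_ip, key=b_key))
    return (to_a.dst if to_a else None, to_b.dst if to_b else None)


if __name__ == "__main__":
    print("without helper:", two_clients(False))  # ('192.168.1.51', '192.168.1.51')
    print("with helper:   ", two_clients(True))   # ('192.168.1.50', '192.168.1.51')
```

Without the helper, the server's data for client A is delivered to B as soon as B dials (A's tunnel then idles out), which is the "B connects, A drops" symptom described above; with the helper, each tunnel is keyed by its own NAT-assigned call ID and both survive. The model deliberately ignores timeouts and the server-side view; a real helper also has to cope with clients that reuse call IDs across redials.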

That looks promising

These are my settings:

[admin@MikroTik] > ip firewall service-port print       
Flags: X - disabled, I - invalid 
 #   NAME                                                                 PORTS
 0   ftp                                                                  21   
 1   tftp                                                                 69   
 2   irc                                                                  6667 
 3   h323                                                                
 4   sip                                                                  5060 
                                                                          5061 
 5   pptp                                                                
[admin@MikroTik] > ip service 
disable  edit  enable  export  find  print  set
[admin@MikroTik] > ip service print 
Flags: X - disabled, I - invalid 
 #   NAME                  PORT  ADDRESS            CERTIFICATE                
 0 X telnet                23    0.0.0.0/0         
 1 X ftp                   21    0.0.0.0/0         
 2   www                   80    192.168.1.0/32    
 3   ssh                   9999  0.0.0.0/0         
 4 X www-ssl               443   0.0.0.0/0          none                       
 5 X api                   8728  0.0.0.0/0         
 6   winbox                8291  192.168.1.0/32

Can you elaborate a bit more on what you mean? Thank you.

That means everything is enabled, and your previous router had some workaround that is not according to the RFC to make it work.

I suggest moving over to L2TP and forgetting about most of these problems. Windows clients have absolutely no difference from the customer's point of view; it is the same as PPTP.
Or even better, go for the most modern solution, SSTP; the latest Windows 7 has it implemented (old Windows XP will have to go).

Thank you macgaiver

I believe that too. I’ll have to talk with the guy in the other side. Let’s see :slight_smile:

If I get some relevant data, I'll post it back here.