**PLEASE HELP** Simple PPTP vpn client setup

Hi,

I have been trying to get a simple VPN PPTP client setup on my x86 ROS router v6.7 but never got it to work.

I have set up a VPN PPTP client like this, and it is connected

And then my router is already able to access the Internet using the following Masquerade rule

add action=masquerade chain=srcnat disabled=no out-interface=ether1

So, I just added one IP route rule like this, so that whenever I go to the IP 209.68.27.16, it will route through the VPN I set up above

As simple as that, it didn’t work. So I added one more NAT rule like this

add action=masquerade chain=srcnat disabled=no out-interface=testvpn

And it still doesn’t work. I can go to any other website without a problem, but when I try to access the site 209.68.27.16, it just times out.


I have been messing with this for almost a month but still can’t get it to work. I would appreciate it if anyone could give me a hand here.

Did you set up a route in the VPN server to your localnet ips in that VPN client?

The VPN server is a paid service, so I don’t own the VPN server. Something like this http://strongvpn.com/

I am just trying to set up my ROS router to route a specific IP through the VPN tunnel.

I see. Did you add the masquerade as shown in the Mikrotik setup?

/ip firewall nat
add chain=srcnat action=masquerade out-interface=testvpn

I have two masquerade rules:

add chain=srcnat action=masquerade disabled=no out-interface=ether1
add chain=srcnat action=masquerade disabled=no out-interface=testvpn

Is the VPN running?

/interface pptp-client
print

There should be an ‘R’ after the ‘0’ and before the name.

edit: Did you follow all the instructions? There are “/ip firewall mangle” rules also.
http://strongvpn.com/setup_mikrotik_pptp.shtml

Yes, the VPN is running, and I use the iPhone PPTP VPN connection and it works just fine. So, the VPN server itself is working.




I tried to use the mangle rules at the very beginning, but they never worked. So, instead of using mangle rules to do the marking, I just decided to make it simpler and route a specific IP to the testvpn. But then I found out the “Route List” never worked on the x86 ROS router in the first place. I was using v5.24 and later upgraded to v6.7, but it never works… And that’s why I have been messing with this VPN client setup for more than 1 month.

My route list has always worked, but I don’t use an X86 version.

Maybe you should post your entries in “/ip route”. It appears the recommended mangle rule sends everything (default route) through the VPN connection.

Here is the /ip route print

here is the interface

Can you ping 192.168.120.1?

Nope, I ping directly on ROS router terminal

[admin@MikroTik] /ip firewall nat>> /ping 192.168.120.1
HOST SIZE TTL TIME STATUS
192.168.120.1 timeout
192.168.120.1 timeout
192.168.120.1 timeout
192.168.120.1 timeout
192.168.120.1 timeout
sent=5 received=0 packet-loss=100%

[admin@MikroTik] /ip firewall nat>>

Then you have a problem there. You should be able to ping the VPN gateway. Maybe you should contact strongvpn tech support.

I don’t use strongvpn, I used strongvpn as an example, but I have tried 2 different VPN companies, and I can’t ping either of them. I just tested another VPN company, which you can try to set up and see if you can ping them. They are free. http://www.afreevpn.com/


Here is my result, I can’t ping them.

[admin@MikroTik] /ip firewall nat>> /ping 10.55.0.1
HOST SIZE TTL TIME STATUS
10.55.0.1 timeout
10.55.0.1 timeout
10.55.0.1 timeout
10.55.0.1 timeout
10.55.0.1 timeout
sent=5 received=0 packet-loss=100%

[admin@MikroTik] /ip firewall nat>>


So, if you can help me test on http://www.afreevpn.com/ and see if you can ping them, that would be great. If you manage to ping them, that means something is wrong with the PPTP VPN client on the x86 version, and based on your testing and my testing I can raise a ticket with the developer. Thanks.

I’m posting this from a RB433 using afreevpn.com

It took a routing mark in “/ip firewall mangle” and a new default gateway using that routing mark, but it seems to be working fine. I checked with whatsmyip.com and it shows the afreevpn.com’s public ip.

Just a route rule with routing mark and /ip firewall mangle to mark the packet?

So, you don’t even need masquerade rule?

add chain=srcnat action=masquerade disabled=no out-interface=testvpn

And you can ping the VPN IP just fine?

My bad. It did take a masquerade also. Everything is working fine. I am on a different computer now, but the other computer is up and running using the new VPN route.

edit: My localnet is 192.168.3.0/24. After I got the VPN running using the user and password from the afreevpn site using testvpn as the name, I entered this:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=testvpn

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=testvpn src-address=192.168.3.0/24

/ip route
add dst-address=0.0.0.0/0 gateway=testvpn routing-mark=testvpn

I can conclude something is wrong with the x86 version; I am going to raise a ticket. I have the following, basically trying to mimic your working setup

/ip firewall nat
add chain=srcnat action=masquerade out-interface=testvpn

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=testvpn src-address=10.0.1.0/24

/ip route
add dst-address=0.0.0.0/0 gateway=testvpn routing-mark=testvpn

I can’t even ping the VPN IP address, which in my case is 10.55.0.1.

Mine shows a different dynamic ip assigned to the testvpn interface (10.55.0.54/32) with the same network ip as yours. You will have a routing problem with that setting. Yours has 10.0.1.1 as an address on testvpn. That looks like a routing conflict with one of your localnet interfaces (ether2). ??

I wonder where I change the testvpn IP? Is it automatically assigned 10.0.1.1?

Mine was assigned by the VPN server (afreevpn.com). Yours should be also. Maybe that is the problem you are having?
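
The conflict spotted in the last replies, a testvpn address of 10.0.1.1 sitting inside the router's own LAN range, can be checked mechanically. This is an added example, not part of the original thread: the input is constructed in the layout of `/ip address print`, and the ether1 rows, the ether2 host addresses and the function names are assumptions.

```python
import ipaddress
import re

# Constructed samples in the layout of "/ip address print". The ether1 rows and
# the ether2 host addresses are assumptions; the LAN subnets (10.0.1.0/24,
# 192.168.3.0/24) and the testvpn addresses are the ones quoted in the thread.
BROKEN = """\
 #   ADDRESS            NETWORK         INTERFACE
 0   203.0.113.10/24    203.0.113.0     ether1
 1   10.0.1.1/24        10.0.1.0        ether2
 2 D 10.0.1.1/32        10.55.0.1       testvpn
"""
WORKING = """\
 #   ADDRESS            NETWORK         INTERFACE
 0   203.0.113.10/24    203.0.113.0     ether1
 1   192.168.3.1/24     192.168.3.0     ether2
 2 D 10.55.0.54/32      10.55.0.1       testvpn
"""

# index, optional flags (X/I/D), address/prefix, network (peer on PPP links), interface
ROW = re.compile(r"^\s*\d+\s+(?:[XID]+\s+)?(\d+(?:\.\d+){3}/\d+)\s+(\d+(?:\.\d+){3})\s+(\S+)\s*$")


def parse(text):
    """Return (interface, IPv4Interface, network-or-peer address) per row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(3), ipaddress.ip_interface(m.group(1)),
                         ipaddress.ip_address(m.group(2))))
    return rows


def tunnel_conflicts(text, tunnel="testvpn"):
    """Report tunnel addresses that fall inside a subnet on another interface."""
    rows = parse(text)
    problems = []
    for name, addr, peer in rows:
        if name != tunnel:
            continue
        for other, other_addr, _ in rows:
            if other == tunnel or other_addr.network.prefixlen == 32:
                continue
            for label, ip in (("local", addr.ip), ("remote", peer)):
                if ip in other_addr.network:
                    problems.append(f"{tunnel} {label} {ip} is inside {other_addr.network} on {other}")
    return problems


if __name__ == "__main__":
    print(tunnel_conflicts(BROKEN), tunnel_conflicts(WORKING))
```

The first sample reports the overlap between the tunnel's local address and the ether2 subnet; the second, modelled on the working RB433 setup, reports nothing.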