PPTP behind ISP Router (NAT problem)

Hello everyone,

I am a newbie in MKTs and I have set up a pptp connection between 2 MKTs and it works fine.

Each MKT is behind an ISP Adsl modem-router.
I want the PC1 to be able to ping PC2, but that doesn’t work.

The only thing that works is that the MKT 1 can ping PC2 and vice versa.

I am sure the problem is in NAT configuration.
The only NAT configuration on both MKTs is the following (ether1 is the interface to the ISP router):

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Can anyone help me?
Thanx a lot!
pptp.jpg

You can make this work with NAT, but that is a workaround and not the correct way.

First make sure there are no firewall rules blocking ICMP on the PCs, then add routes to the other side's LAN range on the routers so that it is routed via the tunnel.

Thanx for the answer.

There are no firewall rules or they are disabled during the tests.

The routes I enabled are the following:

for MKT2
/ip route
add check-gateway=ping distance=2 gateway=192.168.1.1
add distance=1 dst-address=192.168.5.0/24 gateway=192.168.9.2

for MKT1
/ip route
add check-gateway=ping distance=2 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=192.168.3.0/24 gateway=192.168.9.1

(192.168.9.1 and 2 are the vpn local/remote addresses)


Each PC can only ping the local vpn remote address.

What other routes should I try?

Edit: If the pptp client is my android phone, I can ping from my PC to the phone and vice versa. So, the problem is when the pptp client is the MKT.
So, I think there is a NAT problem. Or not?

Do the ISP routers have routes to your LANs?

Yes, everything works fine.

Also Port Forwarding works fine.

I am almost sure there is a NAT problem.

Are you sure you allow the other LAN IPs in via the firewall on the MikroTik?

I have no firewall rules.

Only NAT.

Should I have?

Thank you

Please provide a new diagram and include the VPN addresses.

Also the config of both routers after obfuscating any sensitive information

Mikrotik 1 (pptp server)

model = RouterBOARD 750G r3

/interface bridge
add arp=proxy-arp fast-forward=no name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether4 trusted=yes
add bridge=bridge1 interface=ether5 trusted=yes
/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=192.168.2.2/24 interface=ether1 network=192.168.2.0
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0

/ip pool
add name=dhcp_pool1 ranges=192.168.5.2-192.168.5.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/ppp profile
add local-address=192.168.9.1 name="server" remote-address=192.168.9.2 use-encryption=required
/interface pptp-server server
set default-profile="server" enabled=yes
/ppp secret
add local-address=192.168.9.1 name=test profile="server" remote-address=192.168.9.2 service=pptp


/ip route
add check-gateway=ping distance=2 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=192.168.3.0/24 gateway=192.168.9.2


Mikrotik 2 (pptp client)

model = RouterBOARD 750G r3

/interface bridge
add arp=proxy-arp name=bridge1
/interface bridge port
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=192.168.1.36/24 interface=ether1 network=192.168.1.0
add address=192.168.3.1/24 interface=bridge1 network=192.168.3.0

/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/interface pptp-client
add connect-to=193.92.xxx.xxx disabled=no name=pptp-out1 user=test
/ppp profile
add local-address=192.168.9.2 name="client" remote-address=192.168.9.1 use-encryption=required

/ip route
add check-gateway=ping distance=2 gateway=192.168.1.254
add distance=1 dst-address=192.168.5.0/24 gateway=192.168.9.1

On the server side:
Change
/ppp secret
add local-address=192.168.9.1 name=test profile="server" remote-address=192.168.9.2 service=pptp routes="192.168.3.0/24 192.168.9.2 1"

Remove
/ip route
add check-gateway=ping distance=1 dst-address=192.168.3.0/24 gateway=192.168.9.2

The routes= under /ppp secret will dynamically create a route to the client network when the client connects.

On Client side:
Remove
/ppp profile
add local-address=192.168.9.2 name="client" remote-address=192.168.9.1 use-encryption=required

Change
/ip route
add distance=1 dst-address=192.168.5.0/24 gateway=pptp-out1
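As an added illustration (not part of this thread or the posters' configs), a small Python route trace built from the two posted routing tables: it walks a packet from PC1's LAN to PC2's LAN and the reply back, and shows what the missing-reverse-route failure looks like, where the reply leaves via the masqueraded ISP default route and never comes back. The PC addresses, the OWNER map of tunnel addresses to devices, and the name "ISP router" for anything else are assumptions; the client-side route is modelled by its next-hop address 192.168.9.1 rather than by the pptp-out1 interface.

```python
import ipaddress

# Routing tables rebuilt from the two configs posted in this thread:
# (destination prefix, next-hop address, distance). Only the entries that
# matter for LAN-to-LAN traffic are included.
ROUTES = {
    "MKT1": [("0.0.0.0/0", "192.168.2.1", 2), ("192.168.3.0/24", "192.168.9.2", 1)],
    "MKT2": [("0.0.0.0/0", "192.168.1.254", 2), ("192.168.5.0/24", "192.168.9.1", 1)],
}
# Directly connected networks per router, from /ip address plus the PPTP addresses.
CONNECTED = {
    "MKT1": {"192.168.2.0/24": "ether1", "192.168.5.0/24": "bridge1", "192.168.9.2/32": "pptp"},
    "MKT2": {"192.168.1.0/24": "ether1", "192.168.3.0/24": "bridge1", "192.168.9.1/32": "pptp"},
}
# Which device answers to a next-hop address (assumption for this trace); any
# other next hop, i.e. the ISP modem-routers, is reported as "ISP router".
OWNER = {"192.168.9.1": "MKT1", "192.168.9.2": "MKT2"}

def lookup(router, dst, routes=ROUTES):
    """Longest-prefix match, ties broken by lowest distance (RouterOS behaviour)."""
    ip = ipaddress.ip_address(dst)
    for net, iface in CONNECTED[router].items():
        if ip in ipaddress.ip_network(net):
            return ("connected", iface)
    best = None
    for prefix, gw, dist in routes[router]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or (net.prefixlen, -dist) > best[0]):
            best = ((net.prefixlen, -dist), gw)
    return ("route", best[1]) if best else ("none", None)

def trace(dst, first_hop, routes=ROUTES):
    """Follow dst hop by hop from the router the packet first enters."""
    path, router = [first_hop], first_hop
    for _ in range(4):  # the topology has at most two MikroTiks on the path
        kind, via = lookup(router, dst, routes)
        if kind != "route":
            path.append("delivered on " + via if kind == "connected" else "no route")
            return path
        router = OWNER.get(via, "ISP router")
        path.append(router)
        if router == "ISP router":  # left via the masqueraded default route: reply is lost
            return path
    return path

def without_lan_route(router):
    """Routing tables with the tunnel route to the far LAN removed on one router."""
    return {r: [e for e in t if not (r == router and e[2] == 1)] for r, t in ROUTES.items()}
```

Run `trace("192.168.3.10", "MKT1")` and `trace("192.168.5.10", "MKT2")` to see both directions cross the tunnel, and `trace("192.168.5.10", "MKT2", without_lan_route("MKT2"))` to see the reply end at the ISP router instead.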

I tried these changes but the result is the same.

VPN works, I can still ping from my mikrotik to other LAN but not from a PC to other LAN.

I can’t find a solution :confused:

Any specific reasons you have Bridge ARP configured as “arp=proxy-arp”?

If not, change that to arp=enabled

OK, I changed it.

I think the problem is that I am missing one more route rule for the "incoming" packets, but I can't understand which one.