PPTP client disconnect once mangle routing is enabled

clayntouch · November 7, 2019, 8:55am

Hi everyone,

I’m trying to implement PPTP VPN in order for our remote office (located in other town) to access our database server which is in our main office through PPTP. I’m using RB110AHx2 with the following diagram as shown below
1.Network diagram.jpg
In my existing setup, i have 2 WAN that load balance as shown below
2.Network firewall.jpg
My problem is PPTP clients can connect but cannot ping or access any of internal IPs’ from 192.168.1.0/24 once i enabled my routing marks in mangle.

Sorry in advance if i post common sense question or redundant question here. I only configured my RB though watching online videos. TIA!

Zacharias · November 7, 2019, 8:57pm

Use the main routing table for the 192.168.1.0/24 subnet by adding an accept rule for that in a prerouting chain…
Where is that PLDT route?

clayntouch · November 8, 2019, 7:46am

Oh. Apologies sir. this is the correct routing

ROUTE LIST

Gateway: 120.28.xx.xx, Distance: 1, Routing Mark: GLOBE
Gateway: 210.5.xx.xx, Distance: 1, Routing Mark: PLDT
Gateway: 120.28.xx.xx, Distance: 1

is this correct sir?

/ip firewall mangle
add action=accept chain=prerouting src-address=192.168.1.0/24

clayntouch · November 9, 2019, 9:20am

IT WORKS! Thank you very much sir!

clayntouch · November 9, 2019, 12:42pm

Hi my client pptp can now ping and access any of my LAN ip from the other site. But after i add accept for 192.168.1.0/24, routing mark no longer route 192.168.1.0/24 into PLDT (wan2) it keep using the GLOBE (isp1)

i also tried to route my database server ip using add action=accept chain=prerouting src-address=192.168.1.254 but it is not working.

please see my mangle config below :

/ip firewall mangle
add action=accept chain=prerouting src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=PLDT passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=GLOBE passthrough=yes src-address=192.168.2.0/24
add action=mark-routing chain=prerouting new-routing-mark=GLOBE passthrough=yes src-address=10.0.0.0/22

Thanks!

Zacharias · November 9, 2019, 4:08pm

Oh i forgot you want to route the traffic through specific line…
Remove the first mangle rule and in the second mangle rule add dst-adress !192.168.1.0/24

clayntouch · November 10, 2019, 4:27am

Hi Zach,

Many thanks for your help. It resolves my problem as stated in the topic. Sharing my working mangle firewall below as reference for others. Thank you very much!

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.1.0/24 new-routing-mark=PLDT passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=GLOBE passthrough=yes src-address=192.168.2.0/24
add action=mark-routing chain=prerouting new-routing-mark=GLOBE passthrough=yes src-address=10.0.0.0/22

Zacharias · November 10, 2019, 9:45am

Great…!