Hello everyone, I’m trying to run a PPTP client tunnel to a remote location via an existing PPPoE ADSL connection and later use that PPTP tunnel as my default route (sounds simple enough, right? ) but I’m having trouble getting the tunnel up.
(edit: using a routerboard 750GL, v5.15)
Here’s what happens:
Routes without the tunnel running:
0.0.0.0/0 distance 1 -> pppoe
[dynamic] 192.168.0.0/24 distance 0 -> ether2 (the usual LAN routes)
*router connects to pptp host on 1.2.3.4 (public internet address)*
Routes after the tunnel goes up:
0.0.0.0/0 distance 1 -> pppoe
[dynamic] 192.168.0.0/24 distance 0 -> ether2
[dynamic] 1.2.3.4/32 distance 0 -> pptp-client1
At this point the router tries to route the PPTP packets, that should go out through the PPPoE connection, through the tunnel interface itself (since the route for it has a lower distance than the pppoe default gateway) which then after a minute or two dies due to no packets being received by the remote end.
The easiest thing to do would be to just increase the distance setting on the pptp-client1 host route to something > 1 or disable it all together but that’s impossible since it’s a dynamic route.
I think the misconfiguration is from the PPTP server end. Make sure you have not specified “Local Address” as 1.2.3.4 in the PPP secret. Do not use the IP of the interface your are dialing into as Local Address in PPP Secret. You can always use any wild IP Address.
It works fine using a windows machine so I don’t think the VPN provider uses a broken configuration and I don’t believe they would change their whole networking setup just because one guy’s router can’t handle changing the metric on a host route.
I may have found a thread by someone who dealt with the same problem: http://forum.mikrotik.com/t/pptp-client-routing-issue/37689/1
I’ve tried fiddling with the routing filters but didn’t come very far and the wiki page about that feature is rather nonexplanatory; Is this the feature I am looking for and if yes: How do I use it properly?
Thanks to everyone who participated thus far and I hope you can bear with my newbie questions for a bit longer.
No, the PPPoE tunnel is my connection to the internet using a VDSL line to my ISP.
And yet it is not working.
Like I said in my first post, I (and also the VPN provider) believe this a problem with the default distance/metric setting of 0 of the dynamic PPTP host route once the tunnel is up.
From observation it seems that once the tunnel is up, all the PPTP control packets and payload packets that should reach the PPTP server on the internet via pppoe-out1 get instead routed through the new pptp-client1 host route.
The VPN provider was able to confirm that after the tunnel is finalized and is in an up-and-running state, no more packets are received by my client.
Ok now its clear. pptp connects over pppoe, but pptp server sets its locall address the same as public interface, so RouterOS adds connected rotue with 93.182.152.2/32. So all control packets tries to go through tunnel itself.
Service provieder should not set its local address the same as public server’s address.
To fix thiss you can try to add routing filter in dynamic-in chain, which will disable that connected route.
And add static route to route specific network over the pptp tunnel
/ip route add dst-address=x.x.x.x gateway=pptp-out1
Now to add a default route to route all traffic headed for the internet through the PPTP tunnel.
I managed to get it to behave as a default gateway with some mangling rules and route rules but I’m wondering if I can simplify them:
> /ip route print detail
0 A S dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=1 scope=30
target-scope=10 routing-mark=force-isp
1 A S dst-address=0.0.0.0/0 gateway=pptp-iPredator gateway-status=pptp-iPredator reachable check-gateway=ping
distance=1 scope=30 target-scope=10 routing-mark=ipredator-route
2 A S dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable check-gateway=ping
distance=3 scope=10 target-scope=10
TL;DR: It works and and I’m happy. Thanks to all the participants.
Edit: actually, with this configuration the services behind NAT/Port-forwarding become unreachable. I’m thinking because the TCP ACK packages get forcibly routed through the tunnel. Any ideas?
That way the packets get routed through the tunnel if it exists and packets to 93.182.152.2 always get routed through pppoe.
But I still can’t connect to NAT’ed services from outside.
Here is a quote of my reply to the IPredator guys that asked me how I made their VPN service to work on my MikroTik router.
…
Here are the commands:
/ip route add comment="Route for IPredator VPN to work" disabled=no distance=1 dst-address=93.182.188.2/32 gateway=ADSL-Gateway routing-mark=ipredator-vpn scope=30 target scope=10
>
>
> ```text
/ip route rule add action=lookup-only-in-table comment="Route rule for IPredator VPN to work" disabled=no dst-address=93.182.188.2/32 table=ipredator-vpn
93.182.188.2/32 is the IP address of the IPredator VPN Server. Notice the /32 bitmask. This is needed.
Normally on windows for example vpn.ipredator.se resolves to multiple A records and on each connect it chooses a different one.
On Mikrotik the pptp interface resolves the domain to 1 IP and saves that IP permanetly so the DNS round robin solution you have implemented does not work out of the box with it.
Maybe with some scripting this could be more random. But for it to work just picking one IP from the stack will do.
ADSL-Gateway is the name of the internet gateway interface (the one that has the public IP).
Then the standard masquerade rule is needed to SNAT the outgoing packets.
…
The rest is a standard PPTP client interface setup with ‘add default gateway’ enabled.
) but I’m having trouble getting the tunnel up.
