PPTP Client vpn routing all LAN traffic

Hello,

Is it possible that RouterOS sets up a PPTP client connection to a remote site (PPTP server), and that it routes all the LAN traffic (in a specific subnet) via this single PPTP connection?

E.g. a group of developers on a local LAN need to access a customer’s entire LAN (remotely), but they cannot all use their PPTP VPN clients simultaneously; only ONE concurrent outgoing PPTP VPN connection is allowed from their WAN IP.
(The solution would be that the router creates a PPTP client connection to the customer server, and that all internal LAN traffic is routed through this “shared” VPN connection.)

Can anyone confirm whether RouterOS and MikroTik routers can do this or not?

Yes, no problem. I have a similar setup using an external VPN provider for a portion of the local traffic, using policy-based routing.

Is there a guide somewhere on how to do this? Or is it only for “advanced users” who know their way around RouterOS?
Or would you be so kind as to post the necessary steps here?

No, it’s relatively easy.

Just create a PPTP-client interface to your customer’s server, but don’t include a default route. The most straightforward option is to then create a static route to the specific subnet of your customer with the remote address of the VPN connection found on the status tab/monitor command as the gateway.
Alternatively if you don’t want to route based on destination, you could add a mangle rule based on src-address and use policy based routing by specifying the connection mark on the static route.
Just remember that if you don’t have control over your customer’s routing tables you want to masquerade your traffic so that traffic can find its way back.
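The steps in the reply above, written out as a RouterOS CLI script. This is an added example, not configuration from the thread or from MikroTik; it uses RouterOS v6 syntax, and the interface name pptp-customer, the server name vpn.customer.example, the credentials, the local subnet 192.168.88.0/24 on a bridge named bridge and the remote subnet 192.168.1.0/24 are all assumed placeholders. Both routing options from the reply are included (destination-based static route, and source-based policy routing, which in RouterOS is done with a routing mark), plus the masquerade rule.

```routeros
# Added example (not from the thread). Placeholders: vpn.customer.example, devuser/CHANGE_ME,
# interface pptp-customer, local LAN 192.168.88.0/24 on "bridge", remote LAN 192.168.1.0/24.

# 1. PPTP client without a default route, so only selected traffic enters the tunnel
/interface pptp-client
add name=pptp-customer connect-to=vpn.customer.example user=devuser password=CHANGE_ME \
    add-default-route=no disabled=no

# 2a. Destination-based: static route for the customer subnet via the tunnel.
#     Using the interface name as gateway means the remote address shown under
#     status/monitor does not have to be copied by hand (it may change on reconnect).
/ip route
add dst-address=192.168.1.0/24 gateway=pptp-customer comment="customer LAN via PPTP"

# 2b. Alternative, source-based (policy routing): mark traffic from the developer LAN
#     and send everything carrying that mark through the tunnel. Left disabled here
#     because 2a is the simpler option; enable both lines to switch.
/ip firewall mangle
add chain=prerouting in-interface=bridge src-address=192.168.88.0/24 \
    action=mark-routing new-routing-mark=to-customer passthrough=no \
    comment="policy routing for developer LAN" disabled=yes
/ip route
add dst-address=0.0.0.0/0 gateway=pptp-customer routing-mark=to-customer \
    comment="all marked traffic via PPTP" disabled=yes

# 3. Masquerade on the tunnel so replies from the customer side find their way back.
#    Needed unless the customer adds a return route for 192.168.88.0/24 pointing at the
#    address their PPTP server assigned to this client.
/ip firewall nat
add chain=srcnat out-interface=pptp-customer action=masquerade comment="NAT over PPTP"

# General PPTP caveat not raised in the thread: tunnels lower the usable MTU, so clamp
# TCP MSS on SYN packets leaving the tunnel to avoid sessions that connect but then stall.
/ip firewall mangle
add chain=forward out-interface=pptp-customer protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu comment="MSS clamp over PPTP"
```

With only step 1 and 2a applied, `/ip route print` should show the 192.168.1.0/24 route as active once the tunnel is up, and `/ping 192.168.1.1 interface=pptp-customer` (placeholder address) tests it from the router itself. On RouterOS v7 the routing mark used in 2b must first be created under `/routing table add name=to-customer fib` before a route or mangle rule can reference it.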

Hello,

I ordered a Mikrotik device, with latest stable version of RouterOS on it.
I tried steps, as they can be found online (see resource links), but still I cannot access the LAN of the other side…

Situation:
Local LAN (192.168.88.x) → RouterOS → VPN client → / Internet / → customer VPN server (PPTP) → remote LAN (192.168.1.x)

Steps that I did:

  1. create a PPTP Client connection
  2. create firewall NAT masq rule for pptp connection
  3. create firewall Mangle preroute rule
  4. added a route to the remote LAN network (using routing mark)
  5. added DNS address

Result:
1- CANNOT ping from router to any ip on remote lan
2- CAN ping from local lan to any ip on the remote lan (!!)
3- CANNOT do any other protocol (FTP, HTTP, HTTPS, TELNET, RDP, SSH…) to any other IP on the remote LAN
→ when connecting to HTTP, Telnet, RDP… it always times out: it seems to do the initial connect + ACK, and then it “stops”?
→ FTP is even stranger: it can connect, authenticate, and then CD to a directory, but when doing an LS it stops somewhere in the middle of the LS output… (timing out after some time)

Resources based upon:
https://support.hidemyass.com/hc/en-us/articles/204558497-Mikrotik-Client-Setup
https://www.youtube.com/watch?v=ffw8KKC7q_Y
http://www.urosvovk.com/step-by-step-how-to-configure-a-pptp-vpn-client-on-mikrotik-routeros/
http://strongvpn.com/setup-mikrotik-pptp.html

Attached are screenshots of current setup / config.
routing_pptp_client.png
Any advice or help is appreciated!

I tried to set up a PPTP client configuration as you specified, but it does not work. (See my next post for more detail.)
Maybe I am missing something…

From which interface are you trying to ping? Are you explicitly selecting the PPTP interface when doing this ping?

So the ping reply is finding its way back, suggesting the route setup is basically working.

Here I would look to your filter rules. I see fasttrack rules. That has a history of not playing nice in VPN scenarios. While I know this is certainly true for IPsec and as from v6.35 it is listed as supported for L2TP, I’m not sure how this currently stands for PPTP (maybe someone else could chime in here). To be sure, disable fasttrack for now until you get the basics working, then start optimising for performance. The behaviour you’re describing certainly sounds like things going wrong in the established/related department (which is usually where you will also find the fasttrack rules).
Secondly, I see you have used the QuickSet (defconf rules). I personally always set up the routing manually from scratch to prevent any ‘automagic’ settings sending me off on a wild-goose chase while trying to get things working. Are your forward rules correctly allowing a free flow of traffic to that remote subnet?

These are just some ideas. Use the torch on the PPTP and local interfaces to get more info on what is actually happening. Please provide an /ip firewall export to have a look at potential configuration errors. Alternatively you could just turn off all the filter rules if your situation permits for a limited testing period without firewall.
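A forward chain that follows the advice in this reply: the defconf fasttrack rule kept but disabled until the tunnel works, and an explicit accept for new connections from the developer LAN into the customer subnet, followed by the diagnostics mentioned. This is an added example, not an export from the thread or from MikroTik’s default configuration; RouterOS v6 syntax, with the bridge name bridge, the tunnel interface pptp-customer, the WAN interface list WAN and the remote subnet 192.168.1.0/24 as assumed placeholders.

```routeros
# Added example (not from the thread). Placeholders: bridge, pptp-customer, WAN list, 192.168.1.0/24.

/ip firewall filter
# defconf-style fasttrack rule, disabled while testing the tunnel. Fasttracked packets
# bypass mangle, so a routing mark set in prerouting is not applied to them, which is
# one way policy routing over a VPN can appear to work for the first packets and then stall.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="defconf: fasttrack" disabled=yes
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"
# explicit accept for new connections from the developer LAN towards the customer LAN;
# placing it before the drop rules makes the intended flow visible in the counters
add chain=forward action=accept connection-state=new in-interface=bridge \
    out-interface=pptp-customer dst-address=192.168.1.0/24 \
    comment="LAN -> customer LAN over PPTP"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# Diagnostics from the reply, to be run interactively rather than as part of a script:
# watch the live flows on the tunnel (Ctrl-C stops torch)
/tool torch interface=pptp-customer ip-protocol=any src-address=0.0.0.0/0 dst-address=0.0.0.0/0
# produce the export to share for review
/ip firewall export file=firewall-for-review
```

After a few connection attempts, `/ip firewall filter print stats` shows which rule the packets hit: a rising counter on the "LAN -> customer LAN over PPTP" rule together with stalled sessions points away from the filter and towards the tunnel itself, while a counter on "drop invalid" means the return traffic is not being matched to its connection.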

Hi Magchiel,

I was encountering the same issue; masquerading my traffic made it possible to ping the remote network from any host. I don’t know if this is a clean way to do it?
I have access to the routing table of the remote network. What should I change in the remote routing table to be able to connect without using the masquerade line?
Here you can find the firewall rule + routing table of the local network:

add action=masquerade chain=srcnat out-interface=l2tp-out1
add distance=1 dst-address=10.2.0.0/16 gateway=10.0.2.254 scope=10 target-scope=30
5 D 10.0.2.105/32 10.0.2.254 l2tp-out1