PPTP for the Network

FutureDigits · November 1, 2009, 2:27am

Hi i am running RouterOS 4.2 on RB493AH

I have a VPN account with on of the thousands of companies out there. i use it to get to blocked webpages contents on the net. on my computer i have setup a a vpn connection which dials out when i need it..

The question is: i want to make all computers on the Network go thru that same VPN without having to dial out each computer alone to that account.

i have set up a PPTP client which connects OK to the remote Tunnel, but then the internet traffic won’t go through it…

i have looked for documentations alot and most of them only talking about connecting two RB’s together through a VPN tunnel, which doesn’t help me…

any help would be appreciated
Thanks

FutureDigits · November 1, 2009, 7:04am

any help would be appreciated really

FutureDigits · November 1, 2009, 4:17pm

come on, it shouldn’t be that hard, i have searched and searched but no luck…

i only want to make all connections go through the VPN i already established.

Thank you

fewi · November 1, 2009, 4:37pm

The manual contains all the steps to set up a client, and also examples of how to enter routes that go through the tunnel.
http://www.mikrotik.com/testdocs/ros/2.9/interface/pptp.php

FutureDigits · November 2, 2009, 7:51am

this is not what i am looking for… i have looked through it before..

I am not looking for Router to Router tunnel connection!

what i am looking for is to make all the computers on my private network exit to the internet through a VPN connection which i subscribed to so i can access blocked content on this side of the world…

thank you

fewi · November 2, 2009, 4:01pm

Uhm, that’s pretty much the definition of a router to router tunnel connection, the server endpoint is just out of your control and most likely not the same operating system - but that doesn’t matter.

You simply configure your router as a client and connect it to the VPN server you’ve subscribed to, and then define routing on your router so that traffic from the LAN flows through the VPN connection. Here the relevant sections from the manual I posted:

[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex password=lkjrht disabled=no
[admin@RemoteOffice] interface pptp-client> print
Flags: X - disabled, R - running
  0  R name="pptp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex"
       password="lkjrht" profile=default add-default-route=no

[admin@RemoteOffice] interface pptp-client>
[admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

Where 192.168.80.1 represents the publicly reachable IP of the VPN server you’re connecting to, ‘ex/lkjrht’ are the user credentials, 10.0.103.1 is the VPN IP of the server you’re connecting to, and 10.150.2.0/24 is the traffic you want to flow over the VPN tunnel. Adjust the parameters as required. Nothing in the client example requires the other end to be RouterOS.

As far as the routing goes, since you have the special case of wanting all traffic from clients behind the router to go via the tunnel it it would be best to set up route marking for traffic from the LAN like below, make sure to substitute the gateway IP for the VPN server tunnel IP and the name of your LAN facing interface:

/ip firewall mangle add chain=prerouting action=mark-connection in-interface=LAN new-connection-mark=to_VPN passthrough=yes
/ip firewall mangle add chain=prerouting action=mark-routing connection-mark=to_VPN in-interface=LAN new-routing-mark=to_VPN
/ip route dst-address=0.0.0.0/0 gateway=10.0.103.1 routing-mark=to_VPN check-gateway=pring

FutureDigits · November 11, 2009, 4:35am

thanks for the answer, but here is the thing:

i connect to the VPN server no problem as shown :

[admin@MikroTik] /interface pptp-client print
 Flags: X - disabled, R - running 
 0  R name="StrongVPN" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=74.217.58.3 
      user="XXXXXX" password="XXXXXXXX" profile=default-encryption add-default-route=no 
      dial-on-demand=no allow=pap,chap,mschap1,mschap2

the problem is routing a single computer to go through that VPN connection… or making the whole network go through the VPN tunnel??

here is my routing table:

[admin@MikroTik] /ip route> print                       
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.1.1        1       
 1 ADC  172.16.26.1/32     74.201.179.213  StrongVPN      0       
 2 ADC  192.168.0.0/24     192.168.0.1        AP WLAN        0       
 3 ADC  192.168.1.0/24     192.168.1.100    WAN               0       
 4 ADC  192.168.3.0/24     192.168.3.1        LAN                0       
 5 ADC  192.168.5.0/24     192.168.5.1        FD5                0       
 6 ADC  192.168.6.0/24     192.168.6.1        Office             0

connection number 1 is made by the VPN interface as soon as it connect, the rest is my network configuration…
i want all computer connected through 192.168.3.0/24 to go through the VPN tunnel… or at least to assign a single or couple ip’s to go through the vpn tunnel??

i have tried the previous post and no luck, any input would be appreciated.

FutureDigits · November 11, 2009, 4:11pm

i am sure some1 has an answer, i have been trying this for more than a month…

is it supported by Mikrotik or is it not?

the VPN connect with no problem, is just having a specific IP or a range of IP’s to go through the VPN tunnel is what giving me hell…

any input is appreciated

FutureDigits · November 17, 2009, 9:08pm

i read somewhere that mikrotik routeros only support tunneling from ROS to ROS is that true??

changeip · November 18, 2009, 7:27am

just setup some routes for those users thru the tunnel. and use src-nat or masq if necessary. its not different than having a second ISP, just route what you want where you want.

you may need to use policy routing if you dont want everything to leave that vpn tunnel. it can be done…

kaz911 · November 18, 2009, 7:57am

The problem I had was:

StongVPN gives you a public IP. That means you need to setup a SRC based NAT/masquerade on the VPN for the traffic to flow in and out.

Then I use mangle rules to send the traffic out.

Sending all the traffic out through the VPN would slow down your internet line.

So now I have:

Hulu streaming working. (“Blocked” for Non US ips)
Pandora Netradio (Blocked for non us ip’s)
Access to blocked websites (put them in as they appear)
SIP/Voip working

where are you located?

best

Kasper

akouris · September 3, 2010, 8:34pm

Kasper hi,

I am also trying to setup some rules for Hulu and Pandora to go through a VPN (Strong VPN).

I am having some trouble as I cannot find specific ips for these services, they seem to be working with Akamai.

Could you give me some help?

kaz911 · October 1, 2010, 4:15pm

sorry for the long delay..

just wireshark port 80 access from hulu. You will see some IP’s that are used only for location check.

I dont remember them on top of my head - but from the many… IPs you only need to route a couple of them via VPN. Then you are telling hulu you are in the states…

Then all you need to do is route the “datastream” via vpn as well. It uses port 1935 or some other fun port..

best regards

Kasper

semihgeek · October 24, 2010, 9:37pm

you must be in United Arab Emirates cause they use proxy service for internet connection.There is only one way to unblock Ethisalat that’s VPN

I am from Turkey.I was there 2 months ago.I couldn’t call my family via VOIP.