I’ve been playing with this for a while with no luck.
I have a good firewall following a drop all logic with some tweaks to drop known baddies.
Firewall is basically:
Accept established and Related for both input and forwarding chains.
Then drop all.
Works great for all users except for PPTP through the MT to their work or schools.
I enabled the PPTP service in the firewall and also made rules at the top of the firewall to accept protocol 47 + TCP port 1723 on the forward chain and it still didn’t work, although there were many packets being counted when attempting to dial the VPN through the router.
Any tips? Please be thorough as I have searched a lot and most of what I found was rules related to the MT acting as VPN server.
“Acting as a VPN server” and “forwarding VPN traffic” are two completely different things.
It is not useful to apply solutions you find for acting as a VPN server to the forwarding of VPN traffic problem.
I’m not even sure that the MikroTik is capable of forwarding PPTP (that is not a trivial thing!!), but I have no specific knowledge about that.
So, I did not mean to say I was running a VPN server on the MT. I said that when I was searching, most of what I found was related to setting up the MT as a VPN server or client.
I am looking for help to allow the MikroTik to route PPTP traffic through it. I am not able to forward PPTP/GRE to an IP as I need to make sure lots of users can use any PPTP server they want while on our LAN.
Help!
My users are saying “hey, we can use our VPN while at a cafe, but not when on your network. Why are you blocking our VPN?” It’s a PPTP VPN that seems to be the issue, and setting up something on the MT to manage the traffic and let it pass through the router. I hope I’m being clear here.
Yes it is clear, but it should be noted that PPTP forwarding is a difficult problem, and other routers I have seen have implemented special tricks for it that include limitations (like: it is not possible for two different users on the local net to connect to the same remote PPTP server).
The router has to inspect the traffic on TCP port 1723 and insert dynamic rules for GRE (protocol 47) forwarding depending on that traffic.
I don’t know if the MikroTik can do that.
Users that use OpenVPN, IPsec with NAT-T or SSL VPN will not have any problem; it is only PPTP that is a problem.
Maybe it is in wide use in your region, here it isn’t.
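The inspect-then-insert-dynamic-rules behaviour described in the two posts above, as an added illustration that is not from the thread or from RouterOS: a small model of a NAT's PPTP helper that parses the TCP/1723 control messages, admits inbound GRE only for negotiated calls, and shows why two LAN hosts picking the same Call ID towards one server is a problem. Message layouts follow RFC 2637; IPs and Call IDs in the tests are constructed.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D
OUT_CALL_REQUEST, OUT_CALL_REPLY = 7, 8   # PPTP control message types (RFC 2637)
GRE_PPP = 0x880B                          # protocol field of PPTP's enhanced GRE header
def parse_pptp_control(payload):
    """Parse one TCP/1723 control message -> (ctrl_type, call_id, peer_call_id) or None."""
    if len(payload) < 12:
        return None
    _len, msg_type, magic, ctrl_type, _res = struct.unpack("!HHIHH", payload[:12])
    if msg_type != 1 or magic != PPTP_MAGIC:
        return None
    if ctrl_type == OUT_CALL_REQUEST:      # client -> server: carries the client's Call ID
        return ctrl_type, struct.unpack("!H", payload[12:14])[0], None
    if ctrl_type == OUT_CALL_REPLY:        # server -> client: server's Call ID, then peer's
        call_id, peer_call_id = struct.unpack("!HH", payload[12:16])
        return ctrl_type, call_id, peer_call_id
    return ctrl_type, None, None

class PptpNatHelper:
    """Dynamic-rule logic a NAT needs for PPTP pass-through: watch the control channel,
    then admit inbound GRE only for calls it has seen negotiated (a model, not RouterOS)."""
    def __init__(self):
        self.pending = {}  # (server_ip, client_call_id) -> lan_ip, awaiting the reply
        self.gre_in = {}   # (server_ip, client_call_id) -> lan_ip, GRE from server admitted

    def control(self, src_ip, dst_ip, payload):
        ctrl, call_id, peer_call_id = parse_pptp_control(payload) or (None, None, None)
        if ctrl == OUT_CALL_REQUEST:
            key = (dst_ip, call_id)
            if key in self.pending or key in self.gre_in:
                # Same Call ID from two LAN hosts to one server: their GRE is indistinguishable.
                raise ValueError("call-ID collision for server %s, call %d" % key)
            self.pending[key] = src_ip
        elif ctrl == OUT_CALL_REPLY:
            lan_ip = self.pending.pop((src_ip, peer_call_id), None)
            if lan_ip is not None:
                self.gre_in[(src_ip, peer_call_id)] = lan_ip

    def route_gre(self, server_ip, gre_packet):
        """LAN host an inbound GRE (IP protocol 47) packet belongs to, or None (drop)."""
        flags, proto, _plen, call_id = struct.unpack("!HHHH", gre_packet[:8])
        if proto != GRE_PPP or not flags & 0x2000:   # Key (K) bit carries the Call ID
            return None
        return self.gre_in.get((server_ip, call_id))  # GRE Call ID is the receiver's

def build_control(ctrl_type, *fields):
    """Constructed test input: a minimal PPTP control message with the given body fields."""
    body = struct.pack("!%dH" % len(fields), *fields)
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, ctrl_type, 0) + body
```

Without a helper like this, a stateless "accept GRE in forward" rule has no inbound connection-tracking entry to match, which is consistent with GRE packets being counted yet the VPN never coming up.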
Has anyone implemented any special tricks for PPTP on mikrotik?
It is still a widely used protocol. Although I don’t really like PPTP through NAT, it is something I need to try to support.
Any guides on making it work would be great. My guess is it involves mangling... But that is a bit beyond me to think of, but is something I can try if I have a draft script.
Odd, I haven’t been able to find it in the forums.
Here is an idea, is there any sort of "cloud VPN relay", where you can enter your PPTP credentials, then use SSL or IPSEC to dial into that portal and it will connect your PPTP session to your IPSEC session?
It’s a cool idea, probably something that could be deployed via AWS + MikroTik, but if it’s already been done, it is a cool idea.