PPTP L2TP

Hello, new to RouterOS, been a Sophos and ClearOS guy most of my IT days.. I have just installed a RouterOS MikroTik router and had a couple of questions..

I need to forward PPTP to my VPN server on my network, as well as L2TP..

PPTP first, in firewall I have input rules allow tcp port 1723 for PPTP and Input allow GRE Protocol ID 47.. what else do I need, or is this even correct? My VPN server on my LAN is 192.168.110.250

Thanks, Kevin

You need to set up destination nat rules to forward GRE and PPTP to your server.

Ok, can you give me a little more info on that.. Does this look correct? Sorry to sound dumb but first time setting one up..

https://drive.google.com/file/d/0B56BjCIFfwWEUWEwMXpLSDBBb0E/view?usp=sharing
https://drive.google.com/file/d/0B56BjCIFfwWETGtIMnZNbDVoQUE/view?usp=sharing

No, dst-address must be the router's public IP.
192.168.110.250 is the redirect-to address in the action tab.

So in action set to redirect, where do you put the redirect address 192.168.110.50?

Action should be dst-nat, not redirect.

Ok appreciate the help but this isn’t getting me anywhere, if you are interested in giving me a detailed answer I would appreciate it otherwise I’ll just look elsewhere.. Thanks again

… sigh. I wasn’t sure if I should let you look elsewhere or not.

When using NAT you have to do things all IPv4 firewall rules have to do:

  1. Identify traffic the rule will apply to.
     • This includes setting a chain for the rule to live in.
  2. Set an action that will apply to the.
     • Define any details that the action requires.

In your case, you want to perform NAT to alter the destination of a packet. This means you’ll be operating in the dstnat chain. You want to alter the destination IP of the packets from your external IP, let’s say 1.1.1.1 to 198.168.110.250. You only want to perform this translation when the layer 4 protocol is TCP and the layer 4 port is 1723.

/ip firewall nat add chain=dstnat action=dst-nat dst-address=1.1.1.1 protocol=tcp dst-port=1723 to-addresses=192.168.110.250 to-ports=1723 log=no

^^ Alternatively, you can use in-interface and specify your WAN interface instead of dst-address. This is useful if you have a dynamic IP from your ISP.

Thank you I understand all of that, things are just in different spots and the procedures are different.. In respect to GRE Protocol. I have a firewall rule to accept allow GRE Protocol ID 47, is anything else necessary?

You need firewall filter rules in the forward chain, not the input chain.
GRE is protocol 47. It does not have port numbers.
PPTP also uses protocol TCP port 1723.
Note that PPTP is notoriously difficult to forward/nat due to this combination of protocols, and
the lack of port numbers in GRE. It will probably fail when you try to set up 2 sessions from the same
external address (i.e. 2 people behind the same NAT).

Of course you can also handle PPTP and L2TP on the MikroTik router.
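
The forwarding discussed in this thread, written out as one RouterOS rule set. This is an added example, not a configuration posted by any participant, and it goes beyond the PPTP rule shown above to cover the L2TP half of the original question. It assumes the WAN interface is named ether1, that L2TP runs over IPsec, and that the filter rules are placed above any drop rule in the forward chain; the server address is the one given in the thread.

```routeros
# Added example. Assumptions: WAN interface is ether1 (hypothetical name),
# L2TP is run over IPsec, VPN server is 192.168.110.250 (from the thread).

# 1. Destination NAT. GRE has no ports, so it is matched on protocol only.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1723 \
    action=dst-nat to-addresses=192.168.110.250 to-ports=1723 \
    comment="PPTP control -> LAN VPN server"
add chain=dstnat in-interface=ether1 protocol=gre \
    action=dst-nat to-addresses=192.168.110.250 \
    comment="PPTP GRE -> LAN VPN server"
# L2TP/IPsec: IKE (500), L2TP (1701), NAT-T (4500); ports are kept as-is.
add chain=dstnat in-interface=ether1 protocol=udp dst-port=500,1701,4500 \
    action=dst-nat to-addresses=192.168.110.250 \
    comment="L2TP/IPsec UDP -> LAN VPN server"
add chain=dstnat in-interface=ether1 protocol=ipsec-esp \
    action=dst-nat to-addresses=192.168.110.250 \
    comment="IPsec ESP -> LAN VPN server"

# 2. Filter rules go in the forward chain, not input: after dst-nat the
#    packets are addressed to the LAN server, not to the router itself.
#    "add" appends to the end of the chain, so move these above any drop rule.
#    Return traffic relies on an existing established/related accept rule.
/ip firewall filter
add chain=forward in-interface=ether1 dst-address=192.168.110.250 \
    protocol=tcp dst-port=1723 action=accept comment="allow PPTP control"
add chain=forward in-interface=ether1 dst-address=192.168.110.250 \
    protocol=gre action=accept comment="allow PPTP GRE"
add chain=forward in-interface=ether1 dst-address=192.168.110.250 \
    protocol=udp dst-port=500,1701,4500 action=accept \
    comment="allow L2TP/IPsec UDP"
add chain=forward in-interface=ether1 dst-address=192.168.110.250 \
    protocol=ipsec-esp action=accept comment="allow IPsec ESP"

# 3. Keep the PPTP connection-tracking helper enabled so GRE flows are
#    associated with their TCP 1723 control session.
/ip firewall service-port
set pptp disabled=no

# 4. Check that the rules are being hit while a client connects.
/ip firewall nat print stats where chain=dstnat
/ip firewall filter print stats where chain=forward
```

The input-chain accept rules for TCP 1723 and GRE mentioned in the question only matter if the router itself terminates the VPN; they play no part in forwarding to 192.168.110.250.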

Yeah, it's looking like I will need to use my ClearOS router or just let the MikroTik handle it itself..