PPTP no access to LAN - Mikrotik 6.34.2 RB 2011UAS

Hello,

I’m going crazy already. After searching everywhere I still cannot find a solution. Everything was OK until I added my other router’s settings after this one was destroyed by thunder. I can connect but cannot access the LAN behind it. Here is my export.

/ip address
add address=xxx.37.123.214/30 interface=ether2-master-local network=xxx.37.123.212
add address=xxx.237.123.210/30 interface=ether1-gateway network=xxx.37.123.208
add address=192.168.157.254/24 interface=bridge-local network=192.168.157.0
add address=11.12.13.1/24 interface=br-vlan999 network=11.12.13.0
add address=11.12.14.1/24 interface=br-vlan200 network=11.12.14.0
add address=11.12.20.1/24 interface=br-vlan998 network=11.12.20.0

/ip firewall filter
add action=drop chain=input connection-state=invalid disabled=yes
add chain=input protocol=icmp
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input connection-state=related in-interface=ether1-gateway
add chain=input connection-state=related in-interface=ether2-master-local
add chain=input connection-state=established in-interface=ether1-gateway
add chain=input connection-state=established in-interface=ether2-master-local
add chain=forward dst-port=3389 protocol=tcp
add action=drop chain=input disabled=yes dst-port=22,80,23,21 protocol=tcp
add action=drop chain=forward disabled=yes
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vlan200 src-address=11.12.14.0/24
/ip firewall nat
add chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.157.0/24
add action=dst-nat chain=dstnat dst-address=xxx.37.123.214 dst-port=3389 protocol=tcp to-addresses=192.168.157.101 to-ports=3389
add action=dst-nat chain=dstnat dst-address=xxx.37.123.214 dst-port=33899 protocol=tcp to-addresses=192.168.157.102 to-ports=33899
add action=masquerade chain=srcnat out-interface=ether1-gateway routing-mark=vlan200
add action=masquerade chain=srcnat out-interface=ether2-master-local
/ip firewall service-port
set ftp disabled=yes

/ppp profile
add bridge=bridge-local dns-server=192.168.157.254 local-address=192.168.157.99 name=xxxx remote-address=192.168.157.98
/ppp secret
add name=xxxx password=xxxx profile=xxxx routes=192.168.157.1 service=pptp

/ip route
add distance=2 gateway=xxx.37.123.209 routing-mark=vlan200
add distance=1 gateway=xxx.37.123.213
add distance=1 dst-address=192.168.100.0/24 gateway=xxx.37.123.209

If anybody can take a look it would be very helpful! Ivan

/ip firewall nat
add chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.157.0/24

What’s the purpose of that natting?

/ppp profile
add bridge=bridge-local dns-server=192.168.157.254 local-address=192.168.157.99 name=xxxx remote-address=192.168.157.98

/ppp secret
add name=xxxx password=xxxx profile=xxxx routes=192.168.157.1 service=pptp

Why the routes=192.168.157.1 for the pptp client?

What’s the ARP setting for bridge-local?

Hello,

/ip firewall nat
add chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.157.0/24
What’s the purpose of that natting?

It is for IPSec VPN tunnel to remote office in another town.

/ppp profile
add bridge=bridge-local dns-server=192.168.157.254 local-address=192.168.157.99 name=xxxx remote-address=192.168.157.98

/ppp secret
add name=xxxx password=xxxx profile=xxxx routes=192.168.157.1 service=pptp

Why the routes=192.168.157.1 for the pptp client?

What’s the ARP setting for bridge-local?

I was experimenting. I actually need to give access to only one host from an outside client. So I tried this… I don’t know anymore…

/interface bridge
add name=br-trunk
add name=br-vlan200
add name=br-vlan202
add name=br-vlan998
add name=br-vlan999
add arp=proxy-arp name=bridge-local

Without knowing your specific network routing, it’s impossible to provide proper directions to fix the routing…

You could accomplish this by using NAT, I’d try:

1.- remove the pptp device from the bridge
2.- remove the routes parameter from the ppp secret
3.- use a private address as local-address on the ppp secret; it should be an IP not used anywhere (e.g. 10.0.0.1)
4.- add a src-nat masquerade rule with out-interface set to the pptp device

BTW, you’re using 11.x.x.x addresses, which aren’t RFC 1918 compliant AFAIK.
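The four steps above written out as RouterOS 6.x commands, as an added example that is not the replier’s or Ivan’s own config. The names pptp-nat, vpnuser and pptp-in1 and the 10.0.0.1/10.0.0.2 tunnel addresses are assumptions; 192.168.157.101 is the RDP host from Ivan’s dst-nat rules, and the closing filter rules limit the client to that single host, which is what Ivan said he needs.

```routeros
# Added example (not from the thread). Names pptp-nat, vpnuser, pptp-in1 and
# the 10.0.0.x tunnel addresses are assumptions; 192.168.157.101 is the RDP
# host from Ivan's dst-nat rules.

# Steps 1 and 3: a profile with no bridge= (the tunnel is routed, not bridged)
# and a private local-address that is not used anywhere else on the network.
/ppp profile
add name=pptp-nat local-address=10.0.0.1 remote-address=10.0.0.2 \
    dns-server=192.168.157.254 use-encryption=required only-one=yes

# Step 2: the secret carries no routes= parameter, so nothing odd is pushed
# to the client and no host route for a LAN address is created on the router.
/ppp secret
add name=vpnuser password=CHANGE-ME profile=pptp-nat service=pptp

# Bind the user to a static server interface so NAT and filter rules can
# reference it by name instead of a dynamic <pptp-vpnuser> entry.
/interface pptp-server
add name=pptp-in1 user=vpnuser

# Step 4: srcnat masquerade with the PPTP interface as out-interface, as suggested.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=pptp-in1

# Least privilege for the remote client: permit RDP to the one host it needs
# and drop everything else that enters from the tunnel.
/ip firewall filter
add chain=forward in-interface=pptp-in1 dst-address=192.168.157.101 \
    protocol=tcp dst-port=3389 action=accept
add chain=forward in-interface=pptp-in1 action=drop
```

Move the two forward rules above the existing `chain=forward dst-port=3389` accept rule in Ivan’s export, otherwise that broader rule matches first and the per-host restriction never applies.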

Works! Thank you very much!

Ivan