PPTP Server: Clients cannot ping remote site, ROS can

Hi

I was very pleased with myself following the PPTP site-to-site example, until I realised it didn't work.

The router (RB450G) can ping both ends of the tunnel, plus the remote IP I also assigned, so the link is working. However, PCs connected to my network cannot.

Local ROS is 192.168.254.1

IP Tunnel is 172.16.3.1 (local), 172.16.3.2 (remote)

Remote IP is 192.168.250.1

I can ping them all from the 192.168.254.1 router, and can see the routes. Where would the problem be?

Many thanks

Post your configuration. It’s much easier to see what exactly you did and try to spot what’s wrong than it is to just generally guess at what you might have been doing.

Thanks Fewi

I'm not that hot on the CLI yet; which specific section would be relevant?

A good start would be all IP addressing, firewalling, routing, and the PPTP config. So that's the output of "/interface print detail", "/ip address print detail", "/ip route print detail", and "/ip firewall export" from both routers, and "/interface pptp-server export" and "/interface pptp-client export" from the relevant routers. Please wrap everything in code tags and clearly mark which router is which.

This is likely to just be routing related where the routers don't have routes to the subnets behind the other one - when pinging router to router it would pick the IP address of the closest interface, which is directly connected for both.

This is from the RB450 (main office)

[admin@MikroTik] > /interface print detail 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="ether1-gateway" type="ether" mtu=1500 l2mtu=1524 
 1  R  name="ether2-master-local" type="ether" mtu=1500 l2mtu=1524 
 2  R  name="ether3-slave-local" type="ether" mtu=1500 l2mtu=1524 
 3     name="ether4-slave-local" type="ether" mtu=1500 l2mtu=1524 
 4     name="ether5-slave-local" type="ether" mtu=1500 l2mtu=1524 
 5     name="pptp-in1" type="pptp-in" 
 6 DR  name="<pptp-yarmouth>" type="pptp-in" mtu=1460 
 7 DR  name="<pptp-ohg>" type="pptp-in" mtu=1460

This is /IP ADDRESS PRINT DETAIL

[admin@MikroTik] > /ip address print detail  
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.254.1/24 network=192.168.254.0 interface=ether2-master-local 
     actual-interface=ether2-master-local 
 1 D address=213.123.115.166/24 network=213.123.115.0 interface=ether1-gateway 
     actual-interface=ether1-gateway 
 2 D address=172.16.3.1/32 network=172.16.3.2 interface=<pptp-yarmouth> 
     actual-interface=<pptp-yarmouth> 
 3 D address=172.168.1.1/32 network=172.168.1.2 interface=<pptp-ohg> 
     actual-interface=<pptp-ohg>

Route Detail

[admin@MikroTik] > /ip route print detail  
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 pref-src=213.123.115.166 gateway=ether1-gateway 
        gateway-status=ether1-gateway reachable distance=1 scope=30 
        target-scope=10 

 1 ADC  dst-address=172.16.3.2/32 pref-src=172.16.3.1 gateway=<pptp-yarmouth> 
        gateway-status=<pptp-yarmouth> reachable distance=0 scope=10 

 2 ADC  dst-address=172.168.1.2/32 pref-src=172.168.1.1 gateway=<pptp-ohg> 
        gateway-status=<pptp-ohg> reachable distance=0 scope=10 

 3 ADS  dst-address=192.168.250.0/24 gateway=172.16.3.2 
        gateway-status=172.16.3.2 reachable <pptp-yarmouth> distance=1 scope=30 
        target-scope=10 

 4   S  dst-address=192.168.250.0/24 gateway=172.16.3.2 
        gateway-status=172.16.3.2 reachable <pptp-yarmouth> distance=1 scope=30 
        target-scope=10 

 5  DS  dst-address=192.168.252.0/24 gateway=172.16.1.2 
        gateway-status=172.16.1.2 unreachable distance=1 scope=30 
        target-scope=10 

 6 ADC  dst-address=192.168.254.0/24 pref-src=192.168.254.1 
        gateway=ether2-master-local gateway-status=ether2-master-local reachable 
        distance=0 scope=10 

 7 ADC  dst-address=213.123.115.0/24 pref-src=213.123.115.166 
        gateway=ether1-gateway gateway-status=ether1-gateway reachable 
        distance=0 scope=10

IP FIREWALL EXPORT

[admin@MikroTik] > /ip firewall export  
# aug/25/2011 07:45:23 by RouterOS 5.5
# software id = 0N2S-Y19T
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="From our LAN" disabled=no in-interface=ether2-master-local \
    src-address=192.168.254.0/24
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no protocol=gre
add action=drop chain=input disabled=no in-interface=ether1-gateway src-address=89.207.130.17
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway \
    src-address=192.168.254.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

INTERFACE PPTP-SERVER

[admin@MikroTik] > interface pptp-server export  
# aug/25/2011 07:47:09 by RouterOS 5.5
# software id = 0N2S-Y19T
#
/interface pptp-server
add disabled=no name=pptp-in1 user=""
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=yes \
    keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
[admin@MikroTik] >

No pptp-client data on the office router.

All above are from Main office router.

What follows below is the remote router:

[admin@00:0C:42:9C:7D:AB] > /interface print detail 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0     name="wlan1" type="wlan" mtu=1500 l2mtu=2290 
 1     name="wlan2" type="wlan" mtu=1500 l2mtu=2290 
 2  R  name="ether1" type="ether" mtu=1500 l2mtu=1526 
 3     name="ether2" type="ether" mtu=1500 l2mtu=1522 
 4     name="ether3" type="ether" mtu=1500 l2mtu=1522 
 5  R  name="office" type="pptp-out" mtu=1460 
 6  R  name="wifi" type="bridge" mtu=1500 l2mtu=65535

IP ADDRESS PRINT DETAIL

[admin@00:0C:42:9C:7D:AB] > /ip address print detail  
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     address=192.168.88.1/24 network=192.168.88.0 interface=ether1 
     actual-interface=ether1 

 1   ;;; hotspot network
     address=10.10.10.1/24 network=10.10.10.0 interface=wifi 
     actual-interface=wifi 

 2   address=192.168.250.1/24 network=192.168.250.0 interface=ether1 
     actual-interface=ether1 

 3 D address=192.168.1.66/24 network=192.168.1.0 interface=ether1 
     actual-interface=ether1 

 4 D address=172.16.3.2/32 network=172.16.3.1 interface=office 
     actual-interface=office

IP ROUTE PRINT DETAIL

[admin@00:0C:42:9C:7D:AB] > /ip route print detail  
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=192.168.1.254 
        gateway-status=192.168.1.254 reachable ether1 distance=0 scope=30 
        target-scope=10 vrf-interface=ether1 

 1 ADC  dst-address=10.10.10.0/24 pref-src=10.10.10.1 gateway=wifi 
        gateway-status=wifi reachable distance=0 scope=10 

 2 ADC  dst-address=172.16.3.1/32 pref-src=172.16.3.2 gateway=office 
        gateway-status=office reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.66 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 4 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.250.0/24 pref-src=192.168.250.1 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10

IP FIREWALL EXPORT

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=10.10.10.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

INTERFACE PPTP-SERVER

/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no \
    keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

PPTP-CLIENT

/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=\
    213.123.115.166 dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 \
    mrru=disabled name=office password=******** profile=default-encryption user=\
    ********

That's the lot - any insights greatly appreciated.

You have routes on the PPTP server, but no routes back on the PPTP client. One simple static route on the remote router should fix that:

/ip route add dst-address=192.168.254.0/24 gateway=172.16.3.1

Pinging from the PPTP server works because it will pick 172.16.3.1 as a source address (closest to the destination) and has routes to 192.168.250.0/24, and the remote router has a route to 172.16.3.1 in its routing table. You can’t ping from clients behind the PPTP server because they’d use 192.168.254.0/24 as a source address, and the PPTP client router doesn’t have a specific route to that network and would use its default route rather than the tunnel.
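To make the asymmetry in this diagnosis (and the routing guess earlier in the thread) concrete, here is an added longest-prefix-match walk-through in Python. It is not Fewi's code or anything from RouterOS; the tables are transcribed from the two "/ip route print detail" outputs above (only the routes relevant to the yarmouth tunnel), and the assumption that the server router sources its own pings from 172.16.3.1 is hard-coded rather than derived from pref-src.

```python
import ipaddress

# Routing tables transcribed from the thread (active routes for the yarmouth
# tunnel only); constructed for this example, not pulled from a live router.
# Each entry: (destination prefix, gateway) as /ip route print showed them.
SERVER_ROUTES = [
    ("0.0.0.0/0", "ether1-gateway"),
    ("172.16.3.2/32", "<pptp-yarmouth>"),
    ("192.168.250.0/24", "172.16.3.2"),
    ("192.168.254.0/24", "ether2-master-local"),
]
CLIENT_ROUTES = [
    ("0.0.0.0/0", "192.168.1.254"),
    ("172.16.3.1/32", "office"),
    ("192.168.250.0/24", "ether1"),
]
# The fix proposed in the thread: one static return route on the client router.
CLIENT_ROUTES_FIXED = CLIENT_ROUTES + [("192.168.254.0/24", "172.16.3.1")]

def lookup(routes, dst):
    """Longest-prefix match over a table; returns the selected gateway or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def via_tunnel(gw):
    """True if the next hop is the PPTP tunnel, named by interface or peer IP."""
    return gw in ("<pptp-yarmouth>", "office", "172.16.3.1", "172.16.3.2")

def round_trip_ok(src, dst, fwd_routes, rev_routes):
    """An echo request src->dst is answered only if the request goes out over the
    tunnel AND the reply dst->src comes back over it; otherwise the reply follows
    the other router's default route toward the internet and is lost."""
    return via_tunnel(lookup(fwd_routes, dst)) and via_tunnel(lookup(rev_routes, src))

if __name__ == "__main__":
    # Router-to-router ping: source is 172.16.3.1, and the client has a /32 for it.
    print(round_trip_ok("172.16.3.1", "192.168.250.1", SERVER_ROUTES, CLIENT_ROUTES))  # True
    # A PC behind the server: the reply to 192.168.254.x hits the client's default route.
    print(round_trip_ok("192.168.254.10", "192.168.250.1", SERVER_ROUTES, CLIENT_ROUTES))  # False
    # Same PC after the static return route is added on the client router.
    print(round_trip_ok("192.168.254.10", "192.168.250.1", SERVER_ROUTES, CLIENT_ROUTES_FIXED))  # True
```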

So simple - worked straight away.

I was using the Route option in the PPTP client, which I assumed assigned a route on the remote device. Thank you.