i don’t know how to solve the problem
We have two MikroTik routers, an RB1100 and an RB450G; both are set up as PPTP servers for VPN access.
I’m accessing both from home with the standard Windows PPTP VPN client to reach the office servers.
for RB450 works fine, after VPN established I can connect to office servers via VPN normally and my internet connection work normal
But the RB1100, with the same configuration, behaves abnormally: only the VPN works. Remote desktop to the office servers works fine, but the internet connection stops; I can’t access Google, Facebook, etc. Somehow the VPN connection does not allow any other internet traffic.
when VPN connection via RB 1100 disconnected/ended, internet then back to normal
Both routers use the same config and I don’t know what’s going on. Does anybody have the same problem?
I have exactly the same issue.
My RB1200 is set up with PCC and standard firewall rules to act as a NAT.
Sounds like you’re not applying source NAT to the PPTP IP range. Fix your NAT rules to unconditionally NAT out the WAN interface.
Hi fewi,
here is my config
/ip address
# One private LAN (10.10.0.1/24) and three uplinks, each with an address from a /29.
# The "x.x" octets are not valid addresses; presumably redacted by the poster.
add address=10.10.0.1/24 disabled=no interface=LAN network=10.10.0.0
add address=41.x.x.114/29 disabled=no interface=WAN1 network=41.x.x.112
add address=41.x.x.2/29 disabled=no interface=WAN2 network=41.x.x.0
add address=41.x.x.100/29 disabled=no interface=WAN3 network=41.x.x.96
/ip route
# Default routes per routing mark (to_WAN1/2/3). Each mark lists all three virtual
# gateways at distance 1..3, so a marked flow falls back to another uplink when its
# preferred gateway is unreachable.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=to_WAN1 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.2.2.2 routing-mark=to_WAN1 scope=30 target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.3.3.3 routing-mark=to_WAN1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.2 routing-mark=to_WAN2 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.3.3.3 routing-mark=to_WAN2 scope=30 target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=to_WAN2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.3.3.3 routing-mark=to_WAN3 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=to_WAN3 scope=30 target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.2.2.2 routing-mark=to_WAN3 scope=30 target-scope=10
# Main-table defaults (no routing-mark). Traffic that the mangle rules do not mark
# follows these. The mangle rules shown all match in-interface=LAN, so this likely
# includes traffic from PPTP clients - confirm.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.2.2.2 scope=30 target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.3.3.3 scope=30 target-scope=10
# 10.1.1.1, 10.2.2.2 and 10.3.3.3 are not on any interface network listed under
# /ip address; they are /32 destinations resolved through the public hosts below,
# each monitored with check-gateway=ping.
# NOTE(review): uplink health therefore depends on third-party hosts answering ICMP;
# if both probe hosts for a gateway stop replying, that uplink will presumably be
# treated as down even though the link is fine.
add check-gateway=ping disabled=no distance=1 dst-address=10.1.1.1/32 gateway=196.2.63.110 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.1.1.1/32 gateway=67.195.160.76 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.2.2.2/32 gateway=74.125.230.146 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.2.2.2/32 gateway=41.1.224.101 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.3.3.3/32 gateway=41.203.21.137 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.3.3.3/32 gateway=152.111.193.28 scope=10 target-scope=10
# Host routes that pin each probe host to one specific uplink gateway, so a ping to
# that host tests that uplink only.
add comment=VodaCom disabled=no distance=1 dst-address=41.1.224.101/32 gateway=41.x.x.1 scope=10 target-scope=10
add comment=MyADSL disabled=no distance=1 dst-address=41.203.21.137/32 gateway=41.x.x.97 scope=10 target-scope=10
add comment=Yahoo disabled=no distance=1 dst-address=67.195.160.76/32 gateway=41.x.x.113 scope=10 target-scope=10
add comment=Google disabled=no distance=1 dst-address=74.125.230.146/32 gateway=41.x.x.1 scope=10 target-scope=10
add comment=News24 disabled=no distance=1 dst-address=152.111.193.28/32 gateway=41.x.x.97 scope=10 target-scope=10
add comment=MWeb disabled=no distance=1 dst-address=196.2.63.110/32 gateway=41.x.x.113 scope=10 target-scope=10
/interface ethernet
# Renames port 0 to LAN and enables proxy-arp on it.
# NOTE(review): proxy-arp is presumably here so VPN clients given LAN-range addresses
# are reachable from LAN hosts; the PPTP address assignment is not shown - confirm.
set 0 arp=proxy-arp auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 mac-address=00:0C:42:CF:5B:3A mtu=1500 name=LAN speed=100Mbps
/interface pptp-server server
# Enables the PPTP server with the "default-encryption" PPP profile.
# NOTE(review): the authentication list accepts pap, chap and mschap1 as well as
# mschap2. PAP carries the password in clear text inside PPP and MS-CHAPv1 is weak,
# so a client or an on-path downgrade can end up on a weaker method. Restricting the
# list to mschap2 removes those options.
# NOTE(review): the profile sets use-encryption=yes; confirm whether that makes
# encryption mandatory on this RouterOS version or only offers it.
# PPTP with MS-CHAPv2/MPPE is itself widely regarded as broken; for remote access to
# office servers a certificate-based tunnel (e.g. the SSTP server configured below,
# once given a certificate) or L2TP/IPsec is the safer choice.
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
# SSTP server is present but disabled (enabled=no).
# NOTE(review): as written it has certificate=none, verify-client-certificate=no and
# the same broad authentication list as PPTP. Before enabling it, assign a server
# certificate and narrow the authentication methods.
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled port=443 verify-client-certificate=no
/ip firewall filter
# Rule order matters: rules are evaluated top to bottom within each chain.
#
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="Std established" connection-state=established disabled=no
add action=accept chain=input comment="Std related" connection-state=related disabled=no
add action=drop chain=input comment="Std invalid" connection-state=invalid disabled=no
# DNS/NTP to the router is accepted from the LAN interface only, so the router is
# not offered as a resolver on the WAN side by these rules.
add action=accept chain=input comment="Allow DNS & NTP" disabled=no dst-port=53,123 in-interface=LAN protocol=udp
add action=accept chain=input comment="Allow DNS" disabled=no dst-port=53 in-interface=LAN protocol=tcp
add action=accept chain=input comment="Allow Admin_Hosts on LAN" disabled=no in-interface=LAN src-address-list=admin_hosts
# NOTE(review): the comment says "on LAN" but this rule matches in-interface=WAN3.
# It accepts ALL protocols and ports from admin_hosts arriving on WAN3. With the
# final input drop below, it is the only rule shown that admits new WAN-side
# connections to the router, which would include PPTP. The contents of admin_hosts
# are not shown - keep that list as small as possible.
add action=accept chain=input comment="Allow Admin_Hosts on LAN" disabled=no in-interface=WAN3 src-address-list=admin_hosts
# NOTE(review): chain=prerouting is not one of the filter table's built-in chains
# (input, forward, output). Unless something jumps to a custom chain with this name,
# this rule is presumably never evaluated - confirm whether it belongs in mangle.
add action=accept chain=prerouting comment="Allow Internal Routing" disabled=no in-interface=LAN src-address-list=internal
add action=accept chain=input comment="Allow Internal ICMP" disabled=no in-interface=LAN protocol=icmp
# Default-deny for the router itself: log, then drop whatever was not accepted above.
add action=log chain=input comment="Drop Traffic to Router Log" disabled=no log-prefix=drop_traffic
add action=drop chain=input comment="Drop Traffic to Router" disabled=no
#
# --- forward chain: traffic routed through the router ---
# Outbound SMTP (tcp/25) leaving via any non-LAN interface is dropped unless the
# source is 10.10.0.250; the matching log rule is disabled.
add action=log chain=forward comment="Log all non Mail Server STMP" disabled=yes dst-port=25 log-prefix=smtp_ out-interface=!LAN protocol=tcp src-address-list="!SMTP Log"
add action=drop chain=forward comment="Drop all non Mail Server STMP" disabled=no dst-port=25 out-interface=!LAN protocol=tcp src-address=!10.10.0.250
add action=accept chain=forward comment="Std established" connection-state=established disabled=no
add action=accept chain=forward comment="Std related" connection-state=related disabled=no
add action=drop chain=forward comment="Std invalid" connection-state=invalid disabled=no
# NOTE(review): new forwarded connections are accepted only when they arrive on the
# LAN interface. PPTP clients normally arrive on their own dynamic PPP interface, not
# on LAN, so their new connections would not match here and would reach the final
# drop unless addressed to 10.10.0.250 on the ports below - worth checking against
# the "no internet while VPN is up" symptom. If VPN clients should be allowed out,
# add a rule scoped to the VPN address range rather than widening this one.
add action=accept chain=forward comment="Allow WAN Traffic" disabled=no in-interface=LAN
# NOTE(review): these two rules accept traffic to 10.10.0.250 from any interface and
# any source. The port list includes clear-text services (21, 110, 143) and tcp/22,
# for which no dst-nat rule is shown. Trim the list to what is actually published.
add action=accept chain=forward comment="MARS Traffic" disabled=no dst-address=10.10.0.250 dst-port=21,22,25,53,80,110,143,443,8080 protocol=tcp
add action=accept chain=forward comment="MARS Traffic" disabled=no dst-address=10.10.0.250 dst-port=53 protocol=udp
# Default-deny for forwarded traffic.
add action=drop chain=forward comment="Drop everything else" disabled=no
/ip firewall mangle
# Marks connections and routes so that flows are spread over three uplinks (PCC) and
# replies leave through the uplink they arrived on. Every prerouting marking rule
# for outbound traffic matches in-interface=LAN only.
#
# Early accepts: hairpin and internal destinations skip all marking below.
# NOTE(review): this rule uses src-address-list=Internal (capital I) while other
# rules use "internal"; if list names are case-sensitive these are different lists.
add action=accept chain=prerouting comment="Hairpair Hosts" disabled=no dst-address-list=public-ips in-interface=LAN src-address-list=Internal
add action=accept chain=prerouting comment="Internal Routing" disabled=no dst-address-list=internal in-interface=LAN
# Static assignments: specific services are pinned to a chosen uplink before PCC runs.
add action=mark-connection chain=prerouting comment=Viber connection-state=new disabled=no dst-port=5243 in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes protocol=udp
# Inbound published services: mark by arrival interface so replies use the same uplink.
add action=mark-connection chain=prerouting comment="WAN1 Web & Mail Traffic" connection-state=new disabled=no dst-address=41.x.x.114 dst-port=21,25,53,80,110,143,443,8080 in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="WAN1 Web & Mail Traffic" connection-state=new disabled=no dst-address=41.x.x.114 dst-port=53 in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="WAN2 Web & Mail Traffic" connection-state=new disabled=no dst-address=41.x.x.2 dst-port=21,25,53,80,110,143,443,8080 in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes protocol=tcp
# NOTE(review): the next line is cut off in the paste (it ends in "pr"); by analogy
# with the WAN1 udp rule it presumably continued with protocol=udp - confirm against
# the router's actual export.
add action=mark-connection chain=prerouting comment="WAN2 Web & Mail Traffic" connection-state=new disabled=no dst-address=41.x.x.2 dst-port=53 in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes pr
add action=mark-connection chain=prerouting comment="MWeb SMTP" connection-state=new disabled=no dst-address=196.2.16.216 dst-port=25 in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="Vodacom SMTP" connection-state=new disabled=no dst-address=41.0.7.123 dst-port=25 in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes protocol=tcp
# NOTE(review): both comments say "WAN1" but the rules set WAN3_conn.
add action=mark-connection chain=prerouting comment="HTTPS WAN1 TCP" connection-state=new disabled=no dst-port=443 in-interface=LAN new-connection-mark=WAN3_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="HTTPS WAN1 UDP" connection-state=new disabled=no dst-port=443 in-interface=LAN new-connection-mark=WAN3_conn passthrough=yes protocol=udp
# Per-host overrides for 10.10.0.247. These come after the generic 443 rule above and
# all use passthrough=yes, so for tcp/443 from this host the later mark (WAN2_conn)
# is the one that remains.
add action=mark-connection chain=prerouting comment="Wan1 NZB" connection-state=new disabled=no dst-port=80 in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes protocol=tcp src-address=10.10.0.247
add action=mark-connection chain=prerouting comment="Wan2 NZB" connection-state=new disabled=no dst-port=443 in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes protocol=tcp src-address=10.10.0.247
add action=mark-connection chain=prerouting comment="Wan3 NZB" connection-state=new disabled=no dst-port=81 in-interface=LAN new-connection-mark=WAN3_conn passthrough=yes protocol=tcp src-address=10.10.0.247
# Connections to the router itself are marked by arrival uplink ...
add action=mark-connection chain=input comment="WAN1 Connection Mark" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment="WAN2 Connection Mark" disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input comment="WAN3 Connection Mark" disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
# ... and the router's own replies get the matching routing mark on output.
add action=mark-routing chain=output comment="WAN1 Routing Mark" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="WAN2 Routing Mark" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output comment="WAN3 Routing Mark" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
# PCC: connections from LAN that are still unmarked are split three ways (3/0, 3/1,
# 3/2) on both addresses and ports.
add action=mark-connection chain=prerouting comment="WAN1 PCC" connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting comment="WAN2 PCC" connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting comment="WAN3 PCC" connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
# Translate the connection mark into a routing mark for packets arriving from LAN.
add action=mark-routing chain=prerouting comment="LAN Routing Mark to WAN1" connection-mark=WAN1_conn disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment="LAN Routing Mark to WAN2" connection-mark=WAN2_conn disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting comment="LAN Routing Mark to WAN3" connection-mark=WAN3_conn disabled=no in-interface=LAN new-routing-mark=to_WAN3 passthrough=yes
/ip firewall nat
# Hairpin NAT for LAN clients reaching published hosts via their public addresses.
# NOTE(review): this rule uses dst-address-list=hairpin-hosts while the mangle
# hairpin rule uses public-ips; confirm both lists exist and are meant to differ.
add action=masquerade chain=srcnat comment=Hairpin-NAT disabled=no dst-address-list=hairpin-hosts out-interface=LAN src-address-list=internal
# Published services on WAN1/WAN2, all forwarded to 10.10.0.250 with no source
# restriction.
# NOTE(review): the tcp list includes clear-text protocols (21 FTP, 110 POP3,
# 143 IMAP); publish only what is needed and prefer the TLS variants.
add action=dst-nat chain=dstnat comment="WAN1 Web & Mail Traffic" disabled=no dst-address=41.x.x.114 dst-port=21,25,53,80,110,143,443,8080 protocol=tcp to-addresses=10.10.0.250
add action=dst-nat chain=dstnat comment="WAN1 Web & Mail Traffic" disabled=no dst-address=41.x.x.114 dst-port=53 protocol=udp to-addresses=10.10.0.250
add action=dst-nat chain=dstnat comment="WAN2 Web & Mail Traffic" disabled=no dst-address=41.x.x.2 dst-port=21,25,53,80,110,143,443,8080 protocol=tcp to-addresses=10.10.0.250
add action=dst-nat chain=dstnat comment="WAN2 Web & Mail Traffic" disabled=no dst-address=41.x.x.2 dst-port=53 protocol=udp to-addresses=10.10.0.250
# NOTE(review): this maps public tcp/80 on the WAN3 address to tcp/3389 on
# 10.10.0.232, described as an XP host, with no source restriction. Moving RDP to
# another port does not protect it. No forward accept for 10.10.0.232 is visible in
# the filter rules shown, so it may currently be dropped - confirm. Remote desktop is
# better reached over the VPN than published directly.
add action=dst-nat chain=dstnat comment="WAN3 RDP XP" disabled=no dst-address=41.x.x.100 dst-port=80 protocol=tcp to-addresses=10.10.0.232 to-ports=3389
# NOTE(review): the comment says "RDP XP" but this forwards tcp/1723 (PPTP control)
# from the WAN3 address to the router's own LAN address 10.10.0.1.
add action=dst-nat chain=dstnat comment="WAN3 RDP XP" disabled=no dst-address=41.x.x.100 dst-port=1723 protocol=tcp to-addresses=10.10.0.1 to-ports=1723
# Unconditional source NAT on each uplink: anything leaving via WAN1/2/3 is
# masqueraded regardless of source address.
add action=masquerade chain=srcnat comment="Masquerade WAN1 Out" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="Masquerade WAN2 Out" disabled=no out-interface=WAN2
add action=masquerade chain=srcnat comment="Masquerade WAN3 Out" disabled=no out-interface=WAN3
/ppp profile
# "default" profile: hands out the router (10.10.0.1) as DNS server; encryption is
# left at its default.
set default change-tcp-mss=yes dns-server=10.10.0.1 name=default only-one=default use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
# "default-encryption" profile: the one the PPTP server uses; use-encryption=yes.
# NOTE(review): no local/remote address or pool is set in either profile here, so
# the VPN client addressing must come from configuration not shown in this paste.
# NOTE(review): confirm use-encryption=yes rejects unencrypted sessions; if it only
# offers encryption, a client authenticating with pap or chap could connect in clear.
set default-encryption change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default