RB2011iLS cannot connect to PPTP Server

Hi everyone,

I have two routers: one RB2011iLS, which is the edge router, and another, an hAP ac2, which I use as a switch and WiFi access point. When I create a PPTP client on the RB2011 and try to connect to the PPTP server (plain connection, no encryption), it eventually times out. I turned on firewall logs and saw a couple of these in the logs for :

invalid input: in:ether1 out:(unknown 0), src-mac e0:2f:6d:6c:e5:d9, proto 47, xx.xxx.xx.xxx->xxx.xx.xxx.xx, len 61

So I added a new rule to accept the GRE protocol on input, but then it just started connecting and disconnecting rapidly, and the logs on the server side (CentOS 7) were showing something like this:

pptpd[7489]: GRE: read(fd=7,buffer=56197f3063e0,len=8260) from network failed: status = -1 error = Protocol not available

Now I have NO clue as to what's happening, and the other logs aren't telling me anything.

Now, I also tried to set up a PPTP client on the hAP ac2 with IDENTICAL settings (PPTP-client-related settings) and it works like a charm. The only difference (that I can tell) is that the hAP doesn't have any FW filter rules.

These are the rules on RB2011iLS:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related
add action=accept chain=input protocol=gre
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes log-prefix=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=not_lan
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes log=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none

Any help on what the hell is happening?