RDP and PPTP protocol won't passthrough firewall

dc2110984 · October 11, 2013, 8:51am

Hi Guys,
I’m new here, and this is my first topic.
I have a serious problem.
Let me to explain. I have two WAN’s before MikroTik router.
IPS1 CABLE 192.168.10.1 - MikroTik 192.168.10.2/24
IPS2 ADSL 192.168.1.1 - MikroTik 192.168.1.2/24

Also, local network is in range 192.168.0.0/24
MikroTik local IP is 192.168.0.1

On MikroTik, I got firewall that someone else configured before me.
Now, I need to configure VPN network, and RDP port forwarding to local IP address.
IPS1 has static IP.
I read every single instruction on how to configure VPN anf forward RDP, but when I want to reach from outside, I get refused.
I check that maybe something on IPS1 router (Cisco EPC3925) block traffic or that ISP block port from some reason, but everything is fine.
And still, when I do nmap from outside to check ports 1723 and 3389, or every other port, I get STATE filtered. That’s is, when port’s are managed by firewall, and nmap doesn’t know if it’s open ore closed.
So, I’m confused…
I really tray everything on Firewall and NAT rules, but maybe I’m missing something, and I can’t see that SOMETHING.
I have attached print screen of my firewall and NAT rules.
And just to say, that I’m beginner in configuring MikroTik, but I learn so much in past three months.
I will also attach print screen of my Cisco EPC3925.

Thank you for help.

Cheers

dc2110984 · October 11, 2013, 9:56am

NAT Configuration.

dwz63 · October 11, 2013, 11:23am

Hi,
I’m not a pro, I’m amateur but this is what I think:
1)First, backup!

2)VPN(PPTP)
On the firewall you need to allow all connections for PPTP(tcp/1723 and GRE):
use WinBox: IP-Firewall tab Filter Rules
or
use Terminal

/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="Allow IN PPTP/TCP1723" disabled=no 
/ip firewall filter add chain=output protocol=tcp dst-port=1723 action=accept comment="Allow OUT PPTP/TCP1723" disabled=no
/ip firewall filter add chain=input protocol=gre action=accept comment="Allow IN PPTP/GRE" disabled=no 
/ip firewall filter add chain=output protocol=gre action=accept comment="Allow OUT PPTP/GRE" disabled=no

These rules need to move on up. They should be first.
!!!The Cisco must be set up port forwarding (TCP-1723/GRE)on the Mikrotik.

3)RDP.
You should use a dst-nat:
use WinBox: IP-Firewall tab NAT
or
use Terminal
Example forwarding RDP on IP 192.168.0.15

/ip firewall nat add chain=dstnat protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.0.15 to-ports=3389

These rules need to move on up. They should be first.
!!!The Cisco must be set up port forwarding (TCP-3389)on the Mikrotik.

4)Please copy here the results of the following commands:
use Terminal
/ip firewall nat print
/interface print

dc2110984 · October 11, 2013, 1:51pm

Thank you man a lot!!!
See, you just look my firewall, and you know what to do Great job!
Everything works just great!

Than you once more!!!