[RouterBoard 450G] Firewall's rules for PPTP

Hello,

I need your help :smiley:

I have the same network topology as in the following post: http://forum.mikrotik.com/t/mikrotik-as-pptp-server-wont-work/40434/1

On the local network, my PPTP server works very well,
but when I want to connect from the WAN port, it doesn't work.
I know that the firewall is the problem, but I don't know how to fix it.

Here is my configuration:

RouterOS 4.12

[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST INTERFACE 
                                                                                                             
 0   ;;; LAN
     192.168.111.1/24   192.168.111.0   192.168.111.255 ether2  
                                                                                                                  
 1   ;;; WAN
     192.168.0.200/24   192.168.0.0     192.168.0.255   ether1



/ip route print

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  0.0.0.0/0                                   192.168.0.1        1       
 1 X S  ;;; Default route  0.0.0.0/0                          ether1             1    
 2 ADC  192.168.0.0/24     192.168.0.200   ether1             0       
 3 ADC  192.168.111.0/24   192.168.111.1   ether2             0



 0   ;;; Local access to RB for Winbox
     chain=input action=accept protocol=tcp src-address-list=local dst-port=8291 

 1   ;;; eLAN
     chain=input action=accept in-interface=ether2 

 2   ;;; Treat all traffic equally
     chain=input action=jump jump-target=inbound 

 3   ;;; Treat all traffic equally
     chain=forward action=jump jump-target=inbound 

 4   ;;; Drop invalid
     chain=inbound action=drop connection-state=invalid 

 5   ;;; Allow limited icmp
     chain=inbound action=accept protocol=icmp limit=50/5s,2 

 6   ;;; Drop excess icmp
     chain=inbound action=drop protocol=icmp 

 7   ;;; Accept established
     chain=inbound action=accept connection-state=established 

 8   ;;; Accept related
     chain=inbound action=accept connection-state=related 

 9   ;;; Internal traffic can do what it wants.
     chain=inbound action=accept src-address-list=local 

10 X ;;; And drop everything else
     chain=inbound action=drop 

11   ;;; Allow everything out
     chain=output action=accept 

12   ;;; PPTP
     chain=input action=accept connection-state=new protocol=tcp in-interface=ether1 dst-port=1723 

13   chain=input action=accept protocol=gre in-interface=ether1 

14   chain=input action=accept protocol=udp in-interface=ether1 dst-port=1723

When I disable this rule:

10 X ;;; And drop everything else
     chain=inbound action=drop

it's working very well.

I have added rules for port 1723 + protocol GRE on ether1, but it doesn't work.

And now I don't know what else I can do… :frowning:

Does anybody have an idea, please?

Thanks for your replies

Hi,

Try to move the last 3 rules to the top of the rule list (drag and drop).

If you don't, the rule that you disabled drops the packets before the firewall can read the last 3 input rules..

OK.. easy, lol, when you know

It's working!! Gracias :smiley:

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; PPTP
     chain=input action=accept connection-state=new protocol=tcp dst-port=1723 

 1   chain=input action=accept protocol=gre 

 2   chain=input action=accept protocol=udp dst-port=1723 

 3   ;;; Local access to RB for Winbox
     chain=input action=accept protocol=tcp src-address-list=local dst-port=8291 

 4   ;;; eLAN
     chain=input action=accept in-interface=ether2 

 5   ;;; Treat all traffic equally
     chain=input action=jump jump-target=inbound 

 6   ;;; Treat all traffic equally
     chain=forward action=jump jump-target=inbound 

 7   ;;; Drop invalid
     chain=inbound action=drop connection-state=invalid 

 8   ;;; Allow limited icmp
     chain=inbound action=accept protocol=icmp limit=50/5s,2 

 9   ;;; Drop excess icmp
     chain=inbound action=drop protocol=icmp 

10   ;;; Accept established
     chain=inbound action=accept connection-state=established 

11   ;;; Accept related
     chain=inbound action=accept connection-state=related 

12   ;;; Internal traffic can do what it wants.
     chain=inbound action=accept src-address-list=local 

13   ;;; And drop everything else
     chain=inbound action=drop 

14   ;;; Allow everything out
     chain=output action=accept

Thanks very much, I'll give you karma if I find out how I can do it :laughing:
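To see why the ordering mattered, here is a small Python model of the RouterOS first-match rule walk, written for this thread as an added illustration (it is not code from the forum post and not MikroTik's own implementation). It loads the rule set from the first post and the reordered set from the post above and runs a few constructed packets through the input chain. The address list `local` is assumed to be the LAN prefix 192.168.111.0/24, the ICMP rate limit is not modelled, and the PPTP accept rules keep the `in-interface=ether1` qualifier from the first post, which the final `print` above no longer shows: without it, the accepts apply on every interface, not only the WAN.

```python
"""Toy model of RouterOS /ip firewall filter evaluation (added example).

Semantics modelled: rules of a chain are tried in order, the first matching
rule with action accept/drop is final, a jump enters the target chain and
returns only if that chain ends without a final verdict, and a built-in
chain that ends without a verdict accepts the packet.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumption: address list "local" is the LAN prefix seen in the thread.
ADDRESS_LISTS = {"local": [ipaddress.ip_network("192.168.111.0/24")]}


@dataclass
class Rule:
    chain: str
    action: str                      # accept | drop | jump
    comment: str = ""
    jump_target: Optional[str] = None
    match: dict = field(default_factory=dict)   # matcher name -> required value

    def matches(self, pkt: dict) -> bool:
        for key, want in self.match.items():
            if key == "src_address_list":
                addr = ipaddress.ip_address(pkt["src"])
                if not any(addr in net for net in ADDRESS_LISTS[want]):
                    return False
            elif pkt.get(key) != want:
                return False
        return True


def run_chain(rules, chain, pkt, trace):
    """Walk one chain in order; return a final verdict or None on fall-through."""
    for rule in rules:
        if rule.chain != chain or not rule.matches(pkt):
            continue
        trace.append(f"{chain}: {rule.comment or rule.action}")
        if rule.action == "jump":
            verdict = run_chain(rules, rule.jump_target, pkt, trace)
            if verdict is not None:
                return verdict      # target chain decided (here: the final drop)
            continue                # target chain fell through: resume this chain
        return rule.action
    return None


def decide(rules, pkt):
    """Verdict of the built-in input chain plus the rules visited on the way."""
    trace = []
    verdict = run_chain(rules, "input", pkt, trace) or "accept"
    return verdict, trace


def R(chain, action, comment="", jump_target=None, **match):
    return Rule(chain, action, comment, jump_target, match)


# The three PPTP rules, keeping in-interface=ether1 from the first post.
PPTP_RULES = [
    R("input", "accept", "PPTP tcp/1723", connection_state="new", protocol="tcp",
      in_interface="ether1", dst_port=1723),
    R("input", "accept", "PPTP gre", protocol="gre", in_interface="ether1"),
    R("input", "accept", "PPTP udp/1723", protocol="udp", in_interface="ether1",
      dst_port=1723),
]
BASE_RULES = [
    R("input", "accept", "Winbox from local", protocol="tcp",
      src_address_list="local", dst_port=8291),
    R("input", "accept", "eLAN", in_interface="ether2"),
    R("input", "jump", "input -> inbound", jump_target="inbound"),
    R("forward", "jump", "forward -> inbound", jump_target="inbound"),
    R("inbound", "drop", "Drop invalid", connection_state="invalid"),
    R("inbound", "accept", "Allow limited icmp", protocol="icmp"),  # limit not modelled
    R("inbound", "drop", "Drop excess icmp", protocol="icmp"),
    R("inbound", "accept", "Accept established", connection_state="established"),
    R("inbound", "accept", "Accept related", connection_state="related"),
    R("inbound", "accept", "Internal traffic", src_address_list="local"),
    R("inbound", "drop", "And drop everything else"),
    R("output", "accept", "Allow everything out"),
]
ORIGINAL = BASE_RULES + PPTP_RULES   # PPTP rules after the jump: never reached
FIXED = PPTP_RULES + BASE_RULES      # PPTP rules before the jump: tried first

# Constructed sample packets (not captures from the thread).
PPTP_SYN_FROM_WAN = dict(in_interface="ether1", protocol="tcp", dst_port=1723,
                         src="192.168.0.50", connection_state="new")
GRE_FROM_WAN = dict(in_interface="ether1", protocol="gre",
                    src="192.168.0.50", connection_state="new")
SSH_FROM_WAN = dict(in_interface="ether1", protocol="tcp", dst_port=22,
                    src="192.168.0.50", connection_state="new")
WINBOX_FROM_LAN = dict(in_interface="ether2", protocol="tcp", dst_port=8291,
                       src="192.168.111.5", connection_state="new")

if __name__ == "__main__":
    samples = [("PPTP SYN from WAN", PPTP_SYN_FROM_WAN), ("GRE from WAN", GRE_FROM_WAN),
               ("SSH from WAN", SSH_FROM_WAN), ("Winbox from LAN", WINBOX_FROM_LAN)]
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, pkt in samples:
            verdict, trace = decide(rules, pkt)
            print(f"{name:8} {label:18} -> {verdict:6} via {' > '.join(trace)}")
```

With the original order, a PPTP SYN from the WAN matches only the `input -> inbound` jump, and the `inbound` chain ends with an unconditional drop, so the packet never comes back to rules 12 to 14. With the PPTP rules first, the same packet is accepted before the jump, while an unrelated SSH attempt from the WAN still ends in the final drop.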

You need to post 3 times in the forum and then click on the + under my name ; )

Thanks!

OK,

Thanks very much :sunglasses: