Setup VPN with Mikrotik

red7genius · September 19, 2019, 6:11pm

Hi all,
I am new to Mikrotik’s world so I would like your help for my topic. I am trying to set a VPN network that can be accessible from outside.
I have followed some instructions and tutorials, and from my PC (in the network) I am able to connect to my VPN, but it seems that is not accessible from outside.
Please check my configuration below and let me know if i have done something wrong.

My network topology is the following:
I use a Netfaster IAD 2 modem/router to serve as a modem and a Mikrotik hAP lite as the main router.
Netfaster IAD 2 ip: 192.168.2.1
Mikrotik ip : 192.168.88.1
My PC 192.168.88.13

# sep/19/2019 20:59:13 by RouterOS 6.45.5
# software id = JRKF-PBIQ
#
# model = RouterBOARD 941-2nD
/interface bridge
add admin-mac=B8:69:F4:0E:74:D0 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=disabled name=pppoe-out1 use-peer-dns=yes user=guest@adsl.gr
/interface pptp-server
add name=pptp-in1 user=ppp1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=profile1 supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=profile1 ssid=HomeWifi wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.100
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=VPNpool ranges=192.168.88.101-192.168.88.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=bridge change-tcp-mss=yes dns-server=8.8.8.8,8.8.8.4 local-address=192.168.88.1 name=VPMprofile remote-address=VPNpool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set internet-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set default-profile=VPMprofile enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward dst-port=1723 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-address=5.54.215.246 dst-port=1723 protocol=tcp to-addresses=192.168.88.13 to-ports=1723
/ip route
add distance=1 dst-address=192.168.2.10/32 gateway=ether1
/ppp secret
add name=ppp1 profile=VPMprofile service=pptp
/system clock
set time-zone-name=Europe/Athens
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

PS. I tried to enable forwarding for port 1723 as I read that is necessary for PPTP to work, but it didnt.

2frogs · September 20, 2019, 5:36am

add action=accept chain=input dst-port=1723 comment="accept PPTP" protocol=tcp

This needs to go either above or below the “defcon: accept ICMP” because the order matters. Also, chain=input is for any thing going to the router itself. And chain=forward is anything being forwarded by the router (WAN to LAN, LAN to WAN, etc..)

red7genius · September 24, 2019, 4:19pm

add action=accept chain=input dst-port=1723 comment="accept PPTP" protocol=tcp
This needs to go either above or below the “defcon: accept ICMP” because the order matters. Also, chain=input is for any thing going to the router itself. And chain=forward is anything being forwarded by the router (WAN to LAN, LAN to WAN, etc..)

I changed the action to input, I moved the rule above/below the “defcon: accept ICMP”, I tried to ping the port from online port checker but it didnt work.

Zacharias · September 24, 2019, 4:44pm

You must also allow gre (47) protocol for PPTP. Your chain is input Not Forward…

red7genius · October 9, 2019, 4:56pm

It seems that now my port 1723 is reachable from the online port checker.
But still cannot connect from another pc outside the network to my vpn.
I get the following error:
“A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond”

Zacharias · October 9, 2019, 5:40pm

Did you allow gre 47? Can you export you firewall configuration ?

red7genius · October 10, 2019, 9:33am

Thanks everyone for your help.
Issue is solved and I managed to connect to VPN from outside.

The problem seemed to be that I had to open port 1723 ALSO on the other side that was trying to connect.

Thanks again.