Site-to-Site PPTP problem

BenderLV · August 16, 2016, 9:50am

Hello, everyone here!

I’ve followed the Wiki tutorial to setup Site-to-Site PPTP, between two Mikrotik routers. The connection establishes but I’m not able to reach the remote LAN behind the remote router with pptp client, but I can reach the LAN in the “office”.
http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP#Site-to-Site_PPTP

Am I missing something? LAN behind VPN server has default DHCP range.

/ip route add dst-address=192.168.88.0/24 gateway=pptp-out1

Thank you for your advices.

pe1chl · August 16, 2016, 10:41am

There is probably other configuration in your router, like a firewall.

BenderLV · August 16, 2016, 10:56am

Everything is left at it’s defaults - automatic predefined config, except client LAN address is changed from 192.168.88.0/24 to 192.168.0.0/24. I can ping VPN client router local address, but nothing else.

PPTP server side

0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; default configuration
      chain=input action=accept connection-state=established,related 
      log=no log-prefix="" 

 3    ;;; allow l2tp
      chain=input action=accept protocol=udp dst-port=1701 

 4    ;;; allow pptp
      chain=input action=accept protocol=tcp dst-port=1723 

 5    ;;; allow sstp
      chain=input action=accept protocol=tcp dst-port=443 

 6    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no 
      log-prefix="" 

 7    ;;; default configuration
      chain=forward action=fasttrack-connection 
      connection-state=established,related log=no log-prefix="" 

 8    ;;; default configuration
      chain=forward action=accept connection-state=established,related 
      log=no log-prefix="" 

 9    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no 
      log-prefix="" 

10    ;;; default configuration
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=ether1-gateway log=no 
      log-prefix=""

PPTP client side

0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related 

 3    ;;; alllow pptp
      chain=input action=accept protocol=tcp dst-port=1723 log=no 
      log-prefix="" 

 4    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 

 5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related 

 6    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related 

 7    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

 8    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=ether1

pe1chl · August 16, 2016, 4:57pm

Default rules are for the standard “we do only NAT” router.
You will need to add rules (both filter and nat) to allow your site-to-site traffic without NAT.

BenderLV · August 17, 2016, 6:52am

Like what?
As I said - I can access entire Office network from VPN client, but not vice versa. I can see, that ping from Office to client’s LAN PC is incoming, but doesn’t come through router. I assume, that routing works fine, the issue is with FW that blocks incoming requests.
What should I open on VPN client’s router to be able to get access to that network.

BenderLV · August 18, 2016, 8:35am

Some additional info.
Office

[admin@MikroTik TestGeneral] > /ppp secret print detail 
Flags: X - disabled 
 0   name="vpn" service=pptp caller-id="" password="dummypassw" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 
     last-logged-out=aug/18/2016 10:57:24 

 1   name="Kandava" service=pptp caller-id="" password="dummypassw2" profile=default local-address=192.168.89.1 
     remote-address=192.168.89.2 routes="192.168.0.0/24 192.168.89.2 1" limit-bytes-in=0 limit-bytes-out=0 
     last-logged-out=aug/16/2016 12:35:57 
	 
[admin@MikroTik TestGeneral] > /interface pptp-server server print 
            enabled: yes
            max-mtu: 1450
            max-mru: 1450
               mrru: disabled
     authentication: mschap1,mschap2
  keepalive-timeout: 30
    default-profile: default-encryption
	
[admin@MikroTik TestGeneral] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          185.57.77.2               1
 1 ADC  185.57.77.0/24     185.57.77.12    ether1-gateway            0
 2 ADS  192.168.0.0/24                     192.168.89.2              1
 3 ADC  192.168.88.0/24    192.168.88.1    bridge-local              0
 4 ADC  192.168.89.2/32    192.168.89.1    <pptp-Kandava>            0
 5 ADC  192.168.89.255/32  192.168.89.1    <pptp-vpn>                0

Remote office

[admin@MikroTik Kandava] > /interface pptp-client print
Flags: X - disabled, R - running 
 0  R name="pptp-out1" max-mtu=1450 max-mru=1450 mrru=1600 connect-to=185.57.77.12 user="Kandava" passw
      profile=default-encryption keepalive-timeout=60 add-default-route=no dial-on-demand=no allow=pap,

[admin@MikroTik Kandava] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.10.1              1
 1 ADC  192.168.0.0/24     192.168.0.254   ether2-master             0
 2 ADC  192.168.10.0/24    192.168.10.100  ether1                    0
 3 A S  192.168.88.0/24                    pptp-out1                 1
 4 ADC  192.168.89.1/32    192.168.89.2    pptp-out1                 0

What is wrong, why I’m not able to reach remote office’s network?

In fact it would be absolutely enough to access 192.168.0.1 on remote network from mains office’s 192.168.88.0/24 or any VPN client 192.168.89.0/24

BenderLV · August 29, 2016, 6:47am

Bump. Help, please

ali777 · November 18, 2017, 5:36am

I have also exactly the same issue. I cannot figure out yet why it really happens. I play some with proxy-arp and mtu. I also add extra rule in Source NAT to accept local site Ip range to remote site one.
but no success. I think there should be something small but critical and so sensitive to make the site to site ping able. I think we should take care about its details perfectly too.
I also found something that is strange. In fact it seems trace route to remote LAN site can’t pass the second hub (Show astrisk). I think if it pass here maybe problem can be solved too, so anyone knows how do it?

Anumrak · November 18, 2017, 8:23am

You don’t have back a route to 192.168.0.0/24 from main office 185.57.77.12. You need duplex connectivity, in order to routes works. From office needs 192.168.0.0/24 to pptp and from remote office 192.168.88.0/24 to pptp. But since you have it on your lan, you can better use EoIP tunnel.

blajah · November 18, 2017, 6:45pm

Please post export of ip fire nat

ali777 · November 20, 2017, 5:56am

Guys! I think I found a solution. All two days working on it. Too Crazy but actually it works perfect with just one simple rule.
The all you need is NAT Masquerade rule from your local IP range to final destination IP range.
No other thing is actually needed except one simple static route to pass your traffic.
Please rate it positive if you find it useful.

Thanks Anumark, Your talking is also not wrong as I think, it should works too. but It seems here we can also do some magic without that (configuration main office) too using mikrotik.