VPN not accepting connections

I would like to set up a VPN server on my RouterBoard, and I would like to connect to it from outside using a standard Windows 7 PC.

I have been following this guide:
http://www.mikrotik.com/testdocs/ros/3.0/vpn/pptp.php

The PPTP setup seems pretty straightforward:
Add a user:

[admin@PPTP-Server] ppp secret> add name=user password=passwd \
\... local-address=10.0.0.1 remote-address=10.0.0.2

Enable the PPTP server:

[admin@PPTP-Server] interface pptp-server server> set enabled=yes

I think I have set up the PPTP server properly, but it still doesn’t accept connections from the outside.

Is there anything else I need to set up to let my router accept connections from the outside? My network is very basic: internet - routerboard - internal lan

Hi, please post here:

/ip address print

and

/ip firewall service-port print



[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.0.254/24   192.168.0.0     ether2-local-master
 1 D 80.99.10.xxx/21    80.99.8.0       ether1-gateway
[admin@MikroTik] > /ip firewall service-port print
Flags: X - disabled, I - invalid
 #   NAME                                                                 PORTS
 0   ftp                                                                  21
 1 X tftp                                                                 69
 2 X irc                                                                  6667
 3 X h323
 4 X sip                                                                  5060
                                                                          5061
 5 X pptp

Note: enabling pptp in this menu doesn’t make a difference.

Enable it anyway.

Please post:

/ip firewall export

Here it is:

# jan/18/2012 15:06:46 by RouterOS 5.9
# software id = ZRZ7-X4SW
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-port=9876 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.0.1 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-port=21 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=no dst-port=5000-5100 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=no dst-port=9999 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.0.1 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-port=6662 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=no dst-port=6662 in-interface=\
    ether1-gateway protocol=udp to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=no dst-port=22 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.0.1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

After enabling the pptp service in IP->Firewall->Service Port, do you still have no luck connecting to your PPTP server, or can you just not reach the 192.168.0.0/24 network?
If you cannot reach 192.168.0.0/24, you just need to add a new route to 10.0.0.0/24 with ether2-local-master as gateway.

My problem is that it seems that the ports on the router itself don’t open up for the outside world. Port forwarded ports work perfectly.

Before, all the ports I used were forwarded to a server behind the router, for FTP, remote desktop, etc. Those ports work perfectly and show up as open ports.

However, whatever ports I choose to open on the router don’t seem to open up. For example, I enabled the SSTP server on port 443. I would think that it would open up port 443 for the outside, but it doesn’t. It does open up 443 for the inside, however. I used some online open port check tool to test for the open ports and it reports 443 as closed.

That Firewall \ Service port actually doesn’t seem to do anything. No matter if I disable or enable FTP, I can FTP to the router from the inside network.

Update: I even tried adding a NAT rule to direct 443 to the router, but the port is still closed.

Update2: I found a guide for SSTP and it says the following line: “Don’t forget to open this port on the firewall (on the INPUT chain) if you are blocking ports by default.”

Can you tell me if I need to do it and if yes, how can I do it? I still have the same /ip firewall filter configuration as above.

Update3: Is this what I need?
http://blog.phipps.at/2011/04/25/howto-configure-a-pptp-server-on-routeros/

[root@Router] > ip firewall filter add chain=input protocol=tcp dst-port=1723 \
                in-interface=eth1-WAN src-address-list=VPN-Users action=accept
[root@Router] > ip firewall filter add chain=input protocol=gre \
                in-interface=eth1-WAN src-address-list=VPN-Users action=accept

These rules are OK:

[root@Router] > ip firewall filter add chain=input protocol=tcp dst-port=1723 \
                in-interface=eth1-WAN src-address-list=VPN-Users action=accept
[root@Router] > ip firewall filter add chain=input protocol=gre \
                in-interface=eth1-WAN src-address-list=VPN-Users action=accept

For PPTP, also set ‘arp=proxy-arp’ on the LAN interface.

HTH,
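
An added example, not part of the original thread: a small Python model of first-match rule evaluation, run over the input-chain rules from the export above, showing why services on the router itself look closed from the WAN while staying reachable from the LAN. Assumptions: the two PPTP rules are adapted to this router's interface name `ether1-gateway`, the `src-address-list` restriction is left out, and only exact-match fields are modelled.

```python
import shlex

# Input-chain rules from the posted export (comment= and disabled=no trimmed).
DEFAULT_RULES = """\
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established in-interface=ether1-gateway
add action=accept chain=input connection-state=related in-interface=ether1-gateway
add action=drop chain=input in-interface=ether1-gateway
"""
# PPTP rules from the thread, adapted to this router's WAN interface name
# (assumption: src-address-list matching is not modelled here).
PPTP_RULES = """\
add action=accept chain=input protocol=tcp dst-port=1723 in-interface=ether1-gateway
add action=accept chain=input protocol=gre in-interface=ether1-gateway
"""
MATCHERS = ("chain", "protocol", "dst-port", "in-interface", "connection-state")

def parse(text):
    """Turn 'add key=value ...' lines into an ordered list of dicts."""
    rules = []
    for line in text.splitlines():
        words = shlex.split(line)
        if words and words[0] == "add":
            rules.append(dict(w.split("=", 1) for w in words[1:]))
    return rules

def verdict(rules, packet):
    """The first rule whose matchers all equal the packet's fields decides.
    A packet matching no rule is accepted, as in a RouterOS built-in chain."""
    for rule in rules:
        if all(rule[k] == packet.get(k) for k in MATCHERS if k in rule):
            return rule["action"]
    return "accept"

def new_conn(proto, iface, port=None):
    pkt = {"chain": "input", "protocol": proto, "in-interface": iface,
           "connection-state": "new"}
    if port:
        pkt["dst-port"] = str(port)
    return pkt

if __name__ == "__main__":
    base, pptp = parse(DEFAULT_RULES), parse(PPTP_RULES)
    cases = {"default": base, "appended after drop": base + pptp,
             "placed before drop": base[:3] + pptp + base[3:]}
    for name, rules in cases.items():
        print(name, verdict(rules, new_conn("tcp", "ether1-gateway", 1723)),
              verdict(rules, new_conn("gre", "ether1-gateway")))
    print("LAN tcp/443:", verdict(base, new_conn("tcp", "ether2-local-master", 443)))
```

On RouterOS, `add` puts a new rule at the end of the list, so the accept rules have to sit above the final drop rule (for example with `place-before`) to take effect.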

OK, connection success! I had to open up tcp 1723 and gre on the input chain!

My problem, however, is that even though I could connect, I have no real connection. In Windows, my VPN adapter gets subnet mask: 255.255.255.255 and gateway 0.0.0.0. Is this normal?

How can I set up this arp proxy?