VPN PPTP

Hi,

I successfully set up a VPN server on an RB951. I can connect from another network, but I cannot access the internet because of a DNS problem: I can ping 8.8.8.8 but not google.com.

For reference, I used this tutorial:

https://www.bgocloud.com/knowledgebase/32/mikrotik-chr-how-to-setup-pptp-vpn-server.html

For DNS I tried setting 8.8.8.8 and 8.8.4.4, and also 192.168.178.1.

I also have my own DNS server on the RB951 and a NAT rule to force users to use DNS 192.168.178.1, but it is not accessible from the WAN.

If someone can help me, I will be more than thankful.

Here is the FW output:

/ip firewall filter
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="DNS udp Barbados" dst-port=53 protocol=udp src-address=192.168.25.0/24
add action=accept chain=input comment="DNS tcp Barbados" dst-port=53 protocol=tcp src-address=192.168.25.0/24
add action=accept chain=input comment="Allow DNS internal" dst-port=53 protocol=udp src-address=192.168.178.0/24
add action=drop chain=input comment="Drop UDP DNS remote requests allow GUEST" dst-port=53 in-interface=!Bridge_vlan20 protocol=udp src-address-list="!Internal network"
add action=drop chain=input comment="Drop TCP DNS remote requests" dst-port=53 protocol=tcp src-address-list="!Internal network"
add action=accept chain=input comment="Allow SSH Internal Network" dst-port=22 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP SSH" dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow WinBox Internal Network" dst-port=8291 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP WinBox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop PING" disabled=yes protocol=icmp src-address-list="!Internal network"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add chain=forward comment="Allow Established/Related Forward Chain" connection-state=established,related
add chain=input comment="Allow Established/Related iNPUT Chain" connection-state=established,related
add action=drop chain=forward comment="NO connection Barbados to Main" dst-address=192.168.178.0/24 src-address=192.168.25.0/24
add action=drop chain=input comment="Router protect from Barbados" src-address=192.168.25.0/24

Hello,

Which network did you use for PPTP? In the tutorial, they used "192.168.99.10-192.168.99.200". If you used the same, you must accept it in your firewall input chain:


add action=accept chain=input comment="DNS udp PPTP" dst-port=53 protocol=udp src-address=192.168.99.0/24

Thank you!
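The reply above hinges on rule order in the input chain. As an added illustration (not code from the thread or from MikroTik), here is a small Python model of RouterOS first-match filter evaluation, fed the input-chain DNS rules from the first post: a DNS query from the PPTP pool is caught by the "Drop UDP DNS remote requests" rule, is accepted once the suggested "DNS PPTP" rule sits before that drop, and is still dropped if the accept is appended after it. The address-list contents, the tunnel interface name and the sample packet are assumptions, since the thread does not show them.

```python
import ipaddress
import shlex

# Constructed sample (straight quotes): the input-chain rules from the first post that a DNS query can hit.
RULES_BEFORE = """
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow DNS internal" dst-port=53 protocol=udp src-address=192.168.178.0/24
add action=drop chain=input comment="Drop UDP DNS remote requests allow GUEST" dst-port=53 in-interface=!Bridge_vlan20 protocol=udp src-address-list="!Internal network"
add chain=input comment="Allow Established/Related iNPUT Chain" connection-state=established,related
"""
FIX_RULE = 'add action=accept chain=input comment="DNS PPTP" dst-port=53 protocol=udp src-address=192.168.99.0/24'
# Assumed address-list contents; the thread never shows them.
ADDRESS_LISTS = {"Internal network": ["192.168.178.0/24"], "port scanners": []}
# Constructed packet: a new DNS query arriving over the PPTP tunnel from the 192.168.99.x pool.
PPTP_DNS_QUERY = {"chain": "input", "protocol": "udp", "dst_port": 53,
                  "src": "192.168.99.10", "in_interface": "<pptp-user>", "state": "new"}

def parse_rules(text):
    # One RouterOS 'add ...' line per rule; shlex strips the quotes around comments and list names.
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

# Matchers modelled here; a KeyError for anything else (tcp-flags, psd, ...) is deliberate.
MATCHERS = {
    "chain": lambda p, v: p["chain"] == v,
    "protocol": lambda p, v: p["protocol"] == v,
    "dst-port": lambda p, v: str(p["dst_port"]) in v.split(","),
    "src-address": lambda p, v: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v),
    "src-address-list": lambda p, v: any(ipaddress.ip_address(p["src"]) in ipaddress.ip_network(n)
                                         for n in ADDRESS_LISTS[v]),
    "in-interface": lambda p, v: p["in_interface"] == v,
    "connection-state": lambda p, v: p["state"] in v.split(","),
}

def matches(rule, pkt):
    # Every matcher on the rule must hold; a leading '!' inverts that single matcher.
    for key, raw in rule.items():
        if key in ("action", "comment", "disabled"):
            continue
        negate, val = raw.startswith("!"), raw.lstrip("!")
        if MATCHERS[key](pkt, val) == negate:
            return False
    return True

def evaluate(rules, pkt):
    # First-match semantics: the first enabled matching rule decides; a rule with no action accepts.
    for rule in rules:
        if rule.get("disabled") != "yes" and matches(rule, pkt):
            return rule.get("action", "accept"), rule.get("comment", "")
    return "accept", "chain default"
```

Insert the accept with `place-before` (or move it in WinBox) so it lands above the generic DNS drop; appending it at the end of the chain changes nothing.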

…just stopped by this thread to say that you should consider using another VPN than PPTP…

Hi,

Thank you, I added the new rule to the FW, but DNS is still blocked for PPTP connections.

@marra, yeah, I know PPTP is not secure, but all I need is an IP from my local internet provider so I can watch IP TV on vacation :)

Below are my new FW rules, if someone can help me:

/ip firewall filter
add action=drop chain=input comment="dropping port scanners" disabled=yes src-address-list="port scanners"
add action=accept chain=input comment="DNS PPTP" dst-port=53 protocol=udp src-address=192.168.99.0/24
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="DNS udp Barbados" dst-port=53 protocol=udp src-address=192.168.25.0/24
add action=accept chain=input comment="DNS tcp Barbados" dst-port=53 protocol=tcp src-address=192.168.25.0/24
add action=accept chain=input comment="Allow DNS internal" dst-port=53 protocol=udp src-address=192.168.178.0/24
add action=drop chain=input comment="Drop UDP DNS remote requests allow GUEST" dst-port=53 in-interface=!Bridge_vlan20 protocol=udp src-address-list="!Internal network"
add action=drop chain=input comment="Drop TCP DNS remote requests" dst-port=53 protocol=tcp src-address-list="!Internal network"
add action=accept chain=input comment="Allow SSH Internal Network" dst-port=22 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP SSH" dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow WinBox Internal Network" dst-port=8291 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP WinBox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop PING" disabled=yes protocol=icmp src-address-list="!Internal network"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=yes protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=yes protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=yes protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=yes protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add chain=forward comment="Allow Established/Related Forward Chain" connection-state=established,related
add chain=input comment="Allow Established/Related iNPUT Chain" connection-state=established,related
add action=drop chain=forward comment="NO connection Barbados to Main" dst-address=192.168.178.0/24 src-address=192.168.25.0/24
add action=drop chain=input comment="Router protect from Barbados" src-address=192.168.25.0/24

Hi,

Can someone maybe advise me which FW rule I should add if I want to successfully connect to an IKEv2 VPN server on MikroTik?

I did all the steps in this tutorial, but after I press connect on the iPhone it immediately says "Disconnected".

I also tried to scan ports 500 and 4500, and they are not responding.

This is the tutorial I used:

https://jcutrer.com/howto/networking/mikrotik/ios-ikev2-vpn-mikrotik

Thanks and have a nice day

Hi,

I added a new rule in the FW for IKEv2, but I still cannot reach the IKEv2 VPN.

Any ideas what I should try to solve this?


/ip firewall filter
add action=drop chain=input comment="dropping port scanners" disabled=yes src-address-list="port scanners"
add action=accept chain=input comment="IKEv2 VPN" dst-port=4500,500 protocol=udp
add action=accept chain=input comment="DNS PPTP" dst-port=53 protocol=udp src-address=192.168.99.0/24
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="DNS udp Barbados" dst-port=53 protocol=udp src-address=192.168.25.0/24
add action=accept chain=input comment="DNS tcp Barbados" dst-port=53 protocol=tcp src-address=192.168.25.0/24
add action=accept chain=input comment="Allow DNS internal" dst-port=53 protocol=udp src-address=192.168.178.0/24
add action=drop chain=input comment="Drop UDP DNS remote requests allow GUEST" dst-port=53 in-interface=!Bridge_vlan20 protocol=udp src-address-list="!Internal network"
add action=drop chain=input comment="Drop TCP DNS remote requests" dst-port=53 protocol=tcp src-address-list="!Internal network"
add action=accept chain=input comment="Allow SSH Internal Network" dst-port=22 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP SSH" dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow WinBox Internal Network" dst-port=8291 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP WinBox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop PING" disabled=yes protocol=icmp src-address-list="!Internal network"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=yes protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=yes protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=yes protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=yes protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add chain=forward comment="Allow Established/Related Forward Chain" connection-state=established,related
add chain=input comment="Allow Established/Related iNPUT Chain" connection-state=established,related
add action=drop chain=forward comment="NO connection Barbados to Main" dst-address=192.168.178.0/24 src-address=192.168.25.0/24
add action=drop chain=input comment="Router protect from Barbados" src-address=192.168.25.0/24