I am running a couple of 2.8 firewalls, and I have a client PPTP VPN set up. I am able to connect from the outside via a Windows or OS/X PPTP client and get on the network, as well as inside via my WiFi interface.
However, it does not work when I am connecting from behind my MT firewall nor any of my customers’ other home firewalls. It does work from behind the cheap Netgear box at my local coffee shop.
Any ideas? Should I switch to L2TP or IPSEC? Is there a firewall setting that makes NAT traversal more reliable?
A properly configured MT router should work. At home you don't say if you are NATing or not, but either way it should work. You don't say what kind of PPTP server you are using. Do you have PPTP enabled in Firewall->Ports?
On to the topic. PPTP is generally easier to get through firewalls than IPSec. L2TP however should go straight through (the easiest), unless it's been specifically firewalled out. However, Microsoft's L2TP implementation wants to run with IPSec. I guess you could modify it to not use IPSec encryption on the L2TP tunnel using the registry or something. (Try googling it).
When I connect from outside my firewall, everything works and I get authenticated almost immediately. From inside my FW or my customer's home WiFi LAN, it hangs on "verifying username and password" and ends up with Microsoft error 619, if connecting from Windows XP.
Here are my configurations on the PPTP server:
[admin@MikroTik] interface pptp-server> pri det
Flags: X - disabled, D - dynamic, R - running
0 name="pptp-in1" user=""
NAME PORTS
0 ftp 21
1 pptp
2 gre
3 X h323
4 mms
5 irc 6667
6 quake3
7 X tftp 69
[admin@MikroTik] ip firewall rule input> pri
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow all incoming traffic on local LAN.
src-address=192.168.1.0/24 in-interface=!public action=accept
1 ;;; Allow PPTP to firewall.
dst-address=4.3.211.111/32 protocol=gre action=accept
0 ;;; Allow firewall services out to LAN.
src-address=192.168.1.254/32 dst-address=192.168.1.0/24
out-interface=!public action=accept
I have the same issue on this. It works from most other routers to our MT router, but we have a couple of satellite connections that for the life of me won't connect. They do 1 out of 50 times maybe. Tried changing MTU, no luck. I am also getting the same 619 error.
Could be that one end does not set the correct GRE session id. This was the case for the longest time with poptop which apparently many have based their code on.
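What the "GRE session id" above refers to, as an added example that is not code from this thread: the PPTP data channel is enhanced GRE (RFC 2637), whose key field carries a 16-bit call ID, and a NAT that passes PPTP has to track that call ID (and rewrite it when several inside clients pick the same one). The Python below builds constructed sample packets, parses the header, and reports call IDs shared by more than one inside host; the host addresses and payload bytes are made up for the demonstration.

```python
"""Decode the PPTP data channel (enhanced GRE, RFC 2637) and flag call-ID collisions."""
import struct

PPP_OVER_GRE = 0x880B  # protocol type in every PPTP GRE packet
PPP_LCP = b"\xff\x03\xc0\x21"  # constructed PPP LCP payload stub

def build_gre(call_id, payload, seq=None, ack=None):
    """Build a sample enhanced-GRE packet: key present, version 1, S/A optional."""
    flags = 0x20 | (0x10 if seq is not None else 0)
    ver = 0x01 | (0x80 if ack is not None else 0)
    hdr = struct.pack("!BBHHH", flags, ver, PPP_OVER_GRE, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload

def parse_gre(pkt):
    """Return dict(call_id, payload_len, seq, ack, hdr_len) or raise ValueError."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != PPP_OVER_GRE or ver & 0x07 != 1 or not flags & 0x20:
        raise ValueError("not a PPTP enhanced-GRE packet")
    off, seq, ack = 8, None, None
    if flags & 0x10:                       # S bit: sequence number present
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if ver & 0x80:                         # A bit: acknowledgment number present
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if len(pkt) - off < plen:
        raise ValueError("payload length exceeds packet")
    return dict(call_id=call_id, payload_len=plen, seq=seq, ack=ack, hdr_len=off)

def call_id_collisions(flows):
    """flows: (inside_host, gre_packet) pairs seen on the LAN side of a NAT.
    Returns {call_id: [hosts]} for call IDs shared by several hosts; a NAT
    without a PPTP helper cannot tell those return packets apart."""
    seen = {}
    for host, pkt in flows:
        seen.setdefault(parse_gre(pkt)["call_id"], set()).add(host)
    return {cid: sorted(h) for cid, h in seen.items() if len(h) > 1}

# Constructed sample: two inside hosts both chose call ID 1, a third chose 7.
SAMPLE_FLOWS = [
    ("192.168.1.10", build_gre(1, PPP_LCP, seq=1)),
    ("192.168.1.11", build_gre(1, PPP_LCP, seq=1, ack=0)),
    ("192.168.1.12", build_gre(7, PPP_LCP, seq=5)),
]

if __name__ == "__main__":
    print(call_id_collisions(SAMPLE_FLOWS))  # {1: ['192.168.1.10', '192.168.1.11']}
```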
I am going to change out the Linksys router that I am having an issue with and see if this fixes the issue. But is there a workaround for this or not?
I am having the same issue here. In fact I have several MT and from the house I am able to get into one (pptp) and not the other. I looked at pptp server settings at both and ensured all settings are the same. For some reason it hangs at the authentication attempt when I try to get in. I do not believe it is a NAT issue as it works for one MT and not for another. I would love it if someone here can figure this out.
I can't tell you exactly how to do it, as I paid to have help setting it up,
and I would not feel right in not referring potential clients to him.
But I can refer you to the person who helped me set it up…
His rates are EXTREMELY reasonable and it will save you a ton of time and grief…
What we did:
Create an IPSEC 3DES tunnel between the routers. 10.0.X.X to 10.3.X.X
etc.
Set up each router to use its own gateway for internet traffic.
The result: two networks using their own gateways for internet traffic, but interconnected via an IPSEC tunnel without L2TP etc.