VPN's IPs and DHCP

Hi

I’ve configured a PPTP server and I’m trying to understand it, especially regarding IPs. Connected clients get assigned IPs by PPTP, not DHCP, right?

  1. Is there a way to use DHCP instead? If not, why?
  2. Is there a way to configure anything about this assignment? The only thing I’ve found I can do is to create a pool and assign it to the profile.
  3. Also, other values assigned to the client are somewhat strange. For example, DNS. I have set up DHCP Client for my WAN. If DHCP Client/Use Peer DNS is selected, then those IPs are passed to clients. If not, the client gets the DNS Settings/Servers IP (manually entered). Why? Can I change this behaviour?
  4. If I use the same pool for DHCP and PPTP (I don’t know if this is OK, recommended, or not), won’t they conflict at some point? The only curious thing I found is that DHCP assigns from high to low IP, and PPTP from low to high.
  5. What are those IPs that also appear in some places? For example, I’ve created a pool 192.168.2.1-254 (the pool is shared with DHCP). On IP Pool/Used Addresses I see two IPs owned by PPTP: 192.168.2.1 (the client) and 192.168.2.xxx, where xxx varies and goes up as I disconnect/connect the client. On the ARP List I get IPs used by older connections (those xxx mentioned earlier). If I remove them, they are automatically added again.

Thanks in advance,
Djago

Point-to-Point Tunneling Protocol. The server gives out a /32 to clients as it's a PtP link. You are imagining that they are like EoIP and once they are tunneled they can get DHCP from the other side.


/ip pool add name=vpn-pool ranges=10.0.0.2-10.0.0.254

Server: either in the secret or the profile
local-address=10.0.0.1
remote-address=vpn-pool

You can look in /ip pool used (Used Addresses) to see what addresses are currently in use.

Use the search function and lookup PPTP and ip-pool etc. You will find lots of topics / posts regarding this and you should be able to gain an understanding to how it works.

Hi, thanks for your response!
It’s ok about the /32. But what IP do I get when I use a pool in the remote address? Who assigns this IP?

Currently I have installed SoftEther in one internal PC and created a NAT for one port, and when I connect the softether adapter, the DHCP (the one from my Mikrotik) gives me an IP for the VPN adapter. Everything works as expected. But I’m trying to get rid of the extra software needed and trying to use the Mikrotik.

Let me give you more details. I have a RB2011UiAS. I have 2 WANs, 50 Mbps and 20 Mbps, so I’m using eth8 & 9 for WAN (100 Mbps). I’ve configured PCC with failover. I have a switch in eth1 for the PCs and some APs in eth2, 3 & 4. I have a bridge with all of them with 192.168.0.1/21 and a DHCP with 192.168.2.1-254, and plan to use 192.168.4.x for the VPN (the bridge has proxy-arp).
I’ve created filter rules for tcp port 1723 and gre, and the ip pool.

I’ve created a secret with local address 192.168.0.1, remote address 192.168.4.1

Right now, I can connect, ping 192.168.0.1, but can’t ping anything else… I can’t figure it out. What’s wrong?

The remote side connects to the Mikrotik VPN server and during the connection process the server assigns it an available IP from the specified pool.

To customize the assignment you can set the IP in ppp “secrets” for that specific user / device.

If you do not wish to use peer-dns:
Set the DNS for the Mikrotik router.
/ip dns
set servers=8.8.8.8,8.8.4.4

To specify what DNS your DHCP clients get:
/ip dhcp-server network add address=10.15.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.15.1.1

As far as routing between networks, that will be an ip firewall filter forward rule.

Generally questions like these are better answered when you include the current firewall and dhcp settings so we can visually look for the issue vs guessing at possibilities.
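The pool/profile setup from the first reply and the DNS and forward-rule advice from this one, put together as an added RouterOS configuration example (not config posted by anyone in this thread). It assumes the thread's LAN of 192.168.0.0/21 on a bridge named bridge1, the router at 192.168.0.1, a VPN range of 192.168.4.x, an internal DNS server at 192.168.0.10, and user names alice and bob; all of these are assumptions to adjust. One caveat for anyone reusing it: PPTP's MS-CHAPv2 authentication and MPPE encryption are cryptographically weak, so this is useful for understanding the addressing mechanics, but a modern tunnel (IKEv2, as mentioned later in the thread, or WireGuard) is the better choice for anything exposed to the internet.

```routeros
# Added example: minimal PPTP server with its own pool, DNS and forward rules.
# Assumed: LAN 192.168.0.0/21 on bridge1, router 192.168.0.1,
# VPN pool 192.168.4.2-192.168.4.254, internal DNS 192.168.0.10.

# 1. Address pool used only by the PPP server (do not share it with DHCP,
#    otherwise both services hand out from the same range)
/ip pool
add name=vpn-pool ranges=192.168.4.2-192.168.4.254

# 2. Profile: local-address is the router's end of every /32 tunnel,
#    remote-address is drawn from the pool for each client,
#    dns-server is what the VPN client receives (overrides peer-dns)
/ppp profile
add name=vpn-profile local-address=192.168.0.1 remote-address=vpn-pool \
    dns-server=192.168.0.10 use-encryption=required

# 3. Per-user secrets; remote-address on a secret pins a fixed IP for that
#    user instead of taking the next free one from the pool
/ppp secret
add name=alice password=CHANGE_ME service=pptp profile=vpn-profile
add name=bob password=CHANGE_ME service=pptp profile=vpn-profile \
    remote-address=192.168.4.10

# 4. Enable the server with the profile above
/interface pptp-server server
set enabled=yes default-profile=vpn-profile authentication=mschap2

# 5. Firewall: control channel and GRE into the router, and forward traffic
#    between the VPN range and the LAN (these must sit above any drop rules)
/ip firewall filter
add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=input protocol=gre action=accept comment="PPTP GRE"
add chain=forward src-address=192.168.4.0/24 dst-address=192.168.0.0/21 \
    action=accept comment="VPN -> LAN"
add chain=forward src-address=192.168.0.0/21 dst-address=192.168.4.0/24 \
    action=accept comment="LAN -> VPN"

# 6. The /32 client routes live on the router; LAN hosts inside the /21 need
#    the bridge to answer ARP for them
/interface bridge
set bridge1 arp=proxy-arp

# Check: which pool addresses are handed out right now, and to whom
/ip pool used print
/ppp active print
```

After a client connects, `/ppp active print` shows the address it received and `/ip route print` shows the dynamic /32 route for it; if the client can ping 192.168.0.1 but nothing else, the forward rules in step 5 and the proxy-arp setting in step 6 are the two things to re-check.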

Ok, this is the only level of customization. Got it.

I’ve already done that, because I use an internal DNS (Windows Server) and I serve that IP as DNS for the rest of the PCs.

That’s not what I meant! The ones getting the DNS were the VPN clients!

I thought that because we are working on 192.168.0.0/21, all the 2.x and 4.x are connected, so I thought that I have only one network. But as you said earlier, my VPN client gets a /32. Does that mean that they’re unconnected?
What route should I add?

Regarding Firewall Filter rules, I only have those regarding VPN that I’ve written: “filter rules for tcp port 1723 and gre”. NAT and Mangle are a bit more complicated because they’re used for the PCC. It’s adapted from:
http://forum.mikrotik.com/t/howto-dual-wan-pcc-with-dynamic-ip/101969/1
And there’s a NAT rule (tcp, dst-nat with a custom port) for the actual VPN (SoftEther). There’s nothing more on the Firewall.
Regarding DHCP, it’s an almost standard config. On Networks I’ve changed the DNS to reflect that I have an internal DNS server and a domain.

Change Proxy-ARP to enabled.

If you are using a Windows client, enable “Use default gateway on remote network” in the IPv4 properties of the VPN connection.

You can get an IP from a DHCP server through a PPTP tunnel, but not from ROS. Install Ubuntu Server behind the MikroTik router, run strongSwan server, dhcpd and pptpd there, and here you go. What I achieved is: I connected with an IKEv2 client and then connected once more with a PPTP client inside the IKEv2 tunnel, and got an IP from the dhcpd pool. Also I could redistribute any static routes to the Windows PPTP client :)

P.S.: it works only with a self-signed certificate, but it works.