Windows VPN Server behind RouterOS

I have a customer that has a Windows VPN server using RRAS behind our Mikrotik 2.9.39 and I can’t seem to get it to allow him to connect.

It was working at one point, but last night I changed the WAN IP address. To my knowledge it should not have affected anything firewall-wise for his connectivity, but what do I know =)

The firewall looks like this (bare bones, for now!)

/ ip firewall filter 
add chain=input protocol=gre action=accept comment="" disabled=no 
add chain=forward src-address=0.0.0.0 dst-address=192.168.10.250 \
    action=accept comment="" disabled=yes 
add chain=forward dst-address=!192.168.11.0/24 \
    src-address-list=frontdesk-drop action=drop comment="" disabled=no



/ ip firewall nat 
add chain=srcnat src-address=192.168.10.0/24 dst-address=!192.168.11.0/24 \
    action=masquerade comment="" disabled=no 
add chain=dstnat dst-address=W.A.N.IP src-address-list="" action=dst-nat \
    to-addresses=192.168.10.250 to-ports=0-65535 comment="" disabled=yes 
add chain=dstnat in-interface=mr0005-bt-wan protocol=tcp dst-port=23400 \
    action=dst-nat to-addresses=192.168.10.81 to-ports=23400 comment="BILL \
    STAUDT REQUEST - FOR REMOTE VIEWING CAMERAS" disabled=no 
add chain=dstnat in-interface=mr0005-bt-wan protocol=tcp dst-port=1723 \
    action=dst-nat to-addresses=192.168.10.250 to-ports=1723 comment="" \
    disabled=no

Don't forget the PPTP helper as well as protocol GRE (47)…

What is it that you mean by the PPTP helper?

I do have this for GRE…

/ ip firewall filter
add chain=input protocol=gre action=accept comment="" disabled=no

Forward chain - not input chain… since you are forwarding GRE (not accepting it locally).

winbox → ip → firewall → service ports → enable pptp (and GRE if visible).

Sam
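
Added example (not written by any poster in this thread): a small Python check for the chain mismatch pointed out in the reply above, run over a constructed sample trimmed from the export in the first post. It assumes the policy wants GRE explicitly accepted in the forward chain; `parse_export` and `audit_pptp` are hypothetical helper names.

```python
import shlex

# Constructed sample, trimmed from the export posted in the thread.
SAMPLE_EXPORT = r'''
/ ip firewall filter
add chain=input protocol=gre action=accept comment="" disabled=no
add chain=forward dst-address=!192.168.11.0/24 \
    src-address-list=frontdesk-drop action=drop comment="" disabled=no
/ ip firewall nat
add chain=dstnat in-interface=mr0005-bt-wan protocol=tcp dst-port=1723 \
    action=dst-nat to-addresses=192.168.10.250 to-ports=1723 comment="" \
    disabled=no
'''

def parse_export(text):
    """Return {menu: [rule dict, ...]} from a RouterOS text export."""
    rules, menu = {}, None
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if line.startswith("/"):
            menu = " ".join(line.lstrip("/").split())
            rules.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            toks = shlex.split(line[4:])
            rules[menu].append(dict(t.split("=", 1) for t in toks if "=" in t))
    return rules

def enabled(rule):
    return rule.get("disabled", "no") != "yes"

def audit_pptp(rules):
    """Flag dst-nat'ed PPTP servers (TCP 1723) lacking a forward-chain GRE rule."""
    gre = [r for r in rules.get("ip firewall filter", [])
           if enabled(r) and r.get("protocol") in ("gre", "47")
           and r.get("action") == "accept"]
    findings = []
    for nat in rules.get("ip firewall nat", []):
        if not (enabled(nat) and nat.get("action") == "dst-nat"
                and nat.get("protocol") == "tcp" and nat.get("dst-port") == "1723"):
            continue
        if any(r.get("chain") == "forward" for r in gre):
            continue
        note = "no forward-chain GRE accept rule"
        if any(r.get("chain") == "input" for r in gre):
            note += " (the input-chain rule only matches GRE sent to the router itself)"
        findings.append(f"{nat.get('to-addresses', '?')}: {note}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_pptp(parse_export(SAMPLE_EXPORT))) or "ok")
```

The PPTP helper under service ports does not appear in the filter and nat sections shown in the thread, so this check does not cover it.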

This might help troubleshoot the problem...

On the NAT tab I see the 1723 port forward rule gets 1 packet every attempt I try to connect while the accept GRE rule gets 9 or 10 packets.

The error on my box is error 721 - the remote computer did not respond.

My capture reveals that every attempt I get an ICMP packet that says Destination unreachable (Protocol unreachable).

The above information was what I saw before changeip’s last post!

After making your suggested changes, changeip, I was able to connect and get a (what I believe to be) bad user/password error. Thanks a whole bunch!