agehall
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Aug 15, 2014 8:47 pm

Routing part of network via PPTP VPN

Wed Oct 21, 2015 10:11 am

I wish to route part of my network via a PPTP VPN. I've been playing with it for a while now but I just can't get it to work and I figure I'm missing something obvious.

The basic idea I have for solving this sort of thing is to put a routing mark on all traffic that should be routed via the PPTP VPN and then have a set of separate routes for that mark, and this is what I've tried to set up. Right now, I see two problems: 1) if I ping the remote side of the PPTP tunnel, packets go out the right interface and come back (according to the graphs and sniffer logs) but the ping still times out, and 2) I can't get the "alternate" default route to work.

Here is (relevant parts of) my configuration:
# oct/21/2015 08:58:15 by RouterOS 6.32.3
# software id = I725-FB2L
#
/interface ethernet
set [ find default-name=ether2 ] l2mtu=1588
set [ find default-name=ether3 ] l2mtu=1588
set [ find default-name=ether4 ] l2mtu=1588
set [ find default-name=ether5 ] l2mtu=1590
set [ find default-name=ether6 ] l2mtu=1590
set [ find default-name=ether8 ] l2mtu=1590
set [ find default-name=ether1 ] arp=proxy-arp l2mtu=1588 name=lan
set [ find default-name=sfp-sfpplus1 ] disabled=yes l2mtu=1590
set [ find default-name=sfp1 ] disabled=yes l2mtu=1590
set [ find default-name=ether7 ] l2mtu=1590 name=wan
/ip neighbor discovery
/ip pool
add name="Local clients" ranges=192.168.0.100-192.168.0.190
/ip dhcp-server
add address-pool="Local clients" disabled=no interface=lan lease-time=1w name="LAN DHCP"
/ppp profile
add address-list=azire-endpoint change-tcp-mss=yes name="AzireVPN profile" only-one=yes use-encryption=yes use-ipv6=default
/interface pptp-client
add connect-to=se.pptp.azirevpn.net disabled=no keepalive-timeout=disabled name=azirevpn password=xxxxxxx profile="AzireVPN profile" user=user
/ip settings
set rp-filter=strict
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=lan network=192.168.88.0
add address=192.168.0.1/24 interface=lan network=192.168.0.0
add address=192.168.2.1/24 interface=ether6 network=192.168.2.0
add address=192.168.77.1/24 interface=vlan2 network=192.168.77.0
add address=193.180.164.218 interface=azirevpn network=193.180.164.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=wan
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 domain=mynet.com gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.0.0/24 list=local
add address=192.168.88.0/24 list=local
add address=192.168.0.20 comment="Hosts that should go into the VPN tunnel" list=VPN-hosts
/ip firewall filter
add action=log chain=forward disabled=yes log=yes log-prefix=VPNDEBUG protocol=icmp
add chain=input disabled=yes protocol=gre
add chain=forward routing-mark=vpn
add chain=forward comment="Allow forwarding of all established connections" connection-state=established
add chain=input comment=PPTP dst-port=1723 protocol=tcp
add chain=forward comment="Allow forwarding to VPN tunnel" routing-mark=vpn
add chain=forward comment="Allow anything from inside the LAN to go out" in-interface=lan out-interface=wan src-address-list=local
add chain=forward comment="Allow forwarding of all related connections" connection-state=related
add chain=input comment="Allow local clients to talk to router" in-interface=lan src-address-list=local
add chain=input comment="Always allow SSH to router" dst-port=22 in-interface=lan protocol=tcp
add chain=input comment="Allow DHCP responses on WAN uplink" dst-port=67,68 in-interface=wan protocol=udp src-port=67,68
add chain=output comment="Allow outgoing traffic initiated by CCR as well as responses to anything we have accepted"
add chain=input comment="Allow responses to traffic initiated by router. (A bit liberal though)" connection-state=established
add action=drop chain=forward comment="Drop forward outside->inside by default" in-interface=wan out-interface=lan
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 log=yes protocol=tcp
add action=drop chain=input comment="Drop incoming TCP by default" protocol=tcp
add action=drop chain=input comment="Drop incoming UDP by default" protocol=udp
add action=reject chain=forward comment="Make sure we reset invalid connections ASAP" connection-state=invalid in-interface=lan protocol=tcp reject-with=tcp-reset
/ip firewall mangle
add action=mark-routing chain=prerouting log=yes log-prefix="VPN MARK OUT" new-routing-mark=vpn src-address-list=VPN-hosts
add action=mark-routing chain=prerouting in-interface=azirevpn log-prefix="VPN MARK IN" new-routing-mark=vpn
/ip firewall nat
add action=log chain=srcnat disabled=yes log=yes log-prefix="VPN BEGIN NAT" protocol=icmp
add action=masquerade chain=srcnat comment="Masquerade rule for outgoing VPN connections" log=yes log-prefix="VPN MASQ" routing-mark=vpn src-address-list=VPN-hosts to-addresses=193.180.164.226
add action=masquerade chain=srcnat comment="Masquerade rule for general traffic" log-prefix=MAIN out-interface=wan
/ip route
add distance=1 gateway=azirevpn routing-mark=vpn
add distance=1 dst-address=192.168.0.0/24 gateway=lan pref-src=192.168.0.1 routing-mark=vpn
Any suggestions or pointers are greatly appreciated!
Last edited by agehall on Fri Oct 23, 2015 1:49 pm, edited 2 times in total.
 
agehall
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Aug 15, 2014 8:47 pm

Re: Routing part of network via PPTP VPN

Wed Oct 21, 2015 1:58 pm

Ok, I've gotten a bit further. I installed a Cloud Hosted Router image so I could play with things without screwing anything up in my live setup.

Turns out it was trivial to get everything working there. Made me realize I had screwed up the routing in my live setup and that prevented things from working at all. Now, let's focus on the new setup below in the virtual router.
# oct/21/2015 10:49:29 by RouterOS 6.32
# software id = 
#
/interface pptp-client
add connect-to=se.pptp.azirevpn.net disabled=no keepalive-timeout=disabled name=AzireVPN password=XXX user=username
/ip address
add address=193.180.164.225 interface=AzireVPN network=193.180.164.225
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall address-list
add address=192.168.0.20 list=VPN
/ip firewall filter
add chain=forward out-interface=AzireVPN
add chain=forward out-interface=ether1
add chain=forward connection-state=established,related
add action=drop chain=forward
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=54.164.36.190 new-routing-mark=vpn src-address-list=VPN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=AzireVPN src-address-list=VPN
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=10.112.112.117 routing-mark=vpn
/system logging
add topics=firewall
/system package update
set channel=current
/tool romon port
add
It works fine, and whenever I ping something thru the virtual router, I see log messages that indicate that packets are coming back to the router and are being forwarded to the client. This is also confirmed by the ping on the client. So basically, everything works.

I took the settings from the CHR and applied them to my CCR and guess what, it doesn't work. :/

I can still see packets arriving back at the PPTP interface using the sniffer, but they are never forwarded to my LAN. I'm starting to suspect that the problem is due to the hardware difference (CHR being an x86 system and CCR being Tile with very different hardware).

The only thing I can think of is that some rule in my real firewall would be blocking the return path for packets, but I can't really see how that would happen and also, when I run a ping, I see no counter in the deny/reject/drop categories that increases along with the pings I send out, which makes me think that packets are lost somewhere else.

Any ideas what I should try next?
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: Routing part of network via PPTP VPN

Thu Oct 22, 2015 1:51 am

Try adding a forward rule to allow any traffic coming in on your pptp interface.
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
agehall
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Aug 15, 2014 8:47 pm

Re: Routing part of network via PPTP VPN

Thu Oct 22, 2015 8:32 am

Well, any returning packets should be allowed as I have rules for allowing established and related connections to be forwarded without restrictions on interfaces.

However, in the interest of finding the problem, I added a forwarding rule allowing any traffic from the VPN interface to be forwarded as rule #1 and it caught 0 packets while pinging a host thru the router.
 
agehall
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Aug 15, 2014 8:47 pm

Re: Routing part of network via PPTP VPN

Fri Oct 23, 2015 10:18 am

This is extremely frustrating - I've copied the config from my CCR to a CHR instance I spun up in an ESXi environment and it works just fine there.

Can anyone confirm that they have working policy based routing over PPTP tunnels on a CCR using RouterOS 6.32.3? The only relevant difference atm is that the CHR is running 6.32.

Edit:

I should add that on the CCR, I see packets returning into the router. Using log entries in the firewall rules, I can see them all the way up to the pre-routing chain as they come back, but after that, they are just lost.
 
agehall
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Aug 15, 2014 8:47 pm

Re: Routing part of network via PPTP VPN

Fri Oct 23, 2015 5:41 pm

*sigh* Several hours later of pulling my hair and I've come to the conclusion that my original CHS setup wasn't exactly matching the live CCR setup. The good news is that it works equally bad on the CHS.

So I created a VM switch and did the following setup to minimize a testcase:
[ Virtual PC ] - 10.0.0.0/24 - [ CHS instance with PPTP VPN and Policy Based Routing ] - 192.168.0.0/24 - [ My main CCR router ] --- internet
Using the following config in the CHS:
# oct/23/2015 14:11:22 by RouterOS 6.32
# software id = 
#
/interface pptp-client
add connect-to=se.pptp.azirevpn.net disabled=no keepalive-timeout=disabled name=azirevpn password=XXXX user=username
/ip settings
set rp-filter=strict
/ip address
add address=10.0.0.1/24 interface=ether2 network=10.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!216.58.209.132 new-routing-mark=VPN passthrough=no src-address=10.0.0.2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=azirevpn
/ip route
add distance=1 gateway=azirevpn routing-mark=VPN
add distance=1 dst-address=10.0.0.0/24 gateway=ether2 pref-src=10.0.0.1 routing-mark=VPN
add distance=1 gateway=192.168.0.1
/system package update
set channel=current
/tool romon port
add
The config is designed to route everything but one of google's IPs thru the VPN. I use masquerading for both the VPN and packets heading off to my regular LAN just to simplify a bit. (Guess I could add a route to 10.0.0.0/24 on my CCR, but oh well)

The result is that I can ping the google IP (216.58.209.132) but nothing else on the internet. When I run a ping that goes thru the VPN, I see packets going out and coming back on the VPN interface, but none are forwarded to the 10.0.0.0/24 LAN.

I can't really see any mistakes in my setup here, but yet it refuses to forward the returning packets and it is driving me insane right now. I'm really beginning to think there is a bug in RouterOS that prevents this from working right now, so it would be interesting to hear if anyone has gotten this to work lately?

In my debugging attempts, I also managed to find this guide in the wiki http://wiki.mikrotik.com/wiki/Policy_Base_Routing which pretty much suggests that my config should work from what I can tell.
 
manuelm
newbie
Posts: 36
Joined: Sat Feb 15, 2014 10:37 pm

Re: Routing part of network via PPTP VPN

Fri Nov 25, 2016 6:56 pm

Did you ever find the solution to your problem?
Could you try changing the RP filter to loose or no?
/ip settings
set rp-filter=loose
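Added illustration, not from the thread or from MikroTik: a small Python model of what the three rp-filter modes do to the packets in the CHR test case posted above. It assumes the reverse-path check consults only the main routing table, so routes that exist only under a routing-mark do not count; the 192.168.0.0/24 connected route on ether1 and the packet sources are constructed for the example.

```python
import ipaddress

# Constructed routing tables modelled on the CHR test case in this thread.
# Each entry is (table, prefix, out_interface); "main" holds unmarked routes.
ROUTES = [
    ("main", "0.0.0.0/0", "ether1"),       # default via 192.168.0.1
    ("main", "10.0.0.0/24", "ether2"),     # connected LAN
    ("main", "192.168.0.0/24", "ether1"),  # connected uplink (assumed)
    ("VPN", "0.0.0.0/0", "azirevpn"),      # routing-mark=VPN default via tunnel
    ("VPN", "10.0.0.0/24", "ether2"),      # routing-mark=VPN route back to LAN
]

def best_route(table, addr):
    """Longest-prefix match for addr in one table; returns the outgoing
    interface, or None when no route in that table covers the address."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), i) for t, p, i in ROUTES
               if t == table and ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def rp_filter(mode, src, in_iface):
    """Model of the reverse-path check for a packet from src arriving on
    in_iface. Assumption: only the main table is consulted, so routes that
    exist only under a routing-mark are invisible to the check.
    strict: pass only if the main table would reply to src out of in_iface.
    loose:  pass if src is reachable through any interface at all.
    no:     check disabled."""
    if mode == "no":
        return True
    reverse = best_route("main", src)
    if mode == "loose":
        return reverse is not None
    if mode == "strict":
        return reverse == in_iface
    raise ValueError(f"unknown rp-filter mode {mode!r}")

def demo():
    """Run the three constructed packets through every mode."""
    cases = [
        ("VPN reply to the LAN host", "8.8.8.8", "azirevpn"),
        ("Google reply via the uplink", "216.58.209.132", "ether1"),
        ("Spoofed LAN source on the uplink", "10.0.0.2", "ether1"),
    ]
    return {desc: {m: rp_filter(m, src, iface) for m in ("strict", "loose", "no")}
            for desc, src, iface in cases}
```

The model shows the trade-off: strict drops the tunnel's return traffic because the main table points replies at ether1, while loose accepts it but also stops rejecting a packet that claims a 10.0.0.0/24 source on the uplink, so that anti-spoofing job moves to an explicit firewall filter rule.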
 
agehall
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Aug 15, 2014 8:47 pm

Re: Routing part of network via PPTP VPN

Mon Nov 28, 2016 7:51 pm

Nope, never figured it out and eventually gave up and created another solution so I no longer have the setup.

Next time I go at this, I'll try that suggestion.
