MateuszG
just joined
Topic Author
Posts: 2
Joined: Thu Dec 08, 2016 1:18 pm

VPN client to side

Thu Dec 08, 2016 1:41 pm

Hi!
I have a problem configuring a VPN using PPTP. I'll explain what I want to do:
  • one client should have access only to a host, e.g. 192.168.15.10
  • the other client should have access only to hosts, e.g. 192.168.18.26 and 192.168.21.18
For now, both clients have access to my whole network.
My configuration:
[admin@MikroTik Router] /interface> pptp-server server print 
            enabled: yes
            max-mtu: 1450
            max-mru: 1450
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: VPN_profile
    
[admin@MikroTik Router] /interface> /ppp secret print detail
Flags: X - disabled 
 0   name="user1" service=pptp caller-id="" password="12345" profile=VPN_profile local-address=192.168.51.1 remote-address=192.168.51.150 limit-bytes-in=0 limit-bytes-out=0 last-logged-out=oct/18/2016 11:31:28 
 1   name="user2" service=pptp caller-id="" password="54321" profile=VPN_profile local-address=192.168.51.1 remote-address=192.168.51.160 limit-bytes-in=0 limit-bytes-out=0 last-logged-out=dec/08/2016 11:20:55 
 
[admin@MikroTik Router] /interface> /ppp profile print 
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 
 1   name="VPN_profile" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=default use-upnp=default address-list="" dns-server=8.8.8.8 on-up="" on-down="" 
 2 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""
I have a MikroTik CCR1009-8G-1S-1S+ (v6.36).
 
erlinden
Member Candidate
Posts: 174
Joined: Wed Jun 12, 2013 1:59 pm

Re: VPN client to side

Thu Dec 08, 2016 2:20 pm

Still not clear to me what you are trying to accomplish...

Would you like to set different privileges per user?
What does your firewall look like?
Why are you (still) using PPTP?
 
cdiedrich
Forum Veteran
Posts: 927
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: VPN client to side

Thu Dec 08, 2016 5:00 pm

Simply use firewall filter rules and address lists.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
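
One way to apply the suggestion above to the addresses in the first post, as an added example that is not from any poster in this thread. It assumes each PPP secret keeps the fixed remote-address shown there; the address-list names and rule comments are made up for illustration.

```routeros
# Added example (not from the thread). List names and comments are hypothetical.
# Destination hosts each VPN user may reach, taken from the first post.
/ip firewall address-list
add list=vpn-user1-allowed address=192.168.15.10
add list=vpn-user2-allowed address=192.168.18.26
add list=vpn-user2-allowed address=192.168.21.18

# Traffic from a VPN client to LAN hosts passes through the router,
# so it is filtered in the forward chain, not in input.
# Rules are evaluated top to bottom: the accept must sit above the drop.
/ip firewall filter
# user1 is pinned to remote-address=192.168.51.150 in its PPP secret
add chain=forward src-address=192.168.51.150 \
    dst-address-list=vpn-user1-allowed action=accept \
    comment="VPN user1: allowed hosts"
add chain=forward src-address=192.168.51.150 action=drop \
    comment="VPN user1: drop everything else"
# user2 is pinned to remote-address=192.168.51.160 in its PPP secret
add chain=forward src-address=192.168.51.160 \
    dst-address-list=vpn-user2-allowed action=accept \
    comment="VPN user2: allowed hosts"
add chain=forward src-address=192.168.51.160 action=drop \
    comment="VPN user2: drop everything else"
```

The drop rules match only packets sourced from the VPN client, so replies from the allowed hosts are not affected. These forward-chain rules do not cover traffic addressed to the router itself, which is handled by the input chain.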
 
MateuszG
just joined
Topic Author
Posts: 2
Joined: Thu Dec 08, 2016 1:18 pm

Re: VPN client to side

Tue Dec 13, 2016 3:03 pm

@erlinden,
Yes, I want to set up different privileges per user.

What should I use instead of PPTP?

These are my firewall rules:
[admin@MikroTik Router] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Drop Invalid connections
      chain=input action=drop connection-state=invalid log=no log-prefix="" 
 1    ;;; Allow Established connections
      chain=input action=accept connection-state=established log=no log-prefix="" 
 2    ;;; Allow ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 
 3    ;;; Block "bogon" addresses
      chain=forward action=drop src-address=0.0.0.0/8 log=no log-prefix="" 
 4    chain=forward action=drop dst-address=0.0.0.0/8 log=no log-prefix="" 
 5    chain=forward action=drop src-address=127.0.0.0/8 log=no log-prefix="" 
 6    chain=forward action=drop dst-address=127.0.0.0/8 log=no log-prefix="" 
 7    chain=forward action=drop src-address=224.0.0.0/3 log=no log-prefix="" 
 8    chain=forward action=drop dst-address=224.0.0.0/3 log=no log-prefix="" 
 9    ;;; VPN
      chain=input action=accept protocol=tcp dst-address=X.X.X.X dst-port=1723 log=no log-prefix="" 
10    chain=input action=accept protocol=gre dst-address=X.X.X.X log=no log-prefix="" 

11    chain=input action=accept src-address=192.168.0.0/16 dst-address=192.168.0.0/16 log=no log-prefix="" 

12    ;;; Drop everything else
      chain=input action=drop log=no log-prefix="" 
 
gotsprings
Forum Veteran
Posts: 778
Joined: Mon May 14, 2012 9:30 pm

Re: VPN client to side

Tue Dec 13, 2016 9:33 pm

Sometimes you have to use PPTP because of the way that Tik does IPsec.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
