VPN client to side

Posted: Thu Dec 08, 2016 1:41 pm
by MateuszG
Hi!
I have a problem with configuring a VPN using PPTP. I'll explain what I want to do:
  • one client has access only to a host, e.g. 192.168.15.10
  • the other client has access only to hosts, e.g. 192.168.18.26 and 192.168.21.18
For now, both clients have access to all of my network.
My configuration:
[admin@MikroTik Router] /interface> pptp-server server print 
            enabled: yes
            max-mtu: 1450
            max-mru: 1450
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: VPN_profile
    
[admin@MikroTik Router] /interface> /ppp secret print detail
Flags: X - disabled 
 0   name="user1" service=pptp caller-id="" password="12345" profile=VPN_profile local-address=192.168.51.1 remote-address=192.168.51.150 limit-bytes-in=0 limit-bytes-out=0 last-logged-out=oct/18/2016 11:31:28 
 1   name="user2" service=pptp caller-id="" password="54321" profile=VPN_profile local-address=192.168.51.1 remote-address=192.168.51.160 limit-bytes-in=0 limit-bytes-out=0 last-logged-out=dec/08/2016 11:20:55 
 
[admin@MikroTik Router] /interface> /ppp profile print 
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 
 1   name="VPN_profile" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=default use-upnp=default address-list="" dns-server=8.8.8.8 on-up="" on-down="" 
 2 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""
I have Mikrotik CCR1009-8G-1S-1S+ (v6.36).

Re: VPN client to side

Posted: Thu Dec 08, 2016 2:20 pm
by erlinden
Still not clear to me what you are trying to accomplish...

Would you like to set different privileges per user?
What does your firewall look like?
Why are you (still) using PPTP?

Re: VPN client to side

Posted: Thu Dec 08, 2016 5:00 pm
by cdiedrich
Simply use firewall filter rules and address lists.
-Chris
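
The suggestion above, written out for the two secrets in the first post, as an added example that is not part of any poster's reply. The list names vpn-user1 and vpn-user2 and the rule comments are assumptions; the addresses are the ones given in the thread.

```routeros
# Added example, not from the thread. List names and comments are assumptions.

# Each PPP secret has a fixed remote-address, so a static address-list
# entry identifies the user by tunnel IP.
/ip firewall address-list
add list=vpn-user1 address=192.168.51.150 comment="user1 tunnel IP"
add list=vpn-user2 address=192.168.51.160 comment="user2 tunnel IP"

# Traffic from a VPN client to a LAN host is routed through the router,
# so it is filtered in chain=forward. chain=input only covers traffic
# addressed to the router itself and is not changed here.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies to connections that were already allowed"

# user1: only 192.168.15.10
add chain=forward action=accept src-address-list=vpn-user1 \
    dst-address=192.168.15.10 comment="user1 allowed host"

# user2: only 192.168.18.26 and 192.168.21.18
add chain=forward action=accept src-address-list=vpn-user2 \
    dst-address=192.168.18.26 comment="user2 allowed host 1"
add chain=forward action=accept src-address-list=vpn-user2 \
    dst-address=192.168.21.18 comment="user2 allowed host 2"

# Everything else coming from either tunnel address is dropped.
add chain=forward action=drop src-address-list=vpn-user1 \
    comment="user1: drop all other forwarded traffic"
add chain=forward action=drop src-address-list=vpn-user2 \
    comment="user2: drop all other forwarded traffic"
```

Rule order matters: these rules have to sit above any broader accept rule in the forward chain. VPN_profile hands out dns-server=8.8.8.8, so DNS queries a client sends through the tunnel are dropped by the last two rules unless a matching accept is added.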

Re: VPN client to side

Posted: Tue Dec 13, 2016 3:03 pm
by MateuszG
@erlinden,
yes, I want to set up different privileges per user.

What should I use instead of PPTP?

These are my firewall rules:
[admin@MikroTik Router] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Drop Invalid connections
      chain=input action=drop connection-state=invalid log=no log-prefix="" 
 1    ;;; Allow Established connections
      chain=input action=accept connection-state=established log=no log-prefix="" 
 2    ;;; Allow ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 
 3    ;;; Block "bogon" addresses
      chain=forward action=drop src-address=0.0.0.0/8 log=no log-prefix="" 
 4    chain=forward action=drop dst-address=0.0.0.0/8 log=no log-prefix="" 
 5    chain=forward action=drop src-address=127.0.0.0/8 log=no log-prefix="" 
 6    chain=forward action=drop dst-address=127.0.0.0/8 log=no log-prefix="" 
 7    chain=forward action=drop src-address=224.0.0.0/3 log=no log-prefix="" 
 8    chain=forward action=drop dst-address=224.0.0.0/3 log=no log-prefix="" 
 9    ;;; VPN
      chain=input action=accept protocol=tcp dst-address=X.X.X.X dst-port=1723 log=no log-prefix="" 
10    chain=input action=accept protocol=gre dst-address=X.X.X.X log=no log-prefix="" 

11    chain=input action=accept src-address=192.168.0.0/16 dst-address=192.168.0.0/16 log=no log-prefix="" 

12    ;;; Drop everything else
      chain=input action=drop log=no log-prefix="" 

Re: VPN client to side

Posted: Tue Dec 13, 2016 9:33 pm
by gotsprings
Sometimes you have to use PPTP because of the way that Tik does IPsec.