tjippi
just joined
Topic Author
Posts: 8
Joined: Fri Oct 13, 2017 10:13 pm

PPTP - Cannot access device in LAN

Fri May 11, 2018 10:39 pm

Hi guys,

After a lot of reading and changing settings, I need a bit of help please, as I'm still a bit of a beginner in networking.

I have PPTP set up and running on my router and I am able to connect and ping devices in my network. I also set it up to give me an IP in the same range as my LAN.
I'm running openHAB on a machine and using the Android app on my phone to connect to the server.
When on the LAN (WiFi) all works 100%, but when I connect via PPTP the app cannot connect to the server; however, I can use the browser to connect to it (the app and the browser use the same address: http://192.168.88.213:8080).

I also have some IP cams that I can access fine when on the local LAN with its app, but when I try via PPTP it does not work. Here I have to mention I added a firewall rule to block the cameras connecting outside the local LAN since I saw the IP cam was connecting to servers in China. (The rule is below.)
If I disable the rule, I can connect to the camera via PPTP.
add action=drop chain=forward dst-address=!192.168.88.0/24 src-address=192.168.88.208
What am I missing to allow the apps to work over the PPTP connection?
Please let me know what config prints you need.
Many thanks
 
MangleRule
Frequent Visitor
Posts: 60
Joined: Mon May 07, 2018 1:05 am

Re: PPTP - Cannot access device in LAN

Fri May 11, 2018 10:44 pm

Run the following command so we can see what you have setup.

/export hide-sensitive
MTCNA MTCRE MTCINE | MTCTCE | MTCUME | UBWA
 
tjippi
just joined
Topic Author
Posts: 8
Joined: Fri Oct 13, 2017 10:13 pm

Re: PPTP - Cannot access device in LAN

Fri May 11, 2018 11:12 pm

Here is the output:
# may/11/2018 22:10:15 by RouterOS 6.42.1
# software id = U6TR-IB4V
#
# model = RouterBOARD 750G r3
/interface ethernet
set [ find default-name=ether3 ] arp=proxy-arp
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2 name=pppoe-out1 use-peer-dns=yes user=xxxxxxx
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_home ranges=192.168.88.10-192.168.88.220
add name=pptp_pool ranges=192.168.88.230-192.168.88.235
/ip dhcp-server
add address-pool=dhcp_home disabled=no interface=ether3 name=dhcp-home
/ppp profile
add local-address=192.168.88.1 name=pptp_profile only-one=no remote-address=pptp_pool use-encryption=yes use-mpls=yes
/interface list member
add interface=pppoe-out1 list=WAN
add list=LAN
/interface pptp-server server
set default-profile=pptp_profile enabled=yes
/ip address
add address=192.168.88.1/24 interface=ether3 network=192.168.88.0
/ip dhcp-server lease
add address=192.168.88.213 client-id=1:b8:27:eb:83:a9:7f mac-address=B8:27:EB:83:A9:7F server=dhcp-home
add address=192.168.88.208 client-id=1:28:ad:3e:c:ea:48 mac-address=28:AD:3E:0C:EA:48 server=dhcp-home
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="accept estalished connections" connection-state=established
add action=accept chain=input comment="accept related connections" connection-state=related
add action=drop chain=forward dst-address=!192.168.88.1-192.168.88.255 src-address=192.168.88.208
add action=drop chain=input comment="drop possible port scans" protocol=tcp psd=10,3s,3,1
add action=drop chain=input comment="deny NETBIOS services" dst-port=137-139 protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
add action=drop chain=input comment="Drop WinBox brute forcers" dst-port=8291 protocol=tcp src-address-list=wb_blacklist
add action=add-src-to-address-list address-list=wb_blacklist address-list-timeout=1w3d chain=input comment="WinBox brute forcers blacklisting" connection-state=new dst-port=8291 protocol=tcp src-address-list=wb_stage3
add action=add-src-to-address-list address-list=wb_stage3 address-list-timeout=1m chain=input comment="WinBox brute forcers the third stage" connection-state=new dst-port=8291 protocol=tcp src-address-list=wb_stage2
add action=add-src-to-address-list address-list=wb_stage2 address-list-timeout=1m chain=input comment="WinBox brute forcers the second stage" connection-state=new dst-port=8291 protocol=tcp src-address-list=wb_stage1
add action=add-src-to-address-list address-list=wb_stage1 address-list-timeout=1m chain=input comment="WinBox brute forcers the first stage" connection-state=new dst-port=8291 protocol=tcp
add action=accept chain=input comment="allow SNMP connections" dst-port=161 protocol=udp
add action=accept chain=input comment="allow bandwidth test TCP connections" dst-port=2000 protocol=tcp
add action=accept chain=input comment="allow UDP protocol" protocol=udp
add action=accept chain=input comment="allow FTP access" dst-port=21 protocol=tcp
add action=accept chain=input comment="allow SSH access" dst-port=22 protocol=tcp
add action=accept chain=input comment="allow HTTP access" dst-port=80 protocol=tcp
add action=accept chain=input comment="allow Winbox access" dst-port=8291 protocol=tcp
add action=accept chain=input comment="allow PPTP access" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="allow ICMP echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=input comment="allow ICMP Fragmentation Needed" icmp-options=3:4 protocol=icmp
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade out-interface=pppoe-out1
/ppp secret
add name=xxxx profile=pptp_profile
/system clock
set time-zone-name=Africa/Johannesburg
/system leds
add leds=user-led type=interface-status
/system ntp client
set enabled=yes primary-ntp=196.21.187.2
/system routerboard settings
set silent-boot=no
 
MangleRule
Frequent Visitor
Posts: 60
Joined: Mon May 07, 2018 1:05 am

Re: PPTP - Cannot access device in LAN

Fri May 11, 2018 11:23 pm

The first thing I would try is connecting to the router with Winbox and running the torch tool to see what happens if you try to use the app on your phone while it is connected to the PPTP tunnel.
 
tjippi
just joined
Topic Author
Posts: 8
Joined: Fri Oct 13, 2017 10:13 pm

Re: PPTP - Cannot access device in LAN

Sat May 12, 2018 12:06 am

Thanks, here it is.
 
MangleRule
Frequent Visitor
Posts: 60
Joined: Mon May 07, 2018 1:05 am

Re: PPTP - Cannot access device in LAN

Sat May 12, 2018 12:21 am

That doesn't really help much; that is just a plain torch. You just need to set the Dst. Address to the openHAB server. If you know the port that the app uses to communicate with the server, add that under Protocol and Port as well, so you can see if the traffic is even reaching the openHAB server and what the source IP address is.
 
tjippi
just joined
Topic Author
Posts: 8
Joined: Fri Oct 13, 2017 10:13 pm

Re: PPTP - Cannot access device in LAN

Sat May 12, 2018 12:57 am

Ah ok, 100%. I will do it a bit later, thanks.
 
tjippi
just joined
Topic Author
Posts: 8
Joined: Fri Oct 13, 2017 10:13 pm

Re: PPTP - Cannot access device in LAN

Sat May 12, 2018 11:28 am

I got the openHAB app working now, thanks.
It turned out that the app will not use the LTE connection out of the phone as it thinks it is not local. I just added the local IP of the server as the remote server address in the app and it started working.

On the IP cam issue I'm still a bit stuck. If I disable the rule in my first post, it works.
I've done a torch on it as the source only, because I could not see a direct connection between the camera and the phone running the app. The traffic is from when the app connects to the IP cam using the local network.
The IP cam address is 192.168.88.208.
 
MangleRule
Frequent Visitor
Posts: 60
Joined: Mon May 07, 2018 1:05 am

Re: PPTP - Cannot access device in LAN

Sun May 13, 2018 5:03 am

That is odd that your camera is phoning out like that. You should just adjust the rule so that instead of dst-address=!192.168.88.0/24 you use out-interface=<wan.interface> (change <wan.interface> to whatever the port going to the internet is).
 
scampbell
Trainer
Posts: 446
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Re: PPTP - Cannot access device in LAN

Sun May 13, 2018 6:11 am

If you are logging into your LAN via PPTP and assigning your remote connection an IP address from the local LAN range, then you will not be able to see devices in the local LAN, as you report.

The reason is due to your subnet and ARP.

Your remote device gets an IP address like 192.168.88.77 with a network address of, say, 192.168.88.1. This is a /32 IP address. All traffic from this host will happily go to the gateway router and be routed to the host on the LAN at 192.168.88.0/24... but the device on 192.168.88.204 (say) has a subnet of /24, and rather than reply to the gateway on 192.168.88.1 it will issue an ARP request to see who in its LOCAL network has the address 192.168.88.77, and no response will be received. Communication stops at this point.

To fix this there are two methods:

1. Set the local bridge on the router to do Proxy-ARP. This is easy but not my preferred way.
2. Assign a unique range of addresses for VPN users, such as 192.168.89.1-192.168.89.100.

Method two also allows you to firewall remote users to restrict their access if needed. This is my preferred way of solving this.

Method one works by having the router respond to any ARP requests for hosts it knows about (e.g. VPN clients). https://wiki.mikrotik.com/wiki/Manual:I ... _Proxy_Arp

Hope this helps :-)
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
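The two mechanisms discussed in this thread, the on-link/ARP decision that scampbell describes and the behaviour of the camera egress rule in its dst-address form versus the out-interface form MangleRule suggests, can be reproduced in a small model. The following Python is an added example written for this page, not RouterOS code and not from any poster; the host addresses, the VPN client addresses and the 203.0.113.10 "cloud server" are constructed sample values (the export above does show arp=proxy-arp already set on ether3, and the /24 on-link logic modelled here is what that setting works around). It generalises slightly beyond the posts by also showing what happens to the dst-address variant of the camera rule once VPN users are moved to a separate 192.168.89.0/24 pool (method two).

```python
"""Model of (1) why a /24 LAN host cannot reach a /32 PPTP client that holds
an address from the same range without proxy-ARP, and (2) how the camera
egress drop rule behaves as dst-address=!LAN versus out-interface=WAN.
Added illustration for the thread, not RouterOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

LAN = ipaddress.ip_network("192.168.88.0/24")
GATEWAY = ipaddress.ip_address("192.168.88.1")
WAN_IFACE = "pppoe-out1"            # from the export in the thread
CAMERA = "192.168.88.208"           # from the thread


def next_hop(src_ip: str, src_prefix: int, dst_ip: str, gateway=GATEWAY) -> str:
    """Decide where a host sends a packet using only its own mask:
    'arp:<dst>' if dst is on-link (host ARPs for it directly),
    'gateway:<gw>' if it is off-link and therefore routed."""
    iface = ipaddress.ip_interface(f"{src_ip}/{src_prefix}")
    dst = ipaddress.ip_address(dst_ip)
    return f"arp:{dst}" if dst in iface.network else f"gateway:{gateway}"


def arp_reply(target: str, lan_hosts: Set[str], vpn_clients: Set[str],
              proxy_arp: bool) -> Optional[str]:
    """Who answers an ARP request for `target` on the LAN segment.
    A PPTP client sits on a PPP interface behind the router and never hears
    the broadcast, so only the router can answer for it, and only with
    proxy-ARP enabled on the LAN interface."""
    if target in lan_hosts:
        return "host"
    if proxy_arp and target in vpn_clients:
        return "router (proxy-arp)"
    return None


def lan_reaches_vpn_client(vpn_client_ip: str, proxy_arp: bool,
                           lan_host_ip: str = "192.168.88.204") -> bool:
    """Can a /24 LAN host (constructed: .204) send a reply to a VPN client?"""
    hop = next_hop(lan_host_ip, 24, vpn_client_ip)
    if hop.startswith("gateway:"):
        return True  # routed to the router, which has the PPP route (method two)
    target = hop.split(":", 1)[1]
    lan_hosts = {lan_host_ip, "192.168.88.213"}  # constructed LAN population
    return arp_reply(target, lan_hosts, {vpn_client_ip}, proxy_arp) is not None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str   # interface the router would forward it out of


def camera_rule_drops(pkt: Packet, variant: str, camera: str = CAMERA) -> bool:
    """Evaluate the camera egress drop rule in its two forms.
    'dst-address'   : drop if src is the camera and dst is NOT in 192.168.88.0/24
    'out-interface' : drop if src is the camera and the packet leaves via WAN"""
    if pkt.src != camera:
        return False
    if variant == "dst-address":
        return ipaddress.ip_address(pkt.dst) not in LAN
    if variant == "out-interface":
        return pkt.out_iface == WAN_IFACE
    raise ValueError(f"unknown rule variant {variant!r}")


if __name__ == "__main__":
    print(next_hop("192.168.88.204", 24, "192.168.88.77"))   # arp:192.168.88.77
    print(next_hop("192.168.88.204", 24, "192.168.89.5"))    # gateway:192.168.88.1
    for ip, proxy in [("192.168.88.77", False), ("192.168.88.77", True), ("192.168.89.5", False)]:
        print(ip, "proxy-arp" if proxy else "no proxy-arp", lan_reaches_vpn_client(ip, proxy))
    samples = [  # constructed packets
        Packet(CAMERA, "203.0.113.10", WAN_IFACE),      # camera phoning a cloud server
        Packet(CAMERA, "192.168.88.230", "<pptp-user>"),  # reply to VPN client from LAN pool
        Packet(CAMERA, "192.168.89.5", "<pptp-user>"),    # reply to VPN client in method-two pool
    ]
    for p in samples:
        print(p.dst, {v: camera_rule_drops(p, v) for v in ("dst-address", "out-interface")})
```

The last sample is the one worth noticing: once VPN users are moved to their own 192.168.89.0/24 pool, the `dst-address=!192.168.88.0/24` form of the camera rule also drops the camera's replies to them, while the `out-interface` form only blocks what actually leaves toward the internet. The model checks only the rule's own match conditions; it does not reproduce connection tracking or the rest of the filter chain.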
