blackzero
newbie
Topic Author
Posts: 25
Joined: Tue Aug 09, 2011 3:40 pm

Problem with PPTP/L2TP clients pinging internal hosts.

Tue May 04, 2021 3:18 pm

Mikrotik's port 1 (WAN) is PPPoE to ISP. Internet works fine.

Port 2,3,4,5 under a bridge, DHCP enabled

DHCP Pool 192.168.14.0/24, Gateway's IP (Bridge) 192.168.14.20, Proxy-ARP enabled

There's a server with IP 192.168.14.11. All internal clients can access just fine.

I have one PPTP setup; it can connect with IP 192.168.13.21 (through Mikrotik's PPPoE interface) just fine, but cannot ping 192.168.14.11. It's supposed to be able to ping directly, right?

I will post specific config if requested. Please help.

Here's the general config:
# may/04/2021 19:23:39 by RouterOS 6.48.2
# software id = XXX
#
# model = RB450Gx4
# serial number = XXX

/interface bridge
add admin-mac=XXXXX arp=proxy-arp auto-mac=no comment="Bridge for All LAN Interfaces" name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Internet Port for PPPoE"
set [ find default-name=ether2 ] arp=proxy-arp comment="LAN ports under Bridge"
set [ find default-name=ether4 ] arp=proxy-arp comment="Ether 4 -- Fingerprint 192.168.14.11"
/interface pppoe-client
add add-default-route=yes comment=Internet disabled=no interface=ether1 name="PPPoE" user=AAA
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=CK-DHCP ranges=192.168.14.60-192.168.14.254
add name=CK-VPN ranges=192.168.13.21-192.168.13.254
/ip dhcp-server
add address-pool=CK-DHCP disabled=no interface=bridge lease-time=1d10m name=defconf
/ppp profile
set *0 local-address=CK-VPN remote-address=CK-VPN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="PPPoE" list=WAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set enabled=yes
/ip address
add address=192.168.88.1/24 comment="Ethernet 2" disabled=yes interface=bridge network=192.168.88.0
add address=192.168.14.20/24 comment=defconf interface=bridge network=192.168.14.0
add address=192.168.13.20/24 comment=defconf interface=bridge network=192.168.13.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.14.0/24 comment=defconf gateway=192.168.14.20
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=203.142.82.222
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow PPTP" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow SSTP" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 protocol=udp
# Winbox (8291/tcp) is accepted from any source here, including the Internet; restrict it with in-interface-list=LAN or a src-address-list
add action=accept chain=input comment="Allow Winbox from Internet" dst-port=8291 protocol=tcp
add chain=input comment="Accept Established / Related Input" connection-state=established,related
add action=accept chain=input comment="Allow Management Input" src-address=192.168.14.0/24
add chain=forward comment="Accept Established / Related Forward" connection-state=established,related
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop Input" log-prefix="Input Drop"
add action=fasttrack-connection chain=forward comment="Fast Track Established / Related Forward" connection-state=established,related disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=192.168.14.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=192.168.13.0/24
Last edited by blackzero on Tue May 04, 2021 3:29 pm, edited 2 times in total.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Problem with PPTP/L2TP clients pinging internal hosts.

Tue May 04, 2021 3:25 pm

A config would be more than welcome; you can create it with: /export hide-sensitive file=anynameyoulike
 
blackzero
newbie
Topic Author
Posts: 25
Joined: Tue Aug 09, 2011 3:40 pm

Re: Problem with PPTP/L2TP clients pinging internal hosts.

Tue May 04, 2021 3:28 pm

> A config would be more than welcome; you can create it with: /export hide-sensitive file=anynameyoulike
Just did. Please kindly check.
 
quackyo
Member Candidate
Posts: 176
Joined: Mon Nov 16, 2015 10:14 am

Re: Problem with PPTP/L2TP clients pinging internal hosts.

Tue May 04, 2021 3:38 pm

Does the server have the MikroTik as its default route? If not, it needs a specific route for 192.168.13.0/24 -> MikroTik. Without this it wouldn't know where to speak back to the client in the .13.0/24 net.
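The return-path point above, worked through as an added example that is not part of the thread: a ping from the VPN client only completes if the MikroTik can forward the request to the server and the server's own routing table has a next hop for the reply to 192.168.13.21. The addresses are taken from the posted config; the interface names and the three candidate routing tables for the server are assumptions, and the longest-prefix-match lookup is generic rather than a model of any specific OS.

```python
"""Added example (not from the thread): model the return path quackyo describes.

Addresses come from the posted config; the interface names and the server's
candidate routing tables are assumptions constructed for this example.
"""
from ipaddress import ip_address, ip_network

ROUTER_LAN_IP = "192.168.14.20"   # bridge address from the posted config
SERVER_IP = "192.168.14.11"
VPN_CLIENT_IP = "192.168.13.21"   # first address of the CK-VPN pool


def lookup(routes, dst):
    """Longest-prefix match.

    routes: list of (prefix, interface, gateway); gateway None means the prefix
    is directly connected. Returns (interface, next_hop) or None when the
    destination is unroutable.
    """
    dst = ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        return None
    _, iface, gw = best
    # Connected prefix: deliver directly to the destination (ARP), else via gateway.
    return iface, (gw if gw is not None else str(dst))


# The MikroTik's table as the posted config produces it: both bridge subnets are
# connected, and the active PPTP session adds a /32 for the client on its dynamic
# ppp interface (name assumed). The /32 wins over the bridge's /24, so the router
# side of the path is fine regardless of the overlapping bridge address.
ROUTER_ROUTES = [
    ("192.168.14.0/24", "bridge", None),
    ("192.168.13.0/24", "bridge", None),
    ("192.168.13.21/32", "<pptp-blackzero>", None),
]

# Three constructed candidates for the server's table (interface name assumed).
SERVER_CONNECTED_ONLY = [("192.168.14.0/24", "eth0", None)]
SERVER_WITH_DEFAULT = SERVER_CONNECTED_ONLY + [("0.0.0.0/0", "eth0", ROUTER_LAN_IP)]
SERVER_WITH_SPECIFIC = SERVER_CONNECTED_ONLY + [("192.168.13.0/24", "eth0", ROUTER_LAN_IP)]


def ping_completes(server_routes, client=VPN_CLIENT_IP, server=SERVER_IP):
    """True if the request reaches the server AND the server can route a reply."""
    forward = lookup(ROUTER_ROUTES, server)
    reply = lookup(server_routes, client)
    return forward is not None and reply is not None


if __name__ == "__main__":
    for name, table in [("connected only", SERVER_CONNECTED_ONLY),
                        ("default via router", SERVER_WITH_DEFAULT),
                        ("specific /24 via router", SERVER_WITH_SPECIFIC)]:
        print(f"server table {name:24s}: ping completes = {ping_completes(table)}")
```

With only its connected /24 the server has nowhere to send the reply, so the ping times out even though the request arrived; either a default route or a specific 192.168.13.0/24 route via the MikroTik fixes it. The live equivalent on the router is a ping to the server sourced from a VPN-side address (`/ping 192.168.14.11 src-address=192.168.13.20`): if that fails while a ping sourced from 192.168.14.20 succeeds, the server is not routing off-subnet replies back.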
 
blackzero
newbie
Topic Author
Posts: 25
Joined: Tue Aug 09, 2011 3:40 pm

Re: Problem with PPTP/L2TP clients pinging internal hosts.

Tue May 04, 2021 3:42 pm

> Does the server have the MikroTik as its default route? If not, it needs a specific route for 192.168.13.0/24 -> MikroTik. Without this it wouldn't know where to speak back to the client in the .13.0/24 net.
The server's setup is

192.168.14.11/24, gateway 192.168.14.20 (mikrotik's IP), it's wired to Mikrotik's port directly (port 4).

It's a pretty old server; I'm not sure what else I need to configure in there. Clients inside the network can all access it normally (maybe because they're on the same physical switch). What else do I need to be aware of?

What is this "need to have a specific route for 192.168.13.0/24 -> mikrotik"? I don't quite understand.
