gnovasco
just joined
Topic Author
Posts: 1
Joined: Mon Sep 13, 2021 4:16 pm

VPN PPTP - No access to LAN (using segmentation PBR)

Mon Sep 13, 2021 5:14 pm

*** Update: If I disable the Mangle rules, the VPN works correctly. The solution is probably to add new Mangle rules, but I do not understand what they should look like. ***

Hi, how are you?

I am a newbie to the world of RouterOS.
I have configured PBR segmentation across three ISPs (working OK).

Now I am trying to set up a PPTP VPN. I managed to establish it, but despite following the recommendations in several threads, I can only reach my router's gateway address, not the LAN network.

Could you help me?

I copy my current configuration.
Thank you!

------------------------------------------------------------------------------
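# RouterOS export (RouterOS script; '#' lines are comments).
# Three-ISP policy routing (mangle marks by source address-list) plus a PPTP
# server whose clients get 192.168.1.200-250, i.e. addresses inside the LAN /24.
/interface bridge
# proxy-arp lets the router answer LAN-side ARP requests for the VPN client
# addresses, which sit in the same /24 as the LAN hosts.
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ISP1
set [ find default-name=ether2 ] name=ISP2
set [ find default-name=ether3 ] name=ISP3
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add disabled=no interface=ISP3 name=pppoe-wan user=antel@adsl
/interface pptp-server
add name=VPN user=""
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid="Office - System"
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=invitados supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=02:00:00:AA:00:01 master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=invitados ssid="Office - Invitados" wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add comment="RED LAN" name=dhcp_pool0 ranges=192.168.1.100-192.168.1.199
add comment="RED LAN - INVITADOS" name=dhcp_pool_invitados ranges=192.168.88.100-192.168.88.199
# VPN pool lies inside the LAN /24 but outside the LAN DHCP range, so no overlap.
add comment="RED VPN" name=dhcp_pool_vpn ranges=192.168.1.200-192.168.1.250
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=3d name=dhcp1
add address-pool=dhcp_pool_invitados disabled=no interface=wlan2 lease-time=3d name=dhcp2_invitados
/ppp profile
add bridge=bridge1 change-tcp-mss=yes local-address=192.168.1.1 name=profileVPN remote-address=dhcp_pool_vpn session-timeout=2h use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
/interface list member
add interface=ISP1 list=WAN
add interface=ISP2 list=WAN
add interface=pppoe-wan list=WAN
/interface pptp-server server
# pap sends the password in clear, chap and mschap1 are offline-crackable with
# a captured exchange; restrict this to mschap2 if the clients support it.
# PPTP/MPPE is itself a weak transport, so a move to L2TP/IPsec (or another
# VPN type RouterOS offers) is the longer-term fix.
set authentication=pap,chap,mschap1,mschap2 default-profile=profileVPN enabled=yes
/ip address
add address=190.xx.xx.67/29 comment=WAN-ANTEL_2/5 interface=ISP1 network=190.xx.xx.64
add address=200.xx.xx.46/30 comment=WAN-TELMEX interface=ISP2 network=200.xx.xx.44
add address=192.168.1.1/24 comment=LAN interface=bridge1 network=192.168.1.0
add address=192.168.88.1/24 comment="LAN - INVITADOS" interface=wlan2 network=192.168.88.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver for any
# interface; with no drop rule in chain=input (see filter below) it presumably
# answers DNS queries arriving on the WAN interfaces as well. Confirm, and
# block udp/tcp 53 from in-interface-list=WAN if that is not intended.
set allow-remote-requests=yes servers=200.40.30.245,200.40.220.245,200.71.0.61
/ip dns static
add address=192.168.1.100 comment=lan name=office.tv
add address=192.168.1.1 name=office.lan
/ip firewall address-list
add address=192.168.1.5 comment="" list=to_ISP1
add address=192.168.1.41 comment="" list=to_ISP1
add address=192.168.1.42 comment="" list=to_ISP2
add address=192.168.1.61-192.168.1.69 comment="" list=to_ISP2
add address=192.168.1.81-192.168.1.89 comment="" list=to_ISP1
add address=192.168.1.100-192.168.1.199 comment="" list=to_ISP3
add address=192.168.1.6 comment="" list=to_ISP1
add address=192.168.1.43 comment="" list=to_ISP3
add address=192.168.88.100-192.168.88.199 comment="WIFI INVITADOS" list=to_INVITADOS
# Same range as dhcp_pool_vpn; used by the mangle accept rule below.
add address=192.168.1.200-192.168.1.250 comment="RED VPN (dhcp_pool_vpn)" list=VPN
/ip firewall filter
add action=accept chain=input in-interface=all-ppp log=yes log-prefix=VPN-ping protocol=icmp
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment=In-Establecidas&Relacionadas connection-state=established,related
add action=drop chain=input comment=In-Invalidas connection-state=invalid connection-type=""
# NOTE(review): as exported there is no final drop in chain=input and no
# chain=forward rule at all. RouterOS accepts what no rule matches, so any
# service the router listens on is reachable from the WAN interfaces, and the
# guest network (192.168.88.0/24) is not separated from the LAN by the filter.
# Confirm no rules were cut from this paste; if the list is complete, add an
# accept for the management sources first and then
# "add action=drop chain=input in-interface-list=WAN" as the last input rule,
# plus forward rules that drop guest -> LAN traffic.
/ip firewall mangle
# Fix for the VPN symptom. The mark-routing rules below match on source
# address only, so a LAN host listed in to_ISP1/2/3 (e.g. 192.168.1.100) that
# replies to a VPN client (192.168.1.200-250) gets the reply marked and routed
# via that ISP's default route instead of back through the tunnel. The router's
# own address stays reachable because locally generated replies do not pass
# prerouting. Accepting traffic destined to the VPN pool before any mark rule
# ends mangle processing for it, so it follows the main table's connected
# route. Left as-is: guest -> LAN traffic is still marked to-ISP3 and
# presumably leaves via pppoe-wan; that accidental separation should be
# replaced by an explicit forward-chain drop rather than widened here.
add action=accept chain=prerouting comment="Traffic to VPN clients: do not mark" dst-address-list=VPN
add action=mark-routing chain=prerouting comment="Envio de trafico a ISP1" new-routing-mark=to-ISP1 passthrough=no src-address-list=to_ISP1
add action=mark-routing chain=prerouting comment="Envio de trafico a ISP2" new-routing-mark=to-ISP2 passthrough=no src-address-list=to_ISP2
add action=mark-routing chain=prerouting comment="Envio de trafico a ISP3" new-routing-mark=to-ISP3 passthrough=no src-address-list=to_ISP3
add action=mark-routing chain=prerouting comment="Envio de trafico a INVITADOS" new-routing-mark=to-ISP3 passthrough=no src-address-list=to_INVITADOS
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
# Per-mark tables: each holds a primary and a distance-2 backup default route.
add check-gateway=ping distance=1 gateway=190.xx.xx.65 routing-mark=to-ISP1
add check-gateway=ping comment="Backup ANTEL c/TELMEX" distance=2 gateway=200.xx.xx.45 routing-mark=to-ISP1
add check-gateway=ping distance=1 gateway=200.xx.xx.45 routing-mark=to-ISP2
add check-gateway=ping comment="Backup TELMEX c/ANTEL" distance=2 gateway=190.xx.xx.65 routing-mark=to-ISP2
add check-gateway=ping distance=1 gateway=pppoe-wan routing-mark=to-ISP3
add check-gateway=ping comment="Backup BASICO c/TELMEX" distance=2 gateway=200.xx.xx.45 routing-mark=to-ISP3
# Main table default (used by unmarked traffic, e.g. from VPN clients).
add distance=1 gateway=ISP1
add disabled=yes distance=1 gateway=ISP2
/lcd
set color-scheme=light default-screen=log
/lcd interface pages
set 0 interfaces=sfp1,ISP1,ISP2,ISP3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
/ppp secret
add name=user profile=profileVPN service=pptp
/system clock
set time-zone-name=America/Montevideo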
[admin@MikroTik] >
