Apostol
just joined
Topic Author
Posts: 9
Joined: Tue Aug 20, 2013 11:56 am

forward and management VPN

Mon Feb 17, 2014 12:07 am

Hello,

I would like to ask if there is a way to have the PPTP port forwarded to a Windows VPN server and also have a management VPN on the MikroTik, so that if the Windows server goes down I am still able to get to the LAN?
 
rickfrey
Trainer
Posts: 609
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: forward and management VPN

Mon Feb 17, 2014 1:33 am

Can you explain your question a little more, please?
 
Apostol

Re: forward and management VPN

Mon Feb 17, 2014 10:41 am

> Can you explain your question a little more, please?

Sure, no problem. In the LAN we have a Windows server configured as a VPN server. It's a virtual server on VMware. On the MikroTik there is a forward set up for the PPTP protocol to this Windows server. A few days ago the Windows server crashed. I had to drive there to check what the problem was, log on to VMware and restart the server. My goal is to avoid driving to the location. So I need to be able to get to the LAN, so I can at least log on to VMware.
I know that if I set up the MikroTik as a PPTP server I can reach the LAN, but we use AD to set permissions for the people who can or can't use the VPN, and for other stuff.

A good example is SonicWall. It has a forward set for PPTP, but you can use the SonicWall client to just log in to the SonicWall and reach the LAN.

I hope I explained it better. If not, ask. Thank you.
 
rickfrey

Re: forward and management VPN

Tue Feb 18, 2014 3:37 am

If I understand you correctly, you want to create a VPN to your router, but there are complications using PPTP... Why don't you use SSTP or OVPN? They are on different ports. BTW, even if you are using RADIUS/AD, the router looks at its own list of secrets first. If your account is listed locally, you won't have to worry about AD.
 
Apostol

Re: forward and management VPN

Mon Feb 24, 2014 4:20 pm

> If your account is listed locally, you won't have to worry about AD.

That's the information I love to hear. Thank you!
 
rickfrey

Re: forward and management VPN

Mon Feb 24, 2014 9:18 pm

No problem, glad I could help :D
 
Apostol

Re: forward and management VPN

Fri Feb 28, 2014 4:22 pm

After setting it up, it actually doesn't work like you said. When I set the NAT rule to the VPN server I can't connect to it, but I can connect to the MikroTik, and the other way around. :(
 
rickfrey

Re: forward and management VPN

Fri Feb 28, 2014 4:29 pm

It would be helpful if you would post your export.
 
Apostol

Re: forward and management VPN

Thu Mar 06, 2014 2:32 pm

Sure, no problem.
# mar/06/2014 13:28:39 by RouterOS 6.10
# software id = GJKC-BMCB
#
/interface bridge
add arp=proxy-arp comment="Bridge LAN and WIFI" l2mtu=1598 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp comment=.::WAN::.
set [ find default-name=ether2 ] comment=.::LAN::.
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/interface pptp-server
add name=pptp-in1 user=adminvpn
/ip neighbor discovery
set ether1 comment=.::WAN::.
set ether2 comment=.::LAN::.
set bridge1 comment="Bridge LAN and WIFI"
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=WPA2Profile supplicant-identity="" \
    wpa2-pre-shared-key=inteligence
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyg comment=.::WIFI::. country=\
    "czech republic" disabled=no hide-ssid=yes ht-rxchains=0 ht-txchains=0 \
    l2mtu=2290 mode=ap-bridge name=Jarvis security-profile=WPA2Profile ssid=\
    Jarvis
/ip neighbor discovery
set Jarvis comment=.::WIFI::.
/interface wireless manual-tx-power-table
set Jarvis comment=.::WIFI::.
/interface wireless nstreme
set Jarvis comment=.::WIFI::.
/interface wireless
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:93:03:01 master-interface=\
    Jarvis name=GuestWifi security-profile=WPA2Profile ssid=GuestWifi \
    wds-cost-range=0 wds-default-cost=0
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=GuestWifiPool ranges=192.168.100.100-192.168.100.110
add name=adminVPNPool ranges=192.168.99.250-192.168.99.254
/ip dhcp-server
add address-pool=GuestWifiPool disabled=no interface=GuestWifi name=\
    GuestWifiDHCP
# note: this DHCP server is bound to the WAN port (ether1) and would hand out
# the VPN pool to whoever sends DHCP requests on the ISP side; PPP does not use
# it, so it should be removed
add address-pool=adminVPNPool interface=ether1 name=adminVPN
/ppp profile
# local-address corrected to 192.168.99.1 (the router's LAN address); the
# export read 192.169.99.1, which lies outside the 192.168.99.0/24 LAN
add dns-server=192.168.99.3,192.168.99.4,8.8.8.8 local-address=192.168.99.1 \
    name=VPNprofil only-one=no remote-address=adminVPNPool use-encryption=yes \
    wins-server=0.0.0.0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=Jarvis
add bridge=bridge1 interface=ether2
/interface pptp-server server
set authentication=mschap2 default-profile=default enabled=yes
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
add address=192.168.100.1/24 interface=GuestWifi network=192.168.100.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1 use-peer-dns=no
/ip dhcp-relay
add dhcp-server=192.168.99.3,192.168.99.4 interface=ether2 local-address=\
    192.168.99.1 name=relay1
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.99.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.100.0/24
add action=passthrough chain=dstnat disabled=yes dst-port=1723 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.99.1
add action=dst-nat chain=dstnat disabled=yes dst-port=1723 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.99.3
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8888
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=no
/ppp secret
add name=adminvpn password=inteligence profile=VPNprofil service=pptp
/system clock
set time-zone-name=Europe/Prague
/system leds
set 0 interface=Jarvis
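A quick way to check an export like the one above for the things this thread turns on (proxy-arp on the wrong side, a PPP local-address outside the LAN, a disabled or conflicting tcp/1723 forward, secrets that only allow PPTP). This is an added example, not something from the thread or from MikroTik; SAMPLE_EXPORT is a constructed excerpt of the posted export, keeping its values as posted (including the 192.169.99.1 local-address), and the warning texts are this script's own.

```python
"""Sanity checks over a RouterOS /export for the setup discussed in this thread:
PPTP forwarded to a Windows server plus a management VPN on the router itself.
Added example, not part of the original post."""
import ipaddress
import re

# key=value pairs; values may be double-quoted (comment="Bridge LAN and WIFI")
KV_RE = re.compile(r'([A-Za-z0-9_.-]+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed excerpt of the posted export (fewer sections, values as posted).
SAMPLE_EXPORT = r"""
/interface bridge
add arp=proxy-arp comment="Bridge LAN and WIFI" name=bridge1
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp comment=.::WAN::.
set [ find default-name=ether2 ] comment=.::LAN::.
/interface bridge port
add bridge=bridge1 interface=ether2
/ip pool
add name=adminVPNPool ranges=192.168.99.250-192.168.99.254
/ppp profile
add dns-server=192.168.99.3,192.168.99.4,8.8.8.8 local-address=192.169.99.1 \
    name=VPNprofil only-one=no remote-address=adminVPNPool use-encryption=yes
/interface pptp-server server
set authentication=mschap2 default-profile=default enabled=yes
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=1723 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.99.3
/ppp secret
add name=adminvpn password=inteligence profile=VPNprofil service=pptp
"""


def parse_export(text):
    """Return [(section, fields)] per add/set command, joining '\\'-continued lines."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        buf += line                  # continuation lines already carry their spacing
        if buf.endswith("\\"):
            buf = buf[:-1]           # drop the backslash, keep any space before it
            continue
        if buf.startswith("/"):
            section = buf
        else:
            entries.append((section, {k: v.strip('"') for k, v in KV_RE.findall(buf)}))
        buf = ""
    return entries


def ifname(f):
    return f.get("name") or f.get("default-name") or "?"


def check_export(text):
    """Return warning strings for the misconfigurations this thread is about."""
    entries = parse_export(text)
    warnings = []

    def sec(name):
        return [f for s, f in entries if s == name]

    # 1. LAN hosts reach PPP clients holding LAN-subnet addresses only if the router
    #    answers ARP for them on the LAN port, or on the bridge that port belongs to.
    proxy = {ifname(f) for s, f in entries
             if s in ("/interface ethernet", "/interface bridge") and f.get("arp") == "proxy-arp"}
    bridge_of = {f["interface"]: f["bridge"] for f in sec("/interface bridge port")}
    for f in sec("/interface ethernet"):
        name, comment = ifname(f), f.get("comment", "")
        if "WAN" in comment and name in proxy:
            warnings.append(f"proxy-arp on WAN interface {name} is pointless; it belongs on the LAN side")
        if "LAN" in comment and name not in proxy and bridge_of.get(name) not in proxy:
            warnings.append(f"LAN interface {name} lacks arp=proxy-arp and is not in a proxy-arp bridge")

    # 2. local-address and the remote pool should sit inside a configured LAN subnet,
    #    otherwise every LAN host needs a route back to the VPN clients.
    nets = [ipaddress.ip_interface(f["address"]).network for f in sec("/ip address")]
    pools = {f["name"]: f["ranges"] for f in sec("/ip pool")}

    def in_lan(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:           # a pool name, not an address: cannot judge
            return True

    for f in sec("/ppp profile"):
        local = f.get("local-address", "")
        if local and not in_lan(local):
            warnings.append(f"ppp profile {f.get('name')}: local-address {local} is outside every configured subnet (typo?)")
        first = pools.get(f.get("remote-address", ""), "").split(",")[0].split("-")[0]
        if first and not in_lan(first):
            warnings.append(f"ppp profile {f.get('name')}: remote pool starts at {first}, outside the LAN subnets")

    # 3. tcp/1723 is owned either by the forward to Windows or by the router's own PPTP
    #    server, never both, so the management account must use another service.
    fwd = [f for f in sec("/ip firewall nat") if f.get("chain") == "dstnat"
           and f.get("action") == "dst-nat" and f.get("dst-port") == "1723"]
    for f in fwd:
        if f.get("disabled") == "yes":
            warnings.append(f"dst-nat of tcp/1723 to {f.get('to-addresses')} is disabled")
    fwd_live = [f for f in fwd if f.get("disabled") != "yes"]
    pptp_on = any(f.get("enabled") == "yes" for f in sec("/interface pptp-server server"))
    if fwd_live and pptp_on:
        warnings.append("tcp/1723 is forwarded to the Windows server while the router's PPTP server is enabled; they cannot share the port")
    services = {f.get("service", "any") for f in sec("/ppp secret")}
    if fwd and services == {"pptp"}:
        warnings.append("every ppp secret is pptp-only; the management account needs service=sstp/ovpn/l2tp (or any) while tcp/1723 is forwarded")
    return warnings


if __name__ == "__main__":
    for w in check_export(SAMPLE_EXPORT):
        print("WARN:", w)
```

Run against the excerpt it flags the local-address typo, proxy-arp on the WAN port, the disabled forward and the PPTP-only secret, and it stays quiet about ether2 because bridge1 carries proxy-arp for it. It works on a full `/export` as well; paste the file into SAMPLE_EXPORT or read it from disk.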
 
Apostol

Re: forward and management VPN

Mon Mar 10, 2014 4:51 pm

Anyone?
 
rickfrey

Re: forward and management VPN

Tue Mar 11, 2014 5:25 pm

Hi Apostol,
I'm not sure there is enough information here to say definitively what is going on. There are some educated guesses we could make, though.

I noticed that you have proxy-arp enabled on your WAN interface, but not on your LAN interface. Generally speaking, when I use PPTP with MikroTik, I turn proxy-arp on for the LAN interface. That could be your whole problem right there.

The other thing to keep in mind is that the easiest way to put yourself on the same network is for your VPN address to reside in the same subnet as the nodes you are trying to reach. You didn't say whether that was the case here or not, so I am bringing it up just because a Windows-to-MikroTik PPTP VPN will have... routing challenges. The easiest way to overcome that is just to be on the same subnet.

My last suggestion will depend more on your situation than anything else, but I like to keep a MikroTik router with me that I can use to create a Layer 2 tunnel with. MikroTik has the fantastic ability to create Layer 2 tunnels in various ways (MikroTik to MikroTik) and then bridge those tunnels to the Ethernet ports. Sometimes when you are troubleshooting, this can be a lifesaver. That is something you may want to explore also.
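The configuration below is an added example (not from the thread, and not MikroTik's own documentation) that puts rickfrey's two replies together: tcp/1723 and GRE forwarded to the Windows server, a management VPN on a different port (SSTP on tcp/443) with a local secret that is checked before RADIUS/AD, proxy-arp on the LAN side, and a client pool inside the LAN subnet so nothing needs extra routes. It assumes the addressing from the export above (ether1 is the WAN, the LAN is 192.168.99.0/24 behind bridge1, which already has arp=proxy-arp, and the Windows VPN server is 192.168.99.3) and a RouterOS 6 build with `/certificate sign`. The names sstp-ca, sstp-server, mgmtPool and mgmtVPN, the hostname vpn.example.org and the password placeholder are made up here.

```routeros
# Added example: PPTP forward to Windows RRAS + SSTP management VPN on the router.
# Assumes ether1 = WAN, LAN 192.168.99.0/24 on bridge1 (arp=proxy-arp already set),
# Windows VPN server 192.168.99.3, router LAN address 192.168.99.1.

# 1. Forward the PPTP control channel (tcp/1723) and its GRE data channel to Windows.
#    The pptp service-port helper must stay enabled so connection tracking relates
#    the GRE session to the tcp/1723 control connection.
/ip firewall service-port
set pptp disabled=no
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1723 \
    action=dst-nat to-addresses=192.168.99.3 comment="PPTP control -> Windows RRAS"
add chain=dstnat in-interface=ether1 protocol=gre \
    action=dst-nat to-addresses=192.168.99.3 comment="PPTP GRE -> Windows RRAS"

# 2. Management VPN on a different port: SSTP on tcp/443 with a self-signed CA and
#    server certificate (names chosen here). Windows SSTP clients must trust sstp-ca.
/certificate
add name=sstp-ca common-name=sstp-ca key-usage=key-cert-sign,crl-sign
sign sstp-ca
add name=sstp-server common-name=vpn.example.org key-usage=tls-server
sign sstp-server ca=sstp-ca

# 3. Clients get addresses inside the LAN subnet, so LAN hosts need no extra routes;
#    bridge1 (proxy-arp) answers ARP for them. If the LAN port were not bridged,
#    arp=proxy-arp would go on that port instead.
/ip pool
add name=mgmtPool ranges=192.168.99.250-192.168.99.254
/ppp profile
add name=mgmtVPN local-address=192.168.99.1 remote-address=mgmtPool \
    dns-server=192.168.99.3,192.168.99.4 use-encryption=required only-one=yes
/interface sstp-server server
set enabled=yes port=443 certificate=sstp-server authentication=mschap2 \
    default-profile=mgmtVPN

# 4. Local secret restricted to SSTP. Local secrets are consulted before RADIUS/AD,
#    so this account works while AD is down. The router's own PPTP server stays off
#    because tcp/1723 now belongs to the Windows server.
/ppp secret
add name=adminvpn password=<strong-passphrase> profile=mgmtVPN service=sstp
/interface pptp-server server
set enabled=no

# 5. Input filter: the posted export has no /ip firewall filter at all, so every
#    router service (www on 8888, winbox, the SSTP port) is reachable from the WAN.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 protocol=tcp dst-port=443 action=accept \
    comment="SSTP management VPN"
add chain=input in-interface=ether1 action=drop comment="drop other WAN input"
```

Export the CA with `/certificate export-certificate sstp-ca` and install it in the Windows client's trusted root store before the first SSTP connection, or use a certificate from a public CA for vpn.example.org. Keep the three filter rules in that order and test the SSTP login before adding the final drop rule, so a mistake does not lock you out of the router. The PPTP forward is there only because the Windows server's AD-integrated VPN depends on it; MS-CHAPv2 over PPTP is not considered secure, so treat that path as the legacy one and the SSTP account as the one to rely on.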
 
Apostol

Re: forward and management VPN

Wed Mar 12, 2014 12:08 pm

Hello,

I set proxy-arp for the LAN. It was accidentally set on the WAN, but it was also set on the bridge, so it worked correctly. But unfortunately it still doesn't work. I guess I will have to keep the forward to the Windows server, and in case of a problem I will have to disable this forward rule and log in to the MikroTik directly. That's not ideal, but at least it works. Thank you.
