katit
newbie
Topic Author
Posts: 32
Joined: Wed May 13, 2015 6:01 am

Connecting to PPTP server, not sure how to route

Wed Jun 03, 2015 6:55 pm

I use PPTP VPN to connect to "workplace" from my Windows PC.
Now since I got Mikrotik I figured why do that if I can use MT built-in VPN client, right? But I have a problem configuring it. I don't need VPN to browse the internet. I need VPN ONLY to access the other network. So, what I have now:

Created PPTP Client interface under PPP. Added credentials info and remote IP. Client connected OK!

Remote network: 192.168.1.0/24, Local network 192.168.33.0/24

Connection established and I see: Local address: 192.168.33.211 and remote address: 192.168.1.180

But I can't ping or access any network resources on remote network. What should I do?
 
wcsnet
Frequent Visitor
Posts: 59
Joined: Mon Apr 29, 2013 12:43 pm
Location: South Africa

Connecting to PPTP server, not sure how to route

Wed Jun 03, 2015 8:09 pm

You have to add a route to your company's subnet:

/ip route add check-gateway=ping distance=1 dst-address=192.168.1.0/24 gateway=<vpn client interface>


Sent from my iPhone using Tapatalk
 
katit
newbie
Topic Author
Posts: 32
Joined: Wed May 13, 2015 6:01 am

Re: Connecting to PPTP server, not sure how to route

Wed Jun 03, 2015 8:41 pm

Added gateway as specified but still no luck. Nothing changed, link up but I can't ping anything on that subnet. And I can't RD to computers, etc.
 
wcsnet
Frequent Visitor
Posts: 59
Joined: Mon Apr 29, 2013 12:43 pm
Location: South Africa

Connecting to PPTP server, not sure how to route

Thu Jun 04, 2015 10:38 am

Did you check if the firewall is not blocking the traffic?


 
TomosRider
Member Candidate
Posts: 202
Joined: Thu Nov 20, 2014 1:51 pm

Re: Connecting to PPTP server, not sure how to route

Thu Jun 04, 2015 1:01 pm

Check/create appropriate firewall/nat rules.
 
pukkita
Trainer
Posts: 2982
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Connecting to PPTP server, not sure how to route

Thu Jun 04, 2015 3:00 pm

> You have to add a route to your company's subnet:
>
> /ip route add check-gateway=ping distance=1 dst-address=192.168.1.0/24 gateway=<vpn client interface>

Make sure the reverse route is set as well, i.e., can you ping from any host to 192.168.33.x? A route on the VPN server should be set that specifies that, to reach 192.168.33.x/24, the gateway is 192.168.1.180...
Simplicity is the Ultimate Sophistication - Da Vinci
 
katit
newbie
Topic Author
Posts: 32
Joined: Wed May 13, 2015 6:01 am

Re: Connecting to PPTP server, not sure how to route

Thu Jun 04, 2015 7:36 pm

> Did you check if the firewall is not blocking the traffic

How can I check that? Also, if Link UP, it means all is well? It's just a routing issue that I need to figure out.

> Check/create appropriate firewall/nat rules

Sorry, but I put it in the beginner forum because I'm not quite sure what "appropriate firewall/nat rules" are in this case. As I said, connection established and up.

> Make sure the reverse route is set as well, i.e., can you ping from any host to 192.168.33.x? A route on the VPN server should be set that specifies to reach 192.168.33.x/24 gw is 192.168.1.180

Not sure I understand. I don't have access to the VPN server.


Here it is one more time:
My partner gave me VPN access to their system. They set it up on their Windows Server. This is a VPN for clients. So, I just go in my Windows computer, create a new "work connection", etc. The only thing I do on my side (in Windows): I disconnect the "Use remote gateway" check box so I access the internet directly, not via the partner's network.

Now I figured why can't I set up this connection on Mikrotik so I don't have to connect every time from my PC? 192.168.1.180 is the address THEY give me when connecting via Mikrotik. So, I think all is well as far as connecting. I just need something so all members of my local network can access the far network.
 
pukkita
Trainer
Posts: 2982
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Connecting to PPTP server, not sure how to route

Thu Jun 04, 2015 9:17 pm

Do you want all computers in your network to be able to access the VPN?

Paste the output of this command in a Terminal
/export
editing out sensitive info.

BTW what happens if you tick the "set default route" on your VPN client, which gateway gets assigned?
 
katit
newbie
Topic Author
Posts: 32
Joined: Wed May 13, 2015 6:01 am

Re: Connecting to PPTP server, not sure how to route

Thu Jun 04, 2015 9:36 pm

Here we go. Hopefully you can decipher all this :)
# jun/04/2015 13:27:03 by RouterOS 6.29.1
# software id = HDBW-JD4V
#
/interface bridge
add admin-mac=4C:5E:0C:D0:82:10 arp=proxy-arp auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
    ether10-slave-local
set [ find default-name=sfp1 ] disabled=yes
/interface pptp-client
add add-default-route=yes connect-to=AA.BB.CC.164 disabled=no mrru=1600 \
    name=pptp-aexp password="6" user=i
/interface gre
add !keepalive local-address=A.B.C.129 name=gre-home remote-address=\
    H.O.M.63
/ip neighbor discovery
set ether1-gateway discover=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.33.101-192.168.33.200
add name=vpn-pool ranges=192.168.33.201-192.168.33.210
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/ppp profile
set [ find name=default ] name=default
set [ find name=default-encryption ] bridge=bridge-local local-address=\
    192.168.33.211 name=default-encryption remote-address=vpn-pool
/queue simple
add burst-limit=3M/3M burst-threshold=3M/3M burst-time=5s/5s disabled=yes \
    limit-at=512k/512k max-limit=3M/3M name=queue-hyper-v-1-host \
    packet-marks=pkt-3M priority=7/7 target=192.168.33.0/24
add burst-limit=3M/3M burst-threshold=2M/3M burst-time=5s/5s disabled=yes \
    limit-at=2M/2M max-limit=3M/3M name=queue-aster packet-marks=pkt-aster \
    priority=4/4 target=192.168.33.0/24
add burst-time=5s/5s disabled=yes limit-at=2M/2M max-limit=5M/20M name=other \
    packet-marks=no-mark target=192.168.33.0/24
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=# use-ipsec=yes
/interface pptp-server server
set authentication=mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.33.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.33.0
add address=A.B.C.130/29 interface=ether1-gateway network=A.B.C.128
add address=A.B.C.131/29 interface=ether1-gateway network=A.B.C.128
add address=A.B.C.129/29 comment="DNS from office.abc.net" interface=\
    ether1-gateway network=A.B.C.128
add address=A.B.C.132/29 interface=ether1-gateway network=A.B.C.128
add address=A.B.C.133/29 interface=ether1-gateway network=A.B.C.128
add address=172.16.1.2/30 comment=gre-home interface=gre-home network=\
    172.16.1.0
/ip dhcp-server lease
add address=192.168.33.5 mac-address=10:BF:48:7B:3B:65
add address=192.168.33.30 mac-address=00:00:00:00:00:30
add address=192.168.33.31 mac-address=00:00:00:00:00:31
add address=192.168.33.32 mac-address=00:00:00:00:00:32
add address=192.168.33.33 mac-address=00:00:00:00:00:33
add address=192.168.33.51 mac-address=00:04:F2:3E:6D:D3
/ip dhcp-server network
add address=192.168.33.0/24 comment="default configuration" dns-server=\
    192.168.33.1 gateway=192.168.33.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.33.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" protocol=ipsec-ah
add chain=input comment="default configuration" connection-state=\
    established,related
add chain=input comment=" - allow L2TP" dst-port=1701,500,4500 protocol=\
    udp
add chain=input comment=" ipsec-esp for L2TP" protocol=ipsec-esp
add chain=input comment=" Winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway log-prefix=DROP1
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
add action=dst-nat chain=dstnat comment="WWW XP" dst-address-type=local \
    dst-port=8080 protocol=tcp to-addresses=192.168.33.30
add action=masquerade chain=srcnat dst-address=192.168.33.30 dst-port=8080 \
    out-interface=bridge-local protocol=tcp src-address=192.168.33.0/24
add action=dst-nat chain=dstnat comment="WWW JIRA" dst-address-type=local \
    dst-port=8081 protocol=tcp to-addresses=192.168.33.33 to-ports=8080
add action=masquerade chain=srcnat dst-address=192.168.33.33 dst-port=8080 \
    out-interface=bridge-local protocol=tcp src-address=192.168.33.0/24
add action=dst-nat chain=dstnat comment=SVN dst-address-type=local dst-port=\
    443 protocol=tcp to-addresses=192.168.33.32
add action=masquerade chain=srcnat dst-address=192.168.33.32 dst-port=443 \
    out-interface=bridge-local protocol=tcp src-address=192.168.33.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
/ip firewall service-port
set sip disabled=yes
/ip route
add distance=1 gateway=A.B.C.134
add check-gateway=ping comment=pptp-aexp disabled=yes distance=1 dst-address=\
    192.168.1.0/24 gateway=pptp-aexp
add distance=1 dst-address=192.168.99.0/24 gateway=172.16.1.1
/lcd
set backlight-timeout=never default-screen=stats
/lcd interface
set sfp1 disabled=yes
set ether2-master-local disabled=yes
set ether3-slave-local disabled=yes
set ether4-slave-local disabled=yes
set ether5-slave-local disabled=yes
set ether6-master-local disabled=yes
set ether7-slave-local disabled=yes
set ether8-slave-local disabled=yes
set ether9-slave-local disabled=yes
set ether10-slave-local disabled=yes
/ppp secret
add name=i password=1 profile=default-encryption
add name=a password=1 profile=default-encryption
add name=s password=1 profile=default-encryption
/system clock
set time-zone-name=America/Chicago
/system logging
add topics=ipsec,l2tp
add topics=firewall
/system ntp client
set enabled=yes primary-ntp=208.68.36.196
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=bridge-local
/tool romon port
add disabled=no
/tool traffic-monitor
add interface=ether1-gateway name=tmon1 threshold=0
add interface=ether1-gateway name=tmon2 threshold=0 traffic=received
 
pukkita
Trainer
Posts: 2982
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Connecting to PPTP server, not sure how to route

Thu Jun 04, 2015 9:46 pm

Can you paste an /ip route print with the VPN running?

Have you tried pinging the remote network disabling all masquerade rules (as a quick check)?
 
katit
newbie
Topic Author
Posts: 32
Joined: Wed May 13, 2015 6:01 am

Re: Connecting to PPTP server, not sure how to route

Thu Jun 04, 2015 9:56 pm

Here are the routes:
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          my.pub.ip.134             1
 1  DS  0.0.0.0/0                          192.168.1.180             1
 2 ADC  my.pub.ip.128/29   my.pub.ip.129   ether1-gateway            0
 3 ADC  172.16.1.0/30      172.16.1.2      gre-home                  0
 4 X S  ;;; pptp-aexp
        192.168.1.0/24                     pptp-aexp                 1
 5 ADC  192.168.1.180/32   192.168.33.211  pptp-aexp                 0
 6 ADC  192.168.33.0/24    192.168.33.1    bridge-local              0
 7 ADC  192.168.33.201/32  192.168.33.211  <pptp-alxxxxxxx...        0
 8 ADC  192.168.33.202/32  192.168.33.211  <pptp-alxxxxxxx...        0
 9 ADC  192.168.33.208/32  192.168.33.211  <pptp-sexxxxxxx...        0
10 A S  192.168.99.0/24                    172.16.1.1                1
Routes 1 & 5 (dynamic) show the connection to the VPN I'm talking about.
Route 4 (disabled) is the one I was trying to add per the suggestion above (didn't help).

Routes 3 & 10 are the GRE tunnel to my home network.
Routes 7-9 are people connected to this router's PPTP server.

Right now I can't disable NAT rules - it will affect other people on the network.
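
Added example, not part of any post in this thread: a longest-prefix-match lookup over the route table posted above, showing which route a packet to the remote 192.168.1.0/24 subnet actually takes. It assumes 203.0.113.x as a stand-in for the masked public addresses and a constructed remote host 192.168.1.10; `lookup` and `usable` are hypothetical helper names.

```python
import ipaddress

# Constructed from the "/ip route print" output posted above. The poster masked
# the public addresses; 203.0.113.x (documentation range) stands in for
# "my.pub.ip.x" and is an assumption. Routes 7-9 (/32 entries for this router's
# own PPTP server clients) are left out. Fields: number, flags, dst, gateway.
ROUTES = [
    (0,  "AS",  "0.0.0.0/0",        "203.0.113.134"),
    (1,  "DS",  "0.0.0.0/0",        "192.168.1.180"),
    (2,  "ADC", "203.0.113.128/29", "ether1-gateway"),
    (3,  "ADC", "172.16.1.0/30",    "gre-home"),
    (4,  "XS",  "192.168.1.0/24",   "pptp-aexp"),
    (5,  "ADC", "192.168.1.180/32", "pptp-aexp"),
    (6,  "ADC", "192.168.33.0/24",  "bridge-local"),
    (10, "AS",  "192.168.99.0/24",  "172.16.1.1"),
]


def usable(flags):
    """Only routes flagged A (active) and not X (disabled) forward traffic."""
    return "A" in flags and "X" not in flags


def lookup(dst, enable=()):
    """Longest-prefix match; `enable` lists route numbers to treat as enabled
    and active (a what-if, e.g. route 4 after re-enabling it)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for num, flags, prefix, gateway in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr not in net or not (usable(flags) or num in enable):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, num, gateway)
    return (best[1], best[2]) if best else None


if __name__ == "__main__":
    # 192.168.1.10 is a constructed host on the remote subnet.
    for dst in ("192.168.1.10", "192.168.1.180", "192.168.99.5"):
        print(dst, "->", lookup(dst))
    print("192.168.1.10 with route 4 enabled ->",
          lookup("192.168.1.10", enable={4}))
```

With the table as posted, only the tunnel peer 192.168.1.180 resolves to pptp-aexp; any other 192.168.1.x address matches nothing more specific than route 0 and leaves through the WAN gateway, outside the tunnel.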
