JJR70
just joined
Topic Author
Posts: 6
Joined: Tue Mar 03, 2015 3:27 am

No access to LAN over PPTP VPN (can only ping router)

Wed Aug 05, 2015 9:48 pm

Hello everyone. Using the MikroTik Wiki plus other online sources, I set up a PPTP VPN connection that includes a pool of VPN IPs. I am able to connect to the tunnel but can only access the MikroTik itself. I found an older thread with similar issues but don't quite understand the fix he posted.

I don't do much in the Terminal, so I posted my personal notes and then printed the output. Any help would be greatly appreciated.

MikroTik LAN IP: 192.168.25.1
LAN DHCP: 192.168.25.100-200

1. IP > Pool > Add New
Name: PPTP-pool
Addresses: 192.168.25.90-192.168.25.99

/ip pool print
# NAME RANGES
0 default-dhcp 192.168.25.100-192.168.25.200
1 PPTP-pool 192.168.25.90-192.168.25.99


2. PPP > Profiles > Add New
Name: PPTP-profile
Local Address: 192.168.25.1
Remote Address: PPTP-pool
Use IPv6: No
Use Encryption: Yes

/ppp profile print detail
0 * name="default" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default
use-compression=default use-vj-compression=default use-encryption=default
only-one=default change-tcp-mss=yes address-list=""

1 name="PPTP-profile" local-address=192.168.25.1 remote-address=PPTP-pool
remote-ipv6-prefix-pool=*0 use-ipv6=no use-mpls=default
use-compression=default use-vj-compression=default use-encryption=yes
only-one=default change-tcp-mss=default address-list=""

2 * name="default-encryption" remote-ipv6-prefix-pool=none use-ipv6=yes
use-mpls=default use-compression=default use-vj-compression=default
use-encryption=yes only-one=default change-tcp-mss=yes address-list=""


3. PPP > Secrets > Add New
Name: username
Password: password
Service: pptp
Profile: PPTP-profile

/ppp secret print detail
0 name="username" service=pptp caller-id="" password="password"
profile=PPTP-profile routes="" limit-bytes-in=0 limit-bytes-out=0


4. PPP > Interface > PPTP Server
Enabled: Yes
Max MTU: 1460
Max MRU: 1460
Default Profile: PPTP-profile
Only check mschap2

/interface pptp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: PPTP-profile


5. Firewall > Filter Rules > Add New
Chain: input
Protocol: 6 (tcp)
Dst. Port: 1723
Comment: PPTP configuration
Drag the new config to the top of the list (under the Protocol: 1 (icmp) rule)

6. Firewall > Filter Rules > Add New
Chain: input
Protocol: gre
Drag under the Port 1723 rule

/ip firewall filter print detail
0 ;;; default configuration
chain=input action=accept protocol=icmp in-interface=!ether1-gateway
log=no log-prefix=""

1 ;;; PPTP configuration
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""

2 chain=input action=accept protocol=gre log=no log-prefix=""

3 ;;; default configuration
chain=input action=accept connection-state=established log=no
log-prefix=""

4 ;;; default configuration
chain=input action=accept connection-state=related log=no log-prefix=""

5 ;;; default configuration
chain=input action=drop in-interface=sfp1-gateway log=no log-prefix=""

6 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""


7. Interfaces > ether2
ARP: proxy-arp

/interface ethernet print
# NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
0 R ether1-g... 1500 D4:CA:6D:1C:85:F8 enabled none switch1
1 RS ether2 1500 D4:CA:6D:1C:85:F9 proxy-arp none switch1
2 S ether3 1500 D4:CA:6D:1C:85:FA enabled none switch1
3 S ether4 1500 D4:CA:6D:1C:85:FB enabled none switch1
4 S ether5 1500 D4:CA:6D:1C:85:FC enabled none switch1
5 S ether6-m... 1500 D4:CA:6D:1C:85:FD enabled none switch2
6 S ether7-s... 1500 D4:CA:6D:1C:85:FE enabled ether6-master... switch2
7 S ether8-s... 1500 D4:CA:6D:1C:85:FF enabled ether6-master... switch2
8 S ether9-s... 1500 D4:CA:6D:1C:86:00 enabled ether6-master... switch2
9 S ether10-... 1500 D4:CA:6D:1C:86:01 enabled ether6-master... switch2
10 sfp1-gat... 1500 D4:CA:6D:1C:85:F7 enabled none switch1

8. The IP settings of my workstation after connecting:
IP: 192.168.25.98
SUB: 255.255.255.255
DNS1: 192.168.25.1
DNS2: 97.64.183.164 (My ISP)
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: No access to LAN over PPTP VPN (can only ping router)

Wed Aug 05, 2015 10:04 pm

Try to make a masquerade rule like in the picture.
L2TP.PNG
 
JJR70
just joined
Topic Author
Posts: 6
Joined: Tue Mar 03, 2015 3:27 am

Re: No access to LAN over PPTP VPN (can only ping router)

Thu Aug 06, 2015 12:33 am

Thank you, BartoszP! That solved it. I can see everything in the network now. :D

Here are my updated, unorthodox notes plus printouts. Hopefully they help someone in the future:

Example:
MikroTik LAN IP: 192.168.25.1
LAN DHCP: 192.168.25.100-200

1. IP > Pool > Add New
Name: PPTP-pool
Addresses: 192.168.25.88/29 (192.168.25.88-95)

/ip pool print
# NAME RANGES
0 default-dhcp 192.168.25.100-192.168.25.200
1 PPTP-pool 192.168.25.88/29


2. PPP > Profiles > Add New
Name: PPTP-profile
Local Address: 192.168.25.1
Remote Address: PPTP-pool
Use IPv6: No
Use Encryption: Yes
DNS: 8.8.8.8

/ppp profile print detail
1 name="PPTP-profile" local-address=192.168.25.1 remote-address=PPTP-pool
remote-ipv6-prefix-pool=*0 use-ipv6=no use-mpls=default
use-compression=default use-vj-compression=default use-encryption=yes
only-one=default change-tcp-mss=default address-list="" dns-server=8.8.8.8


3. PPP > Secrets > Add New
Name: username
Password: password
Service: pptp
Profile: PPTP-profile

/ppp secret print detail
0 name="username" service=pptp caller-id="" password="password"
profile=PPTP-profile routes="" limit-bytes-in=0 limit-bytes-out=0


4. PPP > Interface > PPTP Server
Enabled: Yes
Max MTU: 1460
Max MRU: 1460
Default Profile: PPTP-profile
Only check mschap2

/interface pptp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: PPTP-profile


5. Firewall > Filter Rules > Add New
Chain: input
Protocol: 6 (tcp)
Dst. Port: 1723
Comment: PPTP configuration
Drag the new rule to the top of the list (under the Protocol: 1 (icmp) rule)

6. Firewall > Filter Rules > Add New
Chain: input
Protocol: gre
Drag under the Port 1723 rule

/ip firewall filter print detail
0 ;;; default configuration
chain=input action=accept protocol=icmp in-interface=!ether1-gateway
log=no log-prefix=""
1 ;;; PPTP configuration
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
2 chain=input action=accept protocol=gre log=no log-prefix=""


7. Set up proxy-arp on the local interface.
Interfaces > ether2
ARP: proxy-arp

/interface ethernet print
# NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
0 R ether1-g... 1500 D4:CA:6D:1C:85:F8 enabled none switch1
1 RS ether2 1500 D4:CA:6D:1C:85:F9 proxy-arp none switch1


8. IP > Firewall > NAT > Add rule
Chain: srcnat
Src. Address: 192.168.25.88/29
Dst. Address: !192.168.25.88/29
Action: masquerade
Comment: PPTP NAT Rule

/ip firewall nat print detail
34 ;;; PPTP NAT Rule
chain=srcnat action=masquerade src-address=192.168.25.88/29
dst-address=!192.168.25.88/29 log=no log-prefix=""
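The working configuration from the post above, collected into one RouterOS 6.x script as an added example. This is not JJR70's export: the interface names ether1-gateway/ether2 and the 192.168.25.0/24 addressing are taken from the post, while the vpn-clients address list, the rule comments and the scoping of the NAT rule to the LAN interface are my assumptions. Two things make LAN access work when the VPN pool is carved out of the LAN subnet: proxy-arp on the LAN port lets the router answer ARP queries for the client addresses on the LAN segment, and the masquerade rule rewrites the client's source to the router's own LAN address, so LAN hosts reply to their default gateway and never need ARP for a tunnel address at all. That same masquerade hides which VPN user talked to which LAN host, so keep it scoped to the LAN interface and keep the PPP log if you need attribution. One caveat a practitioner would add: PPTP's MS-CHAPv2 handshake can be recovered with roughly a 2^56 DES key search, and the MPPE keys derive from that exchange, so treat PPTP as a compatibility option rather than a secure transport; the later posts in this thread move to SSTP and L2TP/IPsec for that reason.

```routeros
# Added example, not from the thread. Assumes: WAN on ether1-gateway, LAN on ether2
# (192.168.25.0/24, router .1, DHCP .100-.200) and a VPN pool that does not overlap
# the DHCP range. RouterOS 6.x syntax.

# 1. Client addresses come from the LAN subnet but outside the DHCP range
/ip pool add name=PPTP-pool ranges=192.168.25.88/29

# 2. Profile: router's LAN IP as the near end. address-list= puts every connected
#    client's address into the 'vpn-clients' list while the session is up (assumed name)
/ppp profile add name=PPTP-profile local-address=192.168.25.1 remote-address=PPTP-pool \
    use-encryption=yes change-tcp-mss=yes dns-server=192.168.25.1 address-list=vpn-clients

# 3. One secret per user, bound to the pptp service only
/ppp secret add name=username password=password service=pptp profile=PPTP-profile

# 4. Server: mschap2 only, MTU/MRU lowered for the GRE overhead
/interface pptp-server server set enabled=yes default-profile=PPTP-profile \
    authentication=mschap2 max-mtu=1460 max-mru=1460

# 5./6. Input chain, evaluated top-down: the two PPTP accepts must sit above the WAN drop
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep existing"
add chain=input action=accept protocol=icmp comment="icmp"
add chain=input action=accept protocol=tcp dst-port=1723 in-interface=ether1-gateway comment="PPTP control"
add chain=input action=accept protocol=gre in-interface=ether1-gateway comment="PPTP data (GRE)"
add chain=input action=drop in-interface=ether1-gateway comment="drop everything else from WAN"

# 7. Proxy-arp on the LAN port so the router answers ARP for 192.168.25.88-95
/interface ethernet set ether2 arp=proxy-arp

# 8. Masquerade VPN->LAN only: LAN hosts see 192.168.25.1 as the source. Scoped to
#    out-interface=ether2 so it does not also rewrite VPN->internet traffic (the
#    default WAN masquerade handles that) or anything else.
/ip firewall nat add chain=srcnat action=masquerade src-address-list=vpn-clients \
    out-interface=ether2 comment="PPTP clients to LAN"

# Checks after a client connects (assumed client address .89):
#   /ip firewall address-list print where list=vpn-clients
#   /ping 192.168.25.89
#   /ip firewall nat print stats   (the 'PPTP clients to LAN' counters should move)
```

If the LAN lives on a bridge rather than directly on ether2, put arp=proxy-arp on the bridge interface and use the bridge as out-interface in the NAT rule; the slave ports inherit nothing here.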
 
Hell0Kitty
just joined
Posts: 5
Joined: Fri Jun 05, 2015 3:29 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Tue Sep 01, 2015 2:48 pm

I have some trouble, but with L2TP/IPsec VPN.
My VPN devices (iPhone or MBA) don't see the local network, but the internet (web sites, etc.) works fine.

1. > ip pool print
# NAME RANGES
0 dhcp 192.168.1.2-192.168.1.50
1 vpn_pool 192.168.1.88/29

2. > ppp profile print
Flags: * - default
1 ;;; VPN L2TP IPsec
name="L2TP" local-address=192.168.1.1 remote-address=vpn_pool
bridge=bridge-local use-mpls=default use-compression=default
use-encryption=default only-one=default change-tcp-mss=yes
address-list="" dns-server=192.168.1.1

3. > ppp secret print detail
Flags: X - disabled
0 ;;; VPN Account -
name="username" service=l2tp caller-id="" password="password"
profile=L2TP routes="" limit-bytes-in=0 limit-bytes-out=0

4. > interface l2tp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: L2TP
use-ipsec: yes
ipsec-secret: password

5. > ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; =====VPN=====
chain=input action=accept connection-state=new protocol=udp dst-address=my IP (ISP) in-interface=WAN
dst-port=500,1701,4500 log=no log-prefix=""

1 chain=input action=accept connection-state=new protocol=ipsec-esp dst-address=my IP (ISP)
in-interface=WAN log=no log-prefix=""

6. > interface ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
0 RS ;;; =====Local Network=====
LAN1-PC 1500 MAC enabled none switch1
1 S LAN2-PS4 1500 MAC enabled LAN1-PC switch1
2 RS LAN3 1500 MAC enabled LAN1-PC switch1
3 RS LAN4 1500 MAC enabled LAN1-PC switch1
4 R ;;; =====Internet=====
WAN 1500 MAC enabled none switch1

7. > ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=WAN log=no log-pr

1 chain=srcnat action=masquerade src-address=192.168.1.88/29 dst-address=!192.168.1.88/29 l
log-prefix=""

8. > ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.1.1/24 network=192.168.1.0 interface=bridge-local actual-interface=bridge-local

1 D address=my IP ISP network=ISP interface=WAN actual-interface=WAN

2 D address=192.168.1.1/32 network=192.168.1.95 interface=<l2tp-vpn> actual-interface=<l2tp-vpn>

9. > ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=ISP gateway-status=ISP reachable via WAN distance=1 scope=30 target-scope=10 vrf-interface=WAN

1 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=bridge-local gateway-status=bridge-local reachable distance=0 scope=10

2 ADC dst-address=192.168.1.95/32 pref-src=192.168.1.1 gateway=<l2tp-vpn> gateway-status=<l2tp-vpn> reachable distance=0 scope=10

3 ADC dst-address=ISP pref-src=ISP gateway=WAN gateway-status=WAN reachable distance=0 scope=10

Internet from the iPhone works fine, but there is no access to the local network; I can't ping 192.168.1.3 or open http://192.168.1.3.
I use proxy-arp for bridge-local and LAN1-PC, but it's useless.

Please help me ;(
 
Adolf
just joined
Posts: 1
Joined: Mon Jul 04, 2016 7:22 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Mon Jul 04, 2016 11:18 pm

Try not to use NAT for the local network:

/ip firewall nat
add chain=srcnat src-address=LAN dst-address=!LAN out-interface=WAN action=masquerade (or src-nat with to-addresses)
 
Kincaidc
just joined
Posts: 11
Joined: Fri Jul 22, 2016 10:28 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Fri Oct 14, 2016 12:38 am

I read this thread and still have issues with being able to ping the local network. I cannot see anything beyond the MT IP address. I do not understand the masquerade post or what I am supposed to do, or why this thing worked fine for two years and all of a sudden it doesn't.
 
overdriven
just joined
Posts: 1
Joined: Thu Oct 13, 2016 1:14 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Fri Oct 14, 2016 3:16 pm

Hello!

I had the same problems.
1. But now I also can't ping the VPN client. How do I solve it?
(Solved by deactivating the firewall on the client workstation)
2. I can't "see" Windows workstations by name (only by IP). Is it possible to solve it?
3. To see LAN workstations I had to add this rule to the firewall:
chain=forward action=accept in-interface=pptp-UserName out-interface=LANBridge
Each new client creates a new interface. Do I have to add the rule for each interface?
 
JJR70
just joined
Topic Author
Posts: 6
Joined: Tue Mar 03, 2015 3:27 am

Re: No access to LAN over PPTP VPN (can only ping router)

Fri Oct 14, 2016 5:58 pm

Kincaidc and overdriven: Since this post, I have moved on from PPTP to SSTP. I'm also a MikroTik amateur. However, if you will print out your config, I can take a look and try to troubleshoot.

Look through my final post from when I had it working (Post #3). For each step, I documented both using Winbox and Terminal.

Fill in the following information:
Your MikroTik LAN IP:
Your LAN DHCP Range:

Enter the following in terminal and post your results:
/ip pool print
/ppp profile print detail
/ppp secret print detail (change your username to 'username' and your password to 'password')
/interface pptp-server server print
/ip firewall filter print detail (This is for steps 5 & 6)
/interface ethernet print
/ip firewall nat print detail

Hopefully I (or someone more qualified) can help.
 
dadashari
just joined
Posts: 2
Joined: Sat Oct 14, 2017 5:59 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Sat Oct 14, 2017 6:06 pm

Kincaidc and overdriven: Since this post, I have moved on from PPTP to SSTP. I'm also a MikroTik amateur. However, if you will print out your config, I can take a look and try to troubleshoot.

Look through my final post from when I had it working (Post #3). For each step, I documented both using Winbox and Terminal.

Fill in the following information:
Your MikroTik LAN IP:
Your LAN DHCP Range:

Enter the following in terminal and post your results:
/ip pool print
/ppp profile print detail
/ppp secret print detail (change your username to 'username' and your password to 'password')
/interface pptp-server server print
/ip firewall filter print detail (This is for steps 5 & 6)
/interface ethernet print
/ip firewall nat print detail

Hopefully I (or someone more qualified) can help.
Hello,
I have the same problem too.
As you asked, I've attached the information; here is the log of my MikroTik.
Please help solve my problem too.
Thanks.

Your MikroTik LAN IP:
192.168.0.102

Your LAN DHCP Range:

LAN DHCP is set in Windows Server


/ip pool print

# NAME RANGES
0 pool1 172.25.20.1-172.25.20.30
1 pool195 172.26.1.1-172.26.1.100
2 poolremote 197.168.0.150-197.168.0.200
3 dhcp_pool1-wifi 192.168.90.100/30
4 hs-pool-3 192.168.0.1-192.168.0.101
192.168.0.103-192.168.0.254
5 TEST-Pool 192.168.0.0-192.168.0.254


/ppp profile print detail

Flags: * - default
0 * name="default" local-address=172.26.1.200 remote-address=pool195 use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default use-upnp=default address-list="" dns-server=8.8.8.8 on-up="" on-down=""

1 name="profileremote" local-address=94.74.146.178 remote-address=poolremote use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default use-upnp=default address-list="" on-up="" on-down=""

2 * name="default-encryption" local-address=2.2.2.2 remote-address=pool1 use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" dns-server=217.218.155.155,8.8.8.8 on-up=""
on-down=""


/ppp secret print detail (change your username to 'username' and your password to 'password')

[admin@Mikrotik] > /ppp secret print detail
Flags: X - disabled
0 X name="username " service=any caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=jan/01/1970 00:00:00

1 X name="username" service=pptp caller-id="" password="password" profile=profileremote routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=aug/01/2017 10:42:18

2 name="username" service=pptp caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=oct/14/2017 18:12:24

3 name="username" service=any caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=oct/14/2017 15:19:20

4 name="username" service=any caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=aug/13/2017 11:46:08

5 name="username" service=any caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=oct/14/2017 17:16:10

6 name="username" service=any caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=aug/18/2017 09:35:54

/interface pptp-server server print

enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: disabled
default-profile: default


/ip firewall filter print detail (This is for steps 5 & 6)

Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

/interface ethernet print

# NAME MTU ARP MASTER-PORT SWITCH
0 R ether1-MSP 1500 enabled none switch1
1 R ether2 1500 proxy-arp none switch1
2 ether3 1500 enabled none switch1
3 R ether4 1500 enabled none switch1
4 ether5 1500 enabled none switch1
5 ether6 1500 enabled none switch2
6 ether7 1500 enabled none switch2
7 ether8 1500 enabled none switch2
8 ether9 1500 enabled none switch2
9 ether10 1500 enabled none switch2
10 sfp1 1500 enabled none switch1

/ip firewall nat print detail

Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; Internet Access Trough VPN
chain=srcnat action=masquerade src-address=172.26.1.0/24 dst-address=!172.26.1.0/24 log=no log-prefix=""
 
flavio
just joined
Posts: 7
Joined: Thu Dec 27, 2007 11:56 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Thu Oct 19, 2017 6:16 pm

Try changing the LAN interface on the VPN server side to proxy-arp.
 
myg4ever
just joined
Posts: 1
Joined: Fri Dec 22, 2017 10:57 am

Re: No access to LAN over PPTP VPN (can only ping router)

Fri Dec 22, 2017 11:01 am

Thanks, I have the same problem and I will try it out.
 
zhenissimo
just joined
Posts: 4
Joined: Wed Dec 12, 2012 10:10 am

Re: No access to LAN over PPTP VPN (can only ping router)

Tue Jan 02, 2018 2:39 am

Hello,
I have a very similar problem. Maybe someone can help me find out what is wrong.
I am able to connect to the VPN, but can't access the Internet or the LAN devices on it. Only the MikroTik's local IP is pinging.

My conf:

/ppp profile print detail
name="default" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""
name="pptp-profile" local-address=10.0.10.254 remote-address=pptp-pool remote-ipv6-prefix-pool=*0 use-ipv6=yes use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default use-upnp=default
address-list="" dns-server=10.0.10.254 on-up="" on-down=""
name="default-encryption" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" dns-server=8.8.8.8,8.8.4.4 on-up="" on-down=""

/ppp secret print detail
name="username" service=any caller-id="" password="password" profile=pptp-profile routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=feb/02/2017 02:24:56

/interface pptp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default-encryption

/ip firewall filter print detail
chain=forward action=accept connection-state="" in-interface=ether5 log=no log-prefix=""
chain=forward action=accept in-interface=ether1 log=no log-prefix=""
chain=forward action=accept in-interface=ether3 log=no log-prefix=""
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
chain=input action=accept protocol=gre log=no log-prefix=""
chain=forward action=drop log=no log-prefix=""
chain=input action=drop protocol=icmp in-interface=ether5 icmp-options=8:0-255 log=no log-prefix=""


/interface ethernet print
0 ;;; LAN
ether1 1500 00: proxy-arp none
1 RS ether2 1500 00: proxy-arp ether3 switch1
2 R ether3 1500 00: proxy-arp none switch1
3 ether4 1500 00: proxy-arp none switch1
4 R ;;; WAN
ether5 1500 00:0C:42:8A:71:17 enabled none switch1

/ip firewall nat print detail
chain=srcnat action=masquerade src-address=10.0.10.88/29 dst-address=!10.0.10.88/29 out-interface=ether5 log=no log-prefix=""
chain=srcnat action=masquerade src-address=10.0.10.0/24 log=no log-prefix=""
 
Mantic0re
just joined
Posts: 3
Joined: Tue Oct 25, 2016 7:27 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Tue Jan 02, 2018 11:39 am

Well, try to use proxy then.
 
zhenissimo
just joined
Posts: 4
Joined: Wed Dec 12, 2012 10:10 am

Re: No access to LAN over PPTP VPN (can only ping router)

Tue Jan 02, 2018 12:53 pm

Well, try to use proxy then.
What do you mean?
 
zhenissimo
just joined
Posts: 4
Joined: Wed Dec 12, 2012 10:10 am

Re: No access to LAN over PPTP VPN (can only ping router)

Sun Jan 07, 2018 12:47 am

any ideas?
 
gpto
just joined
Posts: 1
Joined: Sun Jan 07, 2018 8:01 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Wed Jan 31, 2018 5:15 pm

I had the same problem, but for me it was quite simple to resolve:

I'm at home and want to connect to the office.

The problem is that I have the same IP range on both sides, 192.168.1.0/24 at home and the same at the office.

So, while connected through the VPN, if I try to reach, for example, one of our office switches, my Mac tries to reach it at home, even if the VPN is set to send ALL TRAFFIC through the VPN....

For me it's just a range conflict; my Mac can't understand which 192.168.1.0/24 network I'm asking it to go to......

If I connect my Mac using a 4G dongle (in 172.0.0.0/24) I'm able to reach all devices in my office network.

Cheers
 
eltimmo
just joined
Posts: 2
Joined: Sat May 19, 2018 5:29 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Sat Jul 07, 2018 4:14 pm

Hi,

I had the same problem. I got this to work by putting the VPN on its own network, like below. I'm not that experienced with RouterOS, so this may not be the best way. Hope this helps.

Add IP Pool for L2TP - (called l2tp)
ip pool 192.168.99.190-192.168.99.199

Add IP Address
192.168.99.1/24 network 192.168.89.0 on the bridge

On L2TP Profile
configure this to use 192.168.99.2 as its local address, remote is l2tp.
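The dedicated-subnet design eltimmo describes, written out as an added L2TP/IPsec example. This is not eltimmo's or anyone else's export: the 192.168.99.0/24 VPN subnet is his, while the interface names ether1/bridge, the LAN 192.168.1.0/24, the vpn-clients address list, the pre-shared key placeholder and the rule comments are assumptions. Because the client addresses are not in the LAN subnet, the router simply routes between the two networks: no proxy-arp and no masquerade are needed, LAN hosts send their replies to their default gateway (assumed to be this router) and LAN logs show each client's real VPN address. Nor is a second address on the bridge needed; each client gets a dynamic /32 route on its own tunnel interface. It also answers overdriven's question above about one forward rule per pptp-&lt;user&gt; interface: match on the address list the PPP profile fills in instead of on interface names, and the rule covers every client. One caveat for this design: host firewalls frequently scope their "private network" rules (Windows file sharing and ICMP echo, for example) to the local subnet, so a host that answered pings from 192.168.1.x may silently ignore 192.168.99.x until that subnet is added to its rules.

```routeros
# Added example, not from the thread. Assumes: WAN on ether1, LAN on 'bridge' with
# 192.168.1.1/24 and this router as the LAN default gateway. RouterOS 6.x syntax.
# Replace the PSK and the user secret before use.

# VPN clients get their own subnet; .1 is the router's tunnel-side address
/ip pool add name=l2tp-pool ranges=192.168.99.10-192.168.99.99
/ppp profile add name=l2tp-profile local-address=192.168.99.1 remote-address=l2tp-pool \
    use-encryption=required change-tcp-mss=yes dns-server=192.168.1.1 address-list=vpn-clients
/ppp secret add name=username password=password service=l2tp profile=l2tp-profile

# L2TP only inside IPsec; plain L2TP is refused
/interface l2tp-server server set enabled=yes default-profile=l2tp-profile \
    authentication=mschap2 use-ipsec=required ipsec-secret=CHANGE-THIS-PSK

/ip firewall filter
# Input: IKE, NAT-T and ESP from the WAN, and L2TP only when it arrived through IPsec
add chain=input action=accept connection-state=established,related comment="keep existing"
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=ether1 comment="IKE / NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface=ether1 comment="ESP"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP inside IPsec only"
add chain=input action=drop in-interface=ether1 comment="drop everything else from WAN"

# Forward: keyed on the dynamic address list, so one rule covers every <l2tp-user> interface.
# No proxy-arp and no masquerade: 192.168.99.0/24 is simply routed.
add chain=forward action=accept connection-state=established,related comment="replies"
add chain=forward action=accept src-address-list=vpn-clients dst-address=192.168.1.0/24 \
    comment="VPN clients to LAN"
add chain=forward action=drop src-address-list=vpn-clients comment="nothing else from VPN clients"

# Checks after a client connects:
#   /ip route print where dst-address~"192.168.99"   (one dynamic /32 per client)
#   /ip firewall address-list print where list=vpn-clients
#   /ip firewall filter print stats where comment="VPN clients to LAN"
```

The final drop makes the tunnel LAN-only. If clients should also reach the internet through the router, delete it; the default "masquerade out WAN" rule already covers 192.168.99.0/24 because it matches on the outgoing interface, not on the source.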
 
tecnicanet
just joined
Posts: 1
Joined: Mon Mar 25, 2019 5:49 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Mon Mar 25, 2019 5:54 pm

Try to make a masquerade rule like in the picture.
L2TP.PNG
Hi, I can't see the image. Can you repost the picture, or write the command to create the rule?

Thank you so much!!
 
hamedta
just joined
Posts: 7
Joined: Fri Aug 30, 2019 9:46 pm

No access to LAN over VPN

Fri Aug 30, 2019 10:12 pm

Hello

I have a problem. I need to access the web config of a network device which is in another city, remotely. So I connected a USB 3G modem to my MikroTik router for internet and connected my network device to LAN2 of the MikroTik router; with a NAT rule, my network device is connected to the Internet. But as the 3G modem doesn't support DMZ or port forwarding, I can't access my network device's web config page. As a solution I set up an OpenVPN client interface on the router, and it connected to the public server; from the office I also connect to the OpenVPN server, so now I have my router and my PC in the same network from the office, and I can ping my router through the IP address of the OpenVPN interface and even connect to it with WinBox. But the problem is that I don't have access to the device which is connected to LAN2. What could be a solution, or a better approach?

I need to open the web config of my network device, which is HTTP on port 80.

Your MikroTik LAN IP: 192.168.20.20 (LAN2)
Your LAN DHCP Range:192.168.20.21 - 192.168.20.22 (LAN2)

/ip pool print
# NAME RANGES
0 dhcp_pool 192.168.20.21-192.168.20.22

/ppp profile print detail
1 name="OVPN-client" use-mpls=no use-compression=no use-encryption=required only-one=default change-tcp-mss=yes use-upnp=default
address-list="" on-up="" on-down=""

/interface ovpn-client print
Flags: X - disabled, R - running
0 R name="OPENVPN" mac-address=FE:14:B2:5E:B4:33 max-mtu=1500 connect-to=x.x.xx port=434 mode=ip user="user"
password="pass" profile=OVPN-client certificate=client.crt_0 verify-server-certificate=no auth=sha1 cipher=blowfish128
add-default-route=yes

/ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; allow established connections
chain=forward connection-state=established

1 ;;; allow related connections
chain=forward connection-state=related

2 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid

/interface ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP SWITCH
0 R LAN1 1500 D4:CA:6D:29:6F:B7 enabled switch1
1 LAN2 1500 D4:CA:6D:29:6F:B8 enabled switch1
2 LAN3 1500 D4:CA:6D:29:6F:B9 enabled switch1
3 LAN4 1500 D4:CA:6D:29:6F:BA enabled switch1
4 WAN 1500 D4:CA:6D:29:6F:B6 enabled switch1

/ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.20.0/24
out-interface=OPENVPN log=no log-prefix=""

OPENVPN ip is 10.8.0.26

my pc ip address is 10.8.0.30
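One way to reach the LAN2 device in hamedta's setup, as an added example (not hamedta's config): the office PC only has a route to the router's tunnel address 10.8.0.26, so forward port 80 on that address to the device with dst-nat on the router. The device address 192.168.20.21 is an assumption taken from the two-address DHCP pool above, and the office PC's 10.8.0.30 and the interface name OPENVPN are from the post. The device's default gateway is the router (192.168.20.20), so replies are un-NATed on the way back and the existing masquerade out OPENVPN is not involved. Two checks belong with it: the forward chain printed above only handles established, related and invalid, so the new connection currently passes by the implicit accept at the end of the chain, and the rules below make that explicit and limit it to the one service; and the client profile shows verify-server-certificate=no with a 64-bit block cipher (blowfish128), which means the router will build the tunnel to whoever answers at connect-to, so turn verification on and move to AES as soon as the server side permits.

```routeros
# Added example, not hamedta's config. Assumes the LAN2 device is 192.168.20.21
# (from the .21-.22 DHCP pool; pin it with a static lease so the NAT target does not
# move) and that only the office PC 10.8.0.30 should reach it. RouterOS 6.x syntax.

# Port 80 on the router's tunnel address -> the device's web UI, office PC only
/ip firewall nat add chain=dstnat in-interface=OPENVPN src-address=10.8.0.30 \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.20.21 to-ports=80 \
    comment="office PC -> LAN2 device web UI"

# Forward policy made explicit instead of relying on the implicit accept
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="allow established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface=OPENVPN connection-nat-state=dstnat \
    dst-address=192.168.20.21 protocol=tcp dst-port=80 comment="only the dst-nat'ed web UI"
add chain=forward action=drop in-interface=OPENVPN comment="nothing else from the tunnel"

# Check: from the office PC open http://10.8.0.26/ and watch the counters move
#   /ip firewall nat print stats where comment~"web UI"
#   /ip firewall filter print stats where comment~"web UI"
```

If the OpenVPN server can push a route for 192.168.20.0/24 to the office PC (server-side configuration, not shown in the thread), the dst-nat becomes unnecessary, but the same forward rules still decide what the tunnel is allowed to reach.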
 
hamedta
just joined
Posts: 7
Joined: Fri Aug 30, 2019 9:46 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Mon Sep 02, 2019 2:30 pm

Any idea?
 
afuente26
just joined
Posts: 20
Joined: Mon Jan 28, 2019 12:24 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Mon Oct 14, 2019 5:24 pm

Hello,

"Try to make a masquerade rule like in the picture."

Could you please re-upload the picture?

Thanks,
Angel
 
ashpri
Member Candidate
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Re: No access to LAN over PPTP VPN (can only ping router)

Sat Oct 19, 2019 7:13 pm

Try changing the LAN interface on the VPN server side to proxy-arp.
This worked for me.
 
flaviolopes
just joined
Posts: 2
Joined: Thu Oct 24, 2019 3:35 pm

Re: No access to LAN over PPTP VPN (can only ping router)

Mon Oct 28, 2019 8:42 pm

Kincaidc and overdriven: Since this post, I have moved on from PPTP to SSTP. I'm also a MikroTik amateur. However, if you will print out your config, I can take a look and try to troubleshoot.

Look through my final post from when I had it working (Post #3). For each step, I documented both using Winbox and Terminal.

Fill in the following information:
Your MikroTik LAN IP:
Your LAN DHCP Range:

Enter the following in terminal and post your results:
/ip pool print
/ppp profile print detail
/ppp secret print detail (change your username to 'username' and your password to 'password')
/interface pptp-server server print
/ip firewall filter print detail (This is for steps 5 & 6)
/interface ethernet print
/ip firewall nat print detail

Hopefully I (or someone more qualified) can help.

I have the same problem: the connection happens and I have access to equipment with an external IP (modem), but no access to the host LAN, the internal network.
See:
  1. MK Lan IP = 192.168.0.3
  • LAN DHCP= 192.168.0.0/24
  • ppp profile = default (dns-server=192.168.0.3 - gateway of my Local LAN server)
  • 0 name="meuusuario" service=l2tp caller-id="" password="minhasenha"
    profile=default local-address=192.168.0.3 remote-address=192.168.0.5
    routes="" limit-bytes-in=0 limit-bytes-out=0
  • enabled: yes
    max-mtu: 1460
    max-mru: 1460
    mrru: disabled
    authentication: mschap1,mschap2
    keepalive-timeout: 30
    max-sessions: unlimited
    default-profile: default
    use-ipsec: no
    ipsec-secret:
    caller-id-type: ip-address
    one-session-per-host: yes
    allow-fast-path: no
  • 1 chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
    2 chain=input action=accept protocol=gre log=no log-prefix=""
    3 chain=input action=accept connection-state="" protocol=udp
    dst-address=192.168.0.5 dst-port=500,1701,4500 log=no log-prefix=""
    4 chain=input action=accept connection-state="" protocol=ipsec-esp
    dst-address=192.168.0.5 log=no log-prefix=""
    (rules for PPTP and L2TP)
  • interface LAN with arp=proxy-arp
  • (all Out WAN here) 0 ;;; Marcared WAN
    chain=srcnat action=masquerade out-interface-list=Lista_wan log=no
    log-prefix=""
    1 ;;; Marcared VPN
    chain=srcnat action=masquerade src-address=192.168.0.5
    dst-address=!192.168.0.5 log=no log-prefix=""
Comments:
  • I turned off the hosts' firewall
  • the modems are in bridge mode
  • From the MK terminal, the VPN client doesn't respond to ping; it appears unreachable (192.168.0.5 - timeout)
 
orangez
just joined
Posts: 2
Joined: Tue Oct 25, 2016 7:00 pm
Location: Hungary

Re: No access to LAN over PPTP VPN (can only ping router)

Fri May 01, 2020 5:18 pm

My LAN speed over the VPN is really slow, but the internet is OK!
Can somebody help me?
# may/01/2020 16:05:42 by RouterOS 6.45.6
# software id = 865C-VA1Z
#
# model = RouterBOARD 750G r3
# serial number = xxx
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=bE92Sn use-peer-dns=yes user=xxx@xxx.hu
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add local-address=192.168.89.1 name=vpn passive=yes send-initial-contact=no
/ip ipsec profile
set [ find default=yes ] name=vpn
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.199
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8,8.8.4.4 local-address=192.168.89.1 \
    remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set allow-fast-path=yes enabled=yes ipsec-secret=xxx \
    max-mru=1350 max-mtu=1350 use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
add address=192.168.89.1/24 interface=ether3 network=192.168.89.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.1.10 client-id=1:b8:69:f4:85:9c:d3 mac-address=\
    B8:69:F4:85:9C:D3 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall address-list
add address=8b0009264bcf.sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add local-address=192.168.89.1 name=xxx password=\
    xxx remote-address=192.168.89.10
/system clock
set time-zone-name=Europe/xxx
/system scheduler
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
ifibra
just joined
Posts: 5
Joined: Wed Dec 20, 2017 7:42 pm
Location: Cyprus

Re: No access to LAN over PPTP VPN (can only ping router)

Thu Oct 15, 2020 1:08 pm

/ip firewall nat add chain=srcnat action=masquerade out-interface=bridge

that will help)
 
joni254
just joined
Posts: 1
Joined: Mon Feb 01, 2021 10:22 am

Re: No access to LAN over PPTP VPN (can only ping router)

Mon Feb 01, 2021 10:51 am

Thank you, BartoszP! That solved it. I can see everything in the network now. :D

Here are my updated, unorthodox notes plus printouts. Hopefully they help someone in the future:

Example:
MikroTik LAN IP: 192.168.25.1
LAN DHCP: 192.168.25.100-200

1. IP > Pool > Add New
Name: PPTP-pool
Addresses: 192.168.25.88/29 (192.168.25.88-95)

The steps above worked for me

/ip pool print
# NAME RANGES
0 default-dhcp 192.168.25.100-192.168.25.200
1 PPTP-pool 192.168.25.88/29


2. PPP > Profiles > Add New
Name: PPTP-profile
Local Address: 192.168.25.1
Remote Address: PPTP-pool
Use IPv6: No
Use Encryption: Yes
DNS: 8.8.8.8

/ppp profile print detail
1 name="PPTP-profile" local-address=192.168.25.1 remote-address=PPTP-pool
remote-ipv6-prefix-pool=*0 use-ipv6=no use-mpls=default
use-compression=default use-vj-compression=default use-encryption=yes
only-one=default change-tcp-mss=default address-list="" dns-server=8.8.8.8


3. PPP > Secrets > Add New
Name: username
Password: password
Service: pptp
Profile: PPTP-profile

/ppp secret print detail
0 name="username" service=pptp caller-id="" password="password"
profile=PPTP-profile routes="" limit-bytes-in=0 limit-bytes-out=0


4. PPP > Interface > PPTP Server
Enabled: Yes
Max MTU: 1460
Max MRU: 1460
Default Profile: PPTP-profile
Only check mschap2

/interface pptp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: PPTP-profile


5. Firewall > Filter Rules > Add New
Chain: input
Protocol: 6 (tcp)
Dst. Port: 1723
Comment: PPTP configuration
Drag the new rule to the top of the list (under the Protocol: 1 (icmp) rule)

6. Firewall > Filter Rules > Add New
Chain: input
Protocol: gre
Drag under the Port 1723 rule

/ip firewall filter print detail
0 ;;; default configuration
chain=input action=accept protocol=icmp in-interface=!ether1-gateway
log=no log-prefix=""
1 ;;; PPTP configuration
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
2 chain=input action=accept protocol=gre log=no log-prefix=""


7. Set up proxy-arp on the local interface.
Interfaces > ether2
ARP: proxy-arp

/interface ethernet print
# NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
0 R ether1-g... 1500 D4:CA:6D:1C:85:F8 enabled none switch1
1 RS ether2 1500 D4:CA:6D:1C:85:F9 proxy-arp none switch1


8. IP > Firewall > NAT > Add rule
Chain: srcnat
Src. Address: 192.168.25.88/29
Dst. Address: !192.168.25.88/29
Action: masquerade
Comment: PPTP NAT Rule

/ip firewall nat print detail
34 ;;; PPTP NAT Rule
chain=srcnat action=masquerade src-address=192.168.25.88/29
dst-address=!192.168.25.88/29 log=no log-prefix=""
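To check those eight steps mechanically, here is an added example in Python (not code from the forum post or from MikroTik): it parses "/ip firewall filter print detail" output in the format shown under step 6 and confirms that the 1723/GRE accepts sit above any input-chain drop, and that the VPN pool lies inside the LAN subnet (so proxy-arp can answer for it) without overlapping the DHCP range. It assumes pools are written as a range or a CIDR, as RouterOS accepts, and that rule flags sit between the index and the rule body, as in the printouts in this thread.

```python
# Added example, not from the forum post: sanity checks for the PPTP setup in steps 1-8 above.
import ipaddress
import re

def parse_print_detail(text):
    """'/ip firewall filter print detail' output -> ordered rule dicts (an 'X' flag marks a disabled rule)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+((?:[A-Z]+\s+)*)(.*)$", line)
        if m:
            rules.append({"idx": int(m.group(1)), "disabled": "X" in m.group(2), "body": m.group(3)})
        elif rules and line.strip():  # continuation line of the previous rule
            rules[-1]["body"] += " " + line.strip()
    for r in rules:
        r.update({k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', r["body"])})
    return rules

def check_pptp_input(rules):
    """tcp/1723 and GRE must be accepted in the input chain, above the first input drop (steps 5 and 6)."""
    inp = [r for r in rules if r.get("chain") == "input" and not r["disabled"]]
    first_drop = next((i for i, r in enumerate(inp) if r.get("action") == "drop"), len(inp))
    findings = []
    for name, proto, port in (("tcp/1723", "tcp", "1723"), ("gre", "gre", None)):
        pos = next((i for i, r in enumerate(inp) if r.get("action") == "accept" and r.get("protocol") == proto
                    and (port is None or r.get("dst-port") == port)), None)
        if pos is None:
            findings.append(f"missing input accept rule for {name}")
        elif pos > first_drop:
            findings.append(f"{name} accept (rule {inp[pos]['idx']}) sits below drop rule {inp[first_drop]['idx']}")
    return findings
def _bounds(spec):  # 'a-b' range or CIDR, both valid RouterOS pool syntax -> (first, last) address
    net = None if "-" in spec else ipaddress.ip_network(spec, strict=False)
    return (net[0], net[-1]) if net is not None else tuple(ipaddress.ip_address(a) for a in spec.split("-"))

def check_pool(lan_cidr, dhcp_range, pptp_pool):
    """Proxy-arp (step 7) only answers for addresses inside the LAN subnet; the pool must not overlap DHCP."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    (d_lo, d_hi), (p_lo, p_hi) = _bounds(dhcp_range), _bounds(pptp_pool)
    findings = []
    if p_lo not in lan or p_hi not in lan:
        findings.append("PPTP pool is outside the LAN subnet; proxy-arp will not cover it")
    if d_lo <= p_hi and p_lo <= d_hi:
        findings.append("PPTP pool overlaps the DHCP range")
    return findings
SAMPLE = """0 ;;; default configuration
chain=input action=accept protocol=icmp in-interface=!ether1-gateway
1 ;;; PPTP configuration
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
2 chain=input action=accept protocol=gre log=no log-prefix=""
"""  # constructed from the printout under step 6; the thread's rules pass both checks
```

Running check_pool with the pool from step 1 and the DHCP range from the example header returns no findings; feeding it a pool in a different subnet (as in the export earlier in the thread) reports that proxy-arp will not cover it.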
 
rafmix
just joined
Posts: 1
Joined: Tue Mar 16, 2021 3:33 am

Re: No access to LAN over PPTP VPN (can only ping router)

Fri Apr 09, 2021 2:41 am

Hi everybody.
I'm totally new to MikroTik.
I'm using my hAP ac2 as a PPTP CLIENT.
Everything is working from the client side: I can reach the internet and I can ping all devices located in the server's LAN.
But I CANNOT ping the MikroTik router's LAN from the server side.
The server is running on DD-WRT. I also have another PPTP client (on DD-WRT) and everything works there: pinging from client to server LAN and from server to client LAN.
This means that the server settings are right.
What should I do in MikroTik to solve this problem?
Please help me because I think I have tried everything.
Here are my settings:

MikroTik LAN IP: 192.168.4.1
LAN DHCP Range: 192.168.4.2-192.168.4.254
--------------
/ip pool print
# NAME RANGES
0 dhcp 192.168.4.2-192.168.4.254
--------------
/ppp profile print detail
Flags: * - default
0 * name="default" use-mpls=default use-compression=default
use-encryption=default only-one=default change-tcp-mss=yes
use-upnp=default address-list="" on-up="" on-down=""

1 * name="default-encryption" use-mpls=default use-compression=default
use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default
address-list="" on-up="" on-down=""
--------------
/ppp secret print detail
Flags: X - disabled
-------------
/interface pptp-client print
Flags: X - disabled, R - running
0 R name="VPN-PPTP" max-mtu=1450 max-mru=1450 mrru=disabled
connect-to=192.168.1.31 user="USER" password="PASSWORD"
profile=default-encryption keepalive-timeout=60 add-default-route=no
dial-on-demand=no allow=pap,chap,mschap1,mschap2
--------------
/ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

2 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

3 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

4 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

5 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

6 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
----------------
/interface ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP SWITCH
0 R ether1 1500 08:55:31:83:4D:F1 proxy-arp switch1
1 S ether2 1500 08:55:31:83:4D:F2 proxy-arp switch1
2 S ether3 1500 08:55:31:83:4D:F3 proxy-arp switch1
3 S ether4 1500 08:55:31:83:4D:F4 proxy-arp switch1
4 S ether5 1500 08:55:31:83:4D:F5 proxy-arp switch1
-----------------
/ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

1 chain=srcnat action=masquerade src-address=192.168.4.2-192.168.4.254 out-interface=VPN-PPTP log=no
log-prefix=""
-------------------
/ip route> print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable via ether1 distance=1
scope=30 target-scope=10 vrf-interface=ether1

1 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.27 gateway=ether1 gateway-status=ether1 reachable distance=0
scope=10

2 A S dst-address=192.168.2.0/24 gateway=VPN-PPTP gateway-status=VPN-PPTP reachable distance=1 scope=30
target-scope=10

3 ADC dst-address=192.168.2.253/32 pref-src=192.168.2.201 gateway=VPN-PPTP gateway-status=VPN-PPTP reachable
distance=0 scope=10

4 ADC dst-address=192.168.4.0/24 pref-src=192.168.4.1 gateway=bridge gateway-status=bridge reachable distance=0
scope=10
---------------------------------
