Community discussions

MikroTik App
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Apr 19, 2013 9:28 am

vpn public ip cant ping

Sun Feb 14, 2021 5:09 pm

Hello everyone
my isp doesn't support public IP so I got VPN service with public IP and all ports are open
I use it directly on windows and everything work fine can access the open ports and everything
when I add the VPN client to Mikrotik for example PPTP-client
it gets to connect and I can browse the internet if I make mangle and firewall then the traffic go throw VPN normally
but when I want to access the router from outside using my static VPN IP
I can't get any access even can't ping to the static IP

any suggestion to try out

my network diagram

WAN---->pppoe---->mikrotik---->vpn-client---->new public ip
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Apr 19, 2013 9:28 am

Re: vpn public ip cant ping

Sun Feb 21, 2021 4:05 am

please help i have public ip but i cant remote my mikrotik outside nor i cant ping my public ip
anyone can help me
You do not have the required permissions to view the files attached to this post.
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Apr 19, 2013 9:28 am

Re: vpn public ip cant ping

Thu Feb 25, 2021 3:32 am

anyone can help
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Fri Jan 08, 2021 5:30 am

Re: vpn public ip cant ping

Thu Feb 25, 2021 4:52 am

What are your firewall rules?
Long time Member
Long time Member
Posts: 697
Joined: Wed Jun 12, 2013 1:59 pm

Re: vpn public ip cant ping

Thu Feb 25, 2021 8:39 am

Having a Windows machine publicly available is not really good practice security wise. You better only forward ports that are absolutely necessary. And...start running a VPN server on your router for management purposes and making resources available.

By the way, to show your config use /export hide-sensitive file=anynameyoulike and post it using code-tags.
First the problem, then the solution
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 65
Joined: Fri Apr 19, 2013 9:28 am

Re: vpn public ip cant ping

Fri Feb 26, 2021 4:51 pm

/interface bridge
add fast-forward=no name=bridge-hotspot
add name=bridge-local
add name=userman
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 name=ether1-WAN1
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether4 ] comment=BROADBAND
/interface pptp-client
add allow=chap,mschap2 comment=VPN connect-to=sg-ded-1.[REDACTED].net \
dial-on-demand=yes disabled=no name=VPN user=xxxxx4338
/interface ethernet switch port
set 5 default-vlan-id=0 vlan-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
add authentication-types=wpa-psk eap-methods="" group-ciphers=tkip \
management-protection=allowed mode=dynamic-keys name=station \
supplicant-identity="" unicast-ciphers=tkip
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=wifi \
supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk eap-methods="" name=hotspot \
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.portal hotspot-address= \
html-directory=flash/darkcyanhotspot login-by=http-chap,http-pap name=\
/ip pool
add name=default-dhcp ranges=
add name=wifi-secure ranges=
add name=hs-bro1 ranges=
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=\
bridge-local name=local-dhcp
add add-arp=yes address-pool=hs-unauthenticated bootp-support=none disabled=\
no interface=bridge-hotspot lease-time=6h name=hotspot-dhcp
/ip hotspot
add address-pool=hs-unauthenticated addresses-per-mac=unlimited disabled=no \
idle-timeout=none interface=bridge-hotspot name=WIFI
/ip hotspot user profile
set [ find default=yes ] address-pool=hs-hotspot name=ADMIN on-login="\r\
add address-pool=hs-hotspot !idle-timeout !keepalive-timeout name=VM-1 \
add address-pool=hs-hotspot idle-timeout=1h name=1hr on-login=":local username\
\n:local date [/system clock get date];\r\
\n:local time [/system clock get time];\r\
\n:log warning \"\$username has login - \$time\"; \r\
\n:if ([/system scheduler find name=\$username]=\"\") do={ /ip hotspot use\
r set [find name=\$user] limit-uptime=10s \r\
\n/system scheduler add name=\$username interval=60d on-event=\"/ip hotspo\
t user set profile=EXPIRED [find name=\$username]\\r\\n/ip hotspot active \
remove [find user=\$username]\\r\\n/system scheduler remove [find name=\$u\
\n/system script run moveICMP" rate-limit=5M/10M
set 0 name=usb1
/ppp profile
add change-tcp-mss=yes comment="<-----VIP PLAN----->" dns-server=\ local-address=hs-unauthenticated name="VIP 599 7MB" \
only-one=yes remote-address=hs-bro1
/queue simple
add name=RESIDENTIAL target=
add max-limit=3M/7M name="reyes badette" parent=RESIDENTIAL target=\
/queue tree
add disabled=yes name=X-Bro priority=1
add disabled=yes max-limit=100M name=bro-download parent=X-Bro priority=1
/queue type
add kind=pcq name=gaming-pcq-download pcq-classifier=dst-address,dst-port \
add kind=pcq name=gaming-pcq-upload pcq-classifier=src-address,src-port \
add kind=pcq name="limit dl" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name=main-pcq-download pcq-classifier=dst-address pcq-limit=\
add kind=pcq name=main-pcq-upload pcq-classifier=src-address pcq-limit=40KiB
add kind=pfifo name=main-queue pfifo-limit=100
add kind=pcq name="UPLOAD Gaming" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="DOWNLOAD Games" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="DOWNLOAD Browsing" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="UPLOAD Browsing" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=256k pcq-src-address6-mask=64
add kind=pcq name=PPPHOMEDL-15MBPSBURST pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=15M pcq-src-address6-mask=64
add kind=pcq name=PPPHOMEUPLOAD pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=20M pcq-src-address6-mask=64
add kind=pcq name="ALL DOWNLOAD" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=50M pcq-src-address6-mask=64
add kind=pcq name="ALL UPLOAD" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=50M pcq-src-address6-mask=64
/system logging action
set 1 disk-file-name=log
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
add name=admin policy="reboot,read,write,test,password,web,api,!local,!telnet,\
add name=adminftp policy="ftp,reboot,read,write,password,api,!local,!telnet,!s\
add name=adminlast policy="reboot,read,write,test,password,web,api,!local,!tel\
add name=techedit policy="ftp,reboot,read,write,test,winbox,password,web,api,!\
/interface bridge port
add bridge=bridge-local comment=LAN interface=ether3
add bridge=bridge-hotspot comment=HOTSPOT interface=ether4
add bridge=bridge-hotspot comment=BROADBAND interface=ether5
add bridge=bridge-local disabled=yes interface=*1
add bridge=bridge-hotspot disabled=yes interface=*E
add disabled=yes interface=*A
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/interface pppoe-server server
add disabled=no interface=bridge-hotspot keepalive-timeout=60 max-mru=1480 \
max-mtu=1480 one-session-per-host=yes service-name="GRACE"
/interface sstp-server server
set enabled=yes
/interface wireless access-list
add comment=ron mac-address=6E:5A:88:C7:0C:2A
add comment=rose mac-address=8C:F5:A3:F4:A4:7A
add comment=ron mac-address=90:97:F3:88:EA:C0
/ip address
add address= interface=bridge-local network=
add address= interface=bridge-hotspot network=
add address= interface=bridge-hotspot network=
add address= interface=userman network=
/ip cloud
set update-time=no
/ip dhcp-client
add add-default-route=no comment=WAN1 disabled=no interface=ether1-WAN1 \
/ip dhcp-server lease
add address= client-id=1:8c:f5:a3:f4:a4:7a comment=rose \
mac-address=8C:F5:A3:F4:A4:7A server=hotspot-dhcp
add address= client-id=1:cc:6e:a4:d8:c4:2d comment=samsung \
mac-address=CC:6E:A4:D8:C4:2D server=hotspot-dhcp
add address= client-id=1:34:f1:50:74:58:be comment=tcl \
mac-address=34:F1:50:74:58:BE server=hotspot-dhcp
/ip dhcp-server network
add address= dns-none=yes gateway=
add address= gateway=
add address= comment="default configuration" gateway=\
/ip dns
set allow-remote-requests=yes servers=,
/ip dns static
add address= name=router
/ip firewall address-list
add address= list=local-address
add address= list=local-addressdns
/ip firewall mangle
add action=mark-routing chain=prerouting dst-port=\
1-52,54-1028,3478,3479,5228,8888 new-routing-mark=vpn_ian passthrough=no \
protocol=tcp src-address=
add action=mark-routing chain=prerouting new-routing-mark=vpn_ian \
passthrough=no protocol=udp src-address=
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=WAN1 out-interface=ether1-WAN1
add action=masquerade chain=srcnat comment=VPN out-interface=VPN
/ip hotspot user
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
70:8F:47:2D:B0:73 name=emem
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
20:31:1C:E4:4C:F3 name=macmac
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
6C:D9:4C:FF:5B:CD name=patrick
add address= name=oneil
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
08:FA:79:DF:64:D3 name=talin
add name=bebe9365
add name=rose532
add mac-address=00:27:15:52:34:A1 name=ron1
/ip proxy
set cache-path=flash/webproxy enabled=yes max-cache-size=none
/ip proxy access
add action=deny dst-host=!
/ip route
add comment=VPN distance=2 gateway=VPN routing-mark=vpn
add comment=WAN2 disabled=yes distance=1 gateway= routing-mark=PL1
add comment=WAN1 distance=1 gateway=
add comment=WAN1_A disabled=yes distance=1 dst-address= \
add comment=WAN1_A disabled=yes distance=1 dst-address=xx.xx.104.116/32 \
/ip route rule
add dst-address= routing-mark=RT-PL1 src-address= table=PL1
add dst-address= routing-mark=RT-PL2 src-address= table=PL2
/ip service
set telnet disabled=yes
set www port=82
set winbox port=8292
set api-ssl disabled=yes
/port firmware
set ignore-directip-modem=yes
/ppp secret
add comment=PAID1 name="reyes badette" profile="VIP 599 7MB" routes=PAID.1MO \
add address= service=login,hotspot
/system clock
set time-zone-autodetect=no
/system clock manual
set time-zone=+08:00
/system ntp client
set enabled=yes
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool sms
set port=usb1

Who is online

Users browsing this forum: No registered users and 9 guests