Loskrochn
just joined
Topic Author
Posts: 21
Joined: Wed Dec 11, 2019 11:28 am

PPTP Forwarding from Mikrotik to Mikrotik

Tue Feb 01, 2022 9:28 am

Hello, I hope somebody finds my fault.
I have two MikroTik RouterBoards:
1. Manages the internet connection; the firewall is on it, and the port forwarding for PPTP.
/ip firewall address-list
add address=192.168.2.200-192.168.3.250 list="Block Internet"
add address=192.168.10.1-192.168.15.250 list="Block Local"
add address=10.10.10.2-10.10.10.254 list="Guest Users"
add address=10.10.10.0/24 list="Block Internet Guest"
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=accept chain=forward comment="Weiterlkeitung f\FCr ptpp neu" \
    dst-address=192.168.1.246 in-interface=lte1 protocol=gre
add action=accept chain=forward dst-address=192.168.1.246 dst-port=1723 \
    in-interface=lte1 protocol=tcp
add action=accept chain=forward comment="Weiterlkeitung f\FCr ptpp neu" \
    disabled=yes out-interface=lte1 src-address=192.168.1.246
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked log-prefix=Internet
add action=accept chain=input comment="DNS GAST" disabled=yes dst-port=53 \
    in-interface=bridge-guest log=yes log-prefix="DNS Gast" protocol=udp \
    src-address=10.10.10.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=1723 in-interface=lte1 log=yes protocol=\
    tcp
add action=accept chain=input comment="Allow TCP to Kassa for GUEST" \
    dst-address=192.168.0.95 dst-port=5100 protocol=tcp src-address-list=\
    "Guest Users"
add action=accept chain=input comment="Allow UDP to Kassa for GUEST" \
    dst-address=192.168.0.95 dst-port=5100 protocol=udp src-address-list=\
    "Guest Users"
add action=drop chain=input comment="Block Guest Router Ports" dst-address=\
    10.10.10.1 dst-port=80,21,22,23,8291 protocol=tcp src-address-list=\
    "Guest Users"
add action=drop chain=input comment="Block Guest to Intern" dst-address=\
    192.168.0.0/24 src-address-list="Guest Users"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=reject chain=forward comment="Block Internet" log-prefix=\
    "Block Internet" reject-with=icmp-network-unreachable src-address-list=\
    "Block Internet"
add action=reject chain=forward comment="Block Internet Guest" log-prefix=\
    "Block Internet Guest" reject-with=icmp-network-unreachable \
    src-address-list="Block Internet Guest"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "FORWARD: skip fasttrack for traffic from guest network" connection-state=\
    established,related log-prefix=rolle12 src-address=10.10.10.0/24
add action=accept chain=forward comment=\
    "FORWARD: skip fasttrack for traffic from guest network" connection-state=\
    established,related dst-address=10.10.10.0/24 log-prefix=rolle12
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related log-prefix=rolle12
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked log-prefix=rolle13
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-ttl chain=postrouting comment=\
    "Maske f\EF\BF\BDr Subnetze zu Drei" disabled=yes new-ttl=set:65 \
    out-interface=lte1 passthrough=yes
add action=mark-connection chain=forward new-connection-mark=all-conn \
    passthrough=yes
add action=mark-packet chain=forward connection-mark=all-conn dst-address-list=\
    "Guest Users" new-packet-mark=guest-dw-pk passthrough=no
add action=mark-packet chain=forward connection-mark=all-conn new-packet-mark=\
    guest-up-pk passthrough=no src-address-list="Guest Users"
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=dst-nat chain=dstnat comment="Forward f\FCr CAM Alt" disabled=yes \
    dst-port=80 in-interface=lte1 log-prefix=alex2 protocol=tcp to-addresses=\
    192.168.0.150 to-ports=8080
add action=dst-nat chain=dstnat comment="Forward f\FCr CAM alt" disabled=yes \
    dst-port=80 in-interface=lte1 log-prefix=alex3 protocol=udp to-addresses=\
    192.168.0.150 to-ports=8080
add action=dst-nat chain=dstnat in-interface=lte1 protocol=gre to-addresses=\
    192.168.1.246
add action=dst-nat chain=dstnat comment="weiterleitung f\FCr ptpp neu" \
    dst-port=1723 in-interface=lte1 protocol=tcp to-addresses=192.168.1.246 \
    to-ports=1723
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.10.10.0/24
2. Manages the local LAN / hotspot. There is also a firewall on it; it should be the main FW, in case the internet router gets changed.
When I disable the rule "drop all not coming from LAN", PPTP works; when it is active, it blocks it.
/ip firewall address-list
add address=192.168.0.200-192.168.0.254 list="Block Internet"
add address=192.168.10.1-192.168.15.250 list="Block Local"
add address=10.10.10.2-10.10.10.254 list="Guest Users"
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked log-prefix=Internet
add action=accept chain=input comment="DNS GAST" dst-port=53 in-interface=bridge-guest log=yes log-prefix="DNS Gast" protocol=udp src-address=10.10.10.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow TCP to Kassa for GUEST" dst-address=192.168.0.95 dst-port=5100 protocol=tcp src-address-list="Guest Users"
add action=accept chain=input comment="Allow UDP to Kassa for GUEST" disabled=yes dst-address=192.168.0.95 dst-port=80,8080 protocol=udp src-address-list=\
    "Guest Users"
add action=drop chain=input comment="Block Guest Router Ports" dst-address=10.10.10.1 dst-port=80,21,22,23,8291 protocol=tcp src-address-list="Guest Users"
add action=drop chain=input comment="Block Guest to Intern" dst-address=192.168.0.0/24 src-address-list="Guest Users"
add action=accept chain=input connection-nat-state="" in-interface-list=WAN protocol=tcp src-port=1723
add action=accept chain=input connection-nat-state="" in-interface-list=WAN protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=Outside
add action=reject chain=forward comment="Block Internet" disabled=yes reject-with=icmp-network-unreachable src-address-list="Block Internet"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="FORWARD: skip fasttrack for traffic from guest network" connection-state=established,related src-address=10.10.10.0/24
add action=accept chain=forward comment="FORWARD: skip fasttrack for traffic from guest network" connection-state=established,related dst-address=10.10.10.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.10.10.0/24
Updated code number 2.
Best regards and thanks for the help
Last edited by Loskrochn on Mon Feb 14, 2022 11:53 am, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: PPTP Forwarding from Mikrotik to Mikrotik

Wed Feb 02, 2022 12:45 am

For start, you posted same config twice.
 
Loskrochn
just joined
Topic Author
Posts: 21
Joined: Wed Dec 11, 2019 11:28 am

Re: PPTP Forwarding from Mikrotik to Mikrotik

Mon Feb 14, 2022 11:54 am

For start, you posted same config twice.
I have copied the right one now, sorry.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: PPTP Forwarding from Mikrotik to Mikrotik  [SOLVED]

Wed Feb 16, 2022 3:51 am

You have accept rule with wrong src-port=1723 instead of correct dst-port=1723.
 
Loskrochn
just joined
Topic Author
Posts: 21
Joined: Wed Dec 11, 2019 11:28 am

Re: PPTP Forwarding from Mikrotik to Mikrotik

Thu Feb 17, 2022 7:07 pm

You have accept rule with wrong src-port=1723 instead of correct dst-port=1723.
Thank you, it works :-)

For my understanding: does src port mean WAN to internet and dst port mean internet to WAN?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: PPTP Forwarding from Mikrotik to Mikrotik

Thu Feb 17, 2022 7:17 pm

Every connection has source and destination address and also source and destination port. For example, if you browse internet from PC with 192.168.88.100 and web browser connects to this forum, there's connection from 192.168.88.100:23456 to 159.148.147.239:443 (where 23456 is random port that's different for each connection). On router, you can match initial packet of this connection with src-port=23456 and dst-port=443. Response packets from server to client will match src-port=443 dst-port=23456.
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: PPTP Forwarding from Mikrotik to Mikrotik

Thu Feb 17, 2022 7:39 pm

For my understanding: does src port mean WAN to internet and dst port mean internet to WAN?
Not exactly. Your example may fit within a certain configuration but that would be coincidence and not a rule. To give you the concept idea...........

Source Port is like Source IP
Destination Port is like Destination IP

As Sob noted, we use such things to MATCH rules to traffic for many things, address lists, firewall rules, routes etc......

Destination ----> Where the traffic is headed TO ( RECIPIENT OF TRAFFIC )
Source ----> Where the traffic is coming FROM. ( SOURCE OF TRAFFIC )

For example, if you have a VPN SERVER on your router then to establish that VPN Tunnel an external user has to connect to your ROUTER
Why the ROUTER? Because the VPN service is provided by the ROUTER and thus this is traffic to the ROUTER.

NEED at a minimum two facts!
First the user is given the WANIP of your Router (or perhaps an URL - dyndns name) to reach the WANIP of your router.
What other argument does the user use to reach your VPN service?
Second, the user knows that the Port required for that VPN service is 1723.

So we have both a destination IP (or a way to reach it) and a destination port for that user.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

You the admin have to setup the Router to accept this traffic.
SO you use the INPUT Chain as that is the chain for traffic TO the router itself.
Let's say you don't know the IPs of incoming users, so the only fact you know is that they have a destination port of 1723, hence all that is required is........
add action=accept chain=input dst-port=1723 protocol=tcp (the protocol is also usually known)

IF for example you knew the user coming in, which would be the source IP of that user, and thus only allow access to that one user (a good idea).....
add action=accept chain=input dst-port=1723 protocol=tcp src-address=publicIPofUser

IF for example you had a group of authorized users (Better) that should use the vpn service and limit access only to this group
add action=accept chain=input dst-port=1723 protocol=tcp src-address-list=authorizedVPN

where the firewall address list is as follows:
/ip firewall address-list
add address=publicIP-user1 list=authorizedVPN
add address=publicIP-user2 list=authorizedVPN
add address=mynetname-user3 list=authorizedVPN
add address=dyndnsnoIP-user4 list=authorizedVPN
etc...

The above examples don't use source port because those are often randomly assigned by devices and thus we cannot necessarily match on that.
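The point made by Sob and 404Network above (a client's initial packet carries a random src-port and the service's dst-port; the reply swaps them) is what makes the original src-port=1723 input rule fall through to the "drop all not coming from LAN" rule. The following toy matcher is an added example, not RouterOS code or anything from this thread's posters; the rule dicts, the packet fields and the addresses are constructed.

```python
"""Toy model of first-match firewall chain evaluation, constructed to show
why an input rule with src-port=1723 never matches an incoming PPTP client
while the same rule with dst-port=1723 does.  Not RouterOS code."""

def matches(rule, pkt):
    """True when every matcher in the rule equals the packet's field.
    A value prefixed with '!' negates, like in-interface-list=!LAN."""
    for key, want in rule.items():
        if key in ("action", "comment"):
            continue
        have = pkt.get(key)
        if isinstance(want, str) and want.startswith("!"):
            if have == want[1:]:
                return False
        elif have != want:
            return False
    return True

def first_match(chain, pkt):
    """Return (action, comment) of the first matching rule; an empty tail
    of the chain accepts, as a RouterOS filter chain does."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain"

# Constructed input chain in the shape the thread starter posted: the PPTP
# rule matches on src-port, followed by the default "drop all not from LAN".
DROP_NOT_LAN = {"action": "drop", "in-interface-list": "!LAN",
                "comment": "defconf: drop all not coming from LAN"}
INPUT_AS_POSTED = [
    {"action": "accept", "in-interface-list": "WAN", "protocol": "tcp",
     "src-port": 1723, "comment": "PPTP, wrong matcher"},
    DROP_NOT_LAN,
]
# Same chain with the fix: match the port the client connects TO.
INPUT_FIXED = [
    {"action": "accept", "in-interface-list": "WAN", "protocol": "tcp",
     "dst-port": 1723, "comment": "PPTP, dst-port"},
    DROP_NOT_LAN,
]

# Constructed packet: a PPTP client's first SYN arriving on the WAN side.
# The client picks a random source port; 1723 is the destination port.
PPTP_SYN = {"in-interface-list": "WAN", "protocol": "tcp",
            "src-address": "203.0.113.7", "src-port": 51234,
            "dst-address": "198.51.100.1", "dst-port": 1723}

def reply_to(pkt):
    """Server's response: addresses and ports swap, so only now is 1723 the
    src-port (Sob's 443/23456 example).  Interface field is left untouched."""
    return dict(pkt, **{"src-address": pkt["dst-address"], "src-port": pkt["dst-port"],
                        "dst-address": pkt["src-address"], "dst-port": pkt["src-port"]})

if __name__ == "__main__":
    print("as posted:", first_match(INPUT_AS_POSTED, PPTP_SYN))  # drop
    print("fixed:    ", first_match(INPUT_FIXED, PPTP_SYN))      # accept
```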
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: PPTP Forwarding from Mikrotik to Mikrotik

Thu Feb 17, 2022 7:52 pm

But why PPTP ?
 
Loskrochn
just joined
Topic Author
Posts: 21
Joined: Wed Dec 11, 2019 11:28 am

Re: PPTP Forwarding from Mikrotik to Mikrotik

Sat Feb 19, 2022 12:18 pm

Thanks for explaining.

PPTP is quite simple for me; do you have a better idea?

Thx for the reply
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: PPTP Forwarding from Mikrotik to Mikrotik

Sat Feb 19, 2022 1:29 pm

PPTP is quite simple for me

A length of twine makes a nice and simple seatbelt. That doesn’t make it a good seatbelt, though.

PPTP is horribly insecure.

do you have a better idea?

Any of the other common VPN technologies frequently discussed here would be better.

L2TP + IPsec is the most similar, but it’s vastly overcomplicated in the main case. It has a few advantages: lots of client OSes can speak it out of the box, and there’s a quickset option in RouterOS for setting up a basic configuration.

OpenVPN is simpler, but it’s transported over TCP by default, which leads to the TCP meltdown problem. There’s an option to use UDP instead, but then you give up some of OpenVPN’s advantages, such as strict firewall transit.

If you can use RouterOS 7.1, the WireGuard feature is easier to configure than OpenVPN over TCP while not suffering from TCP meltdown. Its simplicity tends to avoid the need for TLS smuggling games to get through strict firewalls. Its biggest problem is NAT traversal in the case where both endpoints are behind NAT, but if you’re successfully using PPTP today, you don't have that problem.

ZeroTier (also in ROS 7) is a bit more complicated, but it’s more powerful. It has a better NAT traversal story than WG as implemented in RouterOS. (Contrast Tailscale, which solves this for WG, but isn’t in ROS.) It only works on ARM hardware, though.

If those four options don’t suffice, I’d actually recommend SOCKS/port forwarding over SSH as a poor man’s VPN rather than go more exotic. It's very simple to set up, and it’s as secure as your passphrase/key, provided you avoid basic pitfalls like use of outdated crypto. It isn’t a full-strength VPN, but that may not matter in your case.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: PPTP Forwarding from Mikrotik to Mikrotik

Sat Feb 19, 2022 1:51 pm

Where does SSTP fit in this list?
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: PPTP Forwarding from Mikrotik to Mikrotik

Sat Feb 19, 2022 2:06 pm

Where does SSTP fit in this list?

The original version of SSTP is based on the now-obsolete SSL 3.0 protocol. If you must use clients that can only speak this flavor of SSTP or ones configured in such a way that they can be downgraded to SSL 3.0, SSTP is ipso facto subject to the POODLE attack. This is why SSL is now deprecated in all major web browsers and crypto libraries.

If your SSTP server is a MikroTik router, you can fix this by setting "tls-version=only-1.2" on the sstp-server interface. If it's a Windows server instead, the method differs. Regardless, requiring modern TLS compromises one of SSTP's major advantages: broad support on Windows clients. SSTP is included with all in-support versions of Windows, plus the latest two out-of-support versions (Vista and 7) besides, but the older ones can't speak modern TLS, so they wouldn't connect to a VPN server that's properly tightened-down. I haven't tried it, but I'd guess you only get out-of-the-box support for TLS 1.2 and newer in Windows 10 and up.

Essentially the same limitation applies to OpenVPN, except that because it's not included in stock OS builds, you get the benefit that installing a fresh client means you get up-to-date crypto, so as long as you keep your server updated, it becomes a non-problem in practice.

SSTP isn't shipped in the stock build of any other OS I know of, including the major mobile OSes, so if you're going to have to add third-party software to get a VPN, it might as well be one speaking a modern open standard: WireGuard, ZeroTier, or OpenVPN.

Finally, SSTP is subject to the TCP meltdown problem while lacking an option to run over UDP to fix it, as you get in OpenVPN.

Bottom line, I can't recommend new SSTP deployments in 2022, and I'd recommend getting existing ones off it ASAP.
