samotoka
Frequent Visitor
Topic Author
Posts: 88
Joined: Fri Aug 18, 2006 2:18 pm
Location: Hot Water Beach, New Zealand

MikroTik VPN and M$ Windows Networking - Step by Step - How to

Thu Oct 05, 2006 5:06 pm

Hi ...
follow this
1. I have MT 2.9.x
2. I have a PPTP user who can log in with user name and password successfully
3. After logging in via VPN, Windows file sharing doesn't work
4. Please give a manual on how to do this
5. I need /ip firewall filter rules for PPTP for M$ Windows Networking
6. I need /ip firewall nat rules for PPTP for M$ Windows Networking
7. If I use the default gateway for the PPTP user it is OK, but I don't

Image

8. m0n0wall's VPN can do this easily
Last edited by samotoka on Thu Oct 05, 2006 5:16 pm, edited 1 time in total.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Oct 05, 2006 5:10 pm

You will find a PPTP configuration example between a MikroTik PPTP server and a Windows client here:
http://www.mikrotik.com/docs/ros/2.9/interface/pptp
PPTP uses TCP port 1723 and protocol 47 (GRE) traffic; the firewall should not drop that traffic.
A special helper exists for PPTP traffic over NAT in MikroTik RouterOS; to enable it:
'ip firewall service-port set pptp disabled=no'.
 
samotoka
Frequent Visitor
Topic Author
Posts: 88
Joined: Fri Aug 18, 2006 2:18 pm
Location: Hot Water Beach, New Zealand

Thu Oct 05, 2006 5:23 pm

Image
 
cabana
Frequent Visitor
Posts: 71
Joined: Fri Feb 18, 2005 9:18 pm

Thu Oct 05, 2006 6:22 pm

Post the config from your router.
 
samotoka
Frequent Visitor
Topic Author
Posts: 88
Joined: Fri Aug 18, 2006 2:18 pm
Location: Hot Water Beach, New Zealand

Thu Oct 05, 2006 6:39 pm

Terminal vt102 detected, using multiline input mode
[admin@RouTer] > interface
[admin@RouTer] interface> pr
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500
2 R pptp-in1 pptp-in 0 0 1400
3 pptp-in2 pptp-in 0 0
[admin@RouTer] interface> /



[admin@RouTer] > ip firewall filter
[admin@RouTer] ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NETBIOS block
chain=forward protocol=tcp dst-port=135 action=drop

1 ;;; To deny acces to the router via Telnet (protocol TCP, port 23), type >
following command:
chain=input protocol=tcp dst-port=23 action=drop

2 X ;;; To only allow not more than 5 simultaneous connections from each of t>
clients, do the following:
chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32
action=drop

3 ;;; Drop Invalid connections
chain=input connection-state=invalid action=drop

4 ;;; Allow Established connections
chain=input connection-state=established action=accept

5 ;;; Allow UDP
chain=input protocol=udp action=accept

6 ;;; Allow ICMP
chain=input protocol=icmp action=accept

7 ;;; Allow access to router from known network
chain=input src-address=192.168.1.0/24 action=accept

8 ;;; Drop anything else
chain=input action=drop

9 ;;; drop invalid connections
chain=forward protocol=tcp connection-state=invalid action=drop

10 ;;; allow already established connections
chain=forward connection-state=established action=accept

11 ;;; allow related connections
chain=forward connection-state=related action=accept

12 chain=forward src-address=0.0.0.0/8 action=drop

13 chain=forward dst-address=0.0.0.0/8 action=drop

14 chain=forward src-address=127.0.0.0/8 action=drop

15 chain=forward dst-address=127.0.0.0/8 action=drop

16 chain=forward src-address=224.0.0.0/3 action=drop

17 chain=forward dst-address=224.0.0.0/3 action=drop

18 chain=forward protocol=tcp action=jump jump-target=tcp

19 chain=forward protocol=udp action=jump jump-target=udp

20 chain=forward protocol=icmp action=jump jump-target=icmp

21 ;;; deny TFTP
chain=tcp protocol=tcp dst-port=69 action=drop

22 ;;; deny RPC portmapper
chain=tcp protocol=tcp dst-port=111 action=drop

23 ;;; deny RPC portmapper
chain=tcp protocol=tcp dst-port=135 action=drop

24 ;;; deny NBT
chain=tcp protocol=tcp dst-port=137-139 action=drop

25 ;;; deny cifs
chain=tcp protocol=tcp dst-port=445 action=drop

26 ;;; deny NFS
chain=tcp protocol=tcp dst-port=2049 action=drop

27 ;;; deny NetBus
chain=tcp protocol=tcp dst-port=12345-12346 action=drop

28 ;;; deny NetBus
chain=tcp protocol=tcp dst-port=20034 action=drop

29 ;;; deny BackOriffice
chain=tcp protocol=tcp dst-port=3133 action=drop

30 ;;; deny DHCP
chain=tcp protocol=tcp dst-port=67-68 action=drop

31 ;;; deny TFTP
chain=udp protocol=udp dst-port=69 action=drop

32 ;;; deny PRC portmapper
chain=udp protocol=udp dst-port=111 action=drop

33 ;;; deny PRC portmapper
chain=udp protocol=udp dst-port=135 action=drop

34 ;;; deny NBT
chain=udp protocol=udp dst-port=137-139 action=drop

35 ;;; deny NFS
chain=udp protocol=udp dst-port=2049 action=drop

36 ;;; deny BackOriffice
chain=udp protocol=udp dst-port=3133 action=drop

37 ;;; drop invalid connections
chain=icmp protocol=icmp icmp-options=0:0 action=accept

38 ;;; allow established connections
chain=icmp protocol=icmp icmp-options=3:0 action=accept

39 ;;; allow already established connections
chain=icmp protocol=icmp icmp-options=3:1 action=accept

40 ;;; allow source quench
chain=icmp protocol=icmp icmp-options=4:0 action=accept

41 ;;; allow echo request
chain=icmp protocol=icmp icmp-options=8:0 action=accept

42 ;;; allow time exceed
chain=icmp protocol=icmp icmp-options=11:0 action=accept

43 ;;; allow parameter bad
chain=icmp protocol=icmp icmp-options=12:0 action=accept

44 ;;; deny all other types
chain=icmp action=drop

45 chain=input in-interface=pptp-in1 action=accept

46 chain=output out-interface=pptp-in1 action=accept

47 chain=input src-address=192.168.1.0/24 action=accept

[admin@RouTer] ip firewall filter>



[admin@RouTer] > ip firewall nat
[admin@RouTer] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=ether2 action=masquerade

1 chain=dstnat in-interface=ether2 dst-address=62.x.x.x protocol=tcp
dst-port=0-65535 action=dst-nat to-addresses=192.168.1.10
to-ports=0-65535

2 chain=dstnat in-interface=ether2 dst-address=62.x.x.x protocol=udp
dst-port=0-65535 action=dst-nat to-addresses=192.168.1.10
to-ports=0-65535

3 chain=dstnat in-interface=ether2 dst-address=62.x.x.x protocol=gre
dst-port=0-65535 action=dst-nat to-addresses=192.168.1.10
to-ports=0-65535

4 chain=dstnat in-interface=pptp-in1 src-address=192.168.1.0/24
action=dst-nat to-addresses=192.168.1.10 to-ports=0-65535

5 chain=srcnat out-interface=pptp-in1 src-address=192.168.1.0/24
action=src-nat to-addresses=62.x.x.x to-ports=0-65535
[admin@RouTer] ip firewall nat>
 
normis
MikroTik Support
Posts: 26354
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Oct 06, 2006 9:53 am

This definitely looks like a Windows issue :) What does the router have to do with sharing permissions????
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Fri Oct 06, 2006 2:23 pm

Everything works on Linux for me using pptpconfig, where you can set whatever settings you wish. And as I said, everything happens on the client's side... so, Windows to go.
 
samotoka
Frequent Visitor
Topic Author
Posts: 88
Joined: Fri Aug 18, 2006 2:18 pm
Location: Hot Water Beach, New Zealand

Fri Oct 06, 2006 2:46 pm

m0n0wall does it like this -> see the pic

Image
 
samotoka
Frequent Visitor
Topic Author
Posts: 88
Joined: Fri Aug 18, 2006 2:18 pm
Location: Hot Water Beach, New Zealand

Tue Oct 10, 2006 12:58 pm

Come on, pals

I need M$ Windows Networking via MikroTik VPN

Give some advice!!!
 
normis
MikroTik Support
Posts: 26354
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Tue Oct 10, 2006 1:16 pm

Don't you have to do some kind of EoIP to transparently interconnect your networks?

http://www.mikrotik.com/docs/ros/2.9/interface/eoip
 
samotoka
Frequent Visitor
Topic Author
Posts: 88
Joined: Fri Aug 18, 2006 2:18 pm
Location: Hot Water Beach, New Zealand

Tue Oct 10, 2006 1:39 pm

I'll try this and I will tell you what happens
 
samotoka
Frequent Visitor
Topic Author
Posts: 88
Joined: Fri Aug 18, 2006 2:18 pm
Location: Hot Water Beach, New Zealand

Tue Oct 10, 2006 3:34 pm

I have a network
172.16.43.0/24<->MT ip 85.x.x.x<->internet<->RemoteOffice ip 192.168.1.52
Now I must connect to a PC \\172.16.43.3\c$ using the M$ VPN (PPTP) from 192.168.1.52

Come on, give a simple solution
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Oct 10, 2006 3:55 pm

MikroTik PPTP-server<--->Windows PPTP-client; a PPTP server configuration example is here:
http://www.mikrotik.com/docs/ros/2.9/in ... t#5.29.6.2

Set the appropriate configuration on the Windows PC and connect to 85.x.x.x; it should work fine.
 
samotoka
Frequent Visitor
Topic Author
Posts: 88
Joined: Fri Aug 18, 2006 2:18 pm
Location: Hot Water Beach, New Zealand

Tue Oct 10, 2006 4:44 pm

It's WORKING ....

/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid \
connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow \
Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input action=accept comment="Allow access to router from known \
network - change on 10 10 2006" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop \
comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow \
already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow \
related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" \
disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" \
disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" \
disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" \
disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC \
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC \
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" \
disabled=yes
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" \
disabled=yes
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" \
disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny \
NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" \
disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny \
BackOriffice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" \
disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" \
disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC \
portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC \
portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" \
disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" \
disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny \
BackOriffice" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop \
invalid connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow \
established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow \
already established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow \
source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow \
echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow \
time exceed" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow \
parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=forward protocol=tcp dst-port=135 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=23 action=drop comment="To deny acces to \
the router via Telnet \(protocol TCP, port 23\), type the following \
command:" disabled=no
add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop \
comment="To only allow not more than 5 simultaneous connections from each \
of the clients, do the following:" disabled=yes
add chain=forward src-address=172.16.43.4 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.5 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.6 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.7 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.8 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.9 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.10 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.11 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.12 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.13 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.14 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.15 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.16 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.0/24 dst-address=87.120.40.151 \
protocol=tcp dst-port=80 action=drop comment="online radio block" \
disabled=no
add chain=tcp in-interface=pptp-in1 protocol=tcp dst-port=137-139 \
action=passthrough comment="deny NBT - mod1" disabled=no
add chain=tcp in-interface=pptp-in1 protocol=tcp dst-port=445 \
action=passthrough comment="deny cifs - mod2" disabled=no
add chain=tcp in-interface="pppoe-out1 - netsurf" protocol=tcp \
dst-port=137-139 action=drop comment="deny NBT - mod3" disabled=no
add chain=tcp in-interface="pppoe-out1 - netsurf" protocol=tcp dst-port=445 \
action=drop comment="deny cifs - mod4" disabled=no




/ ip firewall nat
add chain=srcnat out-interface="pppoe-out1" action=masquerade \
comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x \
protocol=tcp dst-port=0-49999 action=dst-nat to-addresses=172.16.43.1 \
to-ports=0-49999 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x \
protocol=icmp dst-port=0-65535 action=dst-nat to-addresses=172.16.43.1 \
to-ports=0-65535 comment="ping via WAN enabled" disabled=no
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x \
protocol=gre dst-port=0-65535 action=dst-nat to-addresses=172.16.43.1 \
to-ports=0-65535 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x \
protocol=udp dst-port=515-65535 action=dst-nat to-addresses=172.16.43.1 \
to-ports=515-65535 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=igmp dst-port=0-65535 action=dst-nat to-addresses=172.16.43.1 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat out-interface="pppoe-out1" \
src-address=172.16.43.0/24 protocol=igmp action=masquerade comment="" \
disabled=no
add chain=dstnat in-interface="pppoe-out1" src-address=62.x.x.x \
dst-address=85.x.x.x protocol=udp dst-port=514 action=dst-nat \
to-addresses=172.x.x.x to-ports=514 comment="syslog via 62.x.x.x \
to 172.x.x.x" disabled=no
add chain=dstnat dst-address=10.0.0.217 protocol=tcp dst-port=80 \
action=dst-nat to-addresses=192.168.0.4 to-ports=0-65535 comment="example \
port forwarding" disabled=yes
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=tcp dst-port=50000 action=dst-nat to-addresses=172.x.x.x \
to-ports=50000 comment="torrents port forwarding - tcp port 50000 for \
172.x.x.x" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=udp dst-port=50000 action=dst-nat to-addresses=172.x.x.x \
to-ports=50000 comment="torrents port forwarding - udp port 50000 for \
172.x.x.x" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=tcp dst-port=50001 action=dst-nat to-addresses=172.x.x.x \
to-ports=50001 comment="torrents port forwarding - TCP port 50000 for \
172.x.x.x" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=udp dst-port=50001 action=dst-nat to-addresses=172.x.x.x \
to-ports=50001 comment="torrents port forwarding - UDP port 50000 for \
172.x.x.x" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=tcp dst-port=50002-65535 action=dst-nat to-addresses=172.16.43.1 \
to-ports=50002-65535 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=udp dst-port=0-513 action=dst-nat to-addresses=172.16.43.1 \
to-ports=0-513 comment="" disabled=no
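The two configurations in this thread differ in a way that is easy to miss by eye: the Oct 5 rule set jumps every forwarded TCP packet into a "tcp" chain that drops ports 137-139 and 445 regardless of interface, so SMB from the pptp-in1 client never reaches the LAN, while the Oct 10 export disables those two drops and re-adds them only for the pppoe-out1 WAN interface. The script below is an added example, not part of this thread and not RouterOS code. It parses RouterOS-style "add key=value" export lines and traces which rule decides a packet's fate, modelling only the matchers the posted rules use (chain, protocol, dst-port, in-interface, src-address, connection-state) and the actions accept, drop, jump and passthrough, with the RouterOS behaviour that a chain which runs out of rules returns to its caller and a built-in chain which runs out accepts. The BEFORE and AFTER rule sets are constructed from the two posted configurations, trimmed to the rules relevant to file sharing and to the input-chain check for TCP/1723 and GRE that sergejs's first answer calls for; the sample source addresses are constructed.

```python
"""Trace which /ip firewall filter rule decides a packet's fate (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    protocol: str
    dst_port: int = 0                 # 0 for protocols without ports (gre)
    in_interface: str = ""
    src_address: str = "0.0.0.0"
    connection_state: str = "new"


def parse_rule(line: str) -> dict:
    """Turn one 'add key=value ...' export line into a dict of matchers."""
    tokens = shlex.split(line)          # honours quoted comments and interface names
    assert tokens[0] == "add", line
    rule = dict(tok.split("=", 1) for tok in tokens[1:])
    if "dst-port" in rule:              # "445" or "137-139" -> inclusive (lo, hi)
        lo, _, hi = rule["dst-port"].partition("-")
        rule["dst-port"] = (int(lo), int(hi or lo))
    return rule


def matches(rule: dict, pkt: Packet) -> bool:
    """Every matcher present in the rule must agree with the packet."""
    if "protocol" in rule and rule["protocol"] != pkt.protocol:
        return False
    if "dst-port" in rule and not (rule["dst-port"][0] <= pkt.dst_port <= rule["dst-port"][1]):
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt.in_interface:
        return False
    if "src-address" in rule and ipaddress.ip_address(pkt.src_address) not in \
            ipaddress.ip_network(rule["src-address"], strict=False):
        return False
    if "connection-state" in rule and rule["connection-state"] != pkt.connection_state:
        return False
    return True


def walk(rules, chain: str, pkt: Packet, depth: int = 0) -> Optional[Tuple[str, dict]]:
    """First terminal (accept/drop) match in `chain`, or None if the chain falls through."""
    if depth > 8:
        raise RecursionError("jump loop in chain %r" % chain)
    for rule in rules:
        if rule["chain"] != chain or rule.get("disabled") == "yes" or not matches(rule, pkt):
            continue
        if rule["action"] in ("accept", "drop"):
            return rule["action"], rule
        if rule["action"] == "jump":
            hit = walk(rules, rule["jump-target"], pkt, depth + 1)
            if hit:
                return hit
        # passthrough, or a jump whose target fell through: continue with the next rule
    return None


def trace(export: str, pkt: Packet, chain: str = "forward") -> Tuple[str, str]:
    """Return (verdict, comment of the deciding rule) for `pkt` entering `chain`."""
    rules = [parse_rule(l) for l in export.strip().splitlines() if l.strip()]
    hit = walk(rules, chain, pkt)
    if hit is None:
        return "accept", "(built-in chain exhausted: default accept)"
    return hit[0], hit[1].get("comment", "")


# Constructed from the Oct 5 'print' output: interface-agnostic drops in the tcp/udp chains.
BEFORE = """
add chain=input protocol=udp action=accept comment="Allow UDP"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.1.0/24 action=accept comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=input in-interface=pptp-in1 action=accept
"""

# Constructed from the Oct 10 export: generic drops disabled, WAN-only drops added.
AFTER = """
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=yes
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=yes
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=tcp in-interface=pptp-in1 protocol=tcp dst-port=445 action=passthrough comment="deny cifs - mod2"
add chain=tcp in-interface="pppoe-out1 - netsurf" protocol=tcp dst-port=445 action=drop comment="deny cifs - mod4"
"""

if __name__ == "__main__":
    smb_from_vpn = Packet("tcp", 445, "pptp-in1", "192.168.1.52")      # constructed client address
    print("before, SMB from VPN client:  ", trace(BEFORE, smb_from_vpn))
    print("after,  SMB from VPN client:  ", trace(AFTER, smb_from_vpn))
    print("after,  SMB from the WAN:     ", trace(AFTER, Packet("tcp", 445, "pppoe-out1 - netsurf", "203.0.113.5")))
    print("after,  NetBIOS/UDP from VPN: ", trace(AFTER, Packet("udp", 138, "pptp-in1", "192.168.1.52")))
    print("before, PPTP control to router:", trace(BEFORE, Packet("tcp", 1723, "ether2", "203.0.113.5"), "input"))
    print("before, GRE to router:         ", trace(BEFORE, Packet("gre", 0, "ether2", "203.0.113.5"), "input"))
```

Two things the trace makes visible that the raw listings do not. First, in the Oct 10 export the UDP "deny NBT" rule is still enabled, so NetBIOS name and datagram traffic (UDP 137-139) from the VPN client is still dropped even though TCP/445 now passes; that is consistent with the CIFS-over-TCP connection to \\172.16.43.3\c$ working while browsing by NetBIOS name would not. Second, taken on their own, the Oct 5 input rules end with "Drop anything else" before the "in-interface=pptp-in1 accept" rule, so a new TCP/1723 or GRE connection from an unknown address to the router itself is dropped by the earlier rule and the later accept is never reached, which is exactly the check sergejs's first answer asks for.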
