Page 1 of 1

Can't ping any devices on Lan on the pptp client from the pptp server side

Posted: Thu Sep 19, 2019 9:11 pm
by chris1906
Hello everyone.

So I am experiencing an issue with the pptp VPN
For some reason I can't ping any of my devices that is on Lan on the pptp client from the pptp server side.

I can ping all devices on Lan from pptp client to the pptp server. It is almost like my routing is swopped around.

I have made firewall rules to accept VPN connections and have done my routing accordingly to spec.

Can anybody perhaps assist me or maybe point me into the right direction as to what could be causing this? Thanks

Re: Can't ping any devices on Lan on the pptp client from the pptp server side

Posted: Thu Sep 19, 2019 11:44 pm
by chris1906
here are my configs

/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf fast-forward=no \
name=bridge
/interface pptp-server
add name=Advcom user=xxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge name=2GHZ ssid=xxxx wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
5GHZ ssid=Home wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add enc-algorithm=aes-256,aes-128,3des name=profile1
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.253
add name=VPN ranges=10.0.0.1,10.0.0.254
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
bridge lease-time=1d name=defconf
/ppp profile
add local-address=dhcp name=VPN remote-address=VPN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2GHZ
add bridge=bridge comment=defconf interface=5GHZ
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Advcom list=VPN
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=VPN enabled=yes \
max-mru=1400 max-mtu=1400
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2 network=\
192.168.100.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.100.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="accept vpn" in-interface-list=VPN
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NVR NAT RULE" disabled=yes dst-port=\
80,6036,554,443 in-interface=ether1 protocol=tcp to-addresses=\
192.168.100.150
add action=masquerade chain=srcnat comment="VPN MASK" out-interface-list=VPN
add action=masquerade chain=srcnat out-interface=Advcom src-address=\
192.168.100.0/24
/ip firewall service-port
set ftp ports=70
/ip route
add distance=1 gateway=169.1.254.1
add comment="VPN ACCESS ROUTE" distance=1 dst-address=192.168.1.0/24 gateway=\
10.0.0.1
add distance=1 dst-address=192.168.100.0/24 gateway=169.1.254.1
/ip service
set telnet port=90
set ftp port=43
set ssh port=68
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*4
/ppp secret
add local-address=192.168.100.1 name=admin profile=VPN remote-address=10.0.0.1 \
service=pptp
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Turnberry
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: Can't ping any devices on Lan on the pptp client from the pptp server side

Posted: Sat Sep 21, 2019 6:07 pm
by chris1906
Anybody out there that can assist me?

Re: Can't ping any devices on Lan on the pptp client from the pptp server side

Posted: Sat Sep 21, 2019 6:51 pm
by nithinkumar2000
here are my configs

/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf fast-forward=no \
name=bridge
/interface pptp-server
add name=Advcom user=xxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge name=2GHZ ssid=xxxx wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
5GHZ ssid=Home wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add enc-algorithm=aes-256,aes-128,3des name=profile1
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.253
add name=VPN ranges=10.0.0.1,10.0.0.254
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
bridge lease-time=1d name=defconf
/ppp profile
add local-address=dhcp name=VPN remote-address=VPN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2GHZ
add bridge=bridge comment=defconf interface=5GHZ
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Advcom list=VPN
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=VPN enabled=yes \
max-mru=1400 max-mtu=1400
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2 network=\
192.168.100.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.100.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="accept vpn" in-interface-list=VPN
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NVR NAT RULE" disabled=yes dst-port=\
80,6036,554,443 in-interface=ether1 protocol=tcp to-addresses=\
192.168.100.150
add action=masquerade chain=srcnat comment="VPN MASK" out-interface-list=VPN
add action=masquerade chain=srcnat out-interface=Advcom src-address=\
192.168.100.0/24
/ip firewall service-port
set ftp ports=70
/ip route
add distance=1 gateway=169.1.254.1
add comment="VPN ACCESS ROUTE" distance=1 dst-address=192.168.1.0/24 gateway=\
10.0.0.1
add distance=1 dst-address=192.168.100.0/24 gateway=169.1.254.1
/ip service
set telnet port=90
set ftp port=43
set ssh port=68
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*4
/ppp secret
add local-address=192.168.100.1 name=admin profile=VPN remote-address=10.0.0.1 \
service=pptp
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Turnberry
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Hi,

Please check the IP Mentioned by you in /ppp secret and IP Address of LAN are in different subnets.

Hope this helps!!!

Re: Can't ping any devices on Lan on the pptp client from the pptp server side

Posted: Sat Sep 21, 2019 11:47 pm
by chris1906
Hi there

Yes they are. Lan is 192.168.100. 0
And remote is 10.0.0.0

Re: Can't ping any devices on Lan on the pptp client from the pptp server side

Posted: Sun Sep 22, 2019 2:20 pm
by nithinkumar2000
Hi there

Yes they are. Lan is 192.168.100. 0
And remote is 10.0.0.0
Please add a static route and try. i hope this may solve the issue...