Community discussions

MUM Europe 2020
 
ZiadZone
just joined
Topic Author
Posts: 21
Joined: Tue Aug 27, 2019 10:37 am

(pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Mon Sep 23, 2019 4:36 am

Hello guys i will jump a head to my secanrio

It's very easy to create pptp-client interface in a mikrotik facing the ISP, because it looks for the default gateway in route table with distance=1 and connect normally .. so clear

==========

what if i have another mikrotik behind the gateway mikrotik just like this scenario

APs--> switch --> (Mikrotik_A) --> (Mikrotik_B where i have pptp-client connected and working) --> ISP

i wan't to move pptp-client to mikrotik_A

APs--> switch --> (Mikrotik_A with pptp-client) --> (Mikrotik_B) --> ISP

=========

the problem is pptp-client in Mikrotik_A is not able to reach the ISP interface because Mikrotik_A is behind Mikrotik_B which is facing the ISP
how can i make pptp-client in Mikrotik_A see the ISP so to make it connected ?!
 
Zacharias
Forum Guru
Forum Guru
Posts: 1086
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Mon Sep 23, 2019 8:55 am

I ve done it in the past, forward pptp ports, tcp 1723 on your second router and make sure gre47 is not blocked by firewall.
 
ZiadZone
just joined
Topic Author
Posts: 21
Joined: Tue Aug 27, 2019 10:37 am

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Mon Sep 23, 2019 8:58 pm

I ve done it in the past, forward pptp ports, tcp 1723 on your second router and make sure gre47 is not blocked by firewall.
thank for the reply Zacharias .. ok so by forwarding 1723 i have to add nat rule that forward port to Mikrotik_A .. is that correct ?
and for gre yes it's enabled on input chain on both routers just before the invalid drop chain
 
Zacharias
Forum Guru
Forum Guru
Posts: 1086
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Mon Sep 23, 2019 9:03 pm

Yes... give it a try and let me know
 
ZiadZone
just joined
Topic Author
Posts: 21
Joined: Tue Aug 27, 2019 10:37 am

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Mon Sep 23, 2019 9:08 pm

Sure.. i will inform you with the result thanks again
 
zakynthoswifi
Frequent Visitor
Frequent Visitor
Posts: 74
Joined: Thu Jul 17, 2014 12:38 am
Location: Zakynthos
Contact:

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Tue Sep 24, 2019 11:37 am

Please DO NOT use pptp. Is very unsafe protocol. Personally I was getting a very big ammount of fake connections per day from random attackers.
Instead use SSTP!
Ilias Theodosis
Network & Security Engineer
Cisco CCNA,CCNP,CCIE
Network Solutions Ltd.
Zakynthos, Greece
 
Zacharias
Forum Guru
Forum Guru
Posts: 1086
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Tue Sep 24, 2019 1:17 pm

He asked if its possible... ofcorse pptp is not safe at all but that's something different.
 
ZiadZone
just joined
Topic Author
Posts: 21
Joined: Tue Aug 27, 2019 10:37 am

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Tue Oct 22, 2019 9:22 am

thank you both zakynthoswifi Zacharias for comments, sorry for late reply
i waited to get a new RB951 which will be dedicated for vpn traffic only
and yes i know PPTP is not encrypted and vulnerable but it's easy to configure and setup without the need for client configuration
and it's only used for internet traffic, my ISP is blocking pubg and Instagram, so pptp is doing well to bypass the blocking

just one last question
since i have a router for only vpn use
i have one isp line configured as pppoe-client interface and one pptp-client interface
how to make all traffic goes through pptp tunnel

i couldn't make this work unless by adding those mangle rules:
/ip firewall mangle add chain=prerouting in-interface=lan action=mark-connection new-connection-mark=vpnconn
/ip firewall mangle add chain=prerouting in-interface=lan connection-mark=vpnconn action=mark-routing new-routing-mark=tovpn

then in route table
/ip route add gateway=pptp-client routing-mark=tovpn

Is there a way to route all traffic through pptp without the need for mangle table use?
 
Zacharias
Forum Guru
Forum Guru
Posts: 1086
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Tue Oct 22, 2019 3:48 pm

In your pptp client check the add default route and set priority higher than your PPPoE client...

Masquerade your out interface wich is the pptp interface...

Test it and let me know....
 
Van9018
Long time Member
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Wed Oct 23, 2019 9:11 am

so by forwarding 1723 i have to add nat rule that forward port to Mikrotik_A .. is that correct ?
and for gre yes it's enabled on input chain on both routers just before the invalid drop chain
I don't think that's correct... If your Mikrotik A is the PPTP-Client then I don't think you need any port forwarding or firewall rules because Mikrotik A is creating an outbound connection. If mikrotik A is a PPTP-Server then you'd need forwarding and input firewall rules.

If you want all your traffic to go through the PPTP client then yes, you'd need to create a route. However, I'm not sure what happens when the route becomes active. Will the Mikrotik A try and route the VPN tunnel over itself? You may have to create 2 mangle rules that says:
1. "when the packets are outbound (meaning they originate from Mikrotik A ) and are IP Protocol GRE 47, mark the packet with DONTROUTE
2. "when the packets are outbound and are IP Protocol TCP 6 with Port 1723, mark the packet with DONTROUTE

Finally, create yet another route that applies to packets with a routing-mark of DONTROUTE, then route it through Mikrotik B.

Does that make sense?
 
PaulGreeff
just joined
Posts: 8
Joined: Tue Oct 15, 2019 12:26 pm

Re: (pptp-client) in a mikrotik behind another gateway mikrotik .. is that possible?

Wed Oct 23, 2019 11:49 am

The PPTP client does not need any port forwarding as it is initiating the connection. This is not the same as IPSec which initiates connections from both ends.

There are three steps necessary to make this work.
1. Create a route out via Mikrotik B with the destination of your ISPs PPTP-server IP. This is to ensure you don't end up trying to route your PPTP connection down the PPTP tunnel.
2. Create the PPTP client interface and make sure add default route is in place, assuming you want to route all traffic out via the PPTP interface. As a precaution you can also have a default route to the Internet via Mikrotik B with a weight of 2 in case the PPTP is down. So if the PPTP interface is up, it will route via PPTP
3. Add a Masquerade rule for traffic exiting via the PPTP interface.

This should be all that is required to make this work.

Who is online

Users browsing this forum: MSN [Bot] and 83 guests