jabbc
just joined
Topic Author
Posts: 5
Joined: Tue May 19, 2020 10:19 pm

CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Wed May 20, 2020 5:50 pm

Hello,

I'm new to Mikrotik and I'm using a CCR1036-12G-4S v6.45.6 to provide internet services to a few home users.

2 users have difficulty establishing VPN connections from their Sophos client (on PC) at home to their Sophos firewall server at the office.

I'm using pppoe to connect multiple users on my Mikrotik NAS which connects to my core router where my ISP connects to. Users can browse fine just these 2 users can't connect to their Sophos VPN servers. They can however, connect to their servers using other mobile networks as hotspot.

I thought since I was providing a transparent internet service to the clients I'm basically a pipe through the internet for them and shouldn't interrupt their protocols just as I don't interrupt their browsing.

I read online about opening ports 50, 51, 1701, 1723, 500, 4500, which I have done, but the complaint still persists.

Please what can I do to resolve this?

I'll appreciate your help. Thanks.
 
anav
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Wed May 20, 2020 7:21 pm

Very strange, I would have thought no changes were needed to even default firewall rules on a hex, in terms of PC clients going out what is internet traffic to a server.
Suggest maybe you have a firewall rule blocking it??
 
jabbc
just joined
Topic Author
Posts: 5
Joined: Tue May 19, 2020 10:19 pm

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Wed May 20, 2020 7:29 pm

Also found it strange when the first complaint came in. Dismissed it until the second request came in from another user in another location trying to connect to a sophos server.

The only firewall rules I had were for NAT and blocking port 25. The client claims they are trying to connect over port 500 for IKE connections, hence my reason for deliberately opening the earlier-said ports.

Still no luck
 
ingdaka
Trainer
Posts: 452
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Wed May 20, 2020 8:39 pm

Please check PPPoE server profile for TCP MSS which option is checked
 
jabbc
just joined
Topic Author
Posts: 5
Joined: Tue May 19, 2020 10:19 pm

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Fri May 22, 2020 11:52 pm

TCP MSS is on default option.
 
jabbc
just joined
Topic Author
Posts: 5
Joined: Tue May 19, 2020 10:19 pm

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Sun May 24, 2020 10:16 pm

Tested with the client and discovered that connections to the Sophos server complete on another IP address going through my core router directly, i.e., bypassing the Mikrotik router.

Changed the IP address on the Mikrotik but it is still the same situation.

So something is blocking the pppoe clients coming through the Mikrotik router (before going out through the core router) from connecting using the NAT IP address on the Mikrotik router.

What could possibly be wrong (knowing everything else seems to be fine apart from this sophos vpn connection)?

Could it be an IP blacklist?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Sun May 24, 2020 10:43 pm

First of all, could it be that those two clients are using L2TP or PPTP, both connect to the same VPN server, and you NAT both of them to the same public IP address? If so, it cannot work due to the NAT, as in both cases the server to which they connect is unable to distinguish the connections from one another. The thing is that
  • GRE used by PPTP has no notion of ports, so the only differentiator of one connection from the other is the IP addresses, and since both the IP of the server and the public IP you assign to the clients' connections are identical for both connections, not only is the server unable to distinguish the two GRE connections from one another, but the NAT handling on your machine also cannot let more than one such GRE tunnel through, as it would be unable to forward the packets from the server to the client for the same reason.
  • L2TP/IPsec uses UDP, so your NAT serves each connection with a different port at your public IP, but if both clients are the Microsoft Windows embedded ones, both use the same port at their side in the L2TP payload encrypted inside the IPsec transport packet, and L2TP uses transport rather than tunnel mode of encapsulation, so the original IP headers of the payload packets are not transported. So although the transport packets arrive at the server from different ports on your public IP, after unpacking they still bear your public IP as source but the original client-side port, which is the same for both.
So for both cases there is no other solution at your level but to use several public IPs to serve these types of VPN (one per each client of any given server). To make things worse, even if you do have multiple public IPs available, there is no embedded functionality which would automatically choose a different public address for these connections - if you restrict the to-ports to a single value and you do have a range in to-addresses, the second connection is not let through rather than getting another address from the range. So you need a script which tracks this type of connection and modifies the rule.
If you only have a single IP address, the clients have to change the VPN type to some other one supported by Sophos. Bare IPsec in tunnel mode and OpenVPN have no problem with multiple clients behind the same NAT.
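As an added illustration of the NAT argument in the post above (this is example code written for this page, not anything from sindy's post, MikroTik or Sophos), the following Python model keeps a minimal NAT translation table and shows the three cases: two PPTP/GRE tunnels to one server cannot be kept apart on the return path, two Windows-style L2TP/IPsec clients land on the server with the same (public IP, port 1701) tunnel key after the IPsec transport-mode wrapper is stripped, while plain UDP such as OpenVPN gets a distinct public port per client. All addresses, the port-allocation policy and the client list are constructed for the example.

```python
"""Model of NAT behaviour for PPTP (GRE), L2TP/IPsec and plain UDP.

Added example for this thread; not RouterOS code. Addresses are from the
documentation ranges (TEST-NET) and the NAT port policy is invented.
"""
from dataclasses import dataclass, field

GRE = 47            # IP protocol number; GRE carries no port fields
UDP = 17
L2TP_PORT = 1701    # UDP port the Windows L2TP client uses on its own side
IPSEC_NAT_T = 4500  # UDP port of the IPsec NAT-T transport packets

CLIENTS = ["10.0.0.2", "10.0.0.3"]  # two PPPoE users behind one NAT (constructed)
SERVER = "198.51.100.5"             # one VPN server (constructed)
PUBLIC_IP = "203.0.113.10"          # the NAT's single public address (constructed)


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    # (proto, src_ip, src_port, dst_ip, dst_port) -> (public_ip, public_port)
    table: dict = field(default_factory=dict)

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the outside (ip, port) for a flow, creating a mapping.

        Raises LookupError when a second GRE flow to the same server would
        need a mapping the NAT cannot tell apart on the way back.
        """
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key in self.table:
            return self.table[key]
        if proto == GRE:
            # GRE has no ports: return packets from the server carry only
            # (server_ip -> public_ip), identical for every inside host.
            for (p, s_ip, _, d_ip, _) in self.table:
                if p == GRE and d_ip == dst_ip and s_ip != src_ip:
                    raise LookupError(f"GRE to {dst_ip} already mapped for {s_ip}")
            outside = (self.public_ip, None)
        else:
            outside = (self.public_ip, self.next_port)
            self.next_port += 1
        self.table[key] = outside
        return outside


def pptp_through_nat(nat, clients, server_ip):
    """Per-client outcome of opening a PPTP (GRE) tunnel to one server."""
    results = []
    for cip in clients:
        try:
            nat.translate(GRE, cip, None, server_ip, None)
            results.append("ok")
        except LookupError:
            results.append("blocked")
    return results


def l2tp_server_view(nat, clients, server_ip):
    """Tunnel keys the L2TP server sees after stripping IPsec transport mode.

    The NAT rewrites only the outer UDP/4500 header. The L2TP UDP header is
    inside the encrypted ESP payload, and transport mode keeps the (already
    translated) outer IP header, so the server keys the tunnel on
    (public_ip, 1701) for every Windows client behind this NAT.
    """
    seen = {}
    for cip in clients:
        outer_ip, _outer_port = nat.translate(UDP, cip, IPSEC_NAT_T, server_ip, IPSEC_NAT_T)
        seen.setdefault((outer_ip, L2TP_PORT), []).append(cip)
    return seen


def udp_through_nat(nat, clients, server_ip, port):
    """Plain UDP (e.g. OpenVPN) gets a distinct public port per client."""
    outside = {nat.translate(UDP, cip, port, server_ip, port) for cip in clients}
    return len(outside) == len(clients)


def demo():
    nat = Nat(PUBLIC_IP)
    l2tp = l2tp_server_view(nat, CLIENTS, SERVER)
    return {
        "pptp": pptp_through_nat(nat, CLIENTS, SERVER),
        "l2tp_collision": any(len(v) > 1 for v in l2tp.values()),
        "udp_distinct": udp_through_nat(nat, CLIENTS, SERVER, 1194),
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` result is `{'pptp': ['ok', 'blocked'], 'l2tp_collision': True, 'udp_distinct': True}`: the second GRE tunnel is refused at the NAT, both L2TP clients collapse onto one server-side key, and only the UDP case keeps the two clients apart with a single public IP, which is the post's reason for recommending a second public address per client or a different VPN type.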
 
jabbc
just joined
Topic Author
Posts: 5
Joined: Tue May 19, 2020 10:19 pm

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Wed May 27, 2020 6:01 pm

Thanks Sindy.

Both clients are actually connecting to different sophos servers in different offices.

Error message received is "THE IKE.UDP PORT SEEMS TO BE BLOCKED".

Trace to their respective server IP addresses shows the packet going way past my network before dropping for both cases. Clients are using the Sophos VPN client to log on.

What I'm trying to understand is whether there is something I should be doing on my Mikrotik to allow their traffic through my network, as using a different IP address at the client's end other than the NAT address allowed a successful connection. But if a client comes through my pppoe router he gets blocked from the Sophos VPN.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Wed May 27, 2020 8:56 pm

I suppose what fails many hops from your Mikrotik is a traceroute from that Mikrotik itself, correct? If so, I can see two possibilities:
  • a traceroute from anywhere stops at that point, this sometimes happens if forwarding of ICMP is disabled there
  • your public IP is blacklisted by the administrators of those firewalls. Possibly, some unrelated customer of yours has an infected device (or more) which spams the world, and due to this your public IP has been added to some publicly used blacklists, which has an impact on all your customers. So you have to talk to the admins of those Sophos firewalls to check this variant.
