bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Route for traffic coming from pptp

Sun Jul 25, 2021 1:16 am

Hello everyone,

I have 2 PPTP sites, and I am trying to allow connections from Site 1 to Site 2 through MikroTik.
The connection flows in the right direction and reaches Site 2, but the reply arrives at the router and fails to go through the right gateway.

S1 has a route with routing mark.
I'm not 100% sure how packets flow, but it seems the reply packets only pass through "mangle forward" and "mangle postrouting".
They do not pass through "mangle prerouting", and as such I am unable to add the right routing mark to make traffic go into the PPTP interface instead of 0.0.0.0/0 route.

Any tip on how to solve this one?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Route for traffic coming from pptp

Sun Jul 25, 2021 1:28 am

It is hard if you do not:
draw a schema with the necessary data on it,
provide the relevant sections of the /export hide-sensitive from the 3 devices.
 
bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: Route for traffic coming from pptp

Sun Jul 25, 2021 12:15 pm

Yeah, I was trying to avoid pasting too much code, but it's inevitable...

Basically, these are the configs of the router in Site 0 (.1.0/24), which is a PPTP server for Site 1 (.2.0/24) and a PPTP client of Site 2 (.0.0/24).

My issue at the moment is that ping from Site 1 to Site 2 is not working.
Traffic reaches Site 2 correctly, but the reply reaches the main router in Site 0, where it is not correctly route-marked to reach Site 1 again. It just leaves through the default 0.0.0.0/0 route.

/interface bridge
add name=bridge-internet
add admin-mac=E4:8D:8C:79:DC:EA arp=proxy-arp auto-mac=no comment=defconf name=bridge-local
add admin-mac=E4:8D:8C:79:DC:E9 auto-mac=no name=bridge1 protocol-mode=none

/interface pptp-server
add name=pptp-in_SITE1 user=pptp-SITE1

/interface pptp-client
add allow=mschap2 connect-to=PPTPSITE2.net disabled=no keepalive-timeout=disabled name=pptp-SITE2 profile=profile-pptpSITE2 user=site2user

/ip address
add address=192.168.1.250/24 comment=defconf interface=bridge-local network=192.168.1.0

/ip firewall filter
add action=accept chain=forward comment="IKEv2 FastTrack Bypass - If you have IP/Fasttrack enabled, packet bypasses IPsec policies" src-address=192.168.200.0/24
add action=accept chain=forward dst-address=192.168.200.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="Drop Blacklisted" src-address-list=Blacklist
add action=drop chain=forward src-address-list=Blacklist
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="PPTP Server" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="OpenVPN Server" dst-port=1194 in-interface=bridge-internet protocol=tcp
add action=accept chain=input comment="IKEv2 Server" dst-port=500 in-interface=bridge-internet protocol=udp
add action=accept chain=input in-interface=bridge-internet protocol=ipsec-esp
add action=accept chain=input in-interface=bridge-internet protocol=ipsec-ah
add action=accept chain=input dst-port=4500 in-interface=bridge-internet protocol=udp
add action=accept chain=input dst-port=1701 in-interface=bridge-internet protocol=udp
add action=accept chain=input in-interface=bridge-internet ipsec-policy=in,ipsec src-address=192.168.200.0/24
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=bridge1
add action=drop chain=input in-interface=bridge-internet
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=bridge1
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=bridge-internet

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU" new-mss=clamp-to-pmtu out-interface=bridge-local passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=8159-65535
add action=change-mss chain=forward in-interface=bridge-local new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=8159-65535
add action=mark-connection chain=prerouting comment="Mark so FastTrack won't break PPTP connections (FastTrack will bypass Firewall and Mangle)" in-interface=pptp-in_SITE1 \
    new-connection-mark=conn-mark_pptp passthrough=yes
add action=mark-connection chain=prerouting comment="Mark so FastTrack won't break PPTP connections (FastTrack will bypass Firewall and Mangle)" in-interface=pptp-SITE2 new-connection-mark=\
    conn-mark_pptp passthrough=yes
add action=mark-connection chain=forward new-connection-mark=conn-mark_pptp out-interface=pptp-in_SITE1 passthrough=yes
add action=mark-connection chain=forward new-connection-mark=conn-mark_pptp out-interface=pptp-SITE2 passthrough=yes
add action=mark-routing chain=prerouting comment="Mark route on IKEv2 to SITE1" dst-address=192.168.2.0/24 new-routing-mark=pptp-SITE1 passthrough=no src-address=192.168.200.199
add action=mark-routing chain=prerouting comment="Mark route on Allowed to SITE1" dst-address=192.168.2.0/24 new-routing-mark=pptp-SITE1 passthrough=yes src-address-list=\
    allowed_SITE1
add action=mark-routing chain=output comment="Mark route on Router itself to SITE1" dst-address=192.168.2.0/24 new-routing-mark=pptp-SITE1 passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.200.199
add action=masquerade chain=srcnat dst-address=192.168.7.0/24 src-address=192.168.200.199
add action=accept chain=srcnat comment="IKEv2 NAT Bypass" src-address=192.168.200.0/24
add action=masquerade chain=srcnat comment="Rule for HairPin NAT" disabled=yes dst-address=192.168.0.0/24 out-interface=bridge1 protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 out-interface=bridge-local protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Masquerade for SITE2" out-interface=pptp-SITE2
add action=src-nat chain=srcnat comment="srcnat for SITE1 - https://forum.mikrotik.com/viewtopic.php\?f=2&t=174112" out-interface=pptp-in_apartamento src-address-type=local to-addresses=\
    192.168.1.250
add action=masquerade chain=srcnat out-interface=bridge-internet

/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=pptp-in_SITE1 routing-mark=pptp-SITE1
add distance=1 dst-address=192.168.0.224/27 gateway=pptp-SITE2

bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: Route for traffic coming from pptp

Mon Jul 26, 2021 10:46 pm

I'm still trying to unravel this one...
It seems like a simple problem of a forwarding packet that is missing the right route-mark.

How should I address it? Do I need to connection-mark the first traffic, then catch the reply traffic and route-mark it onto the right route back?
I'm trying this one, but I'm not able to catch any reply traffic by connection-mark, not sure why...

Any tip?

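The connection-mark approach the last post asks about, written out as an added example that is not part of the thread: it reuses the interface names, subnets and the pptp-SITE1 routing table from the export above, while the mark name conn-from-site1 is made up here.

```routeros
# Added example (not from the thread). Goal: replies to connections that
# Site 1 opens towards Site 2 must leave through pptp-in_SITE1, not the
# 0.0.0.0/0 route. Interface names, subnets and the pptp-SITE1 routing
# table come from the export above; "conn-from-site1" is a made-up mark.
/ip firewall mangle

# 1. First packet of a Site 1 -> Site 2 connection, arriving on the PPTP
#    server interface. connection-mark=no-mark makes this a one-shot mark:
#    later packets of the same connection are already marked and skip it.
add chain=prerouting connection-mark=no-mark in-interface=pptp-in_SITE1 \
    dst-address=192.168.0.224/27 action=mark-connection \
    new-connection-mark=conn-from-site1 passthrough=yes

# 2. The reply comes back in on pptp-SITE2 and does pass mangle prerouting,
#    but at that point the masquerade applied on the way out has not been
#    reversed yet, so its dst-address is still the router's own tunnel
#    address. Match by connection-mark rather than dst-address and give the
#    packet the routing mark, so the 192.168.2.0/24 route via pptp-in_SITE1
#    in table pptp-SITE1 is used after the NAT reversal.
add chain=prerouting in-interface=pptp-SITE2 \
    connection-mark=conn-from-site1 action=mark-routing \
    new-routing-mark=pptp-SITE1 passthrough=no

# 3. The four existing mark-connection rules (conn-mark_pptp) match every
#    packet on the PPTP interfaces and would overwrite conn-from-site1.
#    Give them the same no-mark guard so they only mark unmarked
#    connections, and keep the two rules above ahead of them.
set [find new-connection-mark=conn-mark_pptp] connection-mark=no-mark
move [find new-connection-mark=conn-from-site1] destination=0
move [find new-routing-mark=pptp-SITE1 in-interface=pptp-SITE2] destination=1

# The defconf fasttrack rule only matches connection-mark=no-mark, so the
# marked connection stays out of FastTrack and keeps hitting mangle.
```

Verify with /ip firewall connection print where connection-mark=conn-from-site1 while pinging from Site 1: if the entry shows no mark, the connection was created before the rules existed or another rule re-marked it.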