turkel
just joined
Topic Author
Posts: 7
Joined: Tue Dec 29, 2020 10:33 pm

VPN Issue

Fri May 13, 2022 2:23 pm

Hello,

It is about 2 days I am struggling to connect my Mikrotik 3011 to VPN at office. I am able to connect and use local IPs of office easily with my android phone but not with mikrotik :((( I am a total noob so please help.

My PPTP status shows connected but I can't access local IPs of Office. Office router which is DD-WRT shows client connection.
Mikrotik network gateway is 192.168.1.1
Office DD-WRT network gateway is 192.168.2.1

Please see my Mikrotik configuration below:
# may/13/2022 15:18:05 by RouterOS 6.48
# software id = LF55-EEJP
#
# model = RB3011UiAS
# serial number = jhjh
/interface bridge
add admin-mac=C4:AD:34:2F:gg:69 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    service-name=Ultel use-peer-dns=yes user=091289898
/interface pptp-client
add add-default-route=yes allow=mschap2 connect-to=famv.tk disabled=no \
    name=pptp-ev1 user=turkel
/caps-man configuration
add datapath.bridge=bridge mode=ap name=CAPs security.authentication-types=\
    wpa2-psk security.encryption=aes-ccm ssid=TurkelNet
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.200-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=192.168.1.1 local-address=192.168.89.1 \
    remote-address=vpn use-encryption=required
/system logging action
set 0 memory-lines=10000
set 1 disk-file-count=4 disk-lines-per-file=10000
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=CAPs
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=93.111.111.19 interface=pppoe-out1 network=81.11.11.113
/ip arp
add address=192.168.1.10 interface=bridge mac-address=D0:27:88:AD:D7:03
add address=192.168.1.11 interface=bridge mac-address=92:DF:E8:DB:2A:B8
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.10 client-id=\
    ff:88:ad:d7:3:0:1:0:1:27:80:ca:ec:d0:27:88:ad:d7:3 mac-address=\
    D0:27:88:AD:D7:03 server=defconf
add address=192.168.1.11 client-id=\
    ff:e8:db:2a:b8:0:1:0:1:25:a4:a8:95:92:df:e8:db:2a:b8 mac-address=\
    92:DF:E8:DB:2A:B8 server=defconf
add address=192.168.1.82 client-id=\
    ff:28:1c:a:dc:0:1:0:1:27:81:ae:8b:26:6a:28:1c:a:dc mac-address=\
    26:6A:28:1C:0A:DC server=defconf
add address=192.168.1.30 client-id=\
    ff:3e:4d:b9:42:0:1:0:1:27:81:ae:81:7a:41:6c:f3:a0:3d mac-address=\
    FA:EC:3E:4D:B9:42 server=defconf
add address=192.168.1.72 mac-address=E0:61:B2:33:EC:7E server=defconf
add address=192.168.1.71 mac-address=E0:61:B2:33:E7:22 server=defconf
add address=192.168.1.80 client-id=\
    ff:51:94:af:a1:0:1:0:1:27:8c:b2:a4:3a:c0:51:94:af:a1 mac-address=\
    3A:C0:51:94:AF:A1 server=defconf
add address=192.168.1.50 mac-address=76:47:A0:BF:B8:97 server=defconf
add address=192.168.1.81 client-id=\
    ff:65:81:73:7b:0:1:0:1:27:a9:85:d3:9a:d5:65:81:73:7b mac-address=\
    9A:D5:65:81:73:7B server=defconf
add address=192.168.1.20 client-id=\
    ff:c4:ff:ee:e3:0:1:0:1:27:af:4:8b:aa:7f:c4:ff:ee:e3 mac-address=\
    AA:7F:C4:FF:EE:E3 server=defconf
add address=192.168.1.250 client-id=1:e8:2a:44:db:c0:f7 mac-address=\
    E8:2A:44:DB:C0:F7 server=defconf
add address=192.168.1.70 client-id=1:28:57:be:89:41:be mac-address=\
    28:57:BE:89:41:BE server=defconf
add address=192.168.1.60 client-id=\
    ff:99:4b:e8:e2:0:1:0:1:27:8c:b2:a4:3a:c0:51:94:af:a1 mac-address=\
    46:65:99:4B:E8:E2 server=defconf
add address=192.168.1.83 client-id=\
    ff:a6:dd:3b:2a:0:1:0:1:27:8c:b2:a4:3a:c0:51:94:af:a1 mac-address=\
    7E:52:A6:DD:3B:2A server=defconf
add address=192.168.1.21 client-id=\
    ff:8e:2b:6c:2a:0:1:0:1:27:8c:b2:a4:3a:c0:51:94:af:a1 mac-address=\
    62:F7:8E:2B:6C:2A server=defconf
add address=192.168.1.90 client-id=\
    ff:c1:82:5c:1c:0:1:0:1:2a:f:79:b3:c2:f9:c1:82:5c:1c mac-address=\
    C2:F9:C1:82:5C:1C server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# no interface
add action=accept chain=input dst-port=80,8291 in-interface=*F00024 protocol=\
    tcp
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.11 dst-port=80,443 \
    out-interface-list=LAN protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=93.111.111.19 dst-port=80,443 \
    protocol=tcp to-addresses=192.168.1.11
add action=src-nat chain=srcnat src-address=192.168.1.50 to-addresses=\
    81.21.95.114
add action=src-nat chain=srcnat src-address=192.168.1.11 to-addresses=\
    93.111.111.19
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=93.111.111.19 dst-port=2345 \
    protocol=tcp to-addresses=192.168.1.238 to-ports=5432
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat dst-address=93.111.111.19 dst-port=500 \
    protocol=tcp to-addresses=192.168.1.1 to-ports=500
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=pptp-ev1 routing-mark=pptp-ev1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/lcd
set color-scheme=light default-screen=stats-all
/ppp secret
add name=vpn
/system clock
set time-zone-name=Asia
/system identity
set name=TNet
/system package update
set channel=development
/system scheduler
add interval=1d name=Reboot on-event="system reboot" policy=reboot \
    start-date=jan/03/2021 start-time=06:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Regards
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN Issue

Sat May 14, 2022 8:11 pm

You have set add-default-route=yes at both the PPPoE client interface (WAN) and the PPTP client interface (VPN), and you haven't specified default-route-distance for either, so both have the default distance value of 1 and thus it is random which one of them becomes active when both interfaces are up. Since there's no dedicated route towards the PPTP server, if the default route via PPTP won, the tunnel would keep coming up and dropping, as its transport and control packets would be routed back into it. Since you don't mention that happening, the default route via PPPoE probably wins in your case, but this unpredictable setup is wrong in general, so I'd suggest setting add-default-route to no for the PPTP client.

Second, which is probably the actual cause of your trouble - you have created a default route via the PPTP interface in routing table pptp-ev1, but there is neither any /ip firewall mangle rule nor any /ip route rule that would assign the corresponding routing-mark value, so this route is never used by any traffic. So depending on which traffic you want to send into the tunnel, you have to choose the right way to assign a routing-mark to it: /ip route rule is compatible with fasttracking but has limited matching capabilities (in-interface, source prefix, destination prefix), whereas /ip firewall mangle rule can match on address lists, interface lists, protocols, ports, protocol fields, but it is not compatible with fasttracking, so you have to either exempt the traffic that needs to be mangled from getting fasttracked or disable fasttracking completely.
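The two points above, written out as RouterOS 6 commands. This is an added example, not something posted in the thread; it assumes the office LAN behind the DD-WRT box is 192.168.2.0/24 (the gateway 192.168.2.1 is given in the question) and reuses the interface name pptp-ev1 and the routing table pptp-ev1 exactly as they appear in the posted export.

```routeros
# Added example (not from the thread). Assumes RouterOS 6.x (the export
# says 6.48), office LAN = 192.168.2.0/24, and the names pptp-ev1 /
# pppoe-out1 / routing-mark pptp-ev1 from the posted export.

# 1. Only the PPPoE uplink should install a default route. With
#    add-default-route=yes on both interfaces at distance 1, which one
#    becomes active is arbitrary.
/interface pptp-client set [ find name=pptp-ev1 ] add-default-route=no

# 2a. Route-rule approach (works alongside fasttrack): packets for the
#     office LAN are looked up only in table pptp-ev1, where the export
#     already holds "add distance=1 gateway=pptp-ev1 routing-mark=pptp-ev1".
#     lookup-only-in-table means that if the tunnel is down the traffic is
#     dropped instead of leaking out via pppoe-out1.
/ip route rule add dst-address=192.168.2.0/24 action=lookup-only-in-table \
    table=pptp-ev1 comment="office LAN via PPTP"

# 2b. Mangle approach (use INSTEAD of 2a, not in addition): richer
#     matching, but fasttracked connections bypass mangle, so the office
#     traffic must first be excluded from the defconf fasttrack rule.
# /ip firewall filter set [ find comment="defconf: fasttrack" ] \
#     dst-address=!192.168.2.0/24
# /ip firewall mangle add chain=prerouting src-address=192.168.1.0/24 \
#     dst-address=192.168.2.0/24 action=mark-routing \
#     new-routing-mark=pptp-ev1 passthrough=no comment="office LAN via PPTP"

# Checks: the marked table contains the tunnel route, the rule is present,
# and a packet sourced from the LAN gateway now leaves via pptp-ev1.
/ip route print where routing-mark=pptp-ev1
/ip route rule print
/tool traceroute 192.168.2.1 src-address=192.168.1.1
```

The unconditional "/ip firewall nat add action=masquerade chain=srcnat" rule at the end of the export already source-NATs traffic leaving through pptp-ev1 to the tunnel's own address, so the DD-WRT side needs no return route for 192.168.1.0/24 once the routing-mark is actually assigned.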
