DejanAgain
just joined
Topic Author
Posts: 10
Joined: Fri May 10, 2019 12:01 am

Problem with PPTP

Sun Nov 20, 2022 10:29 pm

Hi,

I am getting lost about what I am doing wrong, and any hint would be welcome.

My setup is not common; I have the following interfaces:

WAN1 (slower connection with a public IP)
WAN2 (faster connection, but cannot have a public IP). This is the default gateway.
LAN

For WAN1 incoming connections to LAN machines, I am marking the connection in the forward chain from interface WAN1 and after that, in the prerouting chain, marking routing back to WAN1, and this is working OK.

For PPTP I have tried everything and it is just not working; I tried marking in the input chain as well ... it is just not connecting.

Filter rules for GRE and port 1723 are OK. For testing purposes I have disabled WAN2 (so WAN1 becomes the default gateway) and this is working, but if I enable WAN2 it just cannot route back to WAN1.

Does anyone have an idea what I am doing wrong? I guess the problem is that I cannot filter on the interface; probably I need something more, and maybe the chain is wrong because the connections land on the router (this is not forwarding), but I finally got tired of this for today :)

Thank you in advance,
Dejan
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with PPTP

Sun Nov 20, 2022 11:42 pm

Connection marking is correct in mangle chain prerouting, both for incoming connections that are port-forwarded to LAN hosts and for incoming connections to the router itself. However, for connections to the router itself, the translation of connection-mark to routing-mark must be done in mangle chain output.

But for incoming connections to the router itself, it is enough to use an /ip route rule matching on src-address=ip.of.wan.1 to choose the routing table via WAN1.
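The two approaches described in this answer, written out as an added RouterOS v6-syntax example (this is not sindy's or MikroTik's own configuration). The interface names WAN1/WAN2/LAN, the WAN1 gateway 203.0.113.1 and the router's WAN1 address 203.0.113.10 are assumed placeholders.

```routeros
# Added example (RouterOS v6 syntax): send replies for connections that arrived
# via WAN1 back out of WAN1, even though WAN2 is the default gateway.
# Assumed placeholders: WAN1 address 203.0.113.10/32, WAN1 gateway 203.0.113.1.

/ip firewall mangle
# 1. Mark every new connection arriving on WAN1, whether it is port-forwarded
#    to a LAN host or terminates on the router (PPTP 1723/GRE, L2TP/IPsec).
add chain=prerouting in-interface=WAN1 connection-state=new \
    action=mark-connection new-connection-mark=from-wan1 passthrough=yes \
    comment="mark connections arriving on WAN1"

# 2a. Port-forwarded connections: the LAN host's replies pass through the
#     router, so the routing mark is applied in prerouting.
add chain=prerouting in-interface=LAN connection-mark=from-wan1 \
    action=mark-routing new-routing-mark=via-wan1 passthrough=no \
    comment="replies from LAN hosts for WAN1 connections"

# 2b. Connections to the router itself: the router's own replies never pass
#     through prerouting or forward, so the routing mark goes in chain output.
add chain=output connection-mark=from-wan1 \
    action=mark-routing new-routing-mark=via-wan1 passthrough=no \
    comment="router's own replies for WAN1 connections"

# 3. Routing table selected by the mark: a default route via the WAN1 gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-wan1 \
    comment="table used for traffic marked via-wan1"

# Alternative to 2b for router-terminated traffic: a route rule keyed on the
# source address, which for the router's own replies is its WAN1 address.
/ip route rule
add src-address=203.0.113.10/32 action=lookup-only-in-table table=via-wan1 \
    comment="router's own packets sourced from the WAN1 address use WAN1"
```

On RouterOS v7 the table must first be created with /routing table add name=via-wan1 fib, the route uses routing-table=via-wan1 instead of routing-mark, and the route rule lives under /routing rule.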
 
DejanAgain
just joined
Topic Author
Posts: 10
Joined: Fri May 10, 2019 12:01 am

Re: Problem with PPTP

Mon Nov 21, 2022 3:07 am

Thank you for the tip, now this is working.

PPTP was my attempt to simplify the process and avoid other possible problems; the idea is to work with L2TP/IPsec, and the behaviour is the same: if I disable the other WAN so that the public-IP WAN is the default gateway, everything works OK.

With the output chain and a few other details I had ruined in the testing process, this is now working fine.

Just to clarify and to improve the configuration:

I do not see any traffic on protocols 50 and 115 (ipsec-esp and l2tp); everything is on UDP.
500 and 4500 have traffic both in input and output.
Filter (input) does have 1701, but mangle (input) does not have any 1701 packets. There is 1701 in output.

One last question then:
I do not need to try to catch protocols 50 and 115 and change their route?
I do not need to get 1701 in input?

Thank you in advance,
Dejan
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with PPTP

Mon Nov 21, 2022 3:46 pm

You do need to permit input traffic to udp port 1701, but maybe it works because there is a rule action=accept ipsec-policy=in,ipsec that permits everything that came as IPsec payload.

You have to permit ESP (IP protocol 50) if your Mikrotik listens on a public address itself and at least one client has a public IP address directly on itself too. In that case, IPsec negotiates use of bare ESP for the security associations; if there is NAT anywhere between the client and the server, ESP gets encapsulated into UDP (originally from 4500 to 4500, NAT can change that).

You don't need to permit IP protocol 115 because that's L2TPv3 which is a different protocol than the plain L2TP that is used for L2TP/IPsec.

If there is a chance that multiple L2TP clients could be connecting from behind the same public IP, read this.
