Charlie86
newbie
Topic Author
Posts: 26
Joined: Thu Apr 05, 2018 6:54 pm

VPN PPTP

Thu Jul 05, 2018 9:36 pm

Hi,

I successfully set up a VPN server on the RB951. I can connect from another network but cannot access the internet because of a DNS problem. I can ping 8.8.8.8 but not google.com.

For reference, I used this tutorial:

https://www.bgocloud.com/knowledgebase/ ... erver.html

For DNS I tried setting 8.8.8.8 and 8.8.4.4, and also 192.168.178.1.

I also have my own DNS server on the RB951 and a NAT rule to force users to use DNS 192.168.178.1, but it is not accessible from the WAN.

If someone can help me, I will be more than thankful.

Here is the FW output:
/ip firewall filter
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="DNS udp Barbados" dst-port=53 protocol=udp src-address=192.168.25.0/24
add action=accept chain=input comment="DNS tcp Barbados" dst-port=53 protocol=tcp src-address=192.168.25.0/24
add action=accept chain=input comment="Allow DNS internal" dst-port=53 protocol=udp src-address=192.168.178.0/24
add action=drop chain=input comment="Drop UDP DNS remote requests allow GUEST" dst-port=53 in-interface=!Bridge_vlan20 protocol=udp src-address-list="!Internal network"
add action=drop chain=input comment="Drop TCP DNS remote requests" dst-port=53 protocol=tcp src-address-list="!Internal network"
add action=accept chain=input comment="Allow SSH Internal Network" dst-port=22 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP SSH" dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow WinBox Internal Network" dst-port=8291 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP WinBox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop PING" disabled=yes protocol=icmp src-address-list="!Internal network"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add chain=forward comment="Allow Established/Related Forward Chain" connection-state=established,related
add chain=input comment="Allow Established/Related iNPUT Chain" connection-state=established,related
add action=drop chain=forward comment="NO connection Barbados to Main" dst-address=192.168.178.0/24 src-address=192.168.25.0/24
add action=drop chain=input comment="Router protect from Barbados" src-address=192.168.25.0/24
 
pietroscherer
Trainer
Posts: 151
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil

Re: VPN PPTP

Fri Jul 06, 2018 4:47 pm

Hello,

Which network did you use for PPTP? In the tutorial, they used "192.168.99.10-192.168.99.200". If you used the same, you must accept it in your firewall input chain.

add action=accept chain=input comment="DNS udp PPTP" dst-port=53 protocol=udp src-address=192.168.99.0/24

Thank you!
Pietro Scherer
https://about.me/pietroscherer
Skype: pietroscherer
 
maara
newbie
Posts: 40
Joined: Fri Jun 10, 2011 8:42 am

Re: VPN PPTP

Fri Jul 06, 2018 6:38 pm

...just stopped at this thread to say that you should consider using other vpn than pptp...
 
Charlie86
newbie
Topic Author
Posts: 26
Joined: Thu Apr 05, 2018 6:54 pm

Re: VPN PPTP

Sat Jul 07, 2018 2:10 pm

Hi,

Thank you, I added the new rule to the FW, but DNS is still blocked for PPTP connections.

@maara, yeah, I know PPTP is not secure, but all I need is an IP from my local internet provider so I can watch IP TV on vacation :)

Below are my new FW rules, if someone can help me:
/ip firewall filter
add action=drop chain=input comment="dropping port scanners" disabled=yes \
src-address-list="port scanners"
add action=accept chain=input comment="DNS PPTP" dst-port=53 protocol=udp \
src-address=192.168.99.0/24
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="DNS udp Barbados" dst-port=53 \
protocol=udp src-address=192.168.25.0/24
add action=accept chain=input comment="DNS tcp Barbados" dst-port=53 \
protocol=tcp src-address=192.168.25.0/24
add action=accept chain=input comment="Allow DNS internal" dst-port=53 \
protocol=udp src-address=192.168.178.0/24
add action=drop chain=input comment=\
"Drop UDP DNS remote requests allow GUEST" dst-port=53 in-interface=\
!Bridge_vlan20 protocol=udp src-address-list="!Internal network"
add action=drop chain=input comment="Drop TCP DNS remote requests" dst-port=\
53 protocol=tcp src-address-list="!Internal network"
add action=accept chain=input comment="Allow SSH Internal Network" dst-port=\
22 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP SSH" dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow WinBox Internal Network" \
dst-port=8291 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP WinBox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop PING" disabled=yes protocol=icmp \
src-address-list="!Internal network"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=yes \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
yes protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=yes \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add chain=forward comment="Allow Established/Related Forward Chain" \
connection-state=established,related
add chain=input comment="Allow Established/Related iNPUT Chain" \
connection-state=established,related
add action=drop chain=forward comment="NO connection Barbados to Main" \
dst-address=192.168.178.0/24 src-address=192.168.25.0/24
add action=drop chain=input comment="Router protect from Barbados" \
src-address=192.168.25.0/24
 
Charlie86
newbie
Topic Author
Posts: 26
Joined: Thu Apr 05, 2018 6:54 pm

Re: VPN PPTP

Sun Jul 08, 2018 9:04 pm

Hi,

Can someone maybe advise me which rule I should add to the FW if I want to successfully connect to an IKEv2 VPN server on MikroTik?

I did all the steps in this tutorial, but after I press connect on the iPhone it immediately says "Disconnected".

I also tried to scan ports 500 and 4500 and they are not responding.

This is the tutorial I used:

https://jcutrer.com/howto/networking/mi ... n-mikrotik

Thanks and have a nice day
 
Charlie86
newbie
Topic Author
Posts: 26
Joined: Thu Apr 05, 2018 6:54 pm

Re: VPN PPTP

Sat Jul 14, 2018 3:37 am

Hi,

I added a new rule in the FW for IKEv2, but I still cannot reach the IKEv2 VPN.

Any ideas what I should try to solve this?

/ip firewall filter
add action=drop chain=input comment="dropping port scanners" disabled=yes \
src-address-list="port scanners"
add action=accept chain=input comment="IKEv2 VPN" dst-port=4500,500 protocol=\
udp

add action=accept chain=input comment="DNS PPTP" dst-port=53 protocol=udp \
src-address=192.168.99.0/24
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="DNS udp Barbados" dst-port=53 \
protocol=udp src-address=192.168.25.0/24
add action=accept chain=input comment="DNS tcp Barbados" dst-port=53 \
protocol=tcp src-address=192.168.25.0/24
add action=accept chain=input comment="Allow DNS internal" dst-port=53 \
protocol=udp src-address=192.168.178.0/24
add action=drop chain=input comment=\
"Drop UDP DNS remote requests allow GUEST" dst-port=53 in-interface=\
!Bridge_vlan20 protocol=udp src-address-list="!Internal network"
add action=drop chain=input comment="Drop TCP DNS remote requests" dst-port=\
53 protocol=tcp src-address-list="!Internal network"
add action=accept chain=input comment="Allow SSH Internal Network" dst-port=\
22 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP SSH" dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow WinBox Internal Network" \
dst-port=8291 protocol=tcp src-address=192.168.178.0/24
add action=drop chain=input comment="DROP WinBox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop PING" disabled=yes protocol=icmp \
src-address-list="!Internal network"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=yes \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
yes protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=yes \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add chain=forward comment="Allow Established/Related Forward Chain" \
connection-state=established,related
add chain=input comment="Allow Established/Related iNPUT Chain" \
connection-state=established,related
add action=drop chain=forward comment="NO connection Barbados to Main" \
dst-address=192.168.178.0/24 src-address=192.168.25.0/24
add action=drop chain=input comment="Router protect from Barbados" \
src-address=192.168.25.0/24
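The recurring question in this thread is where an accept rule has to sit relative to the "Drop ... DNS remote requests" rules, because the input chain is evaluated top-down and the first matching rule decides. The following Python script is an added example, not code from the thread or from MikroTik: it parses a RouterOS export in the wrapped style posted above (backslash line continuation, key=value matchers) and walks a packet through the chain with first-match semantics. The export it uses is a constructed, shortened copy of the posted input chain; the contents of the "Internal network" address list, the interface names (`ether1`, `pptp-in1`) and the client addresses are assumptions, since the thread does not show them. It relies on two RouterOS behaviours: a rule without `action=` is an accept, and a packet that matches no rule in the chain is accepted.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a shortened copy of the input chain posted in the thread,
# kept in RouterOS export style (a trailing backslash continues the line).
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=drop chain=input comment="dropping port scanners" disabled=yes \
src-address-list="port scanners"
add action=accept chain=input comment="IKEv2 VPN" dst-port=4500,500 protocol=\
udp
add action=accept chain=input comment="DNS PPTP" dst-port=53 protocol=udp \
src-address=192.168.99.0/24
add chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow DNS internal" dst-port=53 \
protocol=udp src-address=192.168.178.0/24
add action=drop chain=input comment="Drop UDP DNS remote requests" dst-port=\
53 in-interface=!Bridge_vlan20 protocol=udp src-address-list="!Internal network"
add action=drop chain=input comment="Drop TCP DNS remote requests" dst-port=\
53 protocol=tcp src-address-list="!Internal network"
add chain=input comment="Allow Established/Related iNPUT Chain" \
connection-state=established,related
"""

# Assumed address-list contents (the thread never shows /ip firewall address-list).
ADDRESS_LISTS = {"Internal network": ["192.168.178.0/24"], "port scanners": []}


def unwrap_export(text: str) -> list[str]:
    """Join backslash-continued lines and keep only the 'add ...' statements, in order."""
    joined = re.sub(r"\\\n", "", text)
    return [ln.strip() for ln in joined.splitlines() if ln.strip().startswith("add ")]


_KV = re.compile(r'(?:^|\s)([a-z-]+)=("[^"]*"|\S+)')


def parse_rule(line: str) -> dict[str, str]:
    """Turn one 'add k=v k=v ...' statement into a dict; quotes are stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line[len("add"):])}


@dataclass
class Packet:
    chain: str
    protocol: str
    src: str
    dst_port: int = 0
    in_interface: str = ""
    connection_state: str = "new"
    tcp_flags: frozenset = frozenset({"syn"})


def _port_match(spec: str, port: int) -> bool:
    for part in spec.split(","):          # "4500,500" or "1024-65535"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _negatable(spec: str) -> tuple[bool, str]:
    """RouterOS writes a negated matcher as '!value'."""
    return (True, spec[1:]) if spec.startswith("!") else (False, spec)


def rule_matches(rule: dict, pkt: Packet, lists: dict) -> bool:
    if rule.get("disabled") == "yes" or rule.get("chain") != pkt.chain:
        return False
    src = ipaddress.ip_address(pkt.src)
    for key, spec in rule.items():
        if key in ("action", "chain", "comment", "disabled", "address-list", "address-list-timeout"):
            continue                      # not matchers
        if key == "protocol":
            ok = spec == pkt.protocol
        elif key == "dst-port":
            ok = _port_match(spec, pkt.dst_port)
        elif key == "src-address":
            neg, net = _negatable(spec)
            ok = (src in ipaddress.ip_network(net, strict=False)) != neg
        elif key == "src-address-list":
            neg, name = _negatable(spec)
            ok = any(src in ipaddress.ip_network(n, strict=False) for n in lists.get(name, [])) != neg
        elif key == "in-interface":
            neg, iface = _negatable(spec)
            ok = (iface == pkt.in_interface) != neg
        elif key == "connection-state":
            ok = pkt.connection_state in spec.split(",")
        elif key == "tcp-flags":          # listed flags must be set, '!flag' must be clear
            ok = all((f[1:] not in pkt.tcp_flags) if f.startswith("!") else (f in pkt.tcp_flags)
                     for f in spec.split(","))
        else:
            ok = False                    # psd and other stateful matchers are not modelled
        if not ok:
            return False
    return True


def first_match(rules: list[dict], pkt: Packet, lists: dict) -> tuple[str, str]:
    """Top-down evaluation: first matching rule decides; no match means accept."""
    for rule in rules:
        if rule_matches(rule, pkt, lists):
            return rule.get("action", "accept"), rule.get("comment", "")
    return "accept", "(no rule matched: chain default)"


def sample_rules() -> list[dict]:
    return [parse_rule(ln) for ln in unwrap_export(SAMPLE_EXPORT)]


def decide(src: str, protocol: str, dst_port: int, in_interface: str, rules=None) -> tuple[str, str]:
    pkt = Packet("input", protocol, src, dst_port, in_interface)
    return first_match(rules if rules is not None else sample_rules(), pkt, ADDRESS_LISTS)


def dns_pptp_rule_moved_last() -> tuple[str, str]:
    """Same chain, but with the 'DNS PPTP' accept placed below the drop rules:
    the PPTP client's query now hits 'Drop UDP DNS remote requests' first."""
    rules = sample_rules()
    dns = next(r for r in rules if r.get("comment") == "DNS PPTP")
    rules.remove(dns)
    rules.append(dns)
    return decide("192.168.99.10", "udp", 53, "pptp-in1", rules)


if __name__ == "__main__":
    print("PPTP client DNS   :", decide("192.168.99.10", "udp", 53, "pptp-in1"))
    print("WAN host DNS      :", decide("203.0.113.5", "udp", 53, "ether1"))
    print("WAN IKEv2 UDP/500 :", decide("203.0.113.5", "udp", 500, "ether1"))
    print("WAN PPTP TCP/1723 :", decide("203.0.113.5", "tcp", 1723, "ether1"))
    print("DNS PPTP rule last:", dns_pptp_rule_moved_last())
```

Run as-is it shows the accept for the PPTP client's DNS query coming from the "DNS PPTP" rule, the drop for the same query from a WAN address, and that moving the "DNS PPTP" accept below the drop rules makes the client's query hit the drop instead, which is the ordering point raised earlier in the thread. It also shows that the "IKEv2 VPN" rule as placed accepts UDP 500 and 4500 from the WAN, so the filter chain itself is one thing that can be ruled out before looking elsewhere for the IKEv2 failure. To check a real router, paste its own `/ip firewall filter export` into `SAMPLE_EXPORT` and fill `ADDRESS_LISTS` from `/ip firewall address-list print`; the `psd` matcher and connection tracking are deliberately not modelled, so rules relying on them report no match here.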
