ioannis99
just joined
Topic Author
Posts: 6
Joined: Wed Mar 28, 2018 12:46 pm

PPTP behind ISP Router (NAT problem)

Fri Sep 14, 2018 1:15 pm

Hello everyone,

I am a newbie in MKTs and I have set up a pptp connection between 2 MKTs and it works fine.

Each MKT is behind an ISP ADSL modem-router.
I want the PC1 to be able to ping PC2, but that doesn't work.

The only thing that works is that the MKT 1 can ping PC2 and vice versa.

I am sure the problem is in NAT configuration.
The only NAT configuration for both MKTs is the following (ether1 is the interface to the ISP Router)

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Can anyone help me?
Thanks a lot!
 
CZFan
Forum Veteran
Posts: 966
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: PPTP behind ISP Router (NAT problem)

Sun Sep 16, 2018 12:57 am

You can make this work with NAT, but that is a workaround and not the correct way.

First, make sure there are no firewall rules blocking ICMP on the PCs, and add routes to the other side's LAN range on the routers, to be routed via the tunnel.
MTCNA, MTCTCE, MTCRE & MTCINE
 
ioannis99
just joined
Topic Author
Posts: 6
Joined: Wed Mar 28, 2018 12:46 pm

Re: PPTP behind ISP Router (NAT problem)

Sun Sep 16, 2018 9:21 pm

Thanks for the answer.

There are no firewall rules or they are disabled during the tests.

The routes I enabled are the following:

for MKT2
/ip route
add check-gateway=ping distance=2 gateway=192.168.1.1
add distance=1 dst-address=192.168.5.0/24 gateway=192.168.9.2

for MKT1
/ip route
add check-gateway=ping distance=2 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=192.168.3.0/24 gateway=192.168.9.1

(192.168.9.1 and 2 are the vpn local/remote addresses)


Each PC can only ping the local vpn remote address.

What other routes should I try?

Edit: If the pptp client is my android phone, I can ping from my PC to the phone and vice versa. So, the problem is when the pptp client is the MKT.
So, I think there is a NAT problem. Or not?
 
Anumrak
Forum Veteran
Posts: 752
Joined: Fri Jul 28, 2017 2:53 pm

Re: PPTP behind ISP Router (NAT problem)

Mon Sep 17, 2018 11:36 am

Do the ISP routers have routes to your LANs?
 
ioannis99
just joined
Topic Author
Posts: 6
Joined: Wed Mar 28, 2018 12:46 pm

Re: PPTP behind ISP Router (NAT problem)

Mon Sep 17, 2018 12:34 pm

Yes, everything works fine.

Also Port Forwarding works fine.

I am almost sure there is a NAT problem.
 
CZFan
Forum Veteran
Posts: 966
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: PPTP behind ISP Router (NAT problem)

Mon Sep 17, 2018 11:34 pm

Are you sure you allow the other LAN IPs in via the firewall on the MikroTik?
MTCNA, MTCTCE, MTCRE & MTCINE
 
ioannis99
just joined
Topic Author
Posts: 6
Joined: Wed Mar 28, 2018 12:46 pm

Re: PPTP behind ISP Router (NAT problem)

Tue Sep 18, 2018 8:17 am

I have no firewall rules.

Only NAT.

Should I have?

Thank you
 
CZFan
Forum Veteran
Posts: 966
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: PPTP behind ISP Router (NAT problem)

Tue Sep 18, 2018 2:14 pm

Please provide a new diagram and include the VPN addresses.

Also the config of both routers, after obfuscating any sensitive information.
MTCNA, MTCTCE, MTCRE & MTCINE
 
ioannis99
just joined
Topic Author
Posts: 6
Joined: Wed Mar 28, 2018 12:46 pm

Re: PPTP behind ISP Router (NAT problem)

Tue Sep 18, 2018 6:47 pm

Mikrotik 1 (pptp server)

# model = RouterBOARD 750G r3

/interface bridge
add arp=proxy-arp fast-forward=no name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether4 trusted=yes
add bridge=bridge1 interface=ether5 trusted=yes
/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=192.168.2.2/24 interface=ether1 network=192.168.2.0
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0

/ip pool
add name=dhcp_pool1 ranges=192.168.5.2-192.168.5.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/ppp profile
add local-address=192.168.9.1 name="server" remote-address=192.168.9.2 \
use-encryption=required
/interface pptp-server server
set default-profile="server" enabled=yes
/ppp secret
add local-address=192.168.9.1 name=test profile="server" remote-address=\
192.168.9.2 service=pptp


/ip route
add check-gateway=ping distance=2 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=192.168.3.0/24 gateway=\
192.168.9.2


Mikrotik 2 (pptp client)

# model = RouterBOARD 750G r3

/interface bridge
add arp=proxy-arp name=bridge1
/interface bridge port
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=192.168.1.36/24 interface=ether1 network=192.168.1.0
add address=192.168.3.1/24 interface=bridge1 network=192.168.3.0

/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/interface pptp-client
add connect-to=193.92.xxx.xxx disabled=no name=pptp-out1 user=test
/ppp profile
add local-address=192.168.9.2 name="client" remote-address=192.168.9.1 \
use-encryption=required

/ip route
add check-gateway=ping distance=2 gateway=192.168.1.254
add distance=1 dst-address=192.168.5.0/24 gateway=192.168.9.1
 
CZFan
Forum Veteran
Posts: 966
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: PPTP behind ISP Router (NAT problem)

Wed Sep 19, 2018 7:44 pm

On the server side:
Change
/ppp secret
add local-address=192.168.9.1 name=test profile="server" remote-address=192.168.9.2 service=pptp routes="192.168.3.0/24 192.168.9.2 1"


Remove
/ip route
add check-gateway=ping distance=1 dst-address=192.168.3.0/24 gateway=192.168.9.2


The routes= under /ppp secret will dynamically create a route to the client network when the client connects.

On Client side:
Remove
/ppp profile
add local-address=192.168.9.2 name="client" remote-address=192.168.9.1 use-encryption=required


Change
/ip route
add distance=1 dst-address=192.168.5.0/24 gateway=pptp-out1
MTCNA, MTCTCE, MTCRE & MTCINE
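
What the route tables above imply for a PC1-to-PC2 ping can be checked offline with a longest-prefix-match lookup; this is an added example, not part of the thread and not MikroTik tooling. The tables are transcribed from the configs posted above after the suggested changes; the host addresses 192.168.5.10 and 192.168.3.10 and the interface label "tunnel" are assumptions.

```python
import ipaddress

# Route tables transcribed from the configs posted in this thread, after the
# suggested changes. "tunnel" is an assumed label for the PPTP interface on
# each router (pptp-out1 on the client, the dynamic interface on the server).
TABLES = {
    "MKT1": [("0.0.0.0/0", "ether1"), ("192.168.2.0/24", "ether1"),
             ("192.168.5.0/24", "bridge1"), ("192.168.9.2/32", "tunnel"),
             ("192.168.3.0/24", "tunnel")],   # created by routes= in /ppp secret
    "MKT2": [("0.0.0.0/0", "ether1"), ("192.168.1.0/24", "ether1"),
             ("192.168.3.0/24", "bridge1"), ("192.168.9.1/32", "tunnel"),
             ("192.168.5.0/24", "tunnel")],   # static route via pptp-out1
}
MASQUERADE_OUT_IF = "ether1"  # out-interface of the only srcnat rule on both routers


def egress(table, dst):
    """Longest-prefix match: interface a packet addressed to dst leaves by."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), i) for p, i in table]
    net, iface = max((m for m in matches if ip in m[0]),
                     key=lambda m: m[0].prefixlen)
    return iface


def trace(dst, path, tables=TABLES):
    """Per router on the path: (router, egress interface, masqueraded?)."""
    hops = []
    for router in path:
        iface = egress(tables[router], dst)
        hops.append((router, iface, iface == MASQUERADE_OUT_IF))
        if iface != "tunnel":
            break  # delivered to a LAN or sent to the ISP; next router never sees it
    return hops


def drop_route(tables, router, prefix):
    """Copy of tables with one route removed, to model a missing route."""
    out = dict(tables)
    out[router] = [r for r in tables[router] if r[0] != prefix]
    return out


PC1, PC2 = "192.168.5.10", "192.168.3.10"  # assumed host addresses

if __name__ == "__main__":
    print("request:", trace(PC2, ["MKT1", "MKT2"]))
    print("reply:  ", trace(PC1, ["MKT2", "MKT1"]))
    broken = drop_route(TABLES, "MKT2", "192.168.5.0/24")
    print("reply without MKT2 route:", trace(PC1, ["MKT2", "MKT1"], broken))
```

With both LAN routes present, the lookups select the tunnel in each direction and the masquerade rule on ether1 never matches; it only rewrites the source when a LAN route is missing and the packet falls through to the default route.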
 
ioannis99
just joined
Topic Author
Posts: 6
Joined: Wed Mar 28, 2018 12:46 pm

Re: PPTP behind ISP Router (NAT problem)

Thu Sep 20, 2018 9:50 am

I tried these changes but the result is the same.

The VPN works; I can still ping from my MikroTik to the other LAN, but not from a PC to the other LAN.

I can't find a solution :?
 
CZFan
Forum Veteran
Posts: 966
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: PPTP behind ISP Router (NAT problem)

Mon Sep 24, 2018 5:17 pm

Any specific reasons you have Bridge ARP configured as "arp=proxy-arp"?

If not, change that to arp=enabled
MTCNA, MTCTCE, MTCRE & MTCINE
