scarletchain
just joined
Topic Author
Posts: 3
Joined: Fri Sep 13, 2019 6:34 am

Access UDP port 47808 via PPTP VPN

Fri Sep 13, 2019 8:20 am

Hello,

I'm using a MikroTik RB750 for my office.
I've configured the PPTP VPN and it works fine. I can access the server (192.168.1.5) and other devices through it.
Every time I want to access device01 (192.168.1.42), I connect to the PPTP VPN, remote into the server (192.168.1.5), and then use an application on the server that talks to device01 over UDP port 47808.

Now I want to access device01 without going through the server first. I have copied the application used for accessing device01 from the server to my laptop, and I have made sure that device01 answers ping once the VPN connection is established. I use the same PPTP VPN.
When I run the application over the VPN it cannot connect to device01 on UDP port 47808, but when I connect directly to the LAN the application reaches device01 on UDP port 47808 without problems.
Here is the MikroTik configuration.
# sep/13/2019 11:36:38 by RouterOS 6.45.3
# software id = 2I7M-S1UK
#
# model = 750
# serial number = 566004B31B2D
#
# NOTE(review): several filter rules and the /system note below carry comments
# asking for WebMoney/BTC "thanks" and telling the owner to "update RotherOS and
# change password". An administrator does not write that about their own
# router; these look like rules left by an unauthorised third party who had
# write access to it. Treat the device as compromised: upgrade RouterOS, change
# every user password and PPP secret, and rebuild the firewall from a
# known-good baseline instead of editing around these rules.
/interface ethernet
# arp=proxy-arp on the LAN port lets the router answer ARP for PPTP clients,
# whose pools (192.168.1.100-151) sit inside the same 192.168.1.0/24 as the LAN.
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=LAN_KEKAR
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=LAN_OLD
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=WAN
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    C8:B3:73:3C:3C:2C name=WAN@Publik-MNC
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=kekar_lan ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool2 ranges=192.168.1.200-192.168.1.250
# PPTP clients get LAN addresses; see the lukman filter rules for how the
# single-address pool is used to confine one account.
add name=pptp-pool ranges=192.168.1.100-192.168.1.150
add name=lukman-pptp ranges=192.168.1.151
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool2 authoritative=after-2sec-delay \
    disabled=no interface=LAN_KEKAR name=dhcp2
/ppp profile
add local-address=pptp-pool name=pptp-profile remote-address=pptp-pool
add local-address=lukman-pptp name=lukman-vpn remote-address=lukman-pptp
/queue tree
add max-limit=2M name=Download parent=LAN_KEKAR priority=1
add max-limit=2M name=Upload parent=WAN@Publik-MNC priority=1
/queue type
add kind=pcq name=pcq_down pcq-classifier=dst-address,dst-port \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=pcq_up pcq-classifier=src-address,src-port \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
/queue tree
add limit-at=2M max-limit=2M name="Group Down Priority 1" packet-mark=\
    Down_Priority_1 parent=Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name="Group Up Priority 1" packet-mark=\
    Up_Priority_1 parent=Upload priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name="Group Up Priority 2" packet-mark=\
    Up_Priority_2 parent=Upload priority=3 queue=pcq_up
add limit-at=2M max-limit=2M name=Steve-DL packet-mark=Steve-DL1 parent=\
    Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Steve-UP packet-mark=Steve-UP1 parent=\
    Upload priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name=Soni-DL packet-mark=Soni-DL1 parent=\
    Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Soni-UP packet-mark=Soni-UP1 parent=Upload \
    priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name=Stevan-DL1 packet-mark=Stevan-DL1 parent=\
    Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Stevan-UP1 packet-mark=Stevan-UP1 parent=\
    Upload priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name="Group Down Priority 2" packet-mark=\
    Down_Priority_2 parent=Download priority=3 queue=pcq_down
add limit-at=2M max-limit=2M name=Stevan-DL2 packet-mark=Stevan-DL2 parent=\
    Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Stevan-UP2 packet-mark=Stevan-UP2 parent=\
    Upload priority=1 queue=pcq_up
/snmp community
# NOTE(review): the default community accepts queries from any address
# (0.0.0.0/0). SNMP is not shown as enabled in this export; if it is enabled,
# restrict addresses= to a management range and replace the community string.
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add name=actionpantau target=echo
/interface detect-internet
set detect-interface-list=all
/interface pptp-server server
# NOTE(review): PPTP authenticates with MS-CHAPv2 and encrypts with MPPE, both
# considered broken; prefer L2TP/IPsec or IKEv2 for remote access. The input
# rules for tcp/1723 and GRE further down are what admit these connections.
set enabled=yes
/ip accounting
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=LAN_KEKAR network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN@Publik-MNC
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver; the input-chain
# drops on udp/tcp 53 further down are what stop it from being an open resolver
# on the WAN -- except for sources on allow-ip, which are accepted first.
set allow-remote-requests=yes servers=8.8.8.8,192.200.110.108,192.200.110.109
/ip firewall address-list
# allow-ip: the LAN /24, plus whatever the ICMP rule below adds for an hour.
add address=192.168.1.0/24 list=allow-ip
add address=192.168.1.151 list=lukman
add address=192.168.1.31-192.168.1.60 list="Blocked IP"
add address=192.168.1.40-192.168.1.42 list="Allow IP PPTP Lukman"
add address=192.168.1.1-192.168.1.29 list="Group Priority 1"
add address=192.168.1.200-192.168.1.250 list="Group Priority 2"
# "PPTP Pool" is disabled, so a rule matching src-address-list="PPTP Pool"
# (the "Test" forward rule below) matches nothing.
add address=192.168.1.100-192.168.1.150 disabled=yes list="PPTP Pool"
/ip firewall filter
# NOTE(review): the tarpit and ICMP rules, and the two drop rules carrying the
# WebMoney/BTC comments, are the third-party rules mentioned in the header.
add action=tarpit chain=input comment=\
    "Add you ip addess to allow-ip in Address Lists." dst-port=30553 \
    protocol=tcp
# NOTE(review): this is effectively a backdoor. Any host on the Internet that
# sends the router a 1083-byte ICMP packet is put on allow-ip for 1h, and the
# accept rule two entries down then admits it to every router service before
# any of the port drops are reached. Remove it.
add action=add-src-to-address-list address-list=allow-ip \
    address-list-timeout=1h chain=input comment=\
    "The security flaw for Hajime is closed by the firewall." packet-size=\
    1083 protocol=icmp
# "Test" rule for the VPN -> device01 path. dst-address-list takes an
# address-list NAME and no list called 192.168.1.42 exists; "PPTP Pool" is
# disabled; and src-port=47808 assumes the client sends from 47808, which it
# does not (clients use an ephemeral port). So the rule cannot match. Use
# dst-address=192.168.1.42 and omit src-port. Note the forward chain has no
# final drop, so VPN -> LAN traffic is accepted with or without this rule.
add action=accept chain=forward comment=Test dst-address-list=192.168.1.42 \
    dst-port=47808 protocol=udp src-address-list="PPTP Pool" src-port=47808
# Accepts everything from allow-ip to the router itself, ahead of every drop.
add action=accept chain=input comment=\
    "Please update RotherOS and change password." src-address-list=allow-ip
add action=drop chain=input comment=\
    " Thanks are accepted on WebMoney Z399578297824" dst-port=53 protocol=udp
# Internet block for 192.168.1.31-60 covers tcp only; the udp twin is
# disabled, so udp from those hosts still leaves via the WAN.
add action=drop chain=forward comment=\
    "Block Internet 192.168.1.31 - 192.168.1.60" out-interface=WAN@Publik-MNC \
    protocol=tcp src-address=192.168.1.31-192.168.1.60 src-address-list=\
    "Blocked IP"
add action=drop chain=forward disabled=yes out-interface=WAN@Publik-MNC \
    protocol=udp src-address=192.168.1.31-192.168.1.60 src-address-list=\
    "Blocked IP"
# NOTE(review): drops dns/api/api-ssl/ftp/ssh/telnet/http/https from the WAN,
# but Winbox (tcp/8291) is not in this list and there is no catch-all drop, so
# Winbox stays reachable from any source unless /ip service restricts it
# (not shown in this export).
add action=drop chain=input comment=\
    "or BTC 14qiYkk3nUgsdqQawiMLC1bUGDZWHowix1" dst-port=\
    53,8728,8729,21,22,23,80,443 protocol=tcp
# PPTP control channel and GRE payload, open to any source.
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
# passthrough only counts; nothing after it drops, so whatever was not matched
# above is accepted by the router's default policy.
add action=passthrough chain=input
# lukman's account (192.168.1.151) may reach only 192.168.1.40-42; everything
# else in the LAN /24 is dropped for it.
add action=accept chain=forward comment="Lukman VPN" dst-address-list=\
    "Allow IP PPTP Lukman" src-address=192.168.1.151 src-address-list=lukman
add action=drop chain=forward dst-address-list=allow-ip src-address=\
    192.168.1.151 src-address-list=lukman
/ip firewall mangle
add action=mark-packet chain=forward comment="Download Priority 1" \
    dst-address-list="Group Priority 1" new-packet-mark=Down_Priority_1 \
    passthrough=no
add action=mark-packet chain=forward comment="Download Priority 2" \
    dst-address-list="Group Priority 2" new-packet-mark=Down_Priority_2 \
    passthrough=no
add action=mark-packet chain=forward comment="Upload Priority 1" \
    new-packet-mark=Up_Priority_1 passthrough=no src-address-list=\
    "Group Priority 1"
add action=mark-packet chain=forward comment="Upload Priority 2" \
    new-packet-mark=Up_Priority_2 passthrough=no src-address-list=\
    "Group Priority 2"
add action=mark-connection chain=prerouting comment="Priority Steve" \
    new-connection-mark=Steve-DL1 passthrough=yes src-mac-address=\
    4C:BB:58:66:76:F6
add action=mark-packet chain=prerouting connection-mark=Steve-DL1 \
    new-packet-mark=Steve-DL1 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Steve-UP1 \
    passthrough=no src-mac-address=4C:BB:58:66:76:F6
add action=mark-connection chain=prerouting comment="Priority Soni" \
    new-connection-mark=Soni-DL1 passthrough=yes src-mac-address=\
    7C:2A:31:A0:C3:EB
add action=mark-packet chain=prerouting connection-mark=Soni-DL1 \
    new-packet-mark=Soni-DL1 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Soni-UP1 passthrough=\
    no src-mac-address=7C:2A:31:A0:C3:EB
add action=mark-connection chain=prerouting comment="Priority Stevan 1" \
    new-connection-mark=Stevan-DL1 passthrough=yes src-mac-address=\
    50:3E:AA:7C:CA:BA
add action=mark-packet chain=prerouting connection-mark=Stevan-DL1 \
    new-packet-mark=Stevan-DL1 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Stevan-UP1 \
    passthrough=no src-mac-address=50:3E:AA:7C:CA:BA
add action=mark-connection chain=prerouting comment="Priority Stevan 2" \
    new-connection-mark=Stevan-DL2 passthrough=yes src-mac-address=\
    28:C6:3F:FE:53:DF
add action=mark-packet chain=prerouting connection-mark=Stevan-DL2 \
    new-packet-mark=Stevan-DL2 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Stevan-UP2 \
    passthrough=no src-mac-address=28:C6:3F:FE:53:DF
# Debug logging for the 47808 exchange. /system logging below has its default
# targets disabled, so as far as this export shows these entries are not kept.
add action=log chain=postrouting comment=192.168.1.42 dst-address=\
    192.168.1.42 dst-port=47808 log-prefix=request protocol=udp
add action=log chain=prerouting log-prefix=response protocol=udp src-address=\
    192.168.1.42 src-port=47808
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN@Publik-MNC
# NOTE(review): none of the dst-nat rules below set in-interface or a
# src-address restriction, so every forwarded service (192.168.1.5 http and
# 1883 -- presumably MQTT, 192.168.1.81:8888, ten ports on 192.168.1.30) is
# reachable from any Internet source on the WAN address. Add
# in-interface=WAN@Publik-MNC plus a src-address-list, or reach them over the
# VPN instead.
add action=dst-nat chain=dstnat comment="server ubuntu 192.168.1.5" dst-port=\
    8080 protocol=tcp to-addresses=192.168.1.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=1883 protocol=tcp to-addresses=\
    192.168.1.5 to-ports=1883
add action=dst-nat chain=dstnat comment=192.168.1.81 dst-port=8081 protocol=\
    tcp to-addresses=192.168.1.81 to-ports=8888
# accept in dstnat with src-port=82 and an empty dst-address-list: presumably
# a leftover from testing; it is unlikely to match real traffic.
add action=accept chain=dstnat dst-address=192.168.1.81 dst-address-list="" \
    dst-port=80 protocol=tcp src-address=110.50.84.164 src-port=82
add action=dst-nat chain=dstnat comment=192.168.1.30 dst-port=4539 log=yes \
    protocol=tcp to-addresses=192.168.1.30 to-ports=80
add action=dst-nat chain=dstnat dst-port=4540 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=81
add action=dst-nat chain=dstnat dst-port=4541 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=82
add action=dst-nat chain=dstnat dst-port=4542 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=8336
add action=dst-nat chain=dstnat dst-port=4543 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=8337
add action=dst-nat chain=dstnat dst-port=4544 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=8888
add action=dst-nat chain=dstnat dst-port=4545 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=8889
add action=dst-nat chain=dstnat dst-port=4546 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=10001
add action=dst-nat chain=dstnat dst-port=4547 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=10002
add action=dst-nat chain=dstnat dst-port=4548 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=14000
# 47808/UDP is the registered BACnet/IP port. The four rules below forward it
# to different devices; all four match dst-port 47808, so only the first
# enabled one would ever take effect. All four are disabled in this export --
# keep them that way, or restrict any you enable to the VPN (in-interface or
# src-address=192.168.1.100-192.168.1.151), because with
# dst-address-type=local and no in-interface a packet arriving at the WAN
# address would also be forwarded to the device.
add action=dst-nat chain=dstnat comment=192.168.1.33 disabled=yes dst-port=\
    47808-47823 log=yes protocol=udp to-addresses=192.168.1.33 to-ports=\
    47808-47823
add action=dst-nat chain=dstnat comment=192.168.1.40 disabled=yes dst-port=\
    47808-47823 log=yes protocol=udp to-addresses=192.168.1.40 to-ports=\
    47808-47823
add action=dst-nat chain=dstnat comment=192.168.1.41 disabled=yes dst-port=\
    47808-47823 log=yes protocol=udp to-addresses=192.168.1.41 to-ports=\
    47808-47823
add action=dst-nat chain=dstnat comment=192.168.1.42 disabled=yes \
    dst-address-type=local dst-port=47808 log=yes protocol=udp to-addresses=\
    192.168.1.42 to-ports=47808
/ip route
add disabled=yes distance=1 gateway=110.50.84.1
/ip service
# NOTE(review): only telnet and ssh are disabled. www (80), winbox (8291),
# api (8728) and api-ssl (8729) are not listed, i.e. left at their defaults
# as far as this export shows; disable the unused ones and set address= on
# the rest.
set telnet disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
/ppp secret
# NOTE(review): pptp-profile (soni, stevan, soni1) sets no use-encryption, so
# MPPE is left at the profile default; set use-encryption=required or, better,
# replace PPTP. lukman is pinned to 192.168.1.151 so the lukman filter rules
# can confine that account. Rotate all of these after cleaning the router.
add name=soni password=******** profile=pptp-profile
add name=stevan password=******** profile=pptp-profile
add name=soni1 password=******** profile=pptp-profile
add local-address=10.1.101.1 name=Admin password=******** profile=\
    default-encryption remote-address=10.1.101.100 service=pptp
add local-address=192.168.1.1 name=lukman password=******** profile=\
    lukman-vpn remote-address=192.168.1.151
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=KEKARTAMA
/system logging
# NOTE(review): the four default logging rules are disabled, so the router
# keeps no log at all -- including the firewall log=yes hits above. Re-enable
# them and add a remote syslog action so evidence survives a reboot.
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
add action=actionpantau disabled=yes topics=ssh
/system note
# NOTE(review): login banner set by the same third party as the firewall
# comments; reset it after cleaning the router.
set note="The security flaw for Hajime is closed by the firewall. Please updat\
    e RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk\
    3nUgsdqQawiMLC1bUGDZWHowix1"
/tool traffic-monitor
add interface=LAN_KEKAR name=tmon1 threshold=1000 trigger=always
add interface=LAN_KEKAR name=tmon2 threshold=0

And this the device that I want to connect into
Device01.jpeg

Pls advise.
Thank you.
 
16again
newbie
Posts: 48
Joined: Fri Dec 29, 2017 12:23 pm

Re: Access UDP port 47808 via PPTP VPN

Fri Sep 13, 2019 8:56 am

This rule looks suspicious:
add action=accept chain=forward comment=Test dst-address-list=192.168.1.42 \
    dst-port=47808 protocol=udp src-address-list="PPTP Pool" src-port=47808
Drop the src-port match: the client sends from an ephemeral (random) source port, so a rule that requires src-port=47808 will never match the request.

Also, some endpoints have no default gateway set, or for security only answer hosts on their local subnet.
Workaround: add a src-nat rule for traffic from the VPN pool leaving the LAN interface, so it is sourced from the router's LAN address (keep in mind the device will then see and log the router's address rather than the VPN client's).
 
scarletchain
just joined
Topic Author
Posts: 3
Joined: Fri Sep 13, 2019 6:34 am

Re: Access UDP port 47808 via PPTP VPN

Fri Sep 13, 2019 10:55 am

This rule looks suspicious:
add action=accept chain=forward comment=Test dst-address-list=192.168.1.42 \
    dst-port=47808 protocol=udp src-address-list="PPTP Pool" src-port=47808
Drop the source port, as most protocols use a source port from a random pool

Also , some endpoints don't have default gateway set, or for security are only manageable from local subnet.
Workaround: Add src-nat rule on LAN interface, so traffic is sourced from MT LAN address.

I tried your suggestion, but the result is still the same.
Or did I configure it wrong?

# sep/13/2019 14:45:35 by RouterOS 6.45.3
# software id = 2I7M-S1UK
#
# model = 750
# serial number = 566004B31B2D
#
# NOTE(review): several filter rules and the /system note below carry comments
# asking for WebMoney/BTC "thanks" and telling the owner to "update RotherOS and
# change password". An administrator does not write that about their own
# router; these look like rules left by an unauthorised third party who had
# write access to it. Treat the device as compromised: upgrade RouterOS, change
# every user password and PPP secret, and rebuild the firewall from a
# known-good baseline instead of editing around these rules.
/interface ethernet
# arp=proxy-arp on the LAN port lets the router answer ARP for PPTP clients,
# whose pools (192.168.1.100-151) sit inside the same 192.168.1.0/24 as the LAN.
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=LAN_KEKAR
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=LAN_OLD
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=WAN
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    C8:B3:73:3C:3C:2C name=WAN@Publik-MNC
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=kekar_lan ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool2 ranges=192.168.1.200-192.168.1.250
# PPTP clients get LAN addresses; see the lukman filter rules for how the
# single-address pool is used to confine one account.
add name=pptp-pool ranges=192.168.1.100-192.168.1.150
add name=lukman-pptp ranges=192.168.1.151
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool2 authoritative=after-2sec-delay \
    disabled=no interface=LAN_KEKAR name=dhcp2
/ppp profile
add local-address=pptp-pool name=pptp-profile remote-address=pptp-pool
add local-address=lukman-pptp name=lukman-vpn remote-address=lukman-pptp
/queue tree
add max-limit=2M name=Download parent=LAN_KEKAR priority=1
add max-limit=2M name=Upload parent=WAN@Publik-MNC priority=1
/queue type
add kind=pcq name=pcq_down pcq-classifier=dst-address,dst-port \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=pcq_up pcq-classifier=src-address,src-port \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
/queue tree
add limit-at=2M max-limit=2M name="Group Down Priority 1" packet-mark=\
    Down_Priority_1 parent=Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name="Group Up Priority 1" packet-mark=\
    Up_Priority_1 parent=Upload priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name="Group Up Priority 2" packet-mark=\
    Up_Priority_2 parent=Upload priority=3 queue=pcq_up
add limit-at=2M max-limit=2M name=Steve-DL packet-mark=Steve-DL1 parent=\
    Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Steve-UP packet-mark=Steve-UP1 parent=\
    Upload priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name=Soni-DL packet-mark=Soni-DL1 parent=\
    Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Soni-UP packet-mark=Soni-UP1 parent=Upload \
    priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name=Stevan-DL1 packet-mark=Stevan-DL1 parent=\
    Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Stevan-UP1 packet-mark=Stevan-UP1 parent=\
    Upload priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name="Group Down Priority 2" packet-mark=\
    Down_Priority_2 parent=Download priority=3 queue=pcq_down
add limit-at=2M max-limit=2M name=Stevan-DL2 packet-mark=Stevan-DL2 parent=\
    Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Stevan-UP2 packet-mark=Stevan-UP2 parent=\
    Upload priority=1 queue=pcq_up
/snmp community
# NOTE(review): the default community accepts queries from any address
# (0.0.0.0/0). SNMP is not shown as enabled in this export; if it is enabled,
# restrict addresses= to a management range and replace the community string.
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add name=actionpantau target=echo
/interface detect-internet
set detect-interface-list=all
/interface pptp-server server
# NOTE(review): PPTP authenticates with MS-CHAPv2 and encrypts with MPPE, both
# considered broken; prefer L2TP/IPsec or IKEv2 for remote access. The input
# rules for tcp/1723 and GRE further down are what admit these connections.
set enabled=yes
/ip accounting
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=LAN_KEKAR network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN@Publik-MNC
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver; the input-chain
# drops on udp/tcp 53 further down are what stop it from being an open resolver
# on the WAN -- except for sources on allow-ip, which are accepted first.
set allow-remote-requests=yes servers=8.8.8.8,192.200.110.108,192.200.110.109
/ip firewall address-list
# allow-ip: the LAN /24, plus whatever the ICMP rule below adds for an hour.
add address=192.168.1.0/24 list=allow-ip
add address=192.168.1.151 list=lukman
add address=192.168.1.31-192.168.1.60 list="Blocked IP"
add address=192.168.1.40-192.168.1.42 list="Allow IP PPTP Lukman"
add address=192.168.1.1-192.168.1.29 list="Group Priority 1"
add address=192.168.1.200-192.168.1.250 list="Group Priority 2"
# "PPTP Pool" is disabled; nothing references it any more in this export.
add address=192.168.1.100-192.168.1.150 disabled=yes list="PPTP Pool"
/ip firewall filter
# NOTE(review): the tarpit and ICMP rules, and the two drop rules carrying the
# WebMoney/BTC comments, are the third-party rules mentioned in the header.
add action=tarpit chain=input comment=\
    "Add you ip addess to allow-ip in Address Lists." dst-port=30553 \
    protocol=tcp
# NOTE(review): this is effectively a backdoor. Any host on the Internet that
# sends the router a 1083-byte ICMP packet is put on allow-ip for 1h, and the
# accept rule two entries down then admits it to every router service before
# any of the port drops are reached. Remove it.
add action=add-src-to-address-list address-list=allow-ip \
    address-list-timeout=1h chain=input comment=\
    "The security flaw for Hajime is closed by the firewall." packet-size=\
    1083 protocol=icmp
# "Test" rule for the VPN -> device01 path. src-address-list was removed after
# the first reply, but src-port=47808 is still here (clients send from an
# ephemeral port, so it never matches) and dst-address-list expects an
# address-list NAME -- no list called 192.168.1.42 exists. Use
# dst-address=192.168.1.42 and omit src-port. The forward chain has no final
# drop, so VPN -> LAN traffic is accepted with or without this rule.
add action=accept chain=forward comment=Test dst-address-list=192.168.1.42 \
    dst-port=47808 protocol=udp src-port=47808
# Accepts everything from allow-ip to the router itself, ahead of every drop.
add action=accept chain=input comment=\
    "Please update RotherOS and change password." src-address-list=allow-ip
add action=drop chain=input comment=\
    " Thanks are accepted on WebMoney Z399578297824" dst-port=53 protocol=udp
# Internet block for 192.168.1.31-60 covers tcp only; the udp twin is
# disabled, so udp from those hosts still leaves via the WAN.
add action=drop chain=forward comment=\
    "Block Internet 192.168.1.31 - 192.168.1.60" out-interface=WAN@Publik-MNC \
    protocol=tcp src-address=192.168.1.31-192.168.1.60 src-address-list=\
    "Blocked IP"
add action=drop chain=forward disabled=yes out-interface=WAN@Publik-MNC \
    protocol=udp src-address=192.168.1.31-192.168.1.60 src-address-list=\
    "Blocked IP"
# NOTE(review): drops dns/api/api-ssl/ftp/ssh/telnet/http/https from the WAN,
# but Winbox (tcp/8291) is not in this list and there is no catch-all drop, so
# Winbox stays reachable from any source unless /ip service restricts it
# (not shown in this export).
add action=drop chain=input comment=\
    "or BTC 14qiYkk3nUgsdqQawiMLC1bUGDZWHowix1" dst-port=\
    53,8728,8729,21,22,23,80,443 protocol=tcp
# PPTP control channel and GRE payload, open to any source.
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
# passthrough only counts; nothing after it drops, so whatever was not matched
# above is accepted by the router's default policy.
add action=passthrough chain=input
# lukman's account (192.168.1.151) may reach only 192.168.1.40-42; everything
# else in the LAN /24 is dropped for it.
add action=accept chain=forward comment="Lukman VPN" dst-address-list=\
    "Allow IP PPTP Lukman" src-address=192.168.1.151 src-address-list=lukman
add action=drop chain=forward dst-address-list=allow-ip src-address=\
    192.168.1.151 src-address-list=lukman
/ip firewall mangle
add action=mark-packet chain=forward comment="Download Priority 1" \
    dst-address-list="Group Priority 1" new-packet-mark=Down_Priority_1 \
    passthrough=no
add action=mark-packet chain=forward comment="Download Priority 2" \
    dst-address-list="Group Priority 2" new-packet-mark=Down_Priority_2 \
    passthrough=no
add action=mark-packet chain=forward comment="Upload Priority 1" \
    new-packet-mark=Up_Priority_1 passthrough=no src-address-list=\
    "Group Priority 1"
add action=mark-packet chain=forward comment="Upload Priority 2" \
    new-packet-mark=Up_Priority_2 passthrough=no src-address-list=\
    "Group Priority 2"
add action=mark-connection chain=prerouting comment="Priority Steve" \
    new-connection-mark=Steve-DL1 passthrough=yes src-mac-address=\
    4C:BB:58:66:76:F6
add action=mark-packet chain=prerouting connection-mark=Steve-DL1 \
    new-packet-mark=Steve-DL1 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Steve-UP1 \
    passthrough=no src-mac-address=4C:BB:58:66:76:F6
add action=mark-connection chain=prerouting comment="Priority Soni" \
    new-connection-mark=Soni-DL1 passthrough=yes src-mac-address=\
    7C:2A:31:A0:C3:EB
add action=mark-packet chain=prerouting connection-mark=Soni-DL1 \
    new-packet-mark=Soni-DL1 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Soni-UP1 passthrough=\
    no src-mac-address=7C:2A:31:A0:C3:EB
add action=mark-connection chain=prerouting comment="Priority Stevan 1" \
    new-connection-mark=Stevan-DL1 passthrough=yes src-mac-address=\
    50:3E:AA:7C:CA:BA
add action=mark-packet chain=prerouting connection-mark=Stevan-DL1 \
    new-packet-mark=Stevan-DL1 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Stevan-UP1 \
    passthrough=no src-mac-address=50:3E:AA:7C:CA:BA
add action=mark-connection chain=prerouting comment="Priority Stevan 2" \
    new-connection-mark=Stevan-DL2 passthrough=yes src-mac-address=\
    28:C6:3F:FE:53:DF
add action=mark-packet chain=prerouting connection-mark=Stevan-DL2 \
    new-packet-mark=Stevan-DL2 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Stevan-UP2 \
    passthrough=no src-mac-address=28:C6:3F:FE:53:DF
# Debug logging for the 47808 exchange. /system logging below has its default
# targets disabled, so as far as this export shows these entries are not kept.
add action=log chain=postrouting comment=192.168.1.42 dst-address=\
    192.168.1.42 dst-port=47808 log-prefix=request protocol=udp
add action=log chain=prerouting log-prefix=response protocol=udp src-address=\
    192.168.1.42 src-port=47808
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN@Publik-MNC
# NOTE(review): none of the dst-nat rules below set in-interface or a
# src-address restriction, so every forwarded service (192.168.1.5 http and
# 1883 -- presumably MQTT, 192.168.1.81:8888, ten ports on 192.168.1.30) is
# reachable from any Internet source on the WAN address. Add
# in-interface=WAN@Publik-MNC plus a src-address-list, or reach them over the
# VPN instead.
add action=dst-nat chain=dstnat comment="server ubuntu 192.168.1.5" dst-port=\
    8080 protocol=tcp to-addresses=192.168.1.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=1883 protocol=tcp to-addresses=\
    192.168.1.5 to-ports=1883
add action=dst-nat chain=dstnat comment=192.168.1.81 dst-port=8081 protocol=\
    tcp to-addresses=192.168.1.81 to-ports=8888
# accept in dstnat with src-port=82 and an empty dst-address-list: presumably
# a leftover from testing; it is unlikely to match real traffic.
add action=accept chain=dstnat dst-address=192.168.1.81 dst-address-list="" \
    dst-port=80 protocol=tcp src-address=110.50.84.164 src-port=82
add action=dst-nat chain=dstnat comment=192.168.1.30 dst-port=4539 log=yes \
    protocol=tcp to-addresses=192.168.1.30 to-ports=80
add action=dst-nat chain=dstnat dst-port=4540 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=81
add action=dst-nat chain=dstnat dst-port=4541 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=82
add action=dst-nat chain=dstnat dst-port=4542 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=8336
add action=dst-nat chain=dstnat dst-port=4543 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=8337
add action=dst-nat chain=dstnat dst-port=4544 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=8888
add action=dst-nat chain=dstnat dst-port=4545 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=8889
add action=dst-nat chain=dstnat dst-port=4546 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=10001
add action=dst-nat chain=dstnat dst-port=4547 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=10002
add action=dst-nat chain=dstnat dst-port=4548 log=yes protocol=tcp \
    to-addresses=192.168.1.30 to-ports=14000
# 47808/UDP is the registered BACnet/IP port. The four rules below forward it
# to different devices; all four match dst-port 47808, so only the first
# enabled one ever takes effect. The first three are disabled here.
add action=dst-nat chain=dstnat comment=192.168.1.33 disabled=yes dst-port=\
    47808-47823 log=yes protocol=udp to-addresses=192.168.1.33 to-ports=\
    47808-47823
add action=dst-nat chain=dstnat comment=192.168.1.40 disabled=yes dst-port=\
    47808-47823 log=yes protocol=udp to-addresses=192.168.1.40 to-ports=\
    47808-47823
add action=dst-nat chain=dstnat comment=192.168.1.41 disabled=yes dst-port=\
    47808-47823 log=yes protocol=udp to-addresses=192.168.1.41 to-ports=\
    47808-47823
# NOTE(review): this one is ENABLED. dst-address-type=local with no
# in-interface matches a 47808 packet arriving at the router's WAN address
# too, so device01 is forwarded to the Internet unauthenticated. Restrict it
# to the VPN (in-interface=<pptp interface> or
# src-address=192.168.1.100-192.168.1.151) or drop it: VPN clients are routed
# straight into 192.168.1.0/24 and should not need a dst-nat to reach
# 192.168.1.42 -- if device01 only answers on-subnet, the src-nat workaround
# from the first reply is the safer fix.
add action=dst-nat chain=dstnat comment=192.168.1.42 dst-address-type=local \
    dst-port=47808 log=yes protocol=udp to-addresses=192.168.1.42 to-ports=\
    47808
/ip route
add disabled=yes distance=1 gateway=110.50.84.1
/ip service
# NOTE(review): only telnet and ssh are disabled. www (80), winbox (8291),
# api (8728) and api-ssl (8729) are not listed, i.e. left at their defaults
# as far as this export shows; disable the unused ones and set address= on
# the rest.
set telnet disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
/ppp secret
# NOTE(review): pptp-profile (soni, stevan, soni1) sets no use-encryption, so
# MPPE is left at the profile default; set use-encryption=required or, better,
# replace PPTP. lukman is pinned to 192.168.1.151 so the lukman filter rules
# can confine that account. Rotate all of these after cleaning the router.
add name=soni password=******** profile=pptp-profile
add name=stevan password=******** profile=pptp-profile
add name=soni1 password=******** profile=pptp-profile
add local-address=10.1.101.1 name=Admin password=******** profile=\
    default-encryption remote-address=10.1.101.100 service=pptp
add local-address=192.168.1.1 name=lukman password=******** profile=\
    lukman-vpn remote-address=192.168.1.151
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=KEKARTAMA
/system logging
# NOTE(review): the four default logging rules are disabled, so the router
# keeps no log at all -- including the firewall log=yes hits above. Re-enable
# them and add a remote syslog action so evidence survives a reboot.
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
add action=actionpantau disabled=yes topics=ssh
/system note
# NOTE(review): login banner set by the same third party as the firewall
# comments; reset it after cleaning the router.
set note="The security flaw for Hajime is closed by the firewall. Please updat\
    e RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk\
    3nUgsdqQawiMLC1bUGDZWHowix1"
/tool traffic-monitor
add interface=LAN_KEKAR name=tmon1 threshold=1000 trigger=always
add interface=LAN_KEKAR name=tmon2 threshold=0
 
mkx
Forum Guru
Forum Guru
Posts: 2792
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access UDP port 47808 via PPTP VPN

Fri Sep 13, 2019 11:52 am

Remove src-port option from the filter rule, it's still there:
/ip firewall filter
unset [ find src-port="47808" ] src-port
(on my RB I had to use the double quotes for find to find something).

BTW, you have 4 similar DST-NAT rules:
add action=dst-nat chain=dstnat comment=192.168.1.33 disabled=yes dst-port=\
    47808-47823 log=yes protocol=udp to-addresses=192.168.1.33 to-ports=\
    47808-47823
Only the first enabled one would ever match: all of them cover dst-port 47808/udp, and the first matching dst-nat rule handles the packet, so the ones below it are never reached.
BR,
Metod
 
scarletchain
just joined
Topic Author
Posts: 3
Joined: Fri Sep 13, 2019 6:34 am

Re: Access UDP port 47808 via PPTP VPN

Sat Sep 14, 2019 8:45 am

Remove src-port option from the filter rule, it's still there:
/ip firewall filter
unset [ find src-port="47808" ] src-port
(on my RB I had to use the double quotes for find to find something).

BTW, you have 4 similar DST-NAT rules:
add action=dst-nat chain=dstnat comment=192.168.1.33 disabled=yes dst-port=\
    47808-47823 log=yes protocol=udp to-addresses=192.168.1.33 to-ports=\
    47808-47823
Only first one will work as it will catch all the traffic ...
Thank you for your help.
It's working now; I am able to connect my application to the device.

As for the dst-nat rules, three of them are disabled; only one is running now.
I was testing the rules when I thought I had connected to the wrong device.
