Hi, I am a total noob on setting Mikrotik, and I need some advice on VPN.

Basically I managed to set the VPN profile, activated PPTP, the users with secrets etc... and I successfully login from outside the LAN and also manage to get the office's public IP.

The problem is that i cannot ping any other machine on the 192.168.0.x subnet... and i have a 192.168.0.x IP assigned. Is there something else which I am missing?

thanks

set proxy-arp on interface with your local network
/interface ethernet set <ethernet name> arp=proxy-arp

Thanks a lot janisk. Problem solved

set proxy-arp on interface with your local network
/interface ethernet set <ethernet name> arp=proxy-arp

hi janisk

my VPN works fine if i disable drop rules >> action=drop chain=forward comment="" disabled=yes out-interface=Ether1-WAN
if i enable the drop rules the outside client cant connect VPN to my router, how to allow incoming port from outside to router?

thanks

Myron, I'm a noob with VPN too, but I figured it is necessary to set rules that allow a VPN tunnel to be opened up. For IPSec this would be UDP port 500, and ipsec-esp protocol.
Make sure the "drop" rules is at the end of the filter list.

Also note, this will open up VPN to any IP address. It would be better to limit this to known incoming IP addresses.

Which leads me to my question: is this approach correct (namely opening the firewall to ANYONE)? What if the VPN clients do not have a static IP address, how can I ensure that only "known IP's" may go through the firewall (DynDNS)? Or, should I not care since the VPN authentication will "take care" of this and it's ok to basically allow access to this port/protocol?

While you can write scripts that fetch DNS names and re-shuffle address lists, the canonical solution (at least on Cisco) is to let ISAKMP sort it out and allow VPN from anywhere if you have dynamically addresses clients. Additionally, the DNS resolution wouldn't be in real time so there may be times when a client updated an IP address and the headend hasn't run the script yet, leading to effective downtime. DNS might be unavailable for resolution, leading to effective downtime. The script might fail to run, leading to effective downtime. Weigh the security benefits against the added risk.

Use very strong PSKs and rotate them (changing the PSK on a peer doesn't affect active SAs so this can be done without affecting live tunnels), or ideally use certificates for authentication so that one remote end being compromised doesn't compromise the entire VPN cloud.

Myron, I'm a noob with VPN too, but I figured it is necessary to set rules that allow a VPN tunnel to be opened up. For IPSec this would be UDP port 500, and ipsec-esp protocol.

Code: Select all

/ip firewall filter
add action=accept chain=input comment=VPN disabled=no protocol=ipsec-esp
add action=accept chain=input comment=VPN disabled=no protocol=udp src-port=500

Make sure the "drop" rules is at the end of the filter list.

Also note, this will open up VPN to any IP address. It would be better to limit this to known incoming IP addresses.

Which leads me to my question: is this approach correct (namely opening the firewall to ANYONE)? What if the VPN clients do not have a static IP address, how can I ensure that only "known IP's" may go through the firewall (DynDNS)? Or, should I not care since the VPN authentication will "take care" of this and it's ok to basically allow access to this port/protocol?

actually im using ordinary vpn and this mik has public static ip and the puprpose of this the micros opera system (hotel software) and some of corporate remote office accesing the database via vpn, the client connect to mik via vpn work fine if i disable the drop rules and then if i enable the drop rules client vpn cant connect. im gonna try your advise if will work.

i already put this action=accept chain=input comment="INCOMING from Manila VPN" disabled=no dst-port=1723 protocol=tcp

dst-port=1723 or src-port=1723 which one?

thanks

It should be src-port.

Since you use TCP port 1723 I presume you are using a PPTP tunnel. If you do that, you also need to create a firewall rule to let through all traffic via the GRE protocol. But I am not sure on this, first use TCP 1723 only, if that does not work add the GRE rule.

And please remember, I am a noob, you should have this confirmed by an expert, which I am sure there are plenty of on this forum

It should be src-port.

Since you use TCP port 1723 I presume you are using a PPTP tunnel. If you do that, you also need to create a firewall rule to let through all traffic via the GRE protocol. But I am not sure on this, first use TCP 1723 only, if that does not work add the GRE rule.

And please remember, I am a noob, you should have this confirmed by an expert, which I am sure there are plenty of on this forum

oriion!!

it works i use this rules action=accept chain=input comment="" disabled=no protocol=gre

thanks

Hi, I am a total noob on setting Mikrotik, and I need some advice on VPN.

Basically I managed to set the VPN profile, activated PPTP, the users with secrets etc... and I successfully login from outside the LAN and also manage to get the office's public IP.

The problem is that i cannot ping any other machine on the 192.168.0.x subnet... and i have a 192.168.0.x IP assigned. Is there something else which I am missing?

thanks

Hi can you tell me what steps did you follow to set up vpn? I have been trying with no luck.

Thanks.