 
kchris
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Oct 27, 2004 2:58 pm

VPN client not working after moving to MT

Wed Nov 02, 2005 8:57 pm

Hi!

Previously we had a simple cheap ADSL router.
Then we moved to MikroTik.

I've created a simple src-nat rule to share the connection. Everything is working - only the VPN clients behind the MT give error #619 when trying to connect to VPNs outside the office. What's wrong? With the simple cheap ADSL router everything was working fine (without QoS).

I don't drop any traffic in the firewall...

help-- my colleagues are killing me :( :( :(
 
kchris
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Oct 27, 2004 2:58 pm

Wed Nov 02, 2005 9:01 pm

Tried also to reduce the MTU size; now my computer's MTU is 1200 bytes.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Wed Nov 02, 2005 9:08 pm

Try turning your MTU back up to 1480 (on the MikroTik PPPoE interface), set your computers' MTUs back to the default 1500, and add the following mangle rule...
/ ip firewall mangle 
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1360 comment="" disabled=no 
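The change-mss rule above rewrites the MSS option inside every forwarded TCP SYN so that hosts never negotiate segments larger than the tunnel path can carry (an IPv4 MSS is the MTU minus 40 bytes of IP and TCP headers, so a 1480-byte PPPoE MTU gives 1440, and 1360 leaves 80 bytes of headroom for VPN encapsulation). The following Python is an added example, not RouterOS code or anything from this thread: it builds a constructed SYN segment, parses its TCP options, and clamps the MSS the way the rule does. The checksum is deliberately left at zero, which a real implementation would recompute.

```python
import struct

SYN = 0x02
MSS_KIND, NOP_KIND, EOL_KIND = 2, 1, 0


def build_syn(sport: int, dport: int, mss: int) -> bytes:
    """Build a bare TCP SYN (no IP header) carrying an MSS option.
    Constructed sample segment, not a capture; the checksum field is left at 0."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss)   # kind=2, len=4, MSS value
    options += bytes([NOP_KIND])                      # NOP so the next option is aligned
    options += struct.pack("!BBB", 3, 3, 7)           # window scale option, shift count 7
    assert len(options) % 4 == 0, "options must pad to a 32-bit boundary"
    data_offset = (20 + len(options)) // 4            # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,
                         1000, 0,                     # seq, ack
                         data_offset << 4, SYN,       # data offset/reserved, flags
                         65535, 0, 0)                 # window, checksum, urgent pointer
    return header + options


def _iter_options(segment: bytes):
    """Yield (offset, kind, length) for each TCP option, handling EOL, NOP and malformed lengths."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == EOL_KIND:
            return
        if kind == NOP_KIND:
            i += 1
            continue
        if i + 1 >= data_offset:
            return                                    # truncated option: stop parsing
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            return                                    # bogus length: stop rather than overrun
        yield i, kind, length
        i += length


def read_mss(segment: bytes):
    """Return the MSS advertised in the segment, or None if there is no MSS option."""
    for off, kind, length in _iter_options(segment):
        if kind == MSS_KIND and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_mss(segment: bytes, new_mss: int) -> bytes:
    """Lower the MSS option of a SYN to new_mss when it is higher (what change-mss does).
    Non-SYN segments and segments without an MSS option are returned unchanged.
    Simplification: the TCP checksum is not recomputed here."""
    if len(segment) < 20 or not (segment[13] & SYN):
        return segment
    out = bytearray(segment)
    for off, kind, length in _iter_options(segment):
        if kind == MSS_KIND and length == 4:
            current = struct.unpack_from("!H", segment, off + 2)[0]
            if current > new_mss:
                struct.pack_into("!H", out, off + 2, new_mss)
    return bytes(out)


if __name__ == "__main__":
    syn = build_syn(50000, 1723, 1460)
    print("before:", read_mss(syn), "after:", read_mss(clamp_mss(syn, 1360)))
```

Because only the SYN carries the MSS option, matching on tcp-flags=syn is enough; the rule never touches data segments. A segment that already advertises a smaller MSS is left alone, which is why the clamp is safe to apply to all forwarded traffic rather than only the VPN clients.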
 
kchris
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Oct 27, 2004 2:58 pm

Wed Nov 02, 2005 9:36 pm

mea culpa...

I had to enable the pptp and gre service ports in the ip firewall menu...

But IMHO the name "service port" doesn't suggest that disabling it drops the packets....
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Wed Nov 02, 2005 10:22 pm

> mea culpa...
>
> I had to enable the pptp and gre service ports in the ip firewall menu...
>
> But IMHO the name "service port" doesn't suggest that disabling it drops the packets....

That's strange, I use PPTP VPNs and have those service ports disabled.. Isn't that for the MT itself? Were you trying to establish the VPN from the MT router, or from a software VPN client behind the router?

::EDIT::
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port
unless you have some firewall rule that matches the connection type I don't see where this would come into play.. but whatever works for you!
 
Eugene
Forum Veteran
Posts: 986
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Thu Nov 03, 2005 10:34 am

/ip firewall service-port helpers are needed for NAT traversal.
 
kchris
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Oct 27, 2004 2:58 pm

Thu Nov 03, 2005 4:41 pm

> /ip firewall service-port helpers are needed for NAT traversal.

Yes, I realised... this GRE protocol doesn't use the 'port' that NAT needs, so without the helper it won't go..
I think this is the same situation as needing the FTP helper to use active FTP from behind NAT: ip_conntrack_ftp and others in Linux...
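The point Eugene and kchris arrive at is that NAT demultiplexes replies by port, and GRE (IP protocol 47) has none. PPTP's data channel instead carries the peer's Call ID in the GRE Key field, and the call IDs are exchanged on the TCP 1723 control channel, so a helper that reads the control channel can map each inbound GRE packet back to the right LAN host. The toy NAT below is an added example written for this thread, not RouterOS or Linux conntrack code; the addresses, call IDs and the simplified packet model are all constructed. It shows that without the helper a single PPTP client may still work (the NAT can fall back to the IP pair), but two clients to the same server become ambiguous, while the helper keeps them apart.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

TCP, GRE = 6, 47           # IP protocol numbers
PPTP_PORT = 1723           # PPTP control channel (TCP)
PUBLIC_IP = "203.0.113.1"  # constructed WAN address of the NAT router


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0                  # TCP only; GRE has no ports
    dport: int = 0
    call_id: int = 0                # PPTP-style GRE: Key field carries the peer's Call ID
    pptp_msg: Optional[Tuple[str, int]] = None  # control message seen on TCP 1723, e.g. ("OCRQ", id)


class ToyNat:
    """Source NAT with an optional PPTP helper (stand-in for /ip firewall service-port pptp)."""

    def __init__(self, pptp_helper: bool) -> None:
        self.pptp_helper = pptp_helper
        self.next_port = 40000
        # TCP: (server, public port) -> (client, client port); the port makes replies unambiguous
        self.tcp: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # GRE without helper: server -> clients talking to it; only the IP pair is known
        self.gre_generic: Dict[str, Set[str]] = {}
        # GRE with helper: (server, client's call ID) -> client, learned from the control channel
        self.gre_by_call: Dict[Tuple[str, int], str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN->WAN packet and record the state needed to map the reply."""
        if pkt.proto == TCP:
            pub_port = self.next_port
            self.next_port += 1
            self.tcp[(pkt.dst, pub_port)] = (pkt.src, pkt.sport)
            # Helper: an Outgoing-Call-Request announces the Call ID the client will expect
            # in the Key field of GRE packets the server sends back.
            if self.pptp_helper and pkt.dport == PPTP_PORT and pkt.pptp_msg:
                kind, call_id = pkt.pptp_msg
                if kind == "OCRQ":
                    self.gre_by_call[(pkt.dst, call_id)] = pkt.src
            return Packet(TCP, PUBLIC_IP, pkt.dst, pub_port, pkt.dport, pptp_msg=pkt.pptp_msg)
        if pkt.proto == GRE:
            self.gre_generic.setdefault(pkt.dst, set()).add(pkt.src)
            return Packet(GRE, PUBLIC_IP, pkt.dst, call_id=pkt.call_id)
        raise ValueError("unsupported protocol in this toy")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a WAN->LAN packet back to its client, or return None if it must be dropped."""
        if pkt.proto == TCP:
            client = self.tcp.get((pkt.src, pkt.dport))
            if client is None:
                return None
            return Packet(TCP, pkt.src, client[0], pkt.sport, client[1], pptp_msg=pkt.pptp_msg)
        if pkt.proto == GRE:
            if self.pptp_helper:
                client = self.gre_by_call.get((pkt.src, pkt.call_id))
            else:
                candidates = self.gre_generic.get(pkt.src, set())
                client = next(iter(candidates)) if len(candidates) == 1 else None
            if client is None:
                return None
            return Packet(GRE, pkt.src, client, call_id=pkt.call_id)
        return None


def pptp_session(nat: ToyNat, client: str, server: str, call_id: int) -> Optional[str]:
    """Run a client's outbound control request plus one GRE packet each way and return the
    LAN host the server's GRE reply was delivered to (None means dropped at the NAT)."""
    nat.outbound(Packet(TCP, client, server, 50000, PPTP_PORT, pptp_msg=("OCRQ", call_id)))
    nat.outbound(Packet(GRE, client, server, call_id=9000))            # Key = server's Call ID (constructed)
    reply = nat.inbound(Packet(GRE, server, PUBLIC_IP, call_id=call_id))  # Key = this client's Call ID
    return reply.dst if reply else None


if __name__ == "__main__":
    server = "198.51.100.5"  # constructed VPN server address
    for helper in (False, True):
        nat = ToyNat(pptp_helper=helper)
        print("helper", helper, pptp_session(nat, "192.168.1.10", server, 1),
              pptp_session(nat, "192.168.1.11", server, 2))
```

Two defender-side points follow from the model. The helper has to parse application payload on the control channel to build its table, which is why wildbill442's habit of leaving service ports disabled unless a LAN protocol actually needs them is sound practice: enable only the helpers whose protocols you forward. And the generic IP-pair fallback explains kchris's original symptom being intermittent rather than a clean block; once two colleagues dial the same VPN concentrator the router cannot tell their GRE replies apart without the call-ID mapping.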