TheFatal
just joined
Topic Author
Posts: 8
Joined: Mon Oct 20, 2014 10:33 pm

VPN to other location (pptp)

Tue Oct 21, 2014 12:28 am

Hi,

I have the following problem which I cannot figure out how to solve.

I have the following situation:
[network diagram image from the original post]
What do I want with this?
The other side is a family member's house and we want to have remote access to a NAS. We wanted to do this via VPN so as not to expose too many ports to the internet; connecting to "LAN" addresses also makes it easier.


On my side I have the RB2011UiAS-2HnD-IN set up as router.
My router makes a PPTP VPN connection to another location (family's house) where a VPN server is running on a Synology DiskStation.
Unfortunately this server cannot set up routes or push them, as I understood.

So far I have the VPN connection working.
From the MikroTik (terminal) I can ping the complete internal network on the remote side (192.168.0.0/24 network):
[admin@HomeNetRouter] > ping 192.168.0.1
HOST                                     SIZE TTL TIME  STATUS                 
192.168.0.1                                56  63 45ms 
192.168.0.1                                56  63 31ms 
192.168.0.1                                56  63 31ms 
    sent=3 received=3 packet-loss=0% min-rtt=31ms avg-rtt=35ms max-rtt=45ms 
The thing I can't get to work is access to the remote side from my internal network (192.168.88.0/24).
I have the feeling something goes wrong in the firewall, as soon as I ping from my computer the address 192.168.0.1 I can see this in the log:
Forward: in:bridge-local out:pptp-out1, src-mac 90:27:e4:fd:XX:XX, porto ICMP (type8, code 0), 192.168.88.201->192.168.0.1, len 84.

But further I do not get any reply.

I have set up the following things:
[admin@HomeNetRouter] > /interface pptp-client print
Flags: X - disabled, R - running 
 0  R name="pptp-out1" max-mtu=1450 max-mru=1450 mrru=1600 
      connect-to=94.208.161.XXX user="VPN Account" password="XXXXX" 
      profile=default-encryption keepalive-timeout=60 add-default-route=no 
      dial-on-demand=no allow=pap,chap,mschap1,mschap2 
[admin@HomeNetRouter] /ip> address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    bridge-local                           
 1   192.168.10.1/24    192.168.10.0    _HomeNetGuest_                         
 2 X 192.168.11.1/24    192.168.11.0    _HomeNetHotspot_                       
 3 D 94.208.166.XX/23   94.208.166.0    Gateway-ETH10                          
 4 D 10.10.10.1/32      10.10.10.0      pptp-out1  
[admin@HomeNetRouter] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=94.208.166.1 
        gateway-status=94.208.166.1 reachable via  Gateway-ETH10 distance=1 
        scope=30 target-scope=10 vrf-interface=Gateway-ETH10 

 1 A S  dst-address=10.10.10.0/24 gateway=bridge-local 
        gateway-status=bridge-local reachable distance=1 scope=30 
        target-scope=10 

 2 ADC  dst-address=10.10.10.0/32 pref-src=10.10.10.1 gateway=pptp-out1 
        gateway-status=pptp-out1 reachable distance=0 scope=10 

 3 ADC  dst-address=94.208.166.0/23 pref-src=94.208.166.56 
        gateway=Gateway-ETH10 gateway-status=Gateway-ETH10 reachable 
        distance=0 scope=10 

 4 A S  ;;; VPN Moeders
        dst-address=192.168.0.0/24 gateway=10.10.10.0 
        gateway-status=10.10.10.0 reachable via  pptp-out1 distance=1 
        scope=30 target-scope=10 

 5  DC  dst-address=192.168.10.0/24 pref-src=192.168.10.1 
        gateway=_HomeNetGuest_ gateway-status=_HomeNetGuest_ unreachable 
        distance=255 scope=10 

 6 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge-local 
        gateway-status=bridge-local reachable distance=0 scope=10 
[admin@HomeNetRouter] /ip> firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough log=no log-prefix="" 

 1    ;;; Block Guest to Lan
      chain=input action=drop src-address-list=Guest dst-address-list=Home 
      log=no log-prefix="" 

 2    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 3    ;;; default configuration
      chain=input action=accept connection-state=established log=no 
      log-prefix="" 

 4    ;;; default configuration
      chain=input action=accept connection-state=related log=no log-prefix="" 

 5    ;;; VPN
      chain=input action=accept protocol=udp in-interface=Gateway-ETH10 
      dst-port=500 log=no log-prefix="" 

 6    chain=input action=accept protocol=udp in-interface=Gateway-ETH10 
      dst-port=1701 log=no log-prefix="" 

 7    chain=input action=accept protocol=udp in-interface=Gateway-ETH10 
      dst-port=4500 log=no log-prefix="" 

 8    chain=input action=accept protocol=ipsec-esp in-interface=Gateway-ETH10 
      log=no log-prefix="" 

 9    ;;; VPN Moeders
      chain=forward action=accept src-address=192.168.88.0/24 
      dst-address=192.168.0.0/24 log=yes log-prefix="" 

10    chain=forward action=accept src-address=192.168.88.0/24 
      dst-address=10.10.10.0/24 log=yes log-prefix="" 

11    chain=forward action=accept src-address=192.168.0.0/24 
      dst-address=192.168.88.0/24 log=yes log-prefix="" 

12    chain=forward action=accept src-address=10.10.10.0/24 
      dst-address=192.168.88.0/24 log=yes log-prefix="" 

13    ;;; VPN Ubuntu test
      chain=input action=accept protocol=tcp dst-address=192.168.88.147 
      in-interface=Gateway-ETH10 src-port=1723 dst-port=1723 log=no 
      log-prefix="" 

14    ;;; NAS
      chain=input action=accept protocol=tcp dst-address=192.168.88.220 
      in-interface=Gateway-ETH10 src-port=443 dst-port=5001 log=no 
      log-prefix="" 

15    ;;; default configuration
      chain=input action=drop in-interface=Fiber1-gateway log=no 
      log-prefix="" 

16    ;;; default configuration
      chain=input action=drop in-interface=Gateway-ETH10 log=no log-prefix="" 
[admin@HomeNetRouter] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Test voor VPN Moeders
      chain=srcnat action=accept src-address=192.168.88.0/24 
      dst-address=192.168.0.0/24 log=no log-prefix="" 

 1 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0 log=no 
      log-prefix="" 

 2 X  ;;; default configuration
      chain=srcnat action=masquerade out-interface=Fiber1-gateway log=no 
      log-prefix="" 

 3    ;;; default configuration
      chain=srcnat action=masquerade out-interface=Gateway-ETH10 log=no 
      log-prefix="" 

 4    chain=srcnat action=masquerade src-address=192.168.10.0/24 
      out-interface=Gateway-ETH10 log=no log-prefix="" 
Does someone have an idea what I am missing in this story?
 
plisken
Forum Guru
Posts: 2511
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: VPN to other location (pptp)

Tue Oct 21, 2014 5:36 pm

Look at this example on my website please.
Server settings
http://www.wirelessinfo.be/index.php/mi ... pages/pptp
Client settings
http://www.wirelessinfo.be/index.php/mi ... ges/pptp-c
 
TheFatal
just joined
Topic Author
Posts: 8
Joined: Mon Oct 20, 2014 10:33 pm

Re: VPN to other location (pptp)

Tue Oct 21, 2014 8:34 pm

Thanks for the links.

On the server side I do not have a Mikrotik but a Synology NAS with less possibilities.

However, I have followed your guide for the client side and have created a new profile where my local bridge has been selected, and I needed to set the encryption level to yes, otherwise it wouldn't connect.
After this I could not ping the remote side. I have enabled the routes again in /ip route, then I was able to ping them from the router, but not from the "LAN" side.
I have also tried it with the firewall rules enabled again, but didn't succeed.
 
TheFatal
just joined
Topic Author
Posts: 8
Joined: Mon Oct 20, 2014 10:33 pm

Re: VPN to other location (pptp)

Wed Oct 22, 2014 11:35 pm

Any other ideas?
 
pants6000
Frequent Visitor
Posts: 90
Joined: Fri Sep 26, 2014 5:30 am

Re: VPN to other location (pptp)

Fri Oct 24, 2014 8:42 am

The VPN server probably doesn't have a correct route back to your LAN at 192.168.88.1. You might try setting up a rule on the MikroTik to masquerade connections going out the PPTP interface; that way the VPN server doesn't need a route back to you.
 
TheFatal
just joined
Topic Author
Posts: 8
Joined: Mon Oct 20, 2014 10:33 pm

Re: VPN to other location (pptp)

Fri Oct 24, 2014 7:45 pm

Thanks, that did the trick!!

I had already done NAT but not masquerade.... Only accepts.
 
pants6000
Frequent Visitor
Posts: 90
Joined: Fri Sep 26, 2014 5:30 am

Re: VPN to other location (pptp)

Fri Oct 24, 2014 7:48 pm

Sweet! It's kind of a dirty hack but it'll work for this just fine.
 
TheFatal
just joined
Topic Author
Posts: 8
Joined: Mon Oct 20, 2014 10:33 pm

Re: VPN to other location (pptp)

Fri Oct 24, 2014 7:52 pm

is there also a nice way to do it?
 
plisken
Forum Guru
Posts: 2511
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: VPN to other location (pptp)

Fri Oct 24, 2014 9:37 pm

You will install a VPN server on your MikroTik, or the reverse:

login with your mikrotik to vpn-server on synology?
 
pants6000
Frequent Visitor
Posts: 90
Joined: Fri Sep 26, 2014 5:30 am

Re: VPN to other location (pptp)

Fri Oct 24, 2014 11:04 pm

If you can put routes in the NAS, put in a route to 192.168.88.0/24 with the Mikrotik's VPN interface (10.10.10.1) as the next-hop.

It's no big deal here though, since it's unlikely the NAS will have to open connections to machines on your LAN.
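The masquerade fix from the reply above, written out as RouterOS commands for this thread's addressing, together with the checks a practitioner would run. This is an added example, not configuration posted by anyone in the thread; interface and address names are taken from TheFatal's printouts, and the comment strings are made up here.

```routeros
# Added example (not from the thread). Names come from TheFatal's output:
# LAN 192.168.88.0/24 on bridge-local, PPTP client pptp-out1 with local
# address 10.10.10.1, remote (family) LAN 192.168.0.0/24.

# 1. Route the remote LAN over the tunnel. TheFatal's route 4 already does
#    this via gateway 10.10.10.0; naming the PPP interface instead keeps
#    the route valid if the server hands out a different peer address.
/ip route add dst-address=192.168.0.0/24 gateway=pptp-out1 comment="VPN Moeders"

# 2. The existing srcnat rule 0 (action=accept for 192.168.88.0/24 ->
#    192.168.0.0/24) has to go: 'accept' in srcnat ends NAT processing,
#    so a masquerade rule placed below it would never see this traffic.
/ip firewall nat remove [find comment="Test voor VPN Moeders"]

# 3. Masquerade only LAN->remote traffic leaving through the tunnel.
#    Replies are then addressed to 10.10.10.1, which the Synology reaches
#    over the PPP link without needing a route for 192.168.88.0/24.
#    (The existing masquerade rule is bound to Gateway-ETH10 and does not
#    cover pptp-out1, which is why the replies were lost.)
/ip firewall nat add chain=srcnat action=masquerade out-interface=pptp-out1 \
    src-address=192.168.88.0/24 dst-address=192.168.0.0/24 \
    comment="LAN to family LAN over PPTP"

# 4. Forward rules: allow LAN->tunnel and the established/related replies,
#    then drop anything the remote side initiates. The far end is another
#    household's network, so treat it like the WAN rather than like the LAN.
#    (TheFatal's rules 11 and 12 accept remote->LAN unconditionally and
#    sit above these; disable them if this drop is meant to be effective.)
/ip firewall filter add chain=forward action=accept \
    src-address=192.168.88.0/24 out-interface=pptp-out1 comment="LAN to VPN"
/ip firewall filter add chain=forward action=accept \
    connection-state=established,related in-interface=pptp-out1
/ip firewall filter add chain=forward action=drop in-interface=pptp-out1 \
    comment="drop new connections coming in from the remote side"

# 5. Check: while pinging 192.168.0.1 from a LAN host, the tracked
#    connection should show reply-dst-address=10.10.10.1 (the NATed source).
/ip firewall connection print where dst-address~"192.168.0."

# Alternative ("the nice way" from pants6000): if the Synology can hold a
# static route 192.168.88.0/24 via 10.10.10.1, steps 2 and 3 are not
# needed and no NAT is applied to the tunnel traffic.
```

The tunnel stays PPTP as in the thread; where the Synology also offers L2TP/IPsec or OpenVPN, those are the stronger choice for the same setup.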
 
tania
newbie
Posts: 39
Joined: Fri Feb 07, 2014 10:15 am

Re: VPN to other location (pptp)

Sun Jan 11, 2015 10:45 am
