spitfire
just joined
Topic Author
Posts: 6
Joined: Mon Apr 21, 2014 4:37 pm

Struggling with L2TP/IPSec setup

Thu Feb 05, 2015 10:01 am

Hi Guys,

I regularly need to Remote Desktop into our server/network from home. My goal is to have a (more) secure solution than just forwarding the RDP port to the server. I think this can be achieved in 3 ways:

1. Set up a VPN server on the MikroTik router and run the RDP connection over it
2. Set up a VPN server on the Server 2012 R2 box and RDP
3. Set up Remote Desktop Gateway

Number 3 seems too complicated for me to think about now as it involves certificates and there is no FQDN, just a static IP from our ISP. I get an L2TP/IPsec connection established over the LAN in cases 1 and 2. I do not get that going over the internet in case 2. Therefore I want to focus on setting it up on the RouterBoard.

1. When on the LAN I can ping other computers and access shares, but internet access stops as soon as the VPN connection establishes (either PPTP or L2TP).
2. When trying to connect from the internet there is no response from the server. However, I can connect using PPTP but not L2TP. With PPTP I can only ping the server/RouterBoard but no other machines. Also no internet access on the VPN connection, only on the physical adapter.

My setup is: WAN IP to modem/router (ports 500, 1701, 4500, 1723 forwarded) to 192.168.1.10, which is the "WAN" port of the MikroTik board, which has 192.168.5.0/32 as its LAN. At the top of the firewall it accepts these ports for incoming connections to the router. Proxy-arp is enabled. Disabling the firewall for testing from the internet does not make a difference.

I have been Googling and following guides for days now but I am about to give up. Any help is more than welcome.

/ppp profile
set 0 change-tcp-mss=default dns-server=192.168.5.3,192.168.5.1 local-address=vpn-pool name=default only-one=default \
remote-address=vpn-pool use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
set 1 change-tcp-mss=yes dns-server=192.168.5.3 local-address=vpn-pool name=default-encryption only-one=default remote-address=\
vpn-pool use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default wins-server=192.168.5.1
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=pptp password=test profile=default routes="" service=pptp
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=L2TP password=test profile=default-encryption routes="" \
service=l2tp

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 \
enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" \
nat-traversal=yes port=500 secret=test send-initial-contact=yes

/ip firewall filter
add action=accept chain=input comment="for L2TP access" disabled=no dst-port=500 protocol=udp
add action=accept chain=input comment="for L2TP access" disabled=no dst-port=1701 protocol=udp
add action=accept chain=input comment="for L2TP access" disabled=no dst-port=4500 protocol=udp
add action=accept chain=input comment="vpn allow PPTP" disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input comment="vpn PPTP GRE allowed" disabled=no protocol=gre
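What a practitioner would write for the scenario in this post, as an added example that is not the poster's own export and not MikroTik documentation: a RouterOS 6.x-style L2TP/IPsec server with the input, forward and NAT rules that the export above does not contain. The interface names ether1 (the port facing the modem, 192.168.1.10) and bridge-local (the LAN), the LAN being 192.168.5.0/24, and the generate-policy=port-strict and ipsec-policy matcher syntax are assumptions about the RouterOS version in use; the secrets are placeholders.

```routeros
# Added example, not the poster's config. Assumptions: ether1 = port towards the
# modem, bridge-local = LAN interface, LAN = 192.168.5.0/24, VPN pool kept inside
# the LAN (192.168.5.230-239). Replace CHANGE-ME values before use.

/ip pool
add name=vpn-pool ranges=192.168.5.230-192.168.5.239

/ppp profile
set default-encryption local-address=192.168.5.1 remote-address=vpn-pool \
    dns-server=192.168.5.3 use-encryption=yes change-tcp-mss=yes

/ppp secret
add name=L2TP password=CHANGE-ME profile=default-encryption service=l2tp
# No PPTP secret on purpose: PPTP's MS-CHAPv2 authentication is broken, so the
# 1723/GRE input rules are left out as well.

/interface l2tp-server server
set enabled=yes default-profile=default-encryption authentication=mschap2

# Phase 2 / phase 1: offer AES first, keep 3DES only for older Windows clients.
# pfs-group=none is what the built-in Windows L2TP client negotiates.
/ip ipsec proposal
set default enc-algorithms=aes-256-cbc,aes-128-cbc,3des auth-algorithms=sha1 \
    pfs-group=none lifetime=30m
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp auth-method=pre-shared-key \
    secret=CHANGE-ME enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha1 \
    dh-group=modp2048,modp1024 nat-traversal=yes send-initial-contact=yes \
    generate-policy=port-strict
# (older 6.x builds only know generate-policy=yes/no; use yes there)

/ip firewall filter
# input: IKE and NAT-T from the WAN side; L2TP (udp/1701) only when the packet
# arrived inside IPsec, so a plaintext L2TP session cannot be set up at all
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept
add chain=input in-interface=ether1 protocol=udp dst-port=1701 action=drop \
    comment="L2TP without IPsec is not allowed"
# forward: this is what lets a VPN client reach 192.168.5.10 and the internet;
# input rules alone only get the client as far as the router itself
add chain=forward connection-state=established,related action=accept
add chain=forward src-address=192.168.5.230-192.168.5.239 action=accept \
    comment="VPN pool -> LAN and internet"
add chain=forward in-interface=ether1 connection-state=new action=drop

# A client that sends its default route through the tunnel needs its traffic
# NATed on the WAN side, otherwise internet access stops when the VPN comes up.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
```

Two checks after applying it: from a connected client, ping a LAN host other than the router, and on the router confirm the session is actually encrypted (/ip ipsec installed-sa print should show SAs for the client address and /interface l2tp-server print should list the session). When both the client and the router sit behind NAT, as in the setup described above (the RouterBoard is behind the modem), the Windows client refuses L2TP/IPsec until the DWORD AssumeUDPEncapsulationContextOnSendRule under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent is set to 2 (1 is enough when only the server is behind NAT); that is a standard Windows client setting and a common reason "L2TP works on the LAN but not from the internet".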
 
mikez
just joined
Posts: 3
Joined: Fri Feb 21, 2014 8:54 pm

Re: Struggling with L2TP/IPSec setup

Tue Feb 10, 2015 7:33 pm

I think you may need to start by allowing traffic from your vpn-pool into the remote LAN.
 
spitfire
just joined
Topic Author
Posts: 6
Joined: Mon Apr 21, 2014 4:37 pm

Re: Struggling with L2TP/IPSec setup

Wed Feb 11, 2015 6:16 am

> I think you may need to start by allowing traffic from your vpn-pool into the remote LAN.
Thank you mikez. Could you point me a bit further on how/where to do that? My network uses mostly static clients in the range 192.168.5.10-192.168.5.200. I have a DHCP pool for guests/laptops from 192.168.5.220-229. My VPN pool is 192.168.5.230-239.
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: Struggling with L2TP/IPSec setup

Wed Feb 11, 2015 4:24 pm

If you're using IP addresses on your VPN clients in the same subnet as your LAN, you're going to have to enable proxy-arp on the LAN interface.

What's likely happening is your VPN client is getting assigned, say, 192.168.5.230. You are trying to communicate with 192.168.5.10. Your computer knows this traffic needs to go over the VPN since the subnet isn't local; however, the remote client (192.168.5.10) thinks the destination is local and sends out an ARP request on the local LAN. With proxy-arp enabled, your router should respond to those ARP requests for IPs in the VPN pool and forward the traffic as needed.

Here's a good explanation of the behavior:
http://blog.butchevans.com/2010/06/when ... proxy-arp/
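The two ways of dealing with the ARP problem described above, as an added example that is not from any poster in this thread: proxy-arp on the LAN interface (which is where it has to be enabled; turning it on on the WAN-facing port does nothing for this case) and, as the alternative that needs no proxy-arp at all, giving the VPN clients their own subnet. The interface name bridge-local, the spare subnet 192.168.6.0/24, and the LAN hosts using the router (192.168.5.1) as their default gateway are assumptions.

```routeros
# Added example, not the thread's config. Assumptions: bridge-local is the LAN
# interface, 192.168.6.0/24 is unused, LAN hosts default-route via the router.

# Option 1: VPN pool stays inside the LAN (192.168.5.230-239). The router must
# answer ARP for those addresses on the LAN side, so proxy-arp goes on the LAN
# interface (the bridge, or the physical port if there is no bridge), not on
# the port towards the modem.
/interface bridge
set bridge-local arp=proxy-arp

# Option 2: separate subnet for VPN clients. 192.168.5.10 sees 192.168.6.x as
# non-local and sends the packet to its gateway, so no ARP trickery is needed
# and firewall rules can match the whole VPN subnet.
/ip pool
set vpn-pool ranges=192.168.6.2-192.168.6.20
/ppp profile
set default-encryption local-address=192.168.6.1 remote-address=vpn-pool
/ip firewall filter
add chain=forward src-address=192.168.6.0/24 dst-address=192.168.5.0/24 \
    action=accept comment="VPN subnet -> LAN"
add chain=forward src-address=192.168.5.0/24 dst-address=192.168.6.0/24 \
    connection-state=new action=drop comment="LAN may not open sessions to VPN clients"
```

To confirm option 1 is working, ping the VPN client's address (for example 192.168.5.230) from a LAN host and then look at that host's ARP table (arp -a on Windows): the entry for the VPN address should carry the router's LAN MAC address. If it is empty or incomplete, the router is not answering, which usually means proxy-arp was set on the wrong interface. The last rule in option 2 is a design choice: remote clients get into the LAN, but LAN hosts cannot initiate connections back to a remote laptop; drop it if that is not wanted.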