flippy
just joined
Topic Author
Posts: 2
Joined: Wed Feb 15, 2017 6:48 pm

vpn server without local access

Wed Feb 15, 2017 6:55 pm

I would like to set up a pptp or l2pp server (l2pp is nice thanks to hardware support) so I or someone else can use my internet access without being able to access my home network. I am struggling to figure out how to do that exactly, and how I can make the choice to give certain VPN accounts access to my local network or not.

For clarity: I am using a 750gr3 and below is my current interface setup.

I would love to get some help on this.
[Attachment: Capture3.PNG (interface setup screenshot)]
 
janus20
Member Candidate
Posts: 108
Joined: Thu Nov 03, 2016 10:31 am
Location: Pitesti, Romania

Re: vpn server without local access

Wed Feb 15, 2017 10:37 pm

Hi,

So if I understood correctly, you want to connect to your gr750 from outside via PPTP and have an internet connection through the PPTP tunnel, but at the same time not interfere with the local LAN network.
Here is an idea:

a. You should use one ether port especially for this. Remove ether5 from master-bridge ether1:
in the interface list, double-click ether5 and in the General tab, at MASTER PORT, select "none" (instead of ether1).

Open 'New Terminal':
b. Assign an IP address/network to ether5:
/ip address
add address=192.168.100.1/24 interface=ether5 network=192.168.100.0

PPTP server stuff

1. Activate the pptp service-port (or make sure it is activated already):
/ip firewall service-port
set pptp disabled=no
2. Create a PPTP address pool:
/ip pool
add name="pool-pptp" ranges=192.168.100.220-192.168.100.230
3. Create a PPTP profile:
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.100.1 \
name=pptp-in only-one=yes remote-address=pool-pptp use-encryption=\
    required use-upnp=no
* local-address=192.168.100.1 -> ether5 IP address as gateway
* remote-address=pool-pptp -> PPTP pool addresses created at step 2
4. Activate the PPTP server:
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=pptp-in enabled=yes max-mru=1460 max-mtu=1460
* authentication=mschap1,mschap2 -> only accept those protocols, for security;
in Windows, when you create the VPN profile, in the Security tab at "data encryption" select the last option "maximum strength..."
and at "Authentication", under "Allow these protocols", check only Microsoft CHAP version 2.
5. Define user/password for PPTP sessions:
/ppp secret
add name=user1 password=password1 profile=pptp-in service=pptp
* profile: PPTP profile name created at step 3
* service: only the pptp service allowed
6. Do not forget to add an accept rule into the firewall before any drop rule (especially if you have a drop-input-all last rule):
/ip firewall filter
add action=accept chain=input comment="PPTP inside" dst-port=1723 in-interface=pppoe-xs4all log=yes log-prefix=PPTP-IN protocol=tcp
7. Masquerade the PPTP network range:
/ip firewall nat
add action=masquerade chain=srcnat comment="NATing pptp" log=yes log-prefix=NAT-PPTP out-interface=pppoe-xs4all src-address=192.168.100.0/24
8. Drop forward traffic between the local LAN and PPTP:
/ip firewall filter
add action=drop chain=forward comment="isolate local lan and pptp" dst-address=192.168.100.0/24 in-interface=ether1 log=yes out-interface=ether5 \
    src-address={ether1-lan-network-space}
add action=drop chain=forward dst-address={ether1-lan-network-space} in-interface=ether5 log=yes out-interface=ether1 src-address=192.168.100.0/24
* {ether1-lan-network-space} = your local LAN address range, e.g. 192.168.0.0/24

Hope it helps,

kind regards
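The original question also asked how to choose per account whether a VPN user may reach the LAN. As an added example (not from either poster, building on the ether5 layout above), two PPP profiles draw from two address pools on the same 192.168.100.0/24 segment, and the forward chain only cuts off the pool that should stay out of the LAN. The LAN range 192.168.88.0/24, the pool ranges, and the profile/user names are assumptions.

```routeros
# Added example: per-account LAN access via two PPP profiles.
# Assumed: ether5 carries 192.168.100.1/24 (as in the answer above),
# the home LAN is 192.168.88.0/24 and the router is its DNS at 192.168.88.1.

/ip pool
add name=pool-vpn-lan ranges=192.168.100.200-192.168.100.219
add name=pool-vpn-isolated ranges=192.168.100.220-192.168.100.239

/ppp profile
# Accounts on this profile may reach the LAN: no rule below blocks their pool.
add name=vpn-lan local-address=192.168.100.1 remote-address=pool-vpn-lan \
    use-encryption=required only-one=yes change-tcp-mss=yes dns-server=192.168.88.1
# Accounts on this profile get internet only; their pool is isolated below.
add name=vpn-isolated local-address=192.168.100.1 remote-address=pool-vpn-isolated \
    use-encryption=required only-one=yes change-tcp-mss=yes dns-server=8.8.8.8

/ppp secret
# The profile on the secret decides which pool (and so which policy) a user gets.
add name=alice password=CHANGE-ME profile=vpn-lan service=pptp
add name=guest password=CHANGE-ME profile=vpn-isolated service=pptp

/ip firewall address-list
# Address lists keep the filter rules readable; ranges are accepted here.
add list=vpn-isolated address=192.168.100.220-192.168.100.239
add list=home-lan address=192.168.88.0/24

/ip firewall filter
# Place these above any generic forward accept rule, otherwise they never match.
add chain=forward action=drop src-address-list=vpn-isolated dst-address-list=home-lan \
    comment="isolated VPN accounts may not reach LAN" log=yes log-prefix=VPN-ISO
add chain=forward action=drop src-address-list=home-lan dst-address-list=vpn-isolated \
    comment="LAN may not reach isolated VPN accounts"
# Isolated accounts also get no access to the router's own services
# except the DNS they were handed (drop everything else on input).
add chain=input action=accept src-address-list=vpn-isolated protocol=udp dst-port=53 \
    comment="DNS for isolated VPN accounts"
add chain=input action=drop src-address-list=vpn-isolated \
    comment="no router management from isolated VPN accounts"
```

The same profiles work unchanged for an L2TP/IPsec server, which the OP prefers; only the service= value on the secrets changes to l2tp.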
 
flippy
just joined
Topic Author
Posts: 2
Joined: Wed Feb 15, 2017 6:48 pm

Re: vpn server without local access

Wed Feb 15, 2017 11:53 pm

Thank you for that answer. I will try this and report back.
 
lupine
just joined
Posts: 1
Joined: Thu Jan 26, 2017 5:41 pm

Re: vpn server without local access

Thu Feb 16, 2017 12:09 am

I do not think that the OP tunnels internet access through his PPTP connection. I would just use a simple firewall rule to isolate his VPN connection from the local LAN:

/ip firewall filter add chain=forward action=drop src-address=10.0.0.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""

/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/24 dst-address=10.0.0.0/24 log=no log-prefix=""

Where 10.0.0.0/24 is the PPTP pool and 192.168.0.0/24 is the LAN subnet.