VPN issue

Posted: Sat Jul 13, 2019 1:37 am
by cavaughan
I've set up PPTP VPN on several MK routers. They all work except for one problem. I need to access the local network hosted by the MK router. Only one of the routers works right. It has to be a firewall issue, as the only major difference is the firewall settings.
On the problem routers I was able to set them up so I could get to the router itself by adding a FW rule to accept input on the local subnet, which seems odd as everything on the local subnet already has access. But it worked.
Below is my fw list. Adding rule 3 allowed me to access the router itself, but nothing else in the network. Also, the VPN assigns to my computer an IP within the local network structure: i.e. 192.168.1.x


0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; PPTP VPN
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""

3 chain=input action=accept src-address=192.168.1.0/24 log=no log-prefix=""

4 ;;; Guest isolation
chain=forward action=drop src-address=10.0.1.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""

5 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

6 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

8 ;;; Block Guest to Lan
chain=forward action=drop in-interface=bridge-vlan10 out-interface=bridge log=no log-prefix=""

9 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

10 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

11 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

12 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

13 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

14 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

15 ;;; Accept established connections
chain=input connection-state=established

16 ;;; Accept related connections
chain=input connection-state=related

17 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

18 ;;; UDP
chain=input action=accept protocol=udp

19 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid

20 ;;; Allow limited pings
chain=input protocol=icmp limit=50/5s,2

21 ;;; Drop excess pings
chain=input action=drop protocol=icmp

22 ;;; DROP PING REPLY
chain=input action=drop protocol=icmp src-address=!10.10.0.4

23 ;;; Drop Blaster Worm
chain=virus action=drop protocol=tcp dst-port=135-139

24 ;;; Drop Messenger Worm
chain=virus action=drop protocol=udp dst-port=135-139

25 ;;; Drop Blaster Worm
chain=virus action=drop protocol=tcp dst-port=445

26 ;;; Drop Blaster Worm
chain=virus action=drop protocol=udp dst-port=445

27 ;;; ________
chain=virus action=drop protocol=tcp dst-port=593

28 ;;; ________
chain=virus action=drop protocol=tcp dst-port=1024-1030

29 ;;; Drop MyDoom
chain=virus action=drop protocol=tcp dst-port=1080

30 ;;; ________
chain=virus action=drop protocol=tcp dst-port=1214

31 ;;; ndm requester
chain=virus action=drop protocol=tcp dst-port=1363

32 ;;; ndm server
chain=virus action=drop protocol=tcp dst-port=1364

33 ;;; screen cast
chain=virus action=drop protocol=tcp dst-port=1368

34 ;;; hromgrafx
chain=virus action=drop protocol=tcp dst-port=1373

35 ;;; cichlid
chain=virus action=drop protocol=tcp dst-port=1377

36 ;;; Worm
chain=virus action=drop protocol=tcp dst-port=1433-1434

37 ;;; Bagle Virus
chain=virus action=drop protocol=tcp dst-port=2745

38 ;;; Drop Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=2283

39 ;;; Drop Beagle
chain=virus action=drop protocol=tcp dst-port=2535

40 ;;; Drop Beagle.C-K
chain=virus action=drop protocol=tcp dst-port=2745

41 ;;; Drop MyDoom
chain=virus action=drop protocol=tcp dst-port=3127-3128

42 ;;; Drop Backdoor OptixPro
chain=virus action=drop protocol=tcp dst-port=3410

43 ;;; Worm
chain=virus action=drop protocol=tcp dst-port=4444

44 ;;; Worm
chain=virus action=drop protocol=udp dst-port=4444

45 ;;; Drop Sasser
chain=virus action=drop protocol=tcp dst-port=5554

46 ;;; Drop Beagle.B
chain=virus action=drop protocol=tcp dst-port=8866

47 ;;; Drop Dabber.A-B
chain=virus action=drop protocol=tcp dst-port=9898

48 ;;; Drop Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=10000

49 ;;; Drop MyDoom.B
chain=virus action=drop protocol=tcp dst-port=10080

50 ;;; Drop NetBus
chain=virus action=drop protocol=tcp dst-port=12345

51 ;;; Drop Kuang2
chain=virus action=drop protocol=tcp dst-port=17300

52 ;;; Drop SubSeven
chain=virus action=drop protocol=tcp dst-port=27374

53 ;;; Drop PhatBot, Agobot, Gaobot
chain=virus action=drop protocol=tcp dst-port=65506

54 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus

55 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w

56 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2w

57 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners address-list-timeout=2w

58 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners address-list-timeout=2w

59 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=port scanners address-list-timeout=2w

60 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners address-list-timeout=2w

61 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2w

62 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

63 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21

64 chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m

65 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Login incorrect

66 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22

67 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=3d dst-port=22

68 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22

69 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22

70 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22

71 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22

Re: VPN issue

Posted: Thu Jul 18, 2019 2:26 am
by cavaughan
OK, here's another clue. Looking at the firewall and the established connections, I see my device's source address: 192.168.1.10:56126, the dst address: 192.168.1.5:3389, but the TCP State only goes to: syn sent. There is never an ack, I assume. And you can see in the Orig./Repl. Bytes and Packets that the first half shows traffic, but the second is always at 0. Why?

Re: VPN issue

Posted: Thu Jul 18, 2019 2:52 am
by tdw
I've set up PPTP VPN on several MK routers. They all work except for one problem. I need to access the local network hosted by the MK router. Only one of the routers works right. It has to be a firewall issue, as the only major difference is the firewall settings.
On the problem routers I was able to set them up so I could get to the router itself by adding a FW rule to accept input on the local subnet, which seems odd as everything on the local subnet already has access. But it worked.
Below is my fw list. Adding rule 3 allowed me to access the router itself, but nothing else in the network. Also, the VPN assigns to my computer an IP within the local network structure: i.e. 192.168.1.x

It would be easier to diagnose if you posted the config from /export hide-sensitive and also obfuscated any public IP addresses or similar.

That said, it is likely:
You have used the same IP pool for the LAN and VPN clients so you need to enable proxy-arp on the LAN interface, see https://wiki.mikrotik.com/wiki/Manual:I ... ote_Client.
The VPN client will not be in the LAN interface list so the rule chain=input action=drop in-interface-list=!LAN will prevent access.

And don't use PPTP, it is woefully insecure.
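The two changes tdw recommends, written out as RouterOS commands. This is an added example, not configuration posted in the thread; it assumes the LAN bridge is named `bridge` and the interface list is `LAN` (both as they appear in rules 7 and 8 above), that PPTP clients use the `default` PPP profile, and a RouterOS 6 release whose PPP profile supports the `interface-list` parameter.

```routeros
# Added example, not from the thread. Assumes: LAN bridge "bridge",
# defconf interface list "LAN", PPTP clients on the "default" PPP profile
# and addressed from the same 192.168.1.0/24 subnet as the LAN.

# 1. VPN clients hold 192.168.1.x addresses but sit behind the PPTP tunnel,
#    so a LAN host replying to one ARPs for it on the bridge and gets no
#    answer. That is the symptom seen above: the connection stays in
#    "syn sent" with zero reply bytes. Proxy ARP on the LAN bridge makes the
#    router answer those ARP requests and forward the reply into the tunnel.
/interface bridge set [find name="bridge"] arp=proxy-arp

# 2. Rule 7 (chain=input action=drop in-interface-list=!LAN) drops input
#    from any interface not in the LAN list. Dynamic PPTP interfaces are not
#    members, which is why rule 3 was needed to reach the router. Adding the
#    profile's dynamic interfaces to LAN lets the defconf rule treat VPN
#    clients as LAN.
/ppp profile set [find name="default"] interface-list=LAN

# 3. Rule 3 matches on source address alone, on every interface, so it also
#    accepts any packet that merely claims a 192.168.1.x source. With the
#    interface-list fix in place it is no longer needed and can be removed.
/ip firewall filter remove [find src-address="192.168.1.0/24" chain=input action=accept]

# Verify: a connected client shows as a dynamic LAN member and the input
# chain no longer carries the address-only accept.
/interface list member print where list=LAN
/ip firewall filter print where chain=input
```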

Re: VPN issue

Posted: Thu Jul 18, 2019 5:48 am
by cavaughan
Thanks for the reply!
To be honest, I don't know what is a good and simple protocol for Windows computers. I would never use PPTP, but OpenVPN. But then I only use Linux. But all my clients use Windows, so I need to use a protocol that they can easily set up. I'd really appreciate any input about a better, more secure solution that my clients can set up on their computers on their own. Of course, I provide them with instructions, but it should be relatively simple.

Re: VPN issue

Posted: Fri Aug 30, 2019 1:31 pm
by Bruntee3
Would you mind checking out this article [REMOVED]? It is written on VPN and Windows. I have had almost the same issue. I was unsure which VPN would be better and suitable for my Windows. Glad to get the good guidelines.