I'm using mikrotik RB750 for my office.
I've configure the PPTP VPN and it works fine. I can access the server (192.168.1.5) and other devices through it.
Every time I want to access device01 (192.168.1.42), I just need to connect to PPTP VPN and remote to the server (192.168.1.5). Then I use an application from the server to access device01.using UDP port 47808.
Now I want to access device01 without remote to the server first. I have copied the application that used for accessing device01 from the server to my laptop. I also make sure that device01 can be ping when VPN connection is established. I use the same PPTP VPN.
I run the application from VPN, it can't connect to device01 using UDP port 47808. But when I connect directly to LAN, the application is able to access device01 using UDP port 47808.
Here is the mikrotik configuration.
Code: Select all
# sep/13/2019 11:36:38 by RouterOS 6.45.3
# software id = 2I7M-S1UK
#
# model = 750
# serial number = 566004B31B2D
/interface ethernet
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
name=LAN_KEKAR
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
name=LAN_OLD
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
name=WAN
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
C8:B3:73:3C:3C:2C name=WAN@Publik-MNC
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=kekar_lan ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool2 ranges=192.168.1.200-192.168.1.250
add name=pptp-pool ranges=192.168.1.100-192.168.1.150
add name=lukman-pptp ranges=192.168.1.151
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool2 authoritative=after-2sec-delay \
disabled=no interface=LAN_KEKAR name=dhcp2
/ppp profile
add local-address=pptp-pool name=pptp-profile remote-address=pptp-pool
add local-address=lukman-pptp name=lukman-vpn remote-address=lukman-pptp
/queue tree
add max-limit=2M name=Download parent=LAN_KEKAR priority=1
add max-limit=2M name=Upload parent=WAN@Publik-MNC priority=1
/queue type
add kind=pcq name=pcq_down pcq-classifier=dst-address,dst-port \
pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=pcq_up pcq-classifier=src-address,src-port \
pcq-dst-address6-mask=64 pcq-src-address6-mask=64
/queue tree
add limit-at=2M max-limit=2M name="Group Down Priority 1" packet-mark=\
Down_Priority_1 parent=Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name="Group Up Priority 1" packet-mark=\
Up_Priority_1 parent=Upload priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name="Group Up Priority 2" packet-mark=\
Up_Priority_2 parent=Upload priority=3 queue=pcq_up
add limit-at=2M max-limit=2M name=Steve-DL packet-mark=Steve-DL1 parent=\
Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Steve-UP packet-mark=Steve-UP1 parent=\
Upload priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name=Soni-DL packet-mark=Soni-DL1 parent=\
Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Soni-UP packet-mark=Soni-UP1 parent=Upload \
priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name=Stevan-DL1 packet-mark=Stevan-DL1 parent=\
Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Stevan-UP1 packet-mark=Stevan-UP1 parent=\
Upload priority=1 queue=pcq_up
add limit-at=2M max-limit=2M name="Group Down Priority 2" packet-mark=\
Down_Priority_2 parent=Download priority=3 queue=pcq_down
add limit-at=2M max-limit=2M name=Stevan-DL2 packet-mark=Stevan-DL2 parent=\
Download priority=1 queue=pcq_down
add limit-at=2M max-limit=2M name=Stevan-UP2 packet-mark=Stevan-UP2 parent=\
Upload priority=1 queue=pcq_up
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add name=actionpantau target=echo
/interface detect-internet
set detect-interface-list=all
/interface pptp-server server
set enabled=yes
/ip accounting
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=LAN_KEKAR network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN@Publik-MNC
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,192.200.110.108,192.200.110.109
/ip firewall address-list
add address=192.168.1.0/24 list=allow-ip
add address=192.168.1.151 list=lukman
add address=192.168.1.31-192.168.1.60 list="Blocked IP"
add address=192.168.1.40-192.168.1.42 list="Allow IP PPTP Lukman"
add address=192.168.1.1-192.168.1.29 list="Group Priority 1"
add address=192.168.1.200-192.168.1.250 list="Group Priority 2"
add address=192.168.1.100-192.168.1.150 disabled=yes list="PPTP Pool"
/ip firewall filter
add action=tarpit chain=input comment=\
"Add you ip addess to allow-ip in Address Lists." dst-port=30553 \
protocol=tcp
add action=add-src-to-address-list address-list=allow-ip \
address-list-timeout=1h chain=input comment=\
"The security flaw for Hajime is closed by the firewall." packet-size=\
1083 protocol=icmp
add action=accept chain=forward comment=Test dst-address-list=192.168.1.42 \
dst-port=47808 protocol=udp src-address-list="PPTP Pool" src-port=47808
add action=accept chain=input comment=\
"Please update RotherOS and change password." src-address-list=allow-ip
add action=drop chain=input comment=\
" Thanks are accepted on WebMoney Z399578297824" dst-port=53 protocol=udp
add action=drop chain=forward comment=\
"Block Internet 192.168.1.31 - 192.168.1.60" out-interface=WAN@Publik-MNC \
protocol=tcp src-address=192.168.1.31-192.168.1.60 src-address-list=\
"Blocked IP"
add action=drop chain=forward disabled=yes out-interface=WAN@Publik-MNC \
protocol=udp src-address=192.168.1.31-192.168.1.60 src-address-list=\
"Blocked IP"
add action=drop chain=input comment=\
"or BTC 14qiYkk3nUgsdqQawiMLC1bUGDZWHowix1" dst-port=\
53,8728,8729,21,22,23,80,443 protocol=tcp
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=passthrough chain=input
add action=accept chain=forward comment="Lukman VPN" dst-address-list=\
"Allow IP PPTP Lukman" src-address=192.168.1.151 src-address-list=lukman
add action=drop chain=forward dst-address-list=allow-ip src-address=\
192.168.1.151 src-address-list=lukman
/ip firewall mangle
add action=mark-packet chain=forward comment="Download Priority 1" \
dst-address-list="Group Priority 1" new-packet-mark=Down_Priority_1 \
passthrough=no
add action=mark-packet chain=forward comment="Download Priority 2" \
dst-address-list="Group Priority 2" new-packet-mark=Down_Priority_2 \
passthrough=no
add action=mark-packet chain=forward comment="Upload Priority 1" \
new-packet-mark=Up_Priority_1 passthrough=no src-address-list=\
"Group Priority 1"
add action=mark-packet chain=forward comment="Upload Priority 2" \
new-packet-mark=Up_Priority_2 passthrough=no src-address-list=\
"Group Priority 2"
add action=mark-connection chain=prerouting comment="Priority Steve" \
new-connection-mark=Steve-DL1 passthrough=yes src-mac-address=\
4C:BB:58:66:76:F6
add action=mark-packet chain=prerouting connection-mark=Steve-DL1 \
new-packet-mark=Steve-DL1 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Steve-UP1 \
passthrough=no src-mac-address=4C:BB:58:66:76:F6
add action=mark-connection chain=prerouting comment="Priority Soni" \
new-connection-mark=Soni-DL1 passthrough=yes src-mac-address=\
7C:2A:31:A0:C3:EB
add action=mark-packet chain=prerouting connection-mark=Soni-DL1 \
new-packet-mark=Soni-DL1 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Soni-UP1 passthrough=\
no src-mac-address=7C:2A:31:A0:C3:EB
add action=mark-connection chain=prerouting comment="Priority Stevan 1" \
new-connection-mark=Stevan-DL1 passthrough=yes src-mac-address=\
50:3E:AA:7C:CA:BA
add action=mark-packet chain=prerouting connection-mark=Stevan-DL1 \
new-packet-mark=Stevan-DL1 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Stevan-UP1 \
passthrough=no src-mac-address=50:3E:AA:7C:CA:BA
add action=mark-connection chain=prerouting comment="Priority Stevan 2" \
new-connection-mark=Stevan-DL2 passthrough=yes src-mac-address=\
28:C6:3F:FE:53:DF
add action=mark-packet chain=prerouting connection-mark=Stevan-DL2 \
new-packet-mark=Stevan-DL2 passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=Stevan-UP2 \
passthrough=no src-mac-address=28:C6:3F:FE:53:DF
add action=log chain=postrouting comment=192.168.1.42 dst-address=\
192.168.1.42 dst-port=47808 log-prefix=request protocol=udp
add action=log chain=prerouting log-prefix=response protocol=udp src-address=\
192.168.1.42 src-port=47808
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN@Publik-MNC
add action=dst-nat chain=dstnat comment="server ubuntu 192.168.1.5" dst-port=\
8080 protocol=tcp to-addresses=192.168.1.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=1883 protocol=tcp to-addresses=\
192.168.1.5 to-ports=1883
add action=dst-nat chain=dstnat comment=192.168.1.81 dst-port=8081 protocol=\
tcp to-addresses=192.168.1.81 to-ports=8888
add action=accept chain=dstnat dst-address=192.168.1.81 dst-address-list="" \
dst-port=80 protocol=tcp src-address=110.50.84.164 src-port=82
add action=dst-nat chain=dstnat comment=192.168.1.30 dst-port=4539 log=yes \
protocol=tcp to-addresses=192.168.1.30 to-ports=80
add action=dst-nat chain=dstnat dst-port=4540 log=yes protocol=tcp \
to-addresses=192.168.1.30 to-ports=81
add action=dst-nat chain=dstnat dst-port=4541 log=yes protocol=tcp \
to-addresses=192.168.1.30 to-ports=82
add action=dst-nat chain=dstnat dst-port=4542 log=yes protocol=tcp \
to-addresses=192.168.1.30 to-ports=8336
add action=dst-nat chain=dstnat dst-port=4543 log=yes protocol=tcp \
to-addresses=192.168.1.30 to-ports=8337
add action=dst-nat chain=dstnat dst-port=4544 log=yes protocol=tcp \
to-addresses=192.168.1.30 to-ports=8888
add action=dst-nat chain=dstnat dst-port=4545 log=yes protocol=tcp \
to-addresses=192.168.1.30 to-ports=8889
add action=dst-nat chain=dstnat dst-port=4546 log=yes protocol=tcp \
to-addresses=192.168.1.30 to-ports=10001
add action=dst-nat chain=dstnat dst-port=4547 log=yes protocol=tcp \
to-addresses=192.168.1.30 to-ports=10002
add action=dst-nat chain=dstnat dst-port=4548 log=yes protocol=tcp \
to-addresses=192.168.1.30 to-ports=14000
add action=dst-nat chain=dstnat comment=192.168.1.33 disabled=yes dst-port=\
47808-47823 log=yes protocol=udp to-addresses=192.168.1.33 to-ports=\
47808-47823
add action=dst-nat chain=dstnat comment=192.168.1.40 disabled=yes dst-port=\
47808-47823 log=yes protocol=udp to-addresses=192.168.1.40 to-ports=\
47808-47823
add action=dst-nat chain=dstnat comment=192.168.1.41 disabled=yes dst-port=\
47808-47823 log=yes protocol=udp to-addresses=192.168.1.41 to-ports=\
47808-47823
add action=dst-nat chain=dstnat comment=192.168.1.42 disabled=yes \
dst-address-type=local dst-port=47808 log=yes protocol=udp to-addresses=\
192.168.1.42 to-ports=47808
/ip route
add disabled=yes distance=1 gateway=110.50.84.1
/ip service
set telnet disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
/ppp secret
add name=soni password=******** profile=pptp-profile
add name=stevan password=******** profile=pptp-profile
add name=soni1 password=******** profile=pptp-profile
add local-address=10.1.101.1 name=Admin password=******** profile=\
default-encryption remote-address=10.1.101.100 service=pptp
add local-address=192.168.1.1 name=lukman password=******** profile=\
lukman-vpn remote-address=192.168.1.151
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=KEKARTAMA
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
add action=actionpantau disabled=yes topics=ssh
/system note
set note="The security flaw for Hajime is closed by the firewall. Please updat\
e RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk\
3nUgsdqQawiMLC1bUGDZWHowix1"
/tool traffic-monitor
add interface=LAN_KEKAR name=tmon1 threshold=1000 trigger=always
add interface=LAN_KEKAR name=tmon2 threshold=0
And this the device that I want to connect into
Pls advise.
Thank you.
