VPN server IP: 172.16.10.1
Client IP given: 172.16.10.250-254
I can connect fine to the VPN through a public IP and ping and access the mikrotik that is acting as the PPTP server, as well as anything on the same subnet that isn't a mikrotik. For example, we have multiple Alvarion access points that I can ping and access through SNMP, but the mikrotik access points are inaccessible, as are the mikrotiks we use for backhaul. VPN is running 4.3, and I upgraded the MT access points to 4.5 while testing, as well as removed the firewall filter rules that were set to only allow access by certain IPs (address list already included the IPs assigned by the vpn server as well as the vpn ip itself) to no avail.
When on the network, using the same IP even, I can access everything fine.
Any help is appreciated.
Thanks,
Greg
Re: PPTP connection, can't ping anything mikrotik
My guess is that the packets are received by your MikroTik devices, but that they don't send the new packets back on the correct route. Ensure that the gateway address / routing table entries for the path to the VPN clients are correct.
You could also enable a log filter for the forward chain to log all the packets of the ICMP (1) protocol. By doing so, you could perhaps see that the packets are forwarded by the VPN server to the MikroTik devices and perhaps also received by the VPN server, but not forwarded back to the VPN clients?
Since you're saying that the replies are received from the Alvarion access points, but not from the MikroTik devices, you could always try and match up their routing tables. If its not a problem in the routing tables of the MikroTik devices, then it has to be an error with your NAT/masquerade firewall entry.
Could you perhaps post your firewall rules & IP routes, as well as the subnet of the MikroTik devices that are inaccessible?
Note: I'm not an expert in this field, so please excuse me if I have it completely wrong here.
Edit:
I've just had an issue with my PPTP VPN server (running on ROS v4.5), where I was unable to access any Google pages. It was due to the MTU being set to 1492, instead of the default 1460.
You could also enable a log filter for the forward chain to log all the packets of the ICMP (1) protocol. By doing so, you could perhaps see that the packets are forwarded by the VPN server to the MikroTik devices and perhaps also received by the VPN server, but not forwarded back to the VPN clients?
Since you're saying that the replies are received from the Alvarion access points, but not from the MikroTik devices, you could always try and match up their routing tables. If its not a problem in the routing tables of the MikroTik devices, then it has to be an error with your NAT/masquerade firewall entry.
Could you perhaps post your firewall rules & IP routes, as well as the subnet of the MikroTik devices that are inaccessible?
Note: I'm not an expert in this field, so please excuse me if I have it completely wrong here.
Edit:
I've just had an issue with my PPTP VPN server (running on ROS v4.5), where I was unable to access any Google pages. It was due to the MTU being set to 1492, instead of the default 1460.
Re: PPTP connection, can't ping anything mikrotik
All the hosts I'm unable to access are also in the 172.16.10.x subnet and use 172.16.10.1 as the default route, and are accessible from other subnets when not going through the VPN. The routerboard at 172.16.10.1 also does routing for the 172.16.1.x and 172.16.2.x network - that's actually it's main purpose. Ether5 has the public IP for the VPN and uses the firewall rules below.
mangle
0 chain=input action=mark-connection new-connection-mark=vpn passthrough=no in-interface=ether5
1 chain=output action=mark-routing new-routing-mark=vpn passthrough=no connection-mark=vpn
nat
0 chain=srcnat action=masquerade out-interface=ether5
Removing the masquerade rule doesn't appear to change anything, so it wouldn't surprise me if I have something wrong with it.
mangle
0 chain=input action=mark-connection new-connection-mark=vpn passthrough=no in-interface=ether5
1 chain=output action=mark-routing new-routing-mark=vpn passthrough=no connection-mark=vpn
nat
0 chain=srcnat action=masquerade out-interface=ether5
Removing the masquerade rule doesn't appear to change anything, so it wouldn't surprise me if I have something wrong with it.
Re: PPTP connection, can't ping anything mikrotik
The NAT rule is fine, however I'm not so sure about the mangling.
I'm using:
/ip firewall mangle
add chain=prerouting action=mark-connection connection-mark=vpn passthrough=yes src-address=172.16.10.250-172.16.10.254
add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no connection-mark=vpn
I think someone else should help you out here if that doesn't solve your routing problem.
I'm using:
/ip firewall mangle
add chain=prerouting action=mark-connection connection-mark=vpn passthrough=yes src-address=172.16.10.250-172.16.10.254
add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no connection-mark=vpn
I think someone else should help you out here if that doesn't solve your routing problem.
Re: PPTP connection, can't ping anything mikrotik
Swapping out the mangle rules I had for the ones you provided makes it so I can only ping the vpn router and nothing past it, not even what I could before.
Re: PPTP connection, can't ping anything mikrotik
Hi,
I'm not sure if you've managed to solved this yet, but I'm sort of in the same situation now. I saw that I've made a syntax error in my previous post:
I find it quite odd: my games & web browser works fine, but my IRC is connecting from the wrong interface when I'm just using:
I'm connecting from a PPTP VPN (192.168.128.8/30) and trying to use ISP1 (interface = pppoe-isp1) which would be dedicated for me and my PPTP VPN IP address block only!
I now have everything working when I add a new rule at the end:
Here's all most of the relevant code:
The problem with the last line is that the gateway identifier is lost as soon as <pptp-vpn> connection drops (or reconnects for that matter!). I haven't had the time yet to write a script to fix it. I just wish ROS won't delete that gateway identifier as soon as the connection is lost!
I'm not sure if you've managed to solved this yet, but I'm sort of in the same situation now. I saw that I've made a syntax error in my previous post:
should've beenadd chain=prerouting action=mark-connection connection-mark=vpn passthrough=yes src-address=172.16.10.250-172.16.10.254
Code: Select all
add chain=prerouting action=mark-connection new-connection-mark=vpn passthrough=yes src-address=172.16.10.250-172.16.10.254I'm connecting from a PPTP VPN (192.168.128.8/30) and trying to use ISP1 (interface = pppoe-isp1) which would be dedicated for me and my PPTP VPN IP address block only!
Code: Select all
/ip route
add dst-address=192.168.128.8/30 gateway=<pptp-vpn> routing-mark=isp1
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=isp1 passthrough=yes src-address=192.168.128.8/30
add chain=input action=mark-connection new-connection-mark=isp1 passthrough=yes in-interface=isp1
add chain=prerouting action=mark-routing new-routing-mark=isp1 passthrough=no connection-mark=isp1Code: Select all
add chain=output action=mark-routing new-routing-mark=isp1 passthrough=no connection-mark=isp1
Code: Select all
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=isp1 passthrough=yes src-address=192.168.128.8/30
add chain=input action=mark-connection new-connection-mark=isp1 passthrough=yes in-interface=pppoe-isp1
add chain=prerouting action=mark-routing new-routing-mark=isp1 passthrough=no connection-mark=isp1
add chain=output action=mark-routing new-routing-mark=isp1 passthrough=no connection-mark=isp1
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.128.8/30 routing-mark=isp1 out-interface=pppoe-isp1
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-isp1 routing-mark=isp1
add dst-address=192.168.128.8/30 gateway=<pptp-vpn> routing-mark=isp1
Re: PPTP connection, can't ping anything mikrotik
Any sollution?
Re: PPTP connection, can't ping anything mikrotik
I've got the same problem yesterday while using VPN connection. I could not ping any local address so I've changed ARP to proxy-arp on the appropriate interface which definitely solved my problem. Cheers!
Re: PPTP connection, can't ping anything mikrotik
Thank you. Two week I lost with find a way to solve this problem.I've got the same problem yesterday while using VPN connection. I could not ping any local address so I've changed ARP to proxy-arp on the appropriate interface which definitely solved my problem. Cheers!
Client if had unmark "Use gateway of remote network", can connect only to Mikrotik gate.
Now I change ARP from "Enabled" to "Proxy-ARP" on WAN interface and local bridge. And now all works perfect!
Sorry for my English)
Re: PPTP connection, can't ping anything mikrotik
How do you enable proxy arp on an interface? all i can find is CLI commands, surely there is a way to do it through the GUI?