saracen
just joined
Topic Author
Posts: 6
Joined: Sun Sep 09, 2012 7:35 pm

PPTP Client Connection

Mon Sep 10, 2012 3:27 pm

Hi,

I've been trying to set up a pptp client connection for a few days now without success. I've read the forums where people appear to have a similar problem to mine, but were unable to solve it. I've read the wiki pages - and the configuration seems very simple (masquerade, marking packets) - but I'm still unable to allow traffic to go over the pptp connection.

Rather than list the configurations I've tried (as I may have been doing them incorrectly), I hope I can start afresh and have somebody tell me what my next steps should be.

My current basic router configuration without a pptp connection:
[admin@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                             TYPE               MTU L2MTU  MAX-L2MTU
 0  R  WAN (ether1)                     ether             1500  1526       1526
 1  R  LAN (ether2)                     ether             1500  1522       1522


[admin@MikroTik] /ip dhcp-client> print
Flags: X - disabled, I - invalid 
 #   INTERFACE                         USE ADD STATUS        ADDRESS           
 0   WAN (ether1)                      yes yes bound         188.95.41.184/25  


[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   192.168.1.1/24     192.168.1.0     LAN (ether2)                           
 1 D 188.95.41.184/25   188.95.41.128   WAN (ether1)

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=WAN (ether1)


[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          188.95.41.129             1
 1 ADC  188.95.41.128/25   188.95.41.184   WAN (ether1)              0
 2 ADC  192.168.1.0/24     192.168.1.1     LAN (ether2)              0
To summarise: I have two interfaces, WAN and LAN. WAN gets an internet IP via DHCP. LAN has clients (192.168.1.*) that are able to access the internet via my masquerade rule. This works.

Adding a pptp client connection:
Flags: X - disabled, R - running 
 0    name="pptp-out1" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=81.171.97.2 user="fiveturns" password="*****" profile=default-encryption 
      add-default-route=no dial-on-demand=no allow=mschap2 
This connection is successful (Local IP: 172.20.0.4, Remote IP: 81.171.97.2). However, the connection periodically times out (pptp debug, "terminating... - keepalives timed out").

Notice the connection doesn't add a default route. Over the last few days, I've been adding a static route with a route mark etc following wiki pages/advice that hasn't yet worked. So at this point, I'm hoping somebody can point me in the correct direction.

What static route should I add? What configuration can I use to prevent the timeouts, ping the pptp connection's gateway and eventually, allow me to, for example, make connections to dst port 80 travel over the pptp connection?

The pptp connection is to one of ipvanish.com's VPN servers - if that is relevant at all.

Thank you in advance and apologies for the verbose post / incorrect terminology (I'm new to both Mikrotik products & networking in general).
 
forne
Frequent Visitor
Posts: 65
Joined: Tue Feb 15, 2011 3:18 pm

Re: PPTP Client Connection

Mon Sep 10, 2012 4:41 pm

What static route should I add? What configuration can I use to prevent the timeouts, ping the pptp connection's gateway and eventually, allow me to, for example, make connections to dst port 80 travel over the pptp connection?
Try something like this (untested):
/ip route add dst-address=0.0.0.0/0 gateway=81.171.97.2 check-gateway=ping routing-mark=vpn
/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=vpn connection-mark=no-mark protocol=tcp dst-port=80
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=vpn connection-mark=vpn
 
forne
Frequent Visitor
Posts: 65
Joined: Tue Feb 15, 2011 3:18 pm

Re: PPTP Client Connection

Mon Sep 10, 2012 5:00 pm

If it won't work, add the following:
/ip route rule
add action=lookup table=main
add action=lookup routing-mark=vpn table=vpn
add action=lookup-only-in-table table=default

/routing filter
add action=accept chain=dynamic-in prefix=0.0.0.0/0 set-routing-mark=default
 
saracen
just joined
Topic Author
Posts: 6
Joined: Sun Sep 09, 2012 7:35 pm

Re: PPTP Client Connection

Mon Sep 10, 2012 5:57 pm

/ip route add dst-address=0.0.0.0/0 gateway=81.171.97.2 check-gateway=ping routing-mark=vpn
/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=vpn connection-mark=no-mark protocol=tcp dst-port=80
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=vpn connection-mark=vpn
I added these rules, then tested from my desktop (192.168.1.5) to see if I could access a web page. I could not. Also, the route added swaps between "unreachable" and "reachable", not even in time with the pptp timeouts (which is still occurring).

Routes:
[admin@MikroTik] /ip route> print detail 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0   S  dst-address=0.0.0.0/0 gateway=81.171.97.2 gateway-status=81.171.97.2 unreachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=vpn 

 1 ADS  dst-address=0.0.0.0/0 gateway=188.95.41.129 gateway-status=188.95.41.129 reachable via  WAN (ether1) distance=1 scope=30 target-scope=10 vrf-interface=WAN (ether1) 

 2 ADC  dst-address=81.171.97.2/32 pref-src=172.20.0.4 gateway=pptp-out1 gateway-status=pptp-out1 reachable distance=0 scope=10 

 3 ADC  dst-address=188.95.41.128/25 pref-src=188.95.41.184 gateway=WAN (ether1) gateway-status=WAN (ether1) reachable distance=0 scope=10 

 4 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=LAN (ether2) gateway-status=LAN (ether2) reachable distance=0 scope=10 
The mangle rules do appear to be marking correctly however (byte/packet counter increases).
/ip route rule
add action=lookup table=main
add action=lookup routing-mark=vpn table=vpn
add action=lookup-only-in-table table=default

/routing filter
add action=accept chain=dynamic-in prefix=0.0.0.0/0 set-routing-mark=default
This wasn't successful either. I'm guessing it might be because the "vpn" route keeps going "unreachable" though. Any idea how I can fix that?

Thank you.
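
An added example, not part of the original post or of RouterOS: a small Python check over the `/ip route print detail` output shown above that flags a marked route which is inactive while an unmarked route to the same destination is active. It assumes that a failed lookup in the `vpn` table continues to the main table (the `action=lookup` rule used in this thread), so marked traffic would leave via the WAN instead of the tunnel; the function names are hypothetical.

```python
import re

# Route entries copied from the "/ip route print detail" output in the post above.
ROUTES = """\
 0   S  dst-address=0.0.0.0/0 gateway=81.171.97.2 gateway-status=81.171.97.2 unreachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=vpn
 1 ADS  dst-address=0.0.0.0/0 gateway=188.95.41.129 gateway-status=188.95.41.129 reachable via  WAN (ether1) distance=1 scope=30 target-scope=10 vrf-interface=WAN (ether1)
 2 ADC  dst-address=81.171.97.2/32 pref-src=172.20.0.4 gateway=pptp-out1 gateway-status=pptp-out1 reachable distance=0 scope=10
"""

# Entry line: index, flag letters, then key=value fields.
ENTRY = re.compile(r"^\s*(\d+)\s+([A-Za-z]*)\s+(dst-address=.*)$")
# A value runs up to the next " key=" or end of line, so "WAN (ether1)" stays whole.
FIELD = re.compile(r"([a-z-]+)=(.*?)(?=\s+[a-z-]+=|\s*$)")


def parse_routes(text):
    routes = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # prompt, flag legend, blank lines
        route = {"index": int(m.group(1)), "flags": m.group(2)}
        route.update(FIELD.findall(m.group(3)))
        route["active"] = "A" in route["flags"]
        routes.append(route)
    return routes


def fallback_risks(routes):
    """Marked routes that are inactive while an unmarked route to the same
    destination is active (the assumed fallback for the marked traffic)."""
    main_active = {r["dst-address"] for r in routes
                   if r["active"] and "routing-mark" not in r}
    return [r for r in routes
            if "routing-mark" in r and not r["active"]
            and r["dst-address"] in main_active]


if __name__ == "__main__":
    for r in fallback_risks(parse_routes(ROUTES)):
        print(f'route {r["index"]}: mark={r["routing-mark"]} '
              f'status={r["gateway-status"]!r} is inactive; '
              f'an unmarked route to {r["dst-address"]} is active')
```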
 
forne
Frequent Visitor
Posts: 65
Joined: Tue Feb 15, 2011 3:18 pm

Re: PPTP Client Connection

Tue Sep 11, 2012 6:14 am

And don't forget to do NAT on the pptp interface too.
 
saracen
just joined
Topic Author
Posts: 6
Joined: Sun Sep 09, 2012 7:35 pm

Re: PPTP Client Connection

Tue Sep 11, 2012 3:48 pm

Added the NAT rule.

Still not working. I can't ping the gateway either, which I'm guessing is why the gateway keeps going "unreachable". I thought perhaps marking the connection "vpn" for icmp traffic would work, but it did not.

Monitoring traffic on the pptp interface, I see the direction is only tx.

Thank you for your help so far. Any other ideas? :(
 
forne
Frequent Visitor
Posts: 65
Joined: Tue Feb 15, 2011 3:18 pm

Re: PPTP Client Connection

Tue Sep 11, 2012 4:52 pm

Sorry, I overlooked one of your messages somehow. :(
This wasn't successful either. I'm guessing it might be because the "vpn" route keeps going "unreachable" though. Any idea how I can fix that?
Remove "check-gateway=ping" from the static route as yet. Check whether you will get a working connection to tcp port 80 from any host from the local network.

Also I didn't expect any vrf interfaces. Not sure if it makes sense, but try to replace this:
/routing filter add action=accept chain=dynamic-in prefix=0.0.0.0/0 set-routing-mark=default
by this:
/routing filter add action=discard chain=dynamic-in prefix=0.0.0.0/0
/ip route add dst-address=0.0.0.0/0 gateway=188.95.41.129 routing-mark=default
Btw, are you sure that your pptp connection is allowed to access Internet at all? Can you ping any remote host through the pptp connection from the router? Just add a static route to any remote host pointing to the pptp gateway and ping that address then:
/ip route add dst-address=173.194.32.229/32 gateway=81.171.97.2
/ping 173.194.32.229
 
saracen
just joined
Topic Author
Posts: 6
Joined: Sun Sep 09, 2012 7:35 pm

Re: PPTP Client Connection

Tue Sep 11, 2012 6:41 pm

Nope, no working connection through port 80. Pinging a remote host through the pptp connection didn't work either.

I'm sure the connection should work fine. Making a connection from my Windows desktop to the vpn server works fine - traffic goes through as expected. As does making a connection through my local linux server (these are all connected to a switch that connects to the mikrotik router).

My linux server did require this configuration however:

# echo "200 vpn" >> /etc/iproute2/rt_tables
# ip rule add from 81.171.97.2 table vpn
# ip route add default dev ppp0 table vpn

curl --interface ppp0 checkip.dyndns.com then worked.

I tried to replicate this on my router - it also seems pretty similar to the configuration you asked me to set up. But yeah... no luck.
 
forne
Frequent Visitor
Posts: 65
Joined: Tue Feb 15, 2011 3:18 pm

Re: PPTP Client Connection

Tue Sep 11, 2012 7:00 pm

saracen, you have no rules in /ip firewall filter, right? Sorry, I don't know what else to try. I'd suggest you restore your configuration to the initial state (remove routing stuff) and get the pptp connection working using a simple ping from the router through a static route to a remote host. Maybe pptp encryption makes sense - I don't know.
 
saracen
just joined
Topic Author
Posts: 6
Joined: Sun Sep 09, 2012 7:35 pm

Re: PPTP Client Connection

Tue Sep 11, 2012 8:06 pm

No, no firewall filter rules.

Removed rules I added and tried with just the static route to remote host. Still nothing. I think I'm going to have to give up.

I'll try to see if it works with another VPN provider, so the help you've given me will probably come in handy again. Thank you for that.

It will be interesting if it does work with another provider however, and it will bother me as to why. (Bug with the pptp client? IPVanish specifically not playing nice with the router's client?)

Again, thank you for your help.
 
saracen
just joined
Topic Author
Posts: 6
Joined: Sun Sep 09, 2012 7:35 pm

Re: PPTP Client Connection

Wed Sep 12, 2012 12:21 am

So, I just registered with a different VPN provider - this set up immediately works.

It appears there's an incompatibility between mikrotik routers (at least mine 433AH, OS v5.20) pptp client and IPVanish's servers.