marcus65

VPN does not connect

Wed Mar 26, 2014 3:45 pm

I cannot VPN into my RB2011 over the public Internet. I set up a PPTP server on my RB2011 and got it working on my LAN: the client machine shows a point-to-point connection with the proper IP addresses and a ppp0 interface when I run ifconfig, and it shows up on the MikroTik router as an active connection. However, I cannot connect from the coffee shop down the street.

I tried opening the firewall several different ways, but nothing worked.
These are my current "IP Firewall Filter" rules for VPN:

# The two VPN accept rules (no action= is given; the action defaults to accept,
# as with the "Accept Ping" default rule in the full export).
# NOTE(review): both rules match a fixed dst-address, while the full export shows
# ether1-gateway getting its address from a DHCP client — the rules only match
# while that redacted address is the current WAN address; matching on
# in-interface=ether1-gateway instead would not depend on it. src-port="" is an
# empty match value; presumably it has no effect — verify.
add chain=input comment="Allow VPN" dst-address=xxx.xxx.xxx.xxx dst-port=1723 \
protocol=tcp src-port=""
add chain=input dst-address=xxx.xxx.xxx.xxx protocol=gre

Is this a firewall issue?

I am also not sure of the theory behind this PPP connection:
- Does each PPP connection need a unique local and remote address, or can several remote users share the same local address?
- One VPN example I found used the router's internal address as the local VPN address. I could connect this way, but the connection froze immediately (clearly a bad idea).
- Is each PPTP connection a /32, as described in Steve Discher's book?

I really need to get VPN working for my client!!

Here is the `export compact` output:
[admin@kp-router] > export compact
# mar/25/2014 18:49:15 by RouterOS 6.0rc14
# software id =
#
# RouterOS export as pasted in the post (RB2011). Addresses written as
# xx.xx.xx.xx / xxx.xxx.xxx.xxx are the poster's redactions of the public address.
# Firewall filter rules are evaluated in order, so the position of each rule
# in /ip firewall filter below is significant.
/interface bridge
# arp=proxy-arp on the LAN bridge: presumably this is what lets LAN hosts reach
# PPP clients that get addresses from inside the LAN /24 (see pool-pptp-remote) — verify.
add admin-mac=D4:CA:6D:7B:BC:56 arp=proxy-arp auto-mac=no l2mtu=1598 name=\
bridge-local protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above country="united states" \
disabled=no distance=indoors hide-ssid=yes ht-rxchains=0,1 ht-txchains=\
0,1 l2mtu=2290 mode=ap-bridge ssid=kp-private wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
set 10 disabled=yes name=sfp1-gateway
/ip neighbor discovery
set sfp1-gateway discover=no
/interface wireless security-profiles
# NOTE(review): the WPA pre-shared key value appears in the export (shown as
# "wpakey", possibly already redacted) — treat exports as sensitive before sharing.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=wpakey \
wpa2-pre-shared-key=wpakey
add management-protection=allowed name=Open
/interface wireless
# wlan2 uses the "Open" profile above (no authentication-types set) and is a
# separate /27 (192.168.2.0/27) rather than a bridge port.
add comment="Public Wireless Network" disabled=no l2mtu=2290 mac-address=\
D6:CA:6D:7B:BC:5F master-interface=wlan1 name=wlan2 security-profile=Open \
ssid=mynet
/interface wireless manual-tx-power-table
set wlan2 comment="Public Wireless Network"
/interface wireless nstreme
set wlan2 comment="Public Wireless Network"
/ip neighbor discovery
set wlan2 comment="Public Wireless Network"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.1.30-192.168.1.59
add name=pool-wlan2 ranges=192.168.2.10-192.168.2.30
# Remote VPN addresses come from inside the LAN /24. The first address,
# 192.168.1.65, is also the fixed remote-address of the default PPP profile
# (set 0 under /ppp profile) — possible overlap, confirm which is intended.
add name=pool-pptp-remote ranges=192.168.1.65-192.168.1.79
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local lease-time=\
1d name=default
add address-pool=pool-wlan2 disabled=no interface=wlan2 lease-time=1h name=\
dhcp-srv-2
/port
set 0 name=serial0
/ppp profile
set 0 local-address=192.168.1.1 remote-address=192.168.1.65
# profile-vpn: local-address 192.168.1.64 lies inside the LAN /24 but is not the
# router's own address (192.168.1.1); remote addresses are drawn from pool-pptp-remote.
add change-tcp-mss=yes local-address=192.168.1.64 name=profile-vpn \
remote-address=pool-pptp-remote use-mpls=no
/queue simple
add disabled=yes name=queue1
add burst-limit=256k/256k burst-threshold=256k/256k burst-time=2s/2s comment=\
"Limit wlan2" max-limit=128k/128k name=queue2 target=wlan2
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
/interface l2tp-server server
# l2tp-server only has its profile set here; it is not enabled in this export.
set default-profile=profile-vpn
/interface pptp-server server
# NOTE(review): pap, chap and mschap1 are accepted alongside mschap2; pap sends
# the password unencrypted. Once connectivity works, consider authentication=mschap2 only.
set authentication=pap,chap,mschap1,mschap2 default-profile=profile-vpn \
enabled=yes max-mru=1460 max-mtu=1460
/interface sstp-server server
# sstp-server is enabled, but no input accept rule for tcp/443 appears in
# /ip firewall filter below, so the terminal drop rule would catch it from the WAN —
# TODO confirm whether SSTP is meant to be reachable.
set default-profile=profile-vpn enabled=yes
/ip address
add address=192.168.1.1/24 comment=LAN interface=bridge-local network=\
192.168.1.0
add address=192.168.2.1/27 comment="Public Wireless Network" interface=wlan2 \
network=192.168.2.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
sfp1-gateway
# ether1-gateway takes its address from DHCP, so the public address can change;
# the filter and dst-nat rules below match a fixed (redacted) dst-address instead
# of the interface.
add comment="default configuration" dhcp-options=hostname,hostname,clientid \
disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.1.0/24 comment=LAN dns-server=\
192.168.1.10,209.18.47.61,209.18.47.62 domain=myplace.us gateway=\
192.168.1.1 netmask=24 ntp-server=192.168.1.10 wins-server=192.168.1.10
add address=192.168.2.0/27 comment=wlan2 dns-server=\
192.168.1.10,209.18.47.61,209.18.47.62 gateway=192.168.2.1 netmask=27 \
ntp-server=192.168.1.10
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries; there is no
# udp/53 accept rule in the input chain below, so WAN-side queries should reach
# the terminal drop rule — inference from rule order, verify.
set allow-remote-requests=yes servers=192.168.1.10
/ip firewall address-list
add address=192.168.2.0/27 list=Open_WLAN
/ip firewall filter
# Rules without action= accept (see the "Accept Ping" comment). Order is:
# icmp, related, established, LAN management, VPN allows, then drop.
add chain=input comment="default configuration (Accept Ping)" protocol=icmp
add chain=input comment="default configuration (Accept Related)" \
connection-state=related
add chain=input comment="default configuration (Accept Established)" \
connection-state=established
add chain=input comment="Allow FTP, SSH, HTTP & Winbox from LAN" dst-address=\
192.168.1.1 dst-port=21,22,80,8291,1723 in-interface=bridge-local \
protocol=tcp src-address=192.168.1.0/24
# VPN allows (tcp/1723 and gre). Both match a fixed dst-address rather than
# in-interface=ether1-gateway; if the redacted address is not the address the
# DHCP client currently holds, neither rule matches and the drop rule below
# wins. src-port="" is an empty match value — presumably no effect, verify.
add chain=input comment="Allow VPN" dst-address=xxx.xxx.xxx.xxx dst-port=1723 \
protocol=tcp src-port=""
add chain=input dst-address=xxx.xxx.xxx.xxx protocol=gre
add chain=forward comment="Allow remote mail send" dst-port=25 in-interface=\
ether1-gateway protocol=tcp
# Terminal rule for chain=input: any new service must get its accept rule above this line.
add action=drop chain=input comment=\
"default configuration (Drop everything else)"
# The three forward rules below are disabled=yes; apart from the mail accept
# above, no forward-chain filtering is active in this export.
add chain=forward comment=\
"Forward New -- Then accept established & related" connection-state=new \
disabled=yes src-address=192.168.1.0/24
add chain=forward connection-state=established disabled=yes
add chain=forward connection-state=related disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
dst-address=0.0.0.0/0 out-interface=ether1-gateway to-addresses=0.0.0.0
# Port forwards to 192.168.1.10/.16; same fixed-dst-address caveat as the
# filter rules (ether1-gateway address comes from DHCP).
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=80 \
protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=21 \
protocol=tcp to-addresses=192.168.1.10 to-ports=21
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=143 \
protocol=tcp to-addresses=192.168.1.10 to-ports=143
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=993 \
protocol=tcp to-addresses=192.168.1.10 to-ports=993
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=25 \
protocol=tcp to-addresses=192.168.1.10 to-ports=25
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=8065 \
protocol=tcp to-addresses=192.168.1.16 to-ports=8065
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-port=\
21,22,25,80,143,587,993,443,8065 out-interface=bridge-local protocol=tcp \
src-address=192.168.1.0/24
/ip smb
set domain=JOP interfaces=bridge-local
/ppp secret
# NOTE(review): PPP passwords are shown in clear text in this export — rotate
# them if the export has been shared, and redact secrets before posting.
# "marcus" and "test" carry fixed local/remote addresses and no profile=, so
# they use the default profile; only "phil" uses profile-vpn and pool-pptp-remote.
add local-address=192.168.1.1 name=marcus password=marcus00 remote-address=\
192.168.1.60
add name=phil password=phil00 profile=profile-vpn
add local-address=192.168.1.10 name=test password=test00 remote-address=\
192.168.1.193
/routing rip
# RIP redistributes connected routes; no RIP interfaces are listed in this
# export, so whether anything is actually advertised can't be told from here.
set redistribute-connected=yes
/special-login
add port=serial0
/system clock
set time-zone-name=America/New_York
/system identity
set name=kp-router
/system ntp client
set enabled=yes mode=unicast primary-ntp=192.168.1.10
/tool mac-server
# Layer-2 (MAC) management access is enabled on the bridge and on every LAN
# and wireless port listed; ether1-gateway and wlan2 are not in the list.
add disabled=no interface=bridge-local
add disabled=no interface=ether2
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no interface=ether5
add disabled=no interface=ether6-master-local
add disabled=no interface=ether7-slave-local
add disabled=no interface=ether8-slave-local
add disabled=no interface=ether9-slave-local
add disabled=no interface=wlan1
/tool mac-server mac-winbox
# The default "all interfaces" entry is disabled and replaced by an explicit
# list mirroring the mac-server list above.
set [ find default=yes ] disabled=yes
add interface=bridge-local
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=wlan1
[admin@kp-router] >