How to set up PPTP VPN on your Mikrotik

August 12, 2012 | admin | Mikrotik

Don’t get overwhelmed by the long list below. Here is all you are trying to
accomplish:

1. Turn on the PPTP Server in the router
2. Set up a login and password for the VPN connection
3. Tell the router what IP addresses you want to use for this connection
4. Open port 1723 and the GRE protocol in the Firewall
5. That’s it.

Basic setup

1. Click PPP
2. Click PPTP Server
3. In the PPTP Server window, click the Enabled checkbox and click OK
4. Click the Secrets tab
5. Click the + to add a new Secret
6. In Name, enter the login you want to use for your VPN connection
7. In Password, enter the password you want to use
8. In Service, click the drop-down and select pptp
9. In Profile, select default-encryption
10. In Local Address, enter an address on the LAN that you want to send your traffic through. I’ve used the router’s LAN IP, a ‘random’ IP address on the subnet, etc. Haven’t seen that one is better than the other…yet…
11. In Remote Address, enter the IP address that you want your device to get when it establishes a connection. Pick an IP address on a different subnet from your LAN. Trust me, it will work.
12. Enter a Comment if you want
13. Click OK
14. Click on IP, then Firewall, then the Filter Rules tab
15. Add a new rule with the + sign
16. Set Chain to input
17. Set Protocol to tcp
18. Set Dst. Port to 1723
19. Click on the Action tab and make sure Action is set to accept
20. Give it a Comment of “VPN” or something meaningful to you
21. Click OK
22. Drag this rule ABOVE THE DEFAULT “drop” RULE
23. Add another new Firewall Filter rule
24. Set Chain to input
25. Set Protocol to gre
26. Click on the Action tab and make sure Action is set to accept
27. Give it a Comment of “VPN” or something meaningful to you
28. Click OK
29. Drag this rule ABOVE THE DEFAULT “drop” RULE
30. Done

I know it looks like a lot, but once you’ve done this a few times, you can do all these steps in
about 2 minutes.
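The thirty Winbox clicks above as RouterOS terminal commands, pasted into a Winbox “New Terminal”. This is an added example, not the site’s own script (the admin says in the comments that one is not written yet). It takes the WAN interface name (ether1-gateway), the router’s LAN address (192.168.1.1) and the remote address on a different subnet (192.168.5.1) from the router export posted further down in the comments; LOGIN and PASSWORD are placeholders. It assumes the default firewall with exactly one drop rule in the input chain, as in that export, so the rules can be placed above it without dragging. Two settings go beyond the post and are my choices: the accept rules are scoped to the WAN interface, and the PPTP server is limited to MS-CHAPv2.

```routeros
# Added example, not from the original post: steps 1-30 as CLI commands.
# Names and addresses below come from the export in the comments; LOGIN and
# PASSWORD are placeholders to replace.

# Steps 1-3: turn on the PPTP server. Limiting authentication to mschap2
# (the post's steps keep the default mschap1,mschap2) is this example's choice.
/interface pptp-server server set enabled=yes default-profile=default-encryption \
    authentication=mschap2

# Steps 4-13: one PPP secret per user. local-address is the router's LAN IP
# (step 10); remote-address is on a different subnet from the 192.168.1.0/24 LAN
# (step 11), which is what the admin recommends in the comment thread.
/ppp secret add name=LOGIN password=PASSWORD service=pptp profile=default-encryption \
    local-address=192.168.1.1 remote-address=192.168.5.1 comment="Home VPN"

# Alternative discussed in the comments (not used here): if the remote address
# must sit on the LAN subnet itself, enable proxy-arp on the LAN port instead:
# /interface ethernet set ether2-master-local arp=proxy-arp

# Steps 14-29: accept the PPTP control channel (TCP 1723) and GRE on the input
# chain, and insert each rule directly above the default drop rule instead of
# dragging it in Winbox. in-interface=ether1-gateway is an added tightening so the
# rules only match traffic arriving on the WAN port, like the default rules do.
# place-before expects a single rule id; :pick takes the first input drop rule.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 \
    in-interface=ether1-gateway action=accept comment="VPN" \
    place-before=[:pick [/ip firewall filter find chain=input action=drop] 0]
/ip firewall filter add chain=input protocol=gre \
    in-interface=ether1-gateway action=accept comment="VPN" \
    place-before=[:pick [/ip firewall filter find chain=input action=drop] 0]

# Step 30: list the input chain and confirm both "VPN" rules sit above the drop.
/ip firewall filter print where chain=input
```

The two firewall rules are added in the same order the post creates them, so after the paste the input chain reads: default accepts, TCP/1723 accept, GRE accept, drop. If `place-before` complains that no drop rule was found, the router has no default firewall (the situation one commenter describes below) and the rules are simply appended at the end.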

 Cory

So PPTP is required for VPN? This has nothing to do with PPPOE WAN connections
right?

o admin

Yup, PPTP is a ‘version’ of VPN. Point to Point Tunneling Protocol. You have to
set up a PPTP Server and that is what you connect to remotely from your VPN
Client. PPTP is supported in every major OS right out of the box, so there is no
client software you have to run to connect to it. There are more secure and more
recent versions of VPN, but that is another whole story…

You’ll only really run into PPPoE on DSL jobs. That is where you need the login
and password to connect to the ISP. Two totally different things.

 Cory

Isn’t there a script I can copy and paste in to do everything you listed above ;-p

With VPN, I read once that you have to have the same router on both sides, but it sounds
like that isn’t the case with this method, or maybe not anymore at all.

o admin

Yes, there is a script, actually, I just haven’t written it yet…lol…

I think you’re talking about a site-to-site VPN… like if you have a Main Office
and a Remote Office, you can keep a VPN connection open between them so
they’re working off of the same LAN and sharing files, etc. What most of us talk
about is a way for you to connect to a client site from your laptop, or office PC, or
from an iPod/iPad/etc.

Chris has done some site-to-site VPNs with Mikrotik using IPSec VPN between
them. He logged into a job I was doing in Miami and set it up so we had an IPSec
VPN to the clients other home in Baltimore and I could be on one network at
either site and talk to everything at the other site. It’s pretty slick.
 Ross

I was just wondering if you have an article on how to set up the site-to-site
VPN, but not using IPSEC but rather an EOIP PPTP tunnel between RB750s?

 admin

I do not, but Chris, who replies on here often, has done some testing
on that. Maybe he can chime in. I remember him saying that the
main provider in our area does something that inadvertently breaks
EOIP, so I don’t know how far he pursued it.

 Cory

Okay, so after it’s all set up in the router, what do you do on the remote device? I was just
going to set it up on my iPad as a test and it requires a SERVER field and Account. I’m
guessing the account is my login that I chose on the router side, but not sure.

 Cory

I figure the Server is either the WAN IP address of the router or a DNS hostname?

 scott

the server is your public IP address.


http://www.whatsmyip.org/

the account and password is what you setup on the server side for user and password.

 Jason

I must be missing one thing here. After setting up the Mikrotik, I’m trying to connect
with the VPN built into Windows 7. I keep getting “verifying user name and password”
but then it jumps to “disconnected, error 619, a connection to the remote computer could
not be established, so the port for this connection was closed”.

If I’m on the local network, the VPN connects without a problem, which tells me it’s
set up correctly??

Thoughts…

o admin

Funny, I never tried connecting locally, but I just tried it and it does work.
So you’re trying to connect from the internet to your Mikrotik and it’s not
working… what are you using as the VPN ‘server’ address? It should be set to
your WAN IP from the site with the Mikrotik.

 Jason

Wow, lots of actions since I was last here.

I’m using a dyndns for my VPN server address.

 Cory

Okay, so I have this set up and working (I think) from my iPad. It shows VPN connected.
However, I can’t figure out how to establish the same connection from my W7 machine.
Is there a VPN setup setting to dictate that it’s PPTP?

Side question: the point of this is so that my computer acts as if it’s on the local network
of my client, right? So that I could log in to their AVR or power switch or control
processor…right? Would I just type in the IP address of the device as if I was on their
local network?

o admin

I think in W7 it automatically picks what type of VPN connection it is. I just enter
the server address (“Internet address:”) and name it something, then click Next,
then enter the user name and credentials and hit Connect.

Once you’re connected, yes you can access an AVR or processor as if you were
on site. So if the processor on the job’s IP is 192.168.1.150, and you’re at your
house, you VPN to the job and go to 192.168.1.150.

There are some caveats to PPTP VPN… such as broadcasting won’t work across
the VPN. So with Control4 the programming software “sees” the processor on the
network when you’re connected locally. When connected over a VPN it can’t see
the broadcast. You can still access it, though, by simply entering the IP address.

 Cory

I keep getting this error (and I know the username & password are good because I’m able
to select PPTP and make a connection from my iPad)
The remote connection was denied because the user name and password combination you
provided is not recognized, or the selected authentication protocol is not permitted on the
remote access server.

 Cory
I do notice while it is trying to connect it says using “WAN miniport (SSTP)”. Not sure if
that means anything.

o admin

Open a Terminal and go to /ppp and do an export and post it here. When you
paste it, make sure you delete/mask out your login and password credentials.

(open a New Terminal connection in Winbox. Type ‘PPP’ and hit enter. Type
‘export’ and hit enter. Copy and paste the text it spits out. Delete your login and
password.)

 Cory

Okay. It’s long as hell. Maybe you can point out anything obvious you notice that I’m not
doing that I should be…if you notice. Thanks!

[CODE]
# oct/08/2012 23:16:28 by RouterOS 5.16
# software id = UB2U-EHT1
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 mac-address=00:0C:42:E6:88:D6 master-port=none mtu=1500 \
    name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 mac-address=00:0C:42:E6:88:D7 master-port=none mtu=1500 \
    name=ether2-master-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 mac-address=00:0C:42:E6:88:D8 master-port=\
    ether2-master-local mtu=1500 name=ether3-slave-local speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 mac-address=00:0C:42:E6:88:D9 master-port=\
    ether2-master-local mtu=1500 name=ether4-slave-local speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 mac-address=00:0C:42:E6:88:DA master-port=\
    ether2-master-local mtu=1500 name=ether5-slave-local speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default \
    rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default \
    shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=\
    30m name=default pfs-group=modp1024
/ip pool
add name=default-dhcp ranges=192.168.1.60-192.168.1.99
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=ether2-master-local lease-time=3d name=default
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default \
    use-encryption=default use-mpls=default use-vj-compression=default
set 1 change-tcp-mss=yes name=default-encryption only-one=default use-compression=\
    default use-encryption=yes use-mpls=default use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 \
    red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no ignore-as-path-len=no \
    name=default out-filter="" redistribute-connected=no redistribute-ospf=no \
    redistribute-other-bgp=no redistribute-rip=no redistribute-static=no router-id=\
    0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=ospf-in \
    metric-bgp=auto metric-connected=20 metric-default=1 metric-other-ospf=auto \
    metric-rip=20 metric-static=20 name=default out-filter=ospf-out redistribute-bgp=no \
    redistribute-connected=no redistribute-other-ospf=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=backbone \
    type=default
/snmp community
set [ find default=yes ] address=0.0.0.0/0 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=DES name=\
    public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 disk-stop-on-full=no \
    name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 syslog-facility=daemon syslog-severity=\
    auto target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,se\
    nsitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,password,web,\
    sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pass\
    word,web,sniff,sensitive,api" skin=default
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=disabled
set 1 vlan-header=leave-as-is vlan-mode=disabled
set 2 vlan-header=leave-as-is vlan-mode=disabled
set 3 vlan-header=leave-as-is vlan-mode=disabled
set 4 vlan-header=leave-as-is vlan-mode=disabled
set 5 vlan-header=leave-as-is vlan-mode=disabled
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=\
    no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default \
    enabled=no keepalive-timeout=60 mac-address=FE:78:98:22:7D:57 max-mtu=1500 mode=ip \
    netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes \
    keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default \
    enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled port=443 \
    verify-client-certificate=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.1.1/24 comment="default configuration" disabled=no interface=\
    ether2-master-local network=192.168.1.0
/ip dhcp-client
add add-default-route=yes comment="default configuration" default-route-distance=1 \
    disabled=no interface=ether1-gateway use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:0:1f:d0:97:2f:39 comment="Service Computers" \
    disabled=no lease-time=428w4d23h59m59s mac-address=00:1F:D0:97:2F:39 server=default
add address=192.168.1.100 comment="Crestron Processors" disabled=no mac-address=\
    00:10:7F:1C:41:E6
add address=192.168.1.160 comment="Media Players" disabled=no mac-address=\
    00:11:D9:32:BD:E5
add address=192.168.1.175 comment="Game Systems" disabled=no mac-address=\
    7C:ED:8D:90:81:33
add address=192.168.1.161 client-id=1:0:23:32:34:f4:10 disabled=no mac-address=\
    00:23:32:34:F4:10 server=default
add address=192.168.1.163 client-id=1:0:4:20:29:77:1 disabled=no mac-address=\
    00:04:20:29:77:01 server=default
add address=192.168.1.50 comment="POWER & UPS" disabled=no lease-time=42w6d20h20m20s \
    mac-address=00:0B:78:66:53:B2
add address=192.168.1.165 client-id=1:0:1f:5b:84:e8:d disabled=no mac-address=\
    00:1F:5B:84:E8:0D server=default
add address=192.168.1.164 client-id=1:70:73:cb:e0:96:c2 disabled=no mac-address=\
    70:73:CB:E0:96:C2 server=default
add address=192.168.1.5 client-id=1:0:27:22:8c:ee:c8 comment=WAP disabled=no \
    mac-address=00:27:22:8C:EE:C8 server=default use-src-mac=yes
add address=192.168.1.166 client-id=1:0:e0:6f:10:69:ce disabled=no mac-address=\
    00:E0:6F:10:69:CE server=default
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dhcp-option="" dns-server=\
    192.168.1.1 gateway=192.168.1.1 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=\
    512 servers=75.75.75.75,75.75.76.76
/ip dns static
add address=192.168.1.1 disabled=no name=router ttl=1d
add address=192.168.1.100 comment=" Crestron DNS Internal" disabled=no name=\
    cb.mycrestron.com ttl=1d
add address=192.168.1.50 disabled=no name=cb.mycrestron.com ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s \
    tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
    established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related \
    disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="VPN CONNECTION" disabled=no dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="VPN CONNECTION 2" disabled=no protocol=gre
add action=drop chain=input comment="default configuration" disabled=no in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment="rule for crestron" disabled=no dst-port=8081 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.100 to-ports=8081
add action=dst-nat chain=dstnat comment="rule for crestron 2" disabled=no dst-port=\
    41790-41795 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.100 \
    to-ports=41790-41795
add action=dst-nat chain=dstnat comment="Rule for Xbox Live 1" disabled=no dst-port=\
    88 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.175 to-ports=88
add action=dst-nat chain=dstnat comment="Rule for Xbox Live 2" disabled=no dst-port=\
    3074 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.175 to-ports=\
    3074
add action=dst-nat chain=dstnat comment="Rule for Xbox Live 3" disabled=no dst-port=\
    3074 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.175 to-ports=\
    3074
add action=dst-nat chain=dstnat comment="Rule for Digital Loggers" disabled=no dst-port=\
    8050 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.50 to-ports=80
add action=dst-nat chain=dstnat comment="IOS CAM" disabled=no dst-port=8065 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.65 to-ports=80
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set ether1-gateway disabled=yes
set ether2-master-local disabled=no
set ether3-slave-local disabled=no
set ether4-slave-local disabled=no
set ether5-slave-local disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no \
    enabled=no max-cache-size=none max-client-connections=600 max-fresh-time=3d \
    max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 \
    serialize-connections=no src-address=0.0.0.0
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
    max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s \
    interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no lsr-id=\
    0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 use-explicit-null=no
/port firmware
set directory=firmware
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id="" comment="Home VPN" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    local-address=192.168.1.254 name=LOGIN password=PASSWORD profile=\
    default-encryption remote-address=192.168.5.1 routes="" service=pptp
/queue interface
set ether1-gateway queue=ethernet-default
set ether2-master-local queue=ethernet-default
set ether3-slave-local queue=ethernet-default
set ether4-slave-local queue=ethernet-default
set ether5-slave-local queue=ethernet-default
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s multiplier=\
    5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m gateway-selection=\
    no-gateway origination-interval=5s preferred-gateway=0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no routing-table=\
    main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" trap-target="" \
    trap-version=1
/system clock
set time-zone-name=America/Los_Angeles
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" \
    time-zone=+00:00
/system console
set [ find ] disabled=no term=vt102
/system identity
set name=MikroTik
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=204.235.61.9 secondary-ntp=64.73.32.13
/system resource irq
set 0 cpu=auto
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=40
force-backup-booter=no silent-boot=no
/system scheduler
add disabled=no interval=1h name=NTP_Update_Schedule on-event=Update_NTP
policy
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start
startup
/system script
add name=Update_NTP policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api sourc
60s\r\
\n/system ntp client set primary-ntp=[:resolve 0.pool.ntp.org]\r\
\n/system ntp client set secondary-ntp=[:resolve 1.pool.ntp.org]"
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.
/system watchdog
set auto-send-supout=yes automatic-supout=yes no-ping-delay=5m send-email-from=
cory@customacoustix.com send-email-to=cory@customacoustix.com watch-address
67.195.160.76 watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set address=0.0.0.0 from= password="" port=25 user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol=""
filter-mac-address="" filter-mac-protocol="" filter-port="" filter-stream=y
interface=all memory-limit=100KiB memory-scroll=yes only-headers=no \
streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups=”” interim-update=0s use-r
[/CODE]

 Cory

whoops – typed the code tags wrong…sorry, not sure how to edit?

 J.O.

I used these instructions to add the VPN and afterwards did a check using GRC Shields
Up on port 1723 (https://www.grc.com/x/portprobe=1723) and it now shows that port as
open and not secure. Trying to make sure I don’t mess up and do anything to make the
router insecure. Is this a problem or typical?

o admin

I would say that’s normal, since you’re opening up port 1723 to allow PPTP
traffic through.

That GRC site is cool!

Your Internet port 139 does not appear to exist!

One or more ports on this system are operating in FULL STEALTH MODE!
Standard Internet behavior requires port connection attempts to be answered with
a success or refusal response. Therefore, only an attempt to connect to a
nonexistent computer results in no response of either kind. But YOUR computer
has DELIBERATELY CHOSEN NOT TO RESPOND (that’s very cool!) which
represents advanced computer and port stealthing capabilities. A machine
configured in this fashion is well hardened to Internet NetBIOS attack and
intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is
very uncommon for a Windows networking-based PC.) Relative to vulnerabilities
from Windows networking, this computer appears to be VERY SECURE since it
is NOT exposing ANY of its internal NetBIOS networking protocol over the
Internet.

 J.O.

GRC is an odd little site that is always useful for an outside check. Thanks
for the feedback. Can you use a less common port than 1723, or is that
where every client looks so you can’t change it?

Where did you get the information on port 139? I didn’t see that on GRC.

 Cory

Just to confirm, steps 10/11. If my network is 10.0.0.1-254, router at 10.0.0.1. And I have
a few addresses set aside for VPN. For step 10 I would do 10.0.0.40, then for step 11 I
would do 10.0.5.41.

To use a different subnet, I’m changing the third section from “0” to “5”, right?

 Jason

So I’ve got things working but can’t connect to some devices on the remote site. For
example I can get into the mikrotik and network switches over VPN but that’s it. I can’t
get into access points, receivers, or master controller. Any thoughts??

o Jason

Weird. I can ping some devices also but not others. I thought PPTP would act like
I’m physically on the network.

 admin

Do you have proxy-arp enabled on ether2? And what subnet are you on on
the VPN side compared to the LAN itself?

 Jason

Got it working with help from you guys over at IP. Changing VPN
to a different subnet from the LAN allowed me to ping everything.
Didn’t enable proxy-arp because of what Jayson said. Still don’t
understand why I have to be on a different subnet though. Other
VPNs I’ve used worked perfectly on the same subnet.

 cory

Yay! Finally got it to work!

 Cams

Is this good for doing a site to site VPN? With a 750 at each end?
Or would IPSEC be better?

 nik

One thing I am curious about is why does the firewall rule need to be on there. I’ve
followed the instructions and the set up works, however it lets me in with or without the
rule enabled. What does this rule do exactly?

o admin

With the default firewall rule in place, you should not be able to get in via VPN
without adding those rules. The traffic on port 1723 doesn’t match any of the
“accept” rules in the default firewall, so it hits each one until it hits the “drop”
rule and gets dropped.

You sure your firewall is set up the way you think it is?
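The check the admin is asking for, as an added RouterOS script that is not from the site: it walks the input chain in rule order and reports, for every enabled accept rule matching TCP/1723 or GRE, whether it sits above or below the first enabled drop rule (a rule below the drop is never reached, which is the “drag it above the drop” mistake). It also reports when the chain has no drop rule at all, which is the situation described in the next comment. The variable and label names are mine; the rule matching assumes the rules were created as the post describes.

```routeros
# Added check script, not from the original post. Paste into a Winbox terminal
# or save under /system script and run it. Prints one line per VPN accept rule.
:local seenDrop false
:foreach id in=[/ip firewall filter find chain=input disabled=no] do={
    # :tostr turns an unset property (e.g. no dst-port on the drop rule) into ""
    :local act [:tostr [/ip firewall filter get $id action]]
    :local proto [:tostr [/ip firewall filter get $id protocol]]
    :local dport [:tostr [/ip firewall filter get $id dst-port]]
    :local isVpn false
    :if ($act = "accept" && $proto = "gre") do={ :set isVpn true }
    :if ($act = "accept" && $proto = "tcp" && $dport = "1723") do={ :set isVpn true }
    :if ($isVpn) do={
        # Rules are visited in chain order, so a drop seen earlier shadows this rule.
        :if ($seenDrop) do={
            :put ("UNREACHABLE: " . $proto . " accept rule " . [:tostr $id] . \
                " is below an input drop rule - drag it above the drop")
        } else={
            :put ("ok: " . $proto . " accept rule " . [:tostr $id] . " is above the drop rule")
        }
    }
    # Update after the check so a rule is only compared with drops above it.
    :if ($act = "drop") do={ :set seenDrop true }
}
:if ($seenDrop = false) do={
    :put "no enabled drop rule in the input chain - the default firewall is not present"
}
```

On the export posted earlier in this thread the script prints two “ok” lines (TCP/1723 and GRE both sit above the single default drop); a router with no default firewall prints the last message, which explains why the VPN works there with or without the accept rules.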

 nik

That’s the thing, there is no default set of rules on there. Are those rules something that
gets created when the router is brought to default, or is there another way to put them in
place? Thanks for the reply btw!

o admin

It’s definitely created by default with the RB750GL, RB450G, and RB2011UAS-
RM… You can add whatever rules you want, though. Check this page:

 nik

Mine is an RB500 so I guess it won’t create them by defaulting. Could you re-
add the link because it doesn’t seem to be displaying in your last post.
Much appreciated once again!

 Jemp

Hello, thanks for the explanation, it works fine, but I made it with a DHCP pool, and I can
connect easily, but once connected, I can not ping any workstation on the inside.
I can not connect to any local station on my private network.
Any solution?
Tnx Jemp

o admin

Did you add a dhcp network for the subnet you’re connecting to?

 Krisken

Why do you have to use another subnet for VPN? Can’t you do that on the same subnet as
your LAN?

E.g. at my home I use the 10.0.0.0/24 subnet. But hey, I don’t have 254 computers here.

o admin

You don’t have to, and in fact it causes problems with some devices that will only
accept connections from devices on the same subnet.

If you’re going to put your VPN pool on the same subnet, you have to go into
your LAN interface (ether2) and enable proxy-arp.

 Allen

Hi, I recently got a MT RB2011UHnD I think it’s called and configured it exactly as
instructed above. Yet, when the client connects to the VPN, no network resources are
visible in Network (client is Win7). I have a DNS Windows server at the main site because I
read that the VPN client needs a name resolution service in order to see network
resources, yet still nothing. I can ping the resources and access them in Windows Explorer
like this: //192.168.2.x but not when I do this: //server. Any ideas?

o admin

Hmm. Let me see if I can get some insight in that.

 anas

Hello sir…
I need to make a connection between 2 Mikrotik (site to site) by VPN (over the internet).
Can you help me with the steps to create it? Thank you a lot.
 Steve
I can’t seem to get this to work… after adding the rules, I try to connect via windows
VPN and it just hangs on Verifying username and password, and it never actually
connects.

o admin

Make sure you drag the firewall rules above the drop rule(s)

o admin

actually check your settings in the Profiles, too

o Travis Bartnes

I know this is old but I am running into the same issue as the poster above. What
needs to be set in the Profiles section?

 Houman.H

Hi all,
I configured my Mikrotik router as a PPTP server. I already connected to the server via a VPN
connection in W7.
Everything seems fine and I can ping http://www.google.com and the tracert command
shows everything is fine.
When I open my browser and want to visit http://www.google.com:
DNS is working fine and I am getting the below message in the status bar.
connected to google.com
But I can not see the google page in my browser and nothing else happens.
Please advise. Thanks.
