Basic setup
1. Click PPP
2. Click PPTP Server
3. In the PPTP Server window, click the Enabled checkbox and click OK
4. Click the Secrets tab
5. Click the + to add a new Secret
6. In Name, enter the login you want to use for your VPN connection
7. In Password, enter the password you want to use
8. In Service, click the drop-down and select pptp
9. In Profile, select default-encryption
10. In Local Address, enter an address on the LAN that you want to send your traffic
through. I’ve used the router’s LAN IP, a ‘random’ IP address on the subnet,
etc. Haven’t seen that one is better than the other…yet…
11. In Remote Address, enter the IP address that you want your device to get when it
establishes a connection. Pick an IP address on a different subnet from your LAN. Trust
me, it will work.
12. Enter a Comment if you want
13. Click OK
14. Click on IP, then Firewall, then the Filter Rules tab
15. Add a new rule with the + sign
16. Set Chain to input
17. Set Protocol to tcp
18. Set Dst. Port to 1723
19. Click on the Action tab and make sure Action is set to accept
20. Give it a Comment of “VPN” or something meaningful to you
21. Click OK
22. Drag this rule ABOVE THE DEFAULT “drop” RULE
23. Add another new Firewall Filter rule
24. Set Chain to input
25. Set Protocol to gre
26. Click on the Action tab and make sure Action is set to accept
27. Give it a Comment of “VPN” or something meaningful to you
28. Click OK
29. Drag this rule ABOVE THE DEFAULT “drop” RULE
30. Done
I know it looks like a lot, but once you’ve done this a few times, you can do all these steps in
about 2 minutes.
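The firewall ordering in steps 22 and 29 and the subnet choice in step 11 are the easiest parts of this walkthrough to get wrong. The Python check below is an added example, not part of the original post: it reads the text of a RouterOS export and reports those mistakes. The sample export, addresses, user name and function names are constructed for illustration.

```python
import ipaddress
import re
import shlex
# Constructed sample in RouterOS export style; names and addresses are made up.
SAMPLE_EXPORT = """\
/interface pptp-server server
set enabled=yes
/ppp secret
add name=vpnuser service=pptp profile=default-encryption local-address=192.168.88.1 remote-address=192.168.89.10
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=tcp dst-port=1723 comment=VPN
add chain=input action=drop comment="drop everything else"
add chain=input action=accept protocol=gre comment=VPN
"""

def parse_export(text):
    """Return {menu path: [dict of key=value for each 'add' line]}."""
    menus, path = {}, None
    joined = re.sub(r"\\\r?\n\s*", "", text)  # undo the export's line wrapping
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def audit_pptp(text, lan_cidr):
    """Check steps 11, 22 and 29 of the walkthrough; return a list of findings."""
    menus, findings = parse_export(text), []
    rules = [r for r in menus.get("/ip firewall filter", [])
             if r.get("chain") == "input" and r.get("disabled") != "yes"]
    # The first catch-all drop: input traffic not accepted above it is dropped.
    narrow = {"protocol", "connection-state", "src-address", "dst-port"}
    drop_at = next((i for i, r in enumerate(rules)
                    if r.get("action") == "drop" and not narrow & r.keys()), len(rules))
    for label, proto, port in (("tcp/1723", "tcp", "1723"), ("gre", "gre", None)):
        hits = [i for i, r in enumerate(rules) if r.get("action") == "accept"
                and r.get("protocol") == proto and r.get("dst-port") == port]
        if not hits:
            findings.append(f"{label}: no accept rule in chain=input")
        elif min(hits) > drop_at:
            findings.append(f"{label}: accept rule is below the drop rule")
    lan = ipaddress.ip_network(lan_cidr)
    for s in menus.get("/ppp secret", []):
        addr = s.get("remote-address", "")  # pool names and unset values are skipped
        if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", addr) and ipaddress.ip_address(addr) in lan:
            findings.append(f"{s.get('name')}: remote-address is inside the LAN subnet")
    return findings
```

Paste the output of a full export (with credentials masked) into a string and call `audit_pptp(text, "your LAN in CIDR form")`; an empty list means the three checked steps match the walkthrough.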
Cory
So PPTP is required for VPN? This has nothing to do with PPPOE WAN connections
right?
o admin
Yup, PPTP is a ‘version’ of VPN. Point to Point Tunneling Protocol. You have to
set up a PPTP Server and that is what you connect to remotely from your VPN
Client. PPTP is supported in every major OS right out of the box, so there is no
client software you have to run to connect to it. There are more secure and more
recent versions of VPN, but that is another whole story…
You’ll only really run into PPPoE on DSL jobs. That is where you need the login
and password to connect to the ISP. Two totally different things.
Cory
Isn’t there a script I can copy and paste in to do everything you listed above ;-p
With VPN, I read once that you have to have the same router on both sides, but it sounds
like that isn’t the case with this method or maybe anymore at all.
o admin
I think you’re talking about a site-to-site VPN… like if you have a Main Office
and a Remote Office, you can keep a VPN connection open between them so
they’re working off of the same LAN and sharing files, etc. What most of us talk
about is a way for you to connect to a client site from your laptop, or office PC, or
from an iPod/iPad/etc.
Chris has done some site-to-site VPNs with Mikrotik using IPSec VPN between
them. He logged into a job I was doing in Miami and set it up so we had an IPSec
VPN to the client’s other home in Baltimore and I could be on one network at
either site and talk to everything at the other site. It’s pretty slick.
Ross
I was just wondering if you have an article on how to set up the site to site
VPN but not using IPSEC but rather an EOIP PPTP tunnel between RB750s?
admin
I do not, but Chris who replies on here often has done some testing
on that. Maybe he can chime in. I remember him saying that the
main provider in our area does something that inadvertently breaks
EOIP so I don’t know how far he pursued it.
Cory
Okay, so after it’s all set up in the router, what do you do on the remote device? I was just
going to set it up in my iPad as a test and it requires a SERVER field and Account. I’m
guessing the account is my login that I chose on the router side, but not sure.
Cory
I figure the Server is either the WAN IP address of the router or a DNS hostname?
scott
The account and password are what you set up on the server side for user and password.
Jason
I must be missing one thing here. After setting up the Mikrotik, I’m trying to connect
with the VPN built into Windows 7. I keep getting “verifying user name and password”
but then it jumps to “disconnected, error 619, a connection to the remote computer could
not be established, so the port for this connection was closed”.
If I’m on the local network, the VPN connects without a problem, which tells me it’s
set up correctly??
Thoughts…
o admin
Funny, I never tried connecting locally, but I just tried it and it does work.
So you’re trying to connect from the internet to your Mikrotik and it’s not
working… what are you using as the VPN ‘server’ address? It should be set to
your WAN IP from the site with the Mikrotik.
Jason
Cory
Okay, so I have this set up and working (I think) from my iPad. It shows VPN connected.
However, I can’t figure out how to establish the same connection from my W7 machine.
Is there a VPN setup setting to dictate that it’s PPTP?
Side questions: the point of this is so that my computer acts as if it’s on the local network
of my client, right? So that I could log in to their AVR or power switch or control
processor…right? Would I just type in the IP address of the device as if I was on their
local network?
o admin
I think in W7 it automatically picks what type of VPN connection it is. I just enter
the server address (“Internet address:”) and name it something, then click Next,
then enter the user name and credentials and hit Connect.
Once you’re connected, yes you can access an AVR or processor as if you were
on site. So if the processor on the job’s IP is 192.168.1.150, and you’re at your
house, you VPN to the job and go to 192.168.1.150.
There are some caveats to PPTP VPN… such as broadcasting won’t work across
the VPN. So with Control4 the programming software “sees” the processor on the
network when you’re connected locally. When connected over a VPN it can’t see
the broadcast. You can still access it, though, by simply entering the IP address.
Cory
I keep getting this error (and I know the username & password are good because I’m able
to select PPTP and make a connection from my iPad)
The remote connection was denied because the user name and password combination you
provided is not recognized, or the selected authentication protocol is not permitted on the
remote access server.
Cory
I do notice while it is trying to connect it says using “WAN miniport (SSTP)”. Not sure if
that means anything.
o admin
Open a Terminal and go to /ppp and do an export and post it here. When you
paste it, make sure you delete/mask out your login and password credentials.
(open a New Terminal connection in Winbox. Type ‘PPP’ and hit enter. Type
‘export’ and hit enter. Copy and paste the text it spits out. Delete your login and
password.)
Cory
Okay. it’s long as hell. Maybe you can point out anything obvious you notice that I’m not
doing that I should be…if you notice. Thanks!
Cory
whoops – typed the code tags wrong…sorry, not sure how to edit?
J.O.
I used these instructions to add the VPN and afterwards did a check using GRC Shields
Up on port 1723 (https://www.grc.com/x/portprobe=1723) and it now shows that port as
open and not secure. Trying to make sure I don’t mess up and do anything to make the
router unsecure. Is this a problem or typical?
o admin
I would say that’s normal, since you’re opening up port 1723 to allow PPTP
traffic through.
J.O.
GRC is an odd little site that is always useful for an outside check. Thanks
for the feedback. Can you use a less common port than 1723 or is that
where every client looks so you can’t change it?
Where did you get the information on port 139? I didn’t see that on GRC.
Cory
Just to confirm, steps 10/11. If my network is 10.0.0.1-254, router at 10.0.0.1. And I have
a few addresses set aside for VPN. For step 10 I would do 10.0.0.40, then for step 11 I
would do 10.0.5.41.
To use a different subnet, I’m changing the third section from “0” to “5”, right?
Jason
So I’ve got things working but can’t connect to some devices on the remote site. For
example I can get into the mikrotik and network switches over VPN but that’s it. I can’t
get into access points, receivers, or master controller. Any thoughts??
o Jason
Weird. I can ping some devices also but not others. I thought PPTP would act like
I’m physically on the network.
admin
Do you have proxy-arp enabled on ether2? And what subnet are you on on
the VPN side compared to the LAN itself?
Jason
Got it working with help from you guys over at IP. Changing VPN
to a different subnet from the LAN allowed me to ping everything.
Didn’t enable proxy-arp because of what Jayson said. Still don’t
understand why I have to be on a different subnet though. Other
VPNs I’ve used worked perfectly on the same subnet.
cory
yay! finally got it to work!
Cams
Is this good for doing a site to site VPN? With a 750 at each end?
Or would IPSEC be better?
nik
One thing I am curious about is why does the firewall rule need to be on there. I’ve
followed the instructions and the set up works, however it lets me in with or without the
rule enabled. What does this rule do exactly?
o admin
With the default firewall rule in place, you should not be able to get in via VPN
without adding those rules. The traffic on port 1723 doesn’t match any of the
“accept” rules in the default firewall, so it hits each one until it hits the “drop”
rule and gets dropped.
You sure your firewall is set up the way you think it is?
nik
That’s the thing, there is no default set of rules on there. Are those rules something that
gets created when the router is brought to default or is there another way to put them in
place? Thanks for the reply btw!
o admin
It’s definitely created by default with the RB750GL, RB450G, and RB2011UAS-
RM… You can add whatever rules you want, though. Check this page:
nik
Mine is rb500 so I guess it won’t create them by defaulting. Could you re-add
the link because it doesn’t seem to be displaying in your last post.
Much appreciated once again!
Jemp
Hello, tnx for the explanation, works fine, but I made it with a DHCP pool, and I can
connect easily, but once connected, I cannot ping any workstation on the inside.
I cannot connect to any local station on my private network.
Any solution?
Tnx Jemp
o admin
Did you add a dhcp network for the subnet you’re connecting to?
Krisken
Why do you have to use another subnet for VPN? Can’t you do that on the same subnet as
your LAN?
E.g. at my home I use the 10.0.0.0/24 subnet. But hey, I don’t have 254 computers here
o admin
You don’t have to, and in fact it causes problems with some devices that will only
accept connections from devices on the same subnet.
If you’re going to put your VPN pool on the same subnet, you have to go into
your LAN interface (ether2) and enable proxy-arp.
Allen
Hi, I recently got a MT RB2011UHnD I think it’s called and configured it exactly as
instructed above. Yet, when the client connects to the VPN, no network resources are
visible in network (client is Win7). I have a DNS Windows server at the main site because I
read that the VPN client needs a naming resolution service in order to see network
resources, yet still nothing. I can ping the resources and access them in Windows Explorer
like this: //192.168.2.x but not when I do this: //server. Any ideas?
o admin
anas
Hello sir …
I need to make a connection between 2 Mikrotik (site to site) by VPN (over internet).
Can you help me with the steps to create it? Thank you a lot.
laxmi
Steve
I can’t seem to get this to work… after adding the rules, I try to connect via windows
VPN and it just hangs on Verifying username and password, and it never actually
connects.
o admin
Make sure you drag the firewall rules above the drop rule(s)
o admin
o Travis Bartnes
I know this is old but I am running into the same issue as the poster above. What
needs to be set in the Profiles section?
Houman.H
Hi all,
I configured my Mikrotik router as a PPTP server. I already connected to the server via a VPN
connection in W7.
Everything seems fine and I can ping http://www.google.com and the tracert command
shows everything is fine.
When I open my browser and want to visit http://www.google.com:
DNS is working fine and I am getting the below message in the status bar.
connected to google.com
But I cannot see the Google page in my browser and nothing happens any more.
Please advise. Thanks.