
Title: 【RouterOS】—— PPTP client and routing local packets to the remote server gateway

Author: 角色    Time: 2014-8-14 21:34     Title: 【RouterOS】—— PPTP client and routing local packets to the remote server gateway

This post was last edited by 角色 on 2014-8-17 15:22

Objectives:

1) Using the RouterOS GUI (or Nat code) to program the device such that the local device can use the remote gateway.

The following post gives you the information of setting up a PPTP client on a Routerboard:
http://www.mikrotik.com/testdocs/ros/3.0/vpn/pptp.php

Also the following post provides a very practical example of setting up a PPTP client.

http://www.hkepc.com/forum/viewt ... ;highlight=mikrotik

The following wiki describes the steps to mark which destination IP addresses have to go out via the VPN tunnel (routing packets to the remote VPN gateway), while the rest of the destination IP addresses use the local gateway.
http://wiki.mikrotik.com/wiki/Policy_Base_Routing
Author: 角色    Time: 2014-8-15 00:32

This post was last edited by 角色 on 2014-8-19 01:20

The content of easy_setup.rsc:
# Connection settings for the PPTP server and the local LAN.
:local username "test"
:local password "1234"
:local hostname "0.0.0.0"
:local internal "192.168.88.0/24"
# PPTP client interface; no default route is added through the tunnel.
/interface pptp-client
add add-default-route=no allow=chap,mschap1,mschap2 connect-to=$hostname \
    dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1400 max-mtu=\
    1400 mrru=disabled name=vpn_cn password=$password profile=\
    default-encryption user=$username
# Mark web traffic from the LAN to listed destinations for the VPN route.
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=UnBlockIPList \
    port=80,443,8080 new-routing-mark=through_vpn_cn passthrough=no \
    protocol=tcp src-address-list=Internal-Nets disabled=no
# Masquerade traffic that leaves through the tunnel.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vpn_cn disabled=no
# Send marked traffic to the PPTP interface.
/ip route
add distance=1 gateway=vpn_cn routing-mark=through_vpn_cn disabled=no \
    scope=255
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,114.114.114.114
# Address lists referenced by the mangle rule above.
/ip firewall address-list
add list=Internal-Nets address=$internal comment="Internal-Nets"
add list=UnBlockIPList address=103.7.28.0/24
add list=UnBlockIPList address=103.7.30.0/24
add list=UnBlockIPList address=103.7.31.0/24
add list=UnBlockIPList address=107.21.213.0/24
add list=UnBlockIPList address=111.161.48.0/24
add list=UnBlockIPList address=115.182.93.0/24
add list=UnBlockIPList address=117.121.54.0/24
add list=UnBlockIPList address=118.244.244.0/24
add list=UnBlockIPList address=119.147.19.0/24
add list=UnBlockIPList address=119.188.40.0/24
add list=UnBlockIPList address=123.125.195.0/24
add list=UnBlockIPList address=123.125.89.0/24
add list=UnBlockIPList address=123.126.48.0/24
add list=UnBlockIPList address=123.126.53.0/24
add list=UnBlockIPList address=123.126.98.0/24
add list=UnBlockIPList address=123.126.99.0/24
add list=UnBlockIPList address=123.58.180.0/24
add list=UnBlockIPList address=125.39.70.0/24
add list=UnBlockIPList address=125.39.95.0/24
add list=UnBlockIPList address=125.89.72.0/24
add list=UnBlockIPList address=163.177.71.0/24
add list=UnBlockIPList address=163.177.79.0/24
add list=UnBlockIPList address=163.177.89.0/24
add list=UnBlockIPList address=180.153.106.0/24
add list=UnBlockIPList address=180.153.21.0/24
add list=UnBlockIPList address=180.153.225.0/24
add list=UnBlockIPList address=180.76.2.0/24
add list=UnBlockIPList address=182.16.230.0/24
add list=UnBlockIPList address=183.61.119.0/24
add list=UnBlockIPList address=184.51.15.0/24
add list=UnBlockIPList address=192.241.222.0/24
add list=UnBlockIPList address=202.108.14.0/24
add list=UnBlockIPList address=202.108.23.0/24
add list=UnBlockIPList address=202.108.37.0/24
add list=UnBlockIPList address=202.108.5.0/24
add list=UnBlockIPList address=202.55.10.0/24
add list=UnBlockIPList address=202.55.12.0/24
add list=UnBlockIPList address=210.129.145.0/24
add list=UnBlockIPList address=211.151.181.0/24
add list=UnBlockIPList address=218.205.72.0/24
add list=UnBlockIPList address=218.30.66.0/24
add list=UnBlockIPList address=218.77.91.0/24
add list=UnBlockIPList address=220.181.109.0/24
add list=UnBlockIPList address=220.181.118.0/24
add list=UnBlockIPList address=220.181.153.0/24
add list=UnBlockIPList address=220.181.154.0/24
add list=UnBlockIPList address=220.181.185.0/24
add list=UnBlockIPList address=220.181.19.0/24
# Prefix length assumed to be /24, matching the other entries.
add list=UnBlockIPList address=220.181.61.0/24
add list=UnBlockIPList address=220.181.74.0/24
add list=UnBlockIPList address=220.181.90.0/24
add list=UnBlockIPList address=220.181.94.0/24
add list=UnBlockIPList address=220.194.199.0/24
add list=UnBlockIPList address=221.238.18.0/24
add list=UnBlockIPList address=42.156.140.0/24
add list=UnBlockIPList address=42.62.20.0/24
add list=UnBlockIPList address=42.62.49.0/24
add list=UnBlockIPList address=54.243.116.0/24
add list=UnBlockIPList address=58.215.179.0/24
add list=UnBlockIPList address=58.222.17.0/24
add list=UnBlockIPList address=58.63.237.0/24
add list=UnBlockIPList address=58.83.190.0/24
add list=UnBlockIPList address=59.151.12.0/24
add list=UnBlockIPList address=60.217.235.0/24
add list=UnBlockIPList address=60.28.164.0/24
add list=UnBlockIPList address=61.135.132.0/24
add list=UnBlockIPList address=61.135.181.0/24
add list=UnBlockIPList address=61.135.183.0/24
add list=UnBlockIPList address=61.135.196.0/24
add list=UnBlockIPList address=61.135.253.0/24
add list=UnBlockIPList address=66.102.246.0/24
Test

http://www.hkepc.com/forum/redir ... 57&pid=31963296
Author: 角色    Time: 2014-8-19 01:39

This post was last edited by 角色 on 2014-8-19 02:40

http://www.hkepc.com/forum/viewt ... page=13#pid31614526

http://www.hkepc.com/forum/redir ... 57&pid=31963296

http://www.hkepc.com/forum/redir ... 51&pid=31614526

Temp links:
http://www.hkepc.com/forum/viewt ... =239887&page=14
http://www.hkepc.com/forum/viewt ... ice&tid=2069651
http://www.hkepc.com/forum/viewt ... page=13#pid31614526
Author: 角色    Time: 2014-8-27 00:33

Finally got it working; I just followed the post below.

http://www.hkepc.com/forum/viewt ... page=13#pid31614526
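Author: yiucsw    Time: 2014-12-29 15:12

Is this for Hong Kong to China? Is there one for China to the outside?
Author: 角色    Time: 2014-12-29 17:40

It is the same; you just do it the other way round.
Author: yiucsw    Time: 2014-12-29 23:37

Would the unblock list be different?

/ip firewall address-list
Author: 角色    Time: 2014-12-30 00:11

The contents of unblockIPList are of course different; you need to log and find them one by one.
Author: yiucsw    Time: 2014-12-31 02:01

I ran the script, but for some reason the firewall says VPN not ready. Route list unreachable. (Mainly connecting to a Vigor PPTP server)
After running the script, how do I run it again? Deleting the interface, route and firewall entries does not work.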
Author: tc30624100    Time: 2014-12-31 02:40

Reply to 9# yiucsw


    Change the gateway to the name of that interface and it will work.
Author: yiucsw    Time: 2014-12-31 18:41

The PPTP client interface and the gateway both have the same name: VPN_HK.
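Author: yiucsw    Time: 2014-12-31 19:13

Not sure whether this is right.
Originally:
When the PPTP interface profile is Default-Encryption, Status: Link Established
When the PPTP interface profile is Default, Status: Connected.

Hopefully this solves part of the problem.
Author: yiucsw    Time: 2014-12-31 20:09

I turned the following into a script, cn.txt. When it runs there is an ERROR,
"value of address expects range of ip addresses"
Do you know where the problem is?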

/ip firewall address-list
add list=Internal-Nets address=$internal comment="Internal-Nets"
add list=UnBlockIPList address=173.194.72.0/24
add list=UnBlockIPList address=173.194.127.0/24
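
An added example (not part of the original posts, and not MikroTik code): a small Python check for the address-list part of an .rsc file such as easy_setup.rsc or cn.txt above. It flags address=$name references with no ":local name" in the same file, values that are not valid networks, and prefixes broader than an assumed /16 threshold; the function name, the threshold and the sample text are assumptions constructed for this example.

```python
import ipaddress
import re

# Constructed sample: an address-list fragment run on its own, so no
# ":local internal" declaration is present, plus one mistyped prefix.
SAMPLE_RSC = """\
/ip firewall address-list
add list=Internal-Nets address=$internal comment="Internal-Nets"
add list=UnBlockIPList address=173.194.72.0/24
add list=UnBlockIPList address=173.194.127.0/24
add list=UnBlockIPList address=203.0.113.0/2
"""

LOCAL_RE = re.compile(r"^:local\s+(\w+)")
# Match address= but not dst-address-list= or src-address= style keys.
ADDR_RE = re.compile(r"(?<![\w-])address=(\S+)")
MIN_PREFIX = 16  # assumed policy: flag anything broader than /16


def lint_address_lists(script, min_prefix=MIN_PREFIX):
    """Return (line_number, message) findings for address= values."""
    declared, findings = set(), []
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        local = LOCAL_RE.match(line)
        if local:
            declared.add(local.group(1))
            continue
        addr = ADDR_RE.search(line)
        if not (line.startswith("add ") and addr):
            continue
        value = addr.group(1).strip('"')
        if value.startswith("$"):
            # The variable must be declared earlier in the same file.
            if value[1:] not in declared:
                findings.append((no, f"{value} is not declared in this file"))
            continue
        try:
            # strict=True rejects host bits, e.g. a /24 typed as /2.
            net = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            findings.append((no, f"bad address {value}: {exc}"))
            continue
        if net.prefixlen < min_prefix:
            findings.append((no, f"{value} is broader than /{min_prefix}"))
    return findings


if __name__ == "__main__":
    for no, message in lint_address_lists(SAMPLE_RSC):
        print(f"line {no}: {message}")
```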
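Author: 角色    Time: 2015-1-1 20:06

Your question has too little information!
You seem to have said the RB connects to a Draytek, but we do not know what the network addresses on either side are.
Author: yiucsw    Time: 2015-1-1 22:42

I have not got to that step yet. The RB is the PPTP CLIENT. The VIGOR is the PPTP SERVER. I split your SCRIPT into two parts. The above is the SCRIPT that adds the UNBLOCK LIST. It has an ERROR; I guess it is a SYNTAX ERROR.
Author: 角色    Time: 2015-1-1 23:34

At first you said the RB is on the mainland, but it is connected to the router behind the ADSL modem, so in principle it should be able to connect to the Draytek VPN server in Hong Kong.
My script is meant for use in Hong Kong, so some problems may not have been handled in advance.

(If you are interested, we can look into it together.)
Author: yiucsw    Time: 2015-1-3 18:29

I am now using the configuration in Hong Kong.
The RB PPTP client (Three 3G Mifi) connects to the Vigor 2920 PPTP server (HKBN). I added www.google.com... to Unblockiplist.
Because both ends are in Hong Kong, I do not know how to test whether the PPTP VPN is working.
When I ping www.google.com, I see no traffic in the interface's Statistics.
Is there any way to know whether it works?
If it works, the next step is the reverse direction: dial from the Vigor to the RB.
Author: 雯雯    Time: 2015-1-3 19:18

Reply to 17# yiucsw

Run tracert www.google.com on Windows and you will know whether it works.
Author: yiucsw    Time: 2015-1-3 19:40

Thanks a lot. It is a good solution. In China, I use Windows tracert. The packets route to HK, but nothing shows up in the browser for 'www.Google.com'. Any other method?
Author: 雯雯    Time: 2015-1-3 19:44

Reply to 19# yiucsw

Check whether your HK-to-China route is working properly; in this kind of situation it is often the case that packets go out but never come back.
Author: 角色    Time: 2015-1-3 22:08

You can try tracert www.netvigator.com
Author: yiucsw    Time: 2015-1-6 12:01

TraceRT from Hong Kong... I do not know why it wanders around inside China.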

Tracing route to 223.73.53.145 over a maximum of 30 hops

  1     3 ms    14 ms     6 ms  192.168.85.1
  2    92 ms     4 ms     3 ms  183178116001.ctinets.com [183.178.116.1]
  3    13 ms    37 ms    17 ms  061092090129.ctinets.com [61.92.90.129]
  4    14 ms     6 ms    17 ms  014199254241.ctinets.com [14.199.254.241]
  5    64 ms     4 ms    12 ms  014136129118.ctinets.com [14.136.129.118]
  6   323 ms    10 ms     7 ms  chinamobileintl1-lacp-10G.hkix.net [202.40.160.215]
  7     8 ms     6 ms    14 ms  211.136.1.114
  8    14 ms     9 ms    13 ms  223.118.2.205
  9    13 ms    21 ms    14 ms  223.118.10.1
 10    10 ms   163 ms    28 ms  221.176.24.229
 11   179 ms    19 ms    54 ms  221.176.18.113
 12    23 ms     *      519 ms  221.176.19.70
 13    13 ms    22 ms    17 ms  120.196.0.2
 14   937 ms  1841 ms  3090 ms  120.196.2.166
15     *        *        *     Request timed out.




Welcome to 電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2