【RouterOS】——PPTP Server

角色

The previous link was no longer valid and replaced by the following link to set up PPTP service on RB.

http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP



Old link:
http://www.mikrotik.com/testdocs/ros/2.9/interface/pptp.php


If you want to connect the VPN server permanently, set keepalive-timeout=0.

角色

http://blog.cscworm.net/?p=2454

角色

http://ros2008.blog.51cto.com/477924/99042

角色

http://wordpress.wlevels.nl/configuring-routeros-as-pptp-server/

The above link is no longer valid.

角色

http://wordpress.wlevels.nl/configuring-routeros-as-pptp-server/

/ppp secret> add name=Laptop service=pptp password=123
local-address=10.1.101.1 remote-address=10.1.101.100
/ppp secret> print detail
Flags: X - disabled
  0   name="Laptop" service=pptp caller-id="" password="123" profile=default
      local-address=10.1.101.1 remote-address=10.1.101.100 routes==""

/ppp secret>
Notice that pptp local address is the same as routers address on local interface and remote address is form the same range as local network (10.1.101.0/24).

Next step is to enable pptp server and pptp client on the laptop.

/interface pptp-server server> set enabled=yes
/interface pptp-server server> print
            enabled: yes
            max-mtu: 1460
            max-mru: 1460
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: default
/interface pptp-server server>

/ip firewall filter
add chain=input protocol=tcp dst-port=1723 action=accept
add chain=input protocol=gre action=accept

Qnewbie

http://wiki.mikrotik.com/wiki/PPTP_Server_With_Profile

角色

回復 6# Qnewbie

Thanks.

It seems that after VPN, the remoted end machine's operations is not the same as it is connected to the physical port of the local network segment.

Qnewbie

Yes, you're right.
For example in the wiki:
Local:
192.168.112.1/24
Remote:
172.16.0.1/24
And a NAT rule for 172.16.0.1/24.

In the NAT tab add a new FIREWALL rule, press the PLUS sign. chain=srcnat , src.address=172.16.0.0/24 , then goto Action's tab in the same window, select action=masquerade. Then press APPLY and OK.

角色

More examples：
http://www.hkepc.com/forum/redir ... 57&pid=31912460
http://blog.cscworm.net/?p=2454

角色

RB Gateway IP = 192.168.88.1

Problem found = PPTP connection is still connection but no packet traffic can through the PPTP server.

The following settings were tested and found no error for PPTP server without using IP pool:

/interface pptp-server server set authentication=mschap1,mschap2 \
default-profile=default-encryption enabled=yes keepalive-timeout=30 \
max-mru=1460 max-mtu=1460 mrru=disabled

/ppp profile add name=my-profile local-address=172.20.21.1 \ remote-address=172.20.21.2 \
dns-server=8.8.8.8,8.8.4.4 use-compression=default use-encryption=yes

/ppp secret add profile=my-profile name=myuser password=mypasswd service=pptp disabled=no

/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 src-address=172.20.21.0/28 disabled=no

/ip firewall filter
add chain=input comment="PPTP tcp" dst-port=1723 protocol=tcp action=accept
add chain=input comment="PPTP gre" protocol=gre action=accept

Qnewbie

How about the filter rules?
/ip firewall filter
add chain=input comment="PPTP tcp" dst-port=1723 protocol=tcp  action=accept
add chain=input comment="PPTP gre" protocol=gre  action=accept

角色

回復 11# Qnewbie

Thank you QNewbie. The action=accept has already added to each line. In fact, they "action=accept" were included in the firewall list.

yiucsw

有那个SETUP SCRIPT 能运行成功的？siteto site 的 pptp

角色

Site to Site不是非常简单吗？连好了，加static route去对面的network不是可以吗？

yiucsw

第一次用RB。 所以不懂。 有SCRIPT能减少问题。例如。动态IP的处理