Question



  • Femme (topic starter)
  • Registered: June 1999
  • Last online: 16-09 13:49
I tried to connect to my home network over PPTP by following the instructions on this blog:
https://rbgeek.wordpress....server-setup-on-mikrotik/

(btw: I have also tried to get OpenVPN working at some point, but that did not work at all, which is why I decided to give the inferior PPTP a try)

I have a Mikrotik 2011UiAS-2HnD running RouterOS 6.5 from October 2013 that serves as the router and, based on protocol, port number and address list, routes traffic via a DSL router and a 4G router. In the PPP profile for the PPTP server I specified 'bridge-local' as the bridge. 'bridge-local' is the bridge my private network is on, so picking that one seemed logical to me. The client gets an address from the same range as the local network.

Wonder of wonders, the VPN connection works, but I can only ping the router itself (and, strangely enough, also the other Mikrotik switches and APs in my network, although I cannot reach WebFig on them).

According to the tutorials and forum topics, of which there are plenty about this problem, I have to enable proxy-arp on the interface the PPTP connection comes in on. I have tried this on several interfaces, including the bridge 'bridge-local', but unfortunately it makes no difference.

Anyone have an idea where I should look for the cause of this problem? The problem presumably lies with proxy ARP, but how do I solve it? To be clear: I am no network expert, and wrestling matches with my Mikrotiks regularly degenerate into blind rage towards these little devices.

This is what the configuration looks like:

Mikrotik config

Best answer (by Femme on 07-03-2016 11:14)


  • Femme (topic starter)
  • Registered: June 1999
  • Last online: 16-09 13:49
I have since been able to solve the problem with the instructions from this forum topic:
http://forum.mikrotik.com/viewtopic.php?t=54397

The cause was the mangle rules for distributing traffic over the ADSL and 4G routers. The rules below keep the PPTP connection out of that:

code:
/ip firewall mangle
# accept traffic for the PPTP pool so it never reaches the mark-routing rules
add chain=prerouting action=accept dst-address=192.168.4.151-192.168.4.160 in-interface=bridge-local
add chain=prerouting action=accept dst-address=192.168.4.151-192.168.4.160 in-interface=bridge-local

# PPTP control channel (TCP 1723) and GRE destined for the router itself
add chain=prerouting dst-address=192.168.4.1 protocol=gre action=accept
add chain=prerouting dst-address=192.168.4.1 protocol=tcp dst-port=1723 action=accept
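As an added example (not from this thread and not a MikroTik tool): a small Python checker that parses the `/ip firewall mangle` section of an `/export compact` file and reports which `mark-routing` rules are still evaluated before an accept rule for the PPTP pool is reached. The two sample exports inside it are constructed from the rules posted in this thread, and the check runs for both directions (`dst-address` for replies to a VPN client, `src-address` for traffic the client sends), which goes a step beyond the `dst-address` rules above. The reasoning it encodes: the Mikrotik answers ARP for the pool addresses (proxy-arp on bridge-local), so a reply from a LAN host to a VPN client is routed and passes through prerouting; if a `mark-routing` rule with `passthrough=no` matches first, the route lookup happens in a table whose only route is the default via 192.168.2.254, and the packet goes to the DSL router instead of into the tunnel. One caveat a practitioner should keep in mind: `add` appends a rule at the end of the chain, so accept rules only help once they sit above the mark-routing rules (for instance by adding them with `place-before=0`); the checker exists precisely to confirm that order.

```python
"""Check whether PPTP pool traffic leaves the mangle chain before it is marked.

Hypothetical checker written for this thread (not a MikroTik tool): it parses
the /ip firewall mangle section of a RouterOS `/export compact` file and lists
the mark-routing rules that are evaluated before an accept rule for the PPTP
pool, per direction. RouterOS walks a chain top to bottom and `accept` stops
further processing, so a non-empty list means tunnel traffic can still get a
routing mark.
"""
import ipaddress
import shlex

POOL = "192.168.4.151-192.168.4.160"  # pptp-pool from the export in the thread

# Constructed sample, modelled on the mangle section posted in the thread:
# the catch-all accept for the local subnet sits below the mark-routing rules.
EXPORT_BEFORE = r"""
/ip firewall mangle
add action=mark-routing chain=prerouting dst-port=53 new-routing-mark=\
    "DNS Traffic" passthrough=no protocol=udp
add action=mark-routing chain=prerouting new-routing-mark=WAN-ADSL \
    passthrough=no src-address-list=WAN-ADSL
add action=mark-routing chain=prerouting dst-port=80 new-routing-mark=\
    "HTTP Traffic" passthrough=no protocol=tcp
add chain=prerouting dst-address=192.168.4.0/24 in-interface=bridge-local
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-dslrouter
"""

# Constructed sample of the corrected order: accept rules for the pool, in
# both directions, ahead of every mark-routing rule.
EXPORT_AFTER = r"""
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.4.151-192.168.4.160
add action=accept chain=prerouting src-address=192.168.4.151-192.168.4.160
add action=mark-routing chain=prerouting dst-port=53 new-routing-mark=\
    "DNS Traffic" passthrough=no protocol=udp
add action=mark-routing chain=prerouting new-routing-mark=WAN-ADSL \
    passthrough=no src-address-list=WAN-ADSL
add action=mark-routing chain=prerouting dst-port=80 new-routing-mark=\
    "HTTP Traffic" passthrough=no protocol=tcp
"""


def join_continuations(text):
    """Merge lines that a RouterOS export wraps with a trailing backslash."""
    merged, pending = [], None
    for raw in text.splitlines():
        # the continuation line is appended with its leading whitespace removed
        part = raw.lstrip() if pending is not None else raw
        if part.rstrip().endswith("\\"):
            pending = (pending or "") + part.rstrip()[:-1]
            continue
        merged.append((pending or "") + part)
        pending = None
    if pending is not None:
        merged.append(pending)
    return merged


def parse_section(export_text, section):
    """Return the `add` rules of one export section as ordered dicts."""
    rules, current = [], None
    for line in join_continuations(export_text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line.strip()
            continue
        if current != section:
            continue
        tokens = shlex.split(line)  # handles quoted values such as "DNS Traffic"
        if not tokens or tokens[0] != "add":
            continue
        rule = {"action": "accept"}  # RouterOS default when no action is given
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def address_range(spec):
    """Convert x.x.x.x, x.x.x.x/nn or a-b into (first, last) as integers."""
    if "-" in spec:
        first, last = spec.split("-", 1)
        return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def covers(spec, pool):
    """True when the (non-negated) address spec contains the whole pool."""
    if spec.startswith("!"):
        return False
    lo, hi = address_range(spec)
    pool_lo, pool_hi = address_range(pool)
    return lo <= pool_lo and pool_hi <= hi


def marks_before_pool_accept(rules, pool, direction, chain="prerouting"):
    """Routing marks a pool packet (matched on `direction`) can receive before
    an accept rule covering the pool stops the chain; [] means it is excluded
    in time. Rules whose only matchers are ports or address lists are reported
    too, because those matchers do not exclude the pool."""
    hits = []
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        spec = rule.get(direction)
        if spec is not None and not covers(spec, pool):
            continue  # this rule cannot match pool traffic in this direction
        if rule["action"] == "accept" and spec is not None:
            return hits  # accept for the pool reached: later rules never run
        if rule["action"] == "mark-routing":
            hits.append(rule.get("new-routing-mark", "?"))
    return hits


if __name__ == "__main__":
    for label, text in (("before", EXPORT_BEFORE), ("after", EXPORT_AFTER)):
        rules = parse_section(text, "/ip firewall mangle")
        for direction in ("dst-address", "src-address"):
            hits = marks_before_pool_accept(rules, POOL, direction)
            print(f"{label:6} {direction}: {hits or 'pool accepted before any mark'}")
```

Run it against your own `export.rsc` by reading the file into `parse_section` instead of the constructed samples; the "before" sample reports `DNS Traffic`, `WAN-ADSL` and `HTTP Traffic` for both directions, which is exactly the set of marks that would send replies to a VPN client (and the client's own HTTP requests) towards the DSL router, while the "after" sample reports nothing.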

All replies



  • brambo123
  • Registered: December 2006
  • Last online: 16-09 18:55
A complete configuration dump would be useful.
You can produce one by clicking New Terminal and running '/export compact file=export' there.
Under Files you then get a file export.rsc, which you can download and open in Notepad.
You can then post that data here.


  • Femme (topic starter)
  • Registered: June 1999
  • Last online: 16-09 13:49
brambo123 wrote on Wednesday 2 March 2016 @ 19:47:
A complete configuration dump would be useful.
You can produce one by clicking New Terminal and running '/export compact file=export' there.
Under Files you then get a file export.rsc, which you can download and open in Notepad.
You can then post that data here.
OK, here is the export of the configuration:

code:
# mar/02/2016 19:53:50 by RouterOS 6.5
# software id = GYVG-U613
#
/interface bridge
add l2mtu=1594 name=bridge-dslrouter
add l2mtu=1594 name=bridge-guest
add admin-mac=4C:5E:0C:2B:01:CE arp=proxy-arp auto-mac=no l2mtu=1594 name=\
    bridge-local protocol-mode=rstp
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp mac-address=4C:5E:0C:2B:08:CF \
    name="ether1-Wago 750-842"
set [ find default-name=ether2 ] name=ether2-WAN-4G
set [ find default-name=ether3 ] name=ether3-trunk
set [ find default-name=ether4 ] name=ether4-ipcam
set [ find default-name=ether5 ] name=ether5-ipcam
set [ find default-name=ether6 ] name=ether6-ipcam
set [ find default-name=ether7 ] master-port=ether6-ipcam name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-ipcam name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-ipcam name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-ipcam name=\
    ether10-slave-local
/ip neighbor discovery
set "ether1-Wago 750-842" discover=no
/interface vlan
add interface=ether3-trunk l2mtu=1594 name=ether3-vlan1-local vlan-id=1
add interface=ether3-trunk l2mtu=1594 name=ether3-vlan2-guest vlan-id=2
add interface=ether3-trunk l2mtu=1594 name=ether3-vlan3-dslrouter vlan-id=3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=local \
    supplicant-identity="" wpa-pre-shared-key=**** \
    wpa2-pre-shared-key=****
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=guest \
    supplicant-identity="" wpa-pre-shared-key=Wichmond wpa2-pre-shared-key=\
    Wichmond
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no l2mtu=2290 mode=\
    ap-bridge security-profile=local ssid="Groot Okhorst" wireless-protocol=\
    802.11
add disabled=no l2mtu=2290 mac-address=4E:5E:0C:2B:01:D7 master-interface=\
    wlan1 name=wlan2-guest security-profile=guest ssid="Logies Groot Okhorst" \
    wds-cost-range=0 wds-default-cost=0
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=local-dhcp ranges=192.168.4.10-192.168.4.150
add name=guest-dhcp ranges=192.168.3.10-192.168.3.150
add name=pptp-pool ranges=192.168.4.151-192.168.4.160
/ip dhcp-server
add address-pool=local-dhcp disabled=no interface=bridge-local name=\
    dhcp-local
add address-pool=guest-dhcp disabled=no interface=bridge-guest name=\
    dhcp-guest
/port
set 0 name=serial0
/ppp profile
add bridge=bridge-local local-address=pptp-pool name=pptp-profile \
    remote-address=pptp-pool use-encryption=required
/queue simple
add disabled=yes dst=ether3-vlan3-dslrouter max-limit=512k/0 name=\
    "Limit upload" packet-marks=Limit-upload
/interface bridge filter
add chain=forward comment="Drop traffic from bridge-guest to bridge-local" \
    in-bridge=bridge-guest out-bridge=bridge-local
/interface bridge port
add bridge=bridge-local interface=ether4-ipcam
add bridge=bridge-local interface=ether5-ipcam
add bridge=bridge-local interface=ether6-ipcam
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-guest interface=ether3-vlan2-guest
add bridge=bridge-local interface=ether3-vlan1-local
add bridge=bridge-guest interface=wlan2-guest
add bridge=bridge-dslrouter interface=ether3-vlan3-dslrouter
add bridge=bridge-local interface="ether1-Wago 750-842"
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface l2tp-server server
set enabled=yes
/interface pptp-server server
set default-profile=pptp-profile enabled=yes max-mru=1460 max-mtu=1460
/interface wireless access-list
add comment=\
    "Restrict access to clients with signal strength between -85dB and 120dB" \
    signal-range=-85..120
add authentication=no comment=\
    "Reject access to clients with signal strength below -85dB" forwarding=no \
    signal-range=-120..-86
/interface wireless connect-list
add comment="Reject connection to clients with signal strength below -85dB" \
    connect=no interface=wlan1 security-profile=local signal-range=-120..-86
add comment="Reject connection to clients with signal strength below -80dB" \
    connect=no interface=wlan2-guest security-profile=guest signal-range=\
    -120..-86
add comment="Restrict connection to clients with signal strength between -85dB\
    \_and 120dB" interface=wlan1 security-profile=local signal-range=-85..120
add comment="Restrict connection to clients with signal strength between -85dB\
    \_and 120dB" interface=wlan2-guest security-profile=guest signal-range=\
    -85..120
/ip address
add address=192.168.2.1/24 comment="default configuration" interface=\
    bridge-dslrouter network=192.168.2.0
add address=192.168.1.2/24 interface=ether2-WAN-4G network=192.168.1.0
add address=192.168.3.1/24 interface=bridge-guest network=192.168.3.0
add address=192.168.4.1/24 interface=bridge-local network=192.168.4.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface="ether1-Wago 750-842" use-peer-dns=no
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.4.0/24 comment="default configuration" dns-server=\
    192.168.4.1 gateway=192.168.4.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB servers=\
    194.151.228.2,194.151.228.50
/ip dns static
add address=192.168.2.1 disabled=yes name=router
add address=194.109.6.66 disabled=yes name=Xs4ll
add address=194.109.9.99 disabled=yes name=Xs4all
/ip firewall address-list
add address=192.168.4.200-192.168.4.254 list=WAN-ADSL
add address=192.168.4.180-192.168.4.199 comment="Route over 4G" list=WAN-4G
add address=173.194.0.0/16 list=Google-Video
add address=178.249.136.0/24 list=Soundcloud
add address=192.168.3.0/24 list=Allowed-Internet
add address=192.168.3.10-192.168.3.254 comment="Route over adsl" list=\
    WAN-ADSL
add address=93.184.220.0/24 comment=Soundcloud list=Soundcloud
add address=198.38.115.0/24 comment=Netflix list=Netflix
add address=74.125.0.0/16 list=Google-Video
add address=192.168.4.0/24 list=Allowed-Internet
add address=173.252.88.128 comment="Mogelijk een adres van Soundcloud" list=\
    Soundcloud
add address=192.168.4.109 comment="iPad Air" list=WAN-ADSL
add address=192.168.4.142 list=WAN-ADSL
add address=192.168.4.141 list=WAN-ADSL
add address=192.168.4.132 comment="Leonie's MacBook 13\"" disabled=yes list=\
    WAN-ADSL
add address=192.168.4.148 comment="Femme's MacBook in werkruimte" disabled=\
    yes list=WAN-ADSL
add address=192.168.4.110 comment="Apple TV" list=WAN-ADSL
add address=192.168.4.136 comment="Femme's MacBook Pro wifi" disabled=yes \
    list=WAN-ADSL
add address=192.168.4.109 comment=iPad list=WAN-ADSL
add address=64.18.0.0/20 list=Google-Video
add address=64.233.160.0/19 list=Google-Video
add address=66.102.0.0/20 list=Google-Video
add address=66.249.80.0/20 list=Google-Video
add address=72.14.192.0/18 list=Google-Video
add address=207.126.144.0/20 list=Google-Video
add address=209.85.128.0/17 list=Google-Video
add address=216.58.208.0/20 list=Google-Video
add address=216.239.32.0/19 list=Google-Video
add address=69.53.224.0/19 list=Netflix
add address=165.193.233.164/30 list=Netflix
add address=205.139.32.0/19 list=Netflix
add address=66.150.96.0/19 list=Netflix
add address=205.139.45.0/24 list=Netflix
add address=209.177.164.0/24 list=Netflix
add address=54.84.21.0/24 list=Netflix
add address=54.85.33.0/24 list=Netflix
add address=209.177.166.0/24 list=Netflix
add address=192.168.4.148 comment="MacBook Leonie werkruimte" list=WAN-ADSL
add address=17.248.0.0/16 comment="Apple iCloud" list=Google-Video
/ip firewall filter
add chain=input comment="default configuration" disabled=yes protocol=icmp
add chain=input comment="default configuration" connection-state=established \
    disabled=yes
add chain=input comment="default configuration" connection-state=related \
    disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface="ether1-Wago 750-842"
add chain=forward comment="default configuration" connection-state=\
    established disabled=yes
add chain=forward comment="default configuration" connection-state=related \
    disabled=yes
add chain=input dst-port=1723 protocol=tcp src-address-list=""
add chain=input protocol=gre
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=input comment=\
    "Drop traffic to router not originating from 192.168.4.0/24" disabled=yes \
    dst-port=21,22,23,80,443,8291,8728 protocol=tcp src-address=\
    !192.168.4.0/24
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=\
    Limit-upload src-address-list=WAN-ADSL
add action=mark-routing chain=prerouting dst-port=53 new-routing-mark=\
    "DNS Traffic" passthrough=no protocol=udp
add action=mark-routing chain=prerouting dst-address-list=Soundcloud \
    new-routing-mark=WAN-ADSL passthrough=no src-address-list=\
    Allowed-Internet
add action=mark-routing chain=prerouting dst-address-list=Google-Video \
    new-routing-mark=WAN-ADSL passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=WAN-ADSL \
    passthrough=no src-address-list=WAN-ADSL
add action=mark-routing chain=prerouting dst-address-type="" \
    new-routing-mark=WAN-4G passthrough=no src-address-list=WAN-4G \
    src-address-type=""
add action=mark-routing chain=prerouting dst-port=80 new-routing-mark=\
    "HTTP Traffic" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting dst-port=443 new-routing-mark=\
    "SSL Traffic" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting disabled=yes dst-port=110 \
    new-routing-mark="POP3 Traffic" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting disabled=yes dst-port=25 \
    new-routing-mark="SMTP Traffic" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    "P2P Traffic" p2p=all-p2p passthrough=no
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    "Unknown Traffic" passthrough=no
add action=mark-routing chain=prerouting dst-address-list=Netflix \
    new-routing-mark=WAN-ADSL passthrough=no
add action=mark-connection chain=input disabled=yes in-interface=\
    ether2-WAN-4G new-connection-mark=WAN-4G-conn passthrough=no
add action=mark-connection chain=input disabled=yes in-interface=\
    bridge-dslrouter new-connection-mark=WAN-ADSL-conn passthrough=no
add action=mark-routing chain=output connection-mark=WAN-4G-conn disabled=yes \
    new-routing-mark=WAN-4G passthrough=no
add action=mark-routing chain=output connection-mark=WAN-ADSL-conn disabled=\
    yes new-routing-mark=WAN-ADSL passthrough=no
add chain=prerouting dst-address=192.168.3.0/24 in-interface=bridge-guest
add chain=prerouting dst-address=192.168.4.0/24 in-interface=bridge-local
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=bridge-local new-connection-mark=WAN-4G-conn \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=bridge-local new-connection-mark=WAN-ADSL-conn \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=bridge-guest new-connection-mark=WAN-4G-conn \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=bridge-guest new-connection-mark=WAN-ADSL-conn \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN-4G-conn \
    disabled=yes in-interface=bridge-local new-routing-mark=WAN-4G \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN-ADSL-conn \
    disabled=yes in-interface=bridge-local new-routing-mark=WAN-ADSL \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN-4G-conn \
    disabled=yes in-interface=bridge-guest new-routing-mark=WAN-4G \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN-ADSL-conn \
    disabled=yes in-interface=bridge-guest new-routing-mark=WAN-ADSL \
    passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    yes out-interface="ether1-Wago 750-842" src-address-list=Allowed-Internet
add action=masquerade chain=srcnat comment="Gateway 4G" out-interface=\
    ether2-WAN-4G src-address-list=Allowed-Internet to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=bridge-dslrouter \
    src-address-list=Allowed-Internet
add action=dst-nat chain=dstnat dst-port=5002 in-interface=bridge-dslrouter \
    protocol=tcp to-addresses=192.168.4.231 to-ports=82
add action=dst-nat chain=dstnat dst-port=5004 in-interface=bridge-dslrouter \
    protocol=tcp to-addresses=192.168.4.238 to-ports=5000
add action=dst-nat chain=dstnat dst-port=5000 in-interface=bridge-dslrouter \
    protocol=tcp to-addresses=192.168.4.230 to-ports=5000
add action=dst-nat chain=dstnat dst-port=5001 in-interface=bridge-dslrouter \
    protocol=tcp to-addresses=192.168.4.231 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=6454 in-interface=\
    bridge-local protocol=udp to-addresses=192.168.1.16 to-ports=6454
add action=dst-nat chain=dstnat disabled=yes dst-port=53001 in-interface=\
    bridge-local protocol=udp to-addresses=192.168.4.231 to-ports=53001
/ip ipsec peer
add dpd-interval=2s exchange-mode=main-l2tp hash-algorithm=sha1 \
    nat-traversal=yes secret=723404
/ip route
add distance=1 gateway=192.168.2.254 routing-mark="DNS Traffic" scope=255
add distance=1 gateway=192.168.2.254 routing-mark=WAN-ADSL scope=255
add distance=1 gateway=192.168.2.254 routing-mark=WAN-4G scope=255
add distance=1 gateway=192.168.2.254 routing-mark="HTTP Traffic" scope=255
add distance=1 gateway=192.168.2.254 routing-mark="SSL Traffic" scope=255
add distance=1 gateway=192.168.2.254 routing-mark="POP3 Traffic" scope=255
add distance=1 gateway=192.168.2.254 routing-mark="SMTP Traffic" scope=255
add check-gateway=ping distance=1 gateway=192.168.2.254 routing-mark=\
    "P2P Traffic" scope=255
add distance=1 gateway=192.168.2.254 routing-mark="Unknown Traffic" scope=255
add distance=1 gateway=192.168.2.254
add disabled=yes distance=1 gateway=192.168.1.1
add check-gateway=ping disabled=yes distance=1 dst-address=93.184.220.0/24 \
    gateway=192.168.2.254
add disabled=yes distance=1 dst-address=192.168.2.0/24 gateway=bridge-local
/lcd interface
set sfp1 interface=sfp1
set "ether1-Wago 750-842" interface="ether1-Wago 750-842"
set ether2-WAN-4G interface=ether2-WAN-4G
set ether3-trunk interface=ether3-trunk
set ether4-ipcam interface=ether4-ipcam
set ether5-ipcam interface=ether5-ipcam
set ether6-ipcam interface=ether6-ipcam
set ether7-slave-local interface=ether7-slave-local
set ether8-slave-local interface=ether8-slave-local
set ether9-slave-local interface=ether9-slave-local
set ether10-slave-local interface=ether10-slave-local
set wlan1 interface=wlan1
/ppp secret
add name=femme password="****" profile=pptp-profile
add name=leonie password="****" profile=pptp-profile
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name="MikroTik router schuur"
/system ntp client
set enabled=yes mode=unicast primary-ntp=194.109.22.18 secondary-ntp=\
    213.154.236.182
/tool graphing interface
add allow-address=192.168.4.0/24 interface=ether2-WAN-4G
add allow-address=192.168.4.0/24 interface=bridge-guest
add allow-address=192.168.4.0/24 interface=bridge-local
add allow-address=192.168.4.0/24 interface=ether3-trunk
add allow-address=192.168.4.0/24 interface=bridge-dslrouter
/tool graphing resource
add allow-address=192.168.2.0/24
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-WAN-4G
add interface=ether3-trunk
add interface=ether4-ipcam
add interface=ether5-ipcam
add interface=ether6-ipcam
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-WAN-4G
add interface=ether3-trunk
add interface=ether4-ipcam
add interface=ether5-ipcam
add interface=ether6-ipcam
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local


  • nipro
  • Registered: June 2007
  • Last online: 16-09 18:27
A complete example, for good measure:

code:
/interface pptp-server
add name=pptp user=""

/ppp profile
add dns-server=10.1.1.1 local-address=10.1.1.1 name=pptp remote-address=default-dhcp

/interface pptp-server server
set enabled=yes max-mru=1460 max-mtu=1460

/ip firewall filter
add chain=input dst-port=1723 in-interface=ether-wan protocol=tcp
add chain=input in-interface=ether-wan protocol=gre

/ppp secret
add name=test password=foobar profile=pptp service=pptp


Where `ether-wan` is your WAN interface and `10.1.1.1` the IP of your router (the DHCP server should then also hand out addresses in that range, so if you want PPTP in a separate subnet, add an extra /ip address entry as well).

The proxy-arp goes on your bridge-local. You do not need to set proxy-arp on your Ethernet interfaces.


  • Femme (topic starter)
  • Registered: June 1999
  • Last online: 16-09 13:49
In this case the WAN interface would seem to be 'bridge-dslrouter', which is connected via a VLAN to a Mikrotik CRS-125 that has a KPN Experiabox attached (the reason for this is that the Mikrotik 2011UiAS-2HnD and the 4G router are in the shed, while the Experiabox and the CRS-125 are in the house). The Experiabox forwards port 1723 to 192.168.2.1, which is the IP on interface 'bridge-dslrouter'. Changing the in-interface in the filter rules does not help, however.
