3

I have a network situation like this:

Problem with VPN tunnel from local network to the local VPN server

  • ISP Router (modem) - device given to us by our ISP - modem & router in one, but it is set into transparent mode - the ISP says so ;D we have to find out whether that is true :)
  • MikroTik Router (MTR) - our edge router with firewall
  • Server NAS & VPN Server (NAS) - Synology box with our data storage and also a VPN server running PPTP, OpenVPN and L2TP/IPsec services, to which workers from our local company and from remote locations connect to get data
  • Local station (LS) - workers at our network site - they are using Windows 8, which means they use PPTP

Below I present our MikroTik configuration:

Routing table:

Dst. address   | Gateway      | Distance | Pref. source   |
0.0.0.0/0      | 1.1.1.9      | 2        | -              |
1.1.1.8/30     | ether1       | -        | 1.1.1.8/30     |
192.168.1.0/24 | bridge local | -        | 192.168.1.0/24 |

Firewall:

Action | Chain | Dst. Address  | Protocol | Dst. Port |
accept | input | 192.168.1.230 | 6 (TCP)  | 1723      |
accept | input | 192.168.1.230 | 47 (GRE) | -         |
accept | input | 192.168.1.230 | 6 (TCP)  | 5006      |

NAT:

Action     | Chain  | Source Addr    | Dst Address   | Proto    | Dst Port | Out Intf   |
masquerade | srcnat | -              | -             | -        | -        | ether1     |
dstnat     | dstnat | -              | 1.1.1.10      | 6 (TCP)  | 1723     | -          |
dstnat     | dstnat | -              | 1.1.1.10      | 47 (GRE) | -        | -          |
dstnat     | dstnat | -              | 1.1.1.10      | 6 (TCP)  | 5006     | -          |
masquerade | srcnat | 192.168.1.0/24 | 192.168.1.230 | -        | -        | -          |

The last rule is used to avoid the hairpin issue.

Rules at MikroTik are made for now only for the PPTP protocol!!!

When people from the local network try to connect to the VPN server at the NAS, error 807 or 800 occurs - it depends on the station. All are Windows 8 and Windows 7. What could be the cause?

DDos Schwagins
  • I don't know what the problem is, but I do know what it isn't: your router and firewall. If you are getting error messages back from the NAS server, then you have network connectivity. Since they are on the same subnet, the local PC can address the NAS server directly without using the router. You should concentrate on the NAS server configuration. – Ron Trunk Jul 31 '14 at 13:14
  • I think the router is the problem. We use the public IP of our interface to connect, but I took care of the hairpin issue and added a special rule for this in the NAT table. The second thing is that I don't see port 1723 open from the Internet :/ I have rules at the router firewall but it is not seen from this point of view. Also it is not our ISP because the test is made from our LAN. Packets go to the router, they are NAT-ed and they come back to the NAS in our LAN. – DDos Schwagins Jul 31 '14 at 13:23
  • You said "people from local network" -- I'm assuming that is (or similar to) the station shown at 192.168.1.101. That station is on the same subnet as your NAS server (according to your diagram). If that is true, then you are not routing, so the router or firewall is not involved. – Ron Trunk Jul 31 '14 at 17:56
  • Yes, it is, because the VPN address is domain.name.ddns.net and it is a public IP. So the traffic goes to the router and then it is NAT-ed from the public IP to the LOCAL IP. http://wiki.mikrotik.com/wiki/Hairpin_NAT – DDos Schwagins Jul 31 '14 at 18:22
  • I see. Can you post the actual configuration (not just show outputs)? Also, if you connect to the NAS via IP address (using a local IP address instead of a name), does it work? – Ron Trunk Jul 31 '14 at 18:35
  • Yes. For a short time after my reconfig at the firewall, using a private IP like 192.168.1.230 the VPN works. But not remotely from public IP ranges :( – DDos Schwagins Jul 31 '14 at 18:53
  • It would be helpful to see the entire configuration of the firewall. – Ron Trunk Jul 31 '14 at 19:13
  • From LOCAL the VPN is working. Now I don't have connectivity from other ISPs :/ Like my earlier post http://networkengineering.stackexchange.com/questions/9939/problem-with-vpn-tunel-from-remote-location-through-isp-pptp – DDos Schwagins Aug 01 '14 at 07:45
  • I changed the chains from INPUT to FORWARD and now the firewall rules are working. – DDos Schwagins Aug 01 '14 at 10:32

1 Answer

2

The problem was a wrong NAT translation to the VPN server and two rules at the firewall. They should check the FORWARD chain instead of INPUT. It is a little hard to believe, but it worked.

The INPUT chain is for packets which have the router's public IP as destination address, like in my case, so they "want" to reach the router, not a host beyond - as the FORWARD chain does. That's interesting ^^

DDos Schwagins
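As an added illustration (not the poster's configuration and not RouterOS code), this Python model walks the page's rule set through the RouterOS packet path in the order the router applies it: prerouting dst-nat, then the routing decision, then the input or forward filter chain, then postrouting src-nat. It assumes 192.168.1.1 as the MikroTik's address on the LAN bridge and a default-drop at the end of each filter chain (both assumptions, not stated on the page); it shows why accept rules in input never match dst-natted PPTP traffic to the NAS, and what the hairpin masquerade does to a LAN client's packet.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

ROUTER_WAN = "1.1.1.10"     # public address the page's dstnat rules match on
ROUTER_LAN = "192.168.1.1"  # assumed: MikroTik's own address on "bridge local"
LAN = ipaddress.ip_network("192.168.1.0/24")
NAS = "192.168.1.230"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "gre"
    dport: Optional[int]  # None for GRE, which has no ports

# Filter rules as (chain, dst, proto, dport); dport None matches any port.
# The page's original rules sit in "input"; the accepted fix moves them to "forward".
ORIGINAL_RULES = [("input", NAS, "tcp", 1723), ("input", NAS, "gre", None),
                  ("input", NAS, "tcp", 5006)]
FIXED_RULES = [("forward",) + r[1:] for r in ORIGINAL_RULES]

def dstnat(p: Packet) -> Packet:
    """Prerouting: the three dstnat rules send public PPTP traffic to the NAS."""
    pptp = p.proto == "gre" or (p.proto == "tcp" and p.dport in (1723, 5006))
    return replace(p, dst=NAS) if p.dst == ROUTER_WAN and pptp else p

def pick_chain(p: Packet) -> str:
    """Routing decision runs after dst-nat: only packets still addressed to the router reach input."""
    return "input" if p.dst in (ROUTER_WAN, ROUTER_LAN) else "forward"

def filter_verdict(p: Packet, chain: str, rules) -> str:
    """Assumes a default-drop at the end of each chain, as the poster's symptoms imply."""
    for c, dst, proto, dport in rules:
        if c == chain and p.dst == dst and p.proto == proto and dport in (None, p.dport):
            return "accept"
    return "drop"

def srcnat(p: Packet) -> Packet:
    """Postrouting: masquerade towards ether1, plus the hairpin rule so the NAS answers the router."""
    if ipaddress.ip_address(p.dst) not in LAN:        # out-interface ether1
        return replace(p, src=ROUTER_WAN)
    if ipaddress.ip_address(p.src) in LAN and p.dst == NAS:
        return replace(p, src=ROUTER_LAN)             # hairpin masquerade
    return p

def simulate(p: Packet, rules):
    """Return (chain consulted, verdict, packet as it leaves the router)."""
    p = dstnat(p)
    chain = pick_chain(p)
    verdict = filter_verdict(p, chain, rules)
    return chain, verdict, (srcnat(p) if chain == "forward" and verdict == "accept" else p)
```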