電訊茶室's Archiver

角色 posted on 2014-8-14 21:34

【RouterOS】—— PPTP client and routing local packets to the remote server gateway

[i=s] This post was last edited by 角色 on 2014-8-17 15:22 [/i]

Objectives:

1) Using RouterOS GUI (or Nat code) to program the device such that the local device can use the remote gateway.

The following post gives you information on setting up a PPTP client on a Routerboard:
[url]http://www.mikrotik.com/testdocs/ros/3.0/vpn/pptp.php[/url]

Also the following post provides a very practical example of setting up a PPTP client.

[url]http://www.hkepc.com/forum/viewthread.php?tid=2089157&highlight=mikrotik[/url]

The following wiki describes the steps to mark which destination IP addresses have to go out via the VPN tunnel (route packets to the remote VPN gateway); the rest of the destination IP addresses will use the local gateway.
[url]http://wiki.mikrotik.com/wiki/Policy_Base_Routing[/url]

角色 posted on 2014-8-15 00:32

[i=s] This post was last edited by 角色 on 2014-8-19 01:20 [/i]

The content of easy_setup.rsc:
[code]
# Connection parameters (sample values) and the internal LAN subnet
:local username "test"
:local password "1234"
:local hostname "0.0.0.0"
:local internal "192.168.88.0/24"
# PPTP client interface; add-default-route=no leaves the normal default route on the local gateway
/interface pptp-client
add add-default-route=no allow=chap,mschap1,mschap2 connect-to=$hostname \
dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1400 max-mtu=\
1400 mrru=disabled name=vpn_cn password=$password profile=\
default-encryption user=$username
# Mark TCP 80/443/8080 packets from Internal-Nets to UnBlockIPList for the VPN routing table
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=UnBlockIPList \
port=80,443,8080 new-routing-mark=through_vpn_cn passthrough=no \
protocol=tcp src-address-list=Internal-Nets disabled=no
# Masquerade traffic that leaves through the tunnel
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vpn_cn disabled=no
# Route used only by packets carrying the through_vpn_cn mark
/ip route
add distance=1 gateway=vpn_cn routing-mark=through_vpn_cn disabled=no \
scope=255
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,114.114.114.114
# Address lists referenced by the mangle rule above
/ip firewall address-list
add list=Internal-Nets address=$internal comment="Internal-Nets"
add list=UnBlockIPList address=103.7.28.0/24
add list=UnBlockIPList address=103.7.30.0/24
add list=UnBlockIPList address=103.7.31.0/24
add list=UnBlockIPList address=107.21.213.0/24
add list=UnBlockIPList address=111.161.48.0/24
add list=UnBlockIPList address=115.182.93.0/24
add list=UnBlockIPList address=117.121.54.0/24
add list=UnBlockIPList address=118.244.244.0/24
add list=UnBlockIPList address=119.147.19.0/24
add list=UnBlockIPList address=119.188.40.0/24
add list=UnBlockIPList address=123.125.195.0/24
add list=UnBlockIPList address=123.125.89.0/24
add list=UnBlockIPList address=123.126.48.0/24
add list=UnBlockIPList address=123.126.53.0/24
add list=UnBlockIPList address=123.126.98.0/24
add list=UnBlockIPList address=123.126.99.0/24
add list=UnBlockIPList address=123.58.180.0/24
add list=UnBlockIPList address=125.39.70.0/24
add list=UnBlockIPList address=125.39.95.0/24
add list=UnBlockIPList address=125.89.72.0/24
add list=UnBlockIPList address=163.177.71.0/24
add list=UnBlockIPList address=163.177.79.0/24
add list=UnBlockIPList address=163.177.89.0/24
add list=UnBlockIPList address=180.153.106.0/24
add list=UnBlockIPList address=180.153.21.0/24
add list=UnBlockIPList address=180.153.225.0/24
add list=UnBlockIPList address=180.76.2.0/24
add list=UnBlockIPList address=182.16.230.0/24
add list=UnBlockIPList address=183.61.119.0/24
add list=UnBlockIPList address=184.51.15.0/24
add list=UnBlockIPList address=192.241.222.0/24
add list=UnBlockIPList address=202.108.14.0/24
add list=UnBlockIPList address=202.108.23.0/24
add list=UnBlockIPList address=202.108.37.0/24
add list=UnBlockIPList address=202.108.5.0/24
add list=UnBlockIPList address=202.55.10.0/24
add list=UnBlockIPList address=202.55.12.0/24
add list=UnBlockIPList address=210.129.145.0/24
add list=UnBlockIPList address=211.151.181.0/24
add list=UnBlockIPList address=218.205.72.0/24
add list=UnBlockIPList address=218.30.66.0/24
add list=UnBlockIPList address=218.77.91.0/24
add list=UnBlockIPList address=220.181.109.0/24
add list=UnBlockIPList address=220.181.118.0/24
add list=UnBlockIPList address=220.181.153.0/24
add list=UnBlockIPList address=220.181.154.0/24
add list=UnBlockIPList address=220.181.185.0/24
add list=UnBlockIPList address=220.181.19.0/24
add list=UnBlockIPList address=220.181.61.0/24
add list=UnBlockIPList address=220.181.74.0/24
add list=UnBlockIPList address=220.181.90.0/24
add list=UnBlockIPList address=220.181.94.0/24
add list=UnBlockIPList address=220.194.199.0/24
add list=UnBlockIPList address=221.238.18.0/24
add list=UnBlockIPList address=42.156.140.0/24
add list=UnBlockIPList address=42.62.20.0/24
add list=UnBlockIPList address=42.62.49.0/24
add list=UnBlockIPList address=54.243.116.0/24
add list=UnBlockIPList address=58.215.179.0/24
add list=UnBlockIPList address=58.222.17.0/24
add list=UnBlockIPList address=58.63.237.0/24
add list=UnBlockIPList address=58.83.190.0/24
add list=UnBlockIPList address=59.151.12.0/24
add list=UnBlockIPList address=60.217.235.0/24
add list=UnBlockIPList address=60.28.164.0/24
add list=UnBlockIPList address=61.135.132.0/24
add list=UnBlockIPList address=61.135.181.0/24
add list=UnBlockIPList address=61.135.183.0/24
add list=UnBlockIPList address=61.135.196.0/24
add list=UnBlockIPList address=61.135.253.0/24
add list=UnBlockIPList address=66.102.246.0/24
[/code]
Test

[url]http://www.hkepc.com/forum/redirect.php?goto=findpost&ptid=2089157&pid=31963296[/url]

角色 posted on 2014-8-19 01:39

[i=s] This post was last edited by 角色 on 2014-8-19 02:40 [/i]

[url]http://www.hkepc.com/forum/viewthread.php?tid=2069651&rpid=31614526&ordertype=0&page=13#pid31614526[/url]

[url]http://www.hkepc.com/forum/redirect.php?goto=findpost&ptid=2089157&pid=31963296[/url]

[url]http://www.hkepc.com/forum/redirect.php?goto=findpost&ptid=2069651&pid=31614526[/url]

Temp links:
[url]http://www.hkepc.com/forum/viewthread.php?tid=2069651&extra=&authorid=239887&page=14[/url]
[url]http://www.hkepc.com/forum/viewthread.php?from=notice&tid=2069651[/url]
[url]http://www.hkepc.com/forum/viewthread.php?tid=2069651&rpid=31614526&ordertype=0&page=13#pid31614526[/url]

角色 posted on 2014-8-27 00:33

Finally got it working; I just followed the post below.

[url]http://www.hkepc.com/forum/viewthread.php?tid=2069651&rpid=31614526&ordertype=0&page=13#pid31614526[/url]

yiucsw posted on 2014-12-29 15:12

Is this for Hong Kong to China? Is there one for China to the outside?

角色 posted on 2014-12-29 17:40

It's the same; you just do it the other way around.

yiucsw posted on 2014-12-29 23:37

Would the unblock list be different?

/ip firewall address-list

角色 posted on 2014-12-30 00:11

The contents of unblockIPList are of course different; you have to log and find them out one by one.

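yiucsw posted on 2014-12-31 02:01

After running the script, for some reason the firewall says VPN not ready. Route list unreachable.  (Mainly connecting to a Vigor PPTP server)
Having run the script, how do I run it again? Deleting the interface, route and firewall entries doesn't work either.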
[attach]3398[/attach]

tc30624100 posted on 2014-12-31 02:40

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=39965&ptid=6328]9#[/url] [i]yiucsw[/i] [/b]


    Change the gateway to the name of that interface and it will work

yiucsw posted on 2014-12-31 18:41

The PPTP client interface and the gateway both have the same name: VPN_HK.
[attach]3399[/attach]

yiucsw posted on 2014-12-31 19:13

Not sure whether this is right.
Originally:
When the PPTP Interface Profile is Default-Encryption, Status: Link Established
When the PPTP Interface Profile is Default, Status: Connected.

Hope this solves part of the problem

yiucsw posted on 2014-12-31 20:09

I turned the following into a script, cn.txt. When it runs there is an ERROR,
"value of address expects range of ip addresses"
Any idea where the problem is?

/ip firewall address-list
add list=Internal-Nets address=$internal comment="Internal-Nets"
add list=UnBlockIPList address=173.194.72.0/24
add list=UnBlockIPList address=173.194.127.0/24
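
Added example, not part of the original posts and not MikroTik tooling: a small Python pre-flight check for `.rsc` fragments like easy_setup.rsc and cn.txt above. It reports a `$variable` used without a `:local`/`:global` line in the same file (the cn.txt fragment uses `$internal` but does not carry the `:local internal` line from easy_setup.rsc) and `address=` values whose prefix is implausibly wide or has host bits set. The function name `lint_rsc`, the `/8` threshold and the sample input are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: a fragment in the style of the thread's address-list
# scripts, with deliberate defects (undefined $internal, /2, host bits set).
SAMPLE = """\
:local username "test"
/ip firewall address-list
add list=Internal-Nets address=$internal comment="Internal-Nets"
add list=UnBlockIPList address=103.7.28.0/24
add list=UnBlockIPList address=198.51.100.0/2
add list=UnBlockIPList address=203.0.113.7/24
"""

MIN_PREFIX = 8  # assumption: anything wider than /8 in a per-site list is a typo


def lint_rsc(text, min_prefix=MIN_PREFIX):
    """Return (line_number, message) findings for a RouterOS .rsc script."""
    findings, defined = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*:(?:local|global)\s+([A-Za-z0-9_]+)", line)
        if m:
            defined.add(m.group(1))
        for var in re.findall(r"\$([A-Za-z0-9_]+)", line):
            if var not in defined:
                findings.append((no, f"${var} used but never defined"))
        m = re.search(r"\baddress=(\S+)", line)
        if not m or m.group(1).startswith("$"):
            continue  # no literal address on this line
        value = m.group(1)
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append((no, f"{value} is not an address or CIDR prefix"))
            continue
        if net.prefixlen < min_prefix:
            findings.append((no, f"{value} covers {net.num_addresses} addresses"))
        elif "/" in value and str(net) != value:
            findings.append((no, f"{value} has host bits set, means {net}"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_rsc(SAMPLE):
        print(f"line {no}: {msg}")
```

An over-wide prefix matters here because every destination in UnBlockIPList is steered into the tunnel by the mangle rule, so a single truncated mask redirects far more traffic than intended.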

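角色 posted on 2015-1-1 20:06

Your question has too little information!
You seem to have said that the RB connects to a Draytek, but we don't know what the network addresses on either side are.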

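yiucsw posted on 2015-1-1 22:42

Haven't got to that step yet. The RB is the PPTP CLIENT. The VIGOR is the PPTP SERVER. I split your SCRIPT into two parts. The above is the SCRIPT that adds the UNBLOCK LIST. It gives an ERROR; I guess it is a SYNTAX ERROR.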

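角色 posted on 2015-1-1 23:34

At first you said the RB is in mainland China, but connected to the router behind the ADSL modem; it should be able to connect to the Draytek VPN server in Hong Kong.
My script is meant for use in Hong Kong, so some problems may not have been dealt with in advance.

(If you are interested, we can look into it together)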

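yiucsw posted on 2015-1-3 18:29

Now using the configuration in Hong Kong.
RB PPTP client (Three 3G Mifi) connects to the Vigor 2920 PPTP server (HKBN). Added [url]www.google.com...[/url] to Unblockiplist
Since both ends are in Hong Kong, I don't know how to test whether the PPTP VPN is working?
Pinging [url]www.google.com[/url], I see no traffic in the interface Statistics.
Is there any way to tell whether it works?
If it works, the next step is the reverse direction, dialing from the Vigor to the RB.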

雯雯 posted on 2015-1-3 19:18

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=40033&ptid=6328]17#[/url] [i]yiucsw[/i] [/b]

Run tracert [url]www.google.com[/url] on Windows and you will know whether it works.

yiucsw posted on 2015-1-3 19:40

Thanks a lot. It is a good solution. In China, I use Windows tracert. The packets route to HK, but nothing shows up in the browser for 'www.Google.com'. Any other method?

雯雯 posted on 2015-1-3 19:44

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=40035&ptid=6328]19#[/url] [i]yiucsw[/i] [/b]

Check whether your HK to China route is normal; in this kind of situation it is very often that packets go out but never come back.

角色 posted on 2015-1-3 22:08

You can try tracert [url]www.netvigator.com[/url]

yiucsw posted on 2015-1-6 12:01

TraceRT from Hong Kong... I don't know why it wanders around inside China

Tracing route to 223.73.53.145 over a maximum of 30 hops

  1     3 ms    14 ms     6 ms  192.168.85.1
  2    92 ms     4 ms     3 ms  183178116001.ctinets.com [183.178.116.1]
  3    13 ms    37 ms    17 ms  061092090129.ctinets.com [61.92.90.129]
  4    14 ms     6 ms    17 ms  014199254241.ctinets.com [14.199.254.241]
  5    64 ms     4 ms    12 ms  014136129118.ctinets.com [14.136.129.118]
  6   323 ms    10 ms     7 ms  chinamobileintl1-lacp-10G.hkix.net [202.40.160.215]
  7     8 ms     6 ms    14 ms  211.136.1.114
  8    14 ms     9 ms    13 ms  223.118.2.205
  9    13 ms    21 ms    14 ms  223.118.10.1
 10    10 ms   163 ms    28 ms  221.176.24.229
 11   179 ms    19 ms    54 ms  221.176.18.113
 12    23 ms     *      519 ms  221.176.19.70
 13    13 ms    22 ms    17 ms  120.196.0.2
 14   937 ms  1841 ms  3090 ms  120.196.2.166
15     *        *        *     Request timed out.
