12.19
Configuring your RouterOS based router (did this on a Mikrotik 450G)
For monitoring a remote Small Business Server (2003) I used the built-in PPTP server from SBS. This way my monitoring packets are encrypted, and I don’t have to build an IPsec tunnel.
My Nagios server runs behind a Mikrotik 450G with RouterOS. I wanted to let my Mikrotik log in as PPTP Client and forward traffic between the remote SBS and my Nagios server behind my Mikrotik.
This can be done by doing the following:
Adding/Configuring PPTP Client interface:
CLI:
- Start Winbox and connect to your Mikrotik;
- Go to New Terminal;
- Navigate to the pptp-client menu by entering the following at the command-line;
# interface pptp-client
- Enter the following command to add a PPTP-Client interface;
# add name="Connection Name" connect-to=123.234.143.243 ... user=Username password=Password disabled=no
- Enter the following command to check your newly created PPTP-Client interface;
- If everything went as it was supposed to, you will see your connection with an "R" status (after the connection ID). This means the interface is running, so it is connected;
GUI:
- Start Winbox and connect to your Mikrotik;
- Go to Interfaces;
- Add a new interface and choose PPTP Client interface;
- Configure the new interface with its own name and configure the Dial Out tab with the IP of the PPTP server and the username you use for dialing in;
- After pressing Apply, you should see the status in the bottom right corner of the interface window. When the status is connected, your PPTP connection is successful.
Now we have to create a static route to the internal range of the PPTP server:
CLI:
- Navigate to the IP route menu by entering the following at the command-line (note the / telling the console it needs to look in the root for the ip menu instead of the current /interface pptp-client menu);
# /ip route
- Enter the following command to create a static route for reaching the network behind your PPTP-server (note the fake subnet I used, replace it with the internal subnet of the PPTP-server);
# add dst-address=123.234.143.0/24 gateway="Connection Name" ... disabled=no
GUI:
- Go to IP – Routes;
- Add a static route, using the internal range of the PPTP server as the destination address (something like 192.168.1.0/24) and choose the right gateway. This is the interface that you just created, the PPTP client interface;
- After pressing Apply, the status of the route is shown next to the gateway box where you just chose your PPTP client interface. It will tell you it is reachable (when everything goes as planned).
The last thing you need to do is masquerade the traffic to the PPTP server, because you want the Mikrotik to act as the PPTP client and the clients behind your Mikrotik to be able to talk to the PPTP server. With masquerading, every packet is sent out as if the Mikrotik itself had sent it.
Masquerading the traffic to the PPTP Server
CLI:
- Enter the following command to navigate to the NAT menu;
# /ip firewall nat
- Create the masquerade rule for your PPTP-Client connection by entering the following command (note, you don’t need to enable the rule, it will be enabled by default):
# add chain=srcnat out-interface="Connection Name" ... action=masquerade
GUI:
- Go to IP – Firewall;
- Choose the NAT tab;
- Add a new rule in the srcnat chain, as action it needs to masquerade, and the Out. Interface needs to be the PPTP-client interface.
Now you will be able to communicate from any client behind the Mikrotik with the PPTP-server.
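A tighter variant of the masquerade step, as an added example that is not part of the original post: it limits the NAT rule to the monitoring host and adds forward-chain rules so only that host can open connections through the tunnel. The Nagios address 192.168.88.10 is a constructed placeholder, 192.168.1.0/24 is the sample PPTP-side range from the route step, and the multi-value connection-state syntax assumes RouterOS 6 or later.

```routeros
# Added example; lines starting with # are comments, the rest are RouterOS commands.
# Assumptions (constructed values, replace with your own):
#   192.168.88.10     = Nagios server behind the Mikrotik
#   192.168.1.0/24    = internal subnet behind the PPTP server
#   "Connection Name" = the PPTP client interface created earlier

/ip firewall nat
# Use this in place of the broader masquerade rule: it translates only the
# monitoring host, and only towards the remote subnet.
add chain=srcnat src-address=192.168.88.10 dst-address=192.168.1.0/24 \
    out-interface="Connection Name" action=masquerade \
    comment="nagios to remote SBS via pptp"

/ip firewall filter
# Replies to connections that are already tracked.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies"
# New connections into the tunnel: Nagios server only.
add chain=forward src-address=192.168.88.10 dst-address=192.168.1.0/24 \
    out-interface="Connection Name" action=accept \
    comment="nagios to remote SBS"
# Any other LAN client trying to use the tunnel.
add chain=forward out-interface="Connection Name" action=drop \
    comment="no other hosts into pptp"
# Anything the remote side tries to open towards the LAN.
add chain=forward in-interface="Connection Name" action=drop \
    comment="no new connections from pptp"
```

The add command appends to the end of each chain, so if earlier rules already accept this traffic, position the new rules with place-before or move them up in Winbox.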