RRAS VPN

Forums › IT Pro and developers › RRAS VPN

tatbaird

142 posts

Master Geek
+1 received by user: 8

#208920 5-Mar-2017 13:23

Hi,

We have demoted an SBS server and built a new 2016 VM as the new DC. The SBS box (physical) still has the RRAS role installed and it is working fine for VPN clients. We are looking to blow away the SBS box of course and repurpose it as a backup server. To that end we want the new server to handle VPNs, Anyway I have installed the RRAS role on the new VM and it seems to be running. It will not accept connections though. Internal DNS has been changed to reflect the new server and connecting to the PPTP VPN internally works straight away as you would expect. There have been no changes made to the Mikrotik routerfirewall, as I said if I re-enable the service on the old server it works OK. Windows firewall is off. Any NAT rule on the firewall just points to the site network. Flat, no VLANs, 1 subnet. There is no specific entry on the Mikrotik that I can see, but maybe I have missed something. It can't be external DNS because there is nothing different there.

Cheers

gbwelly

1263 posts

Uber Geek
+1 received by user: 776

#1730410 5-Mar-2017 15:19

"Any NAT rule on the firewall just points to the site network"

Surely the gre and tcp ports would need to be mapped on the nat device to the specific ip address of the new pptp server?

Or is the VM on the same IP address as the old pptp server? If so check the local firewall on the VM as if it's on the domain profile for example it will accept connections when you are testing on the local LAN, but not from the internet.

tatbaird

142 posts

Master Geek
+1 received by user: 8

#1730427 5-Mar-2017 15:52

Thanks, I can't see anywhere on the Mikrotik to change that. Under service ports pptp is blank and no gre entry at all. There are entries for 1723 in the NAT translation table tho

Well let me just quote the late-great Colonel Sanders, who said "Im too drunk to taste this chicken." -Ricky Bobby

chevrolux

4962 posts

Uber Geek
+1 received by user: 2638
Inactive user

#1730433 5-Mar-2017 16:01

On the Mikrotik you will want a dstnat rule forwarding tcp 1723, and another rule forwarding GRE to your server IP too.
Unless the new server has the same IP as the old server they won't be heading to the right place at the moment which seems consistent with what you are saying that connecting to the old server works.

tatbaird

142 posts

Master Geek
+1 received by user: 8

#1730473 5-Mar-2017 17:24

Yes, thanks for the input lads. I found about 20 static NAT rules all pointing to the old IP. Pretty noob omission in the end.

Thanks

Well let me just quote the late-great Colonel Sanders, who said "Im too drunk to taste this chicken." -Ricky Bobby

toyonut

1508 posts

Uber Geek
+1 received by user: 211

#1732845 8-Mar-2017 09:08

If you are not using 443 (https) inbound already, you could also take advantage of a more modern VPN and set up SSLVpn instead of pptp. It is more secure and doesn't require as many firewall ports opened up. It is also usable from some networks where they heavily block outbound ports except for http and https.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B