I have 2 RB750, Trying to route Site to Site SSTP.
SSTP Connect OK between routers and I can ping from Terminal in router1 to computers behind router2
But not From a computer on LAN side Router1 to Computers on LAN router2.
I.e. The tunnel is working OK But not Routing/firewall/NAT.
I think the problem is either NAT-rule or Firewall-rule. Below is my config.

Router2 is the Server Connected direct to Internet.
Router1 is behind a NAT/Firewall.

Router1:
/IP Routing
0 A S 0.0.0.0/0 10.110.110.3 1
1 ADC 172.35.0.1/32 172.35.0.2 sstp-out1 0
2 ADC 10.110.110.0/24 10.110.110.14 ether1-gateway 0
3 ADC 192.168.88.0/24 192.168.88.1 ether2-master-l... 0
4 A S 192.168.89.0/24 172.35.0.1 2

/IP Firewall NAT
0 A S 0.0.0.0/0 10.110.110.3 1
1 ADC 172.35.0.1/32 172.35.0.2 sstp-out1 0
2 ADC 10.110.110.0/24 10.110.110.14 ether1-gateway 0
3 ADC 192.168.88.0/24 192.168.88.1 ether2-master-l... 0
4 A S 192.168.89.0/24 172.35.0.1 2

/Ip Firewall Filter
;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established

2 ;;; default configuration
chain=input action=accept connection-state=related

3 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

Router2:
IP Firewall Nat
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0
out-interface=ether1-gateway

IP Firewall Filter
0 chain=input action=accept protocol=tcp in-interface=ether1-gateway
dst-port=443

1 chain=input action=accept protocol=gre in-interface=ether1-gateway

2 chain=input action=accept protocol=tcp in-interface=ether1-gateway
dst-port=1194

3 ;;; default configuration
chain=input action=accept protocol=icmp

4 ;;; default configuration
chain=input action=accept connection-state=established

5 ;;; default configuration
chain=input action=accept connection-state=related

6 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

IP Route
0 ADS 0.0.0.0/0 85.224.1.129 0
1 ADC 85.224.1.128/25 85.224.1.141 ether1-gateway 0
2 ADC 172.35.0.2/32 172.35.0.1 <sstp-vpn> 0
3 ADS 192.168.88.0/24 172.35.0.2 1
4 ADC 192.168.89.0/24 192.168.89.1 ether2-master-l... 0

I have probably missed something fundamental, but can't figure out what!
Can anybody help me ?

Bump

It's a firewall rule. Try adding a "log" action, identical to your drop rules, just before the drop rules, then try your tests again and check the logs. You should see where the packets are getting last and be able to add a rule to compensate.

If you're still stuck, send the relevant portions of the logs during your test.

-zeb

Hi thanks for reply, I have tried to log.
If I ping from a computer behind router1 to 192.168.88.1 I can se that the signal reaches Router2,
but If I do the reverse, Ping from a computer behind Router2 to 192.168.89.1 then the signal never reaches router1.

Could this be a routing problem in the SSTP Server ?

SSTP doesn't do any routing, it's simply a VPN pipe. We've been using SSTP from site-to-site, as you've described, without any issues.

Your issue is either a rule problem, or a routes problem. Your routes look ok, so I suspect it's a rule problem and the logs should indicate what's being dropped and why to give you a better idea of what's going on and what you need to open up.

-zeb

I've solved it.
The problem is IP Routing.
I changed the local network on router1 to 192.168.110.0/24
and then all started to work OK!
I have reset my routers to default and tested again.
If I have local networks of 192.168.89.0/24 ( on the router with SSTP Server )
And 192.168.88.0/24 on the "client" router then it just won't work.
BUG ?

just a quick question.
do you need to have certificates if you are trying to connect 2 mikrotiks over sstp?

Certificates are optional if you're connecting between Mikrotik's using SSTP.