Hello all
We're having some problems with using Mikrotik to route PPTP connections from wifi clients.
Our setup looks like this:
outside network which needs to be accessed through VPN <--> subnet containing PPTP VPN server <--> wifi link plugging into external interface of Mikrotik router <--> Mikrotik Router <--> Atheros card running in AP mode <--> subnet with wifi clients wanting to connect to PPTP VPN
Almost everything is working great. Wifi clients (all running Windows XP SP2) get their IPs from DHCP and can ping each other and the router.
If we run a PPTP client on the router itself, let it connect to the PPTP VPN server and then enable NAT through this PPTP interface, clients can see the outside network. However, for admin reasons, we want each client to make its own PPTP connection to the VPN server.
Enabling NAT through router's external interface allows clients to establish a TCP connection to the PPTP server (note this server isn't running on the Mikrotik box itself) using Windows XP's built-in VPN networking. This seems to indicate that TCP packets on port 1723 are getting passed through NAT. In Windows XP netstat we can see the connection is established. However, at this point the VPN connection hangs where it says "Verifying username and password" and after about a minute it returns error 721. Googling around, this seems to indicate that the GRE part of the PPTP connection isn't working. We've tried with many Windows XP clients any various recent Mikrotik versions, but GRE doesn't seem to be getting through.
We also tried disabling NAT through the external interface and doing an equivalent forwarding using source NAT and destination NAT. Here we can see the counters for the rule that rewrites TCP packets on port 1723 being incremented, but the counters for the GRE packets never get incremented, so it seems like they're not even making it from the Windows XP clients to the filters.
Has anybody else had success in establishing a PPTP through a Mikrotik router with NAT (note, the PPTP server isn't on the router, but on the network "behind" the NAT, as seen from the client's side)? Any thoughts on what could be wrong?
Thanks.
Cheers,
Albert
I should also mention that if we take out the Mikrotik router and replace it with a Windows XP machine that has 2 network interfaces and does NAT through Internet Connection Sharing, the Windows XP clients can connect through NAT to the PPTP sevrer without problems. This really makes it look like a Mikrotik/GRE issue.
Hey Sam
Thanks very much. You got me on the right track. My router was letting port 1723 TCP through, as well as protocol 47 GRE, but I had to enable the NAT
traversal and then everything started working.
For future reference, go to:
/ip firewall service-port
and enable gre (option 5) and then pptp (option 6).
Symptoms that these aren't enabled when using Windows XP SP2 as a client behind the router is that PPTP connections through the router hang at the "Verifying username and password" stage.
Thanks very much. You got me on the right track. My router was letting port 1723 TCP through, as well as protocol 47 GRE, but I had to enable the NAT
traversal and then everything started working.
For future reference, go to:
/ip firewall service-port
and enable gre (option 5) and then pptp (option 6).
Symptoms that these aren't enabled when using Windows XP SP2 as a client behind the router is that PPTP connections through the router hang at the "Verifying username and password" stage.
Re:
can you provide me the sample of nat rule for pptp connection?Hey Sam
Thanks very much. You got me on the right track. My router was letting port 1723 TCP through, as well as protocol 47 GRE, but I had to enable the NAT
traversal and then everything started working.
For future reference, go to:
/ip firewall service-port
and enable gre (option 5) and then pptp (option 6).
Symptoms that these aren't enabled when using Windows XP SP2 as a client behind the router is that PPTP connections through the router hang at the "Verifying username and password" stage.
Re:
>Hey Sam,
>Thanks very much. You got me on the right track. My router was letting port 1723 TCP through, as well as protocol 47 GRE, but I had to enable the NAT
>traversal and then everything started working.
>
>For future reference, go to:
>
>/ip firewall service-port
>
>and enable gre (option 5) and then pptp (option 6).
>
>Symptoms that these aren't enabled when using Windows XP SP2 as a client behind the router is that PPTP connections through the router hang at the "Verifying >username and password" stage.
Yo, I cant find helper for GRE. Using RouterOS 3.30... Help?
Patrik
>Thanks very much. You got me on the right track. My router was letting port 1723 TCP through, as well as protocol 47 GRE, but I had to enable the NAT
>traversal and then everything started working.
>
>For future reference, go to:
>
>/ip firewall service-port
>
>and enable gre (option 5) and then pptp (option 6).
>
>Symptoms that these aren't enabled when using Windows XP SP2 as a client behind the router is that PPTP connections through the router hang at the "Verifying >username and password" stage.
Yo, I cant find helper for GRE. Using RouterOS 3.30... Help?
Patrik
Re: Mikrotik RouterOS not routing PPTP GRE through NAT
it's all in 'pptp' helper now - look at post's date =)
Re: Mikrotik RouterOS not routing PPTP GRE through NAT
[quote="Chupaka"]it's all in 'pptp' helper now - look at post's date =)[/quote]
Too bad for me
Cause PPTP wont do proper NAT traversal. What am I missing. I NAPT GRE and NAPT TCP 1723. Hoover Dam! 
Too bad for me
Cause PPTP wont do proper NAT traversal. What am I missing. I NAPT GRE and NAPT TCP 1723. Hoover Dam!