Hello all
We're having some problems with using Mikrotik to route PPTP connections from wifi clients.
Our setup looks like this:
outside network which needs to be accessed through VPN <--> subnet containing PPTP VPN server <--> wifi link plugging into external interface of Mikrotik router <--> Mikrotik Router <--> Atheros card running in AP mode <--> subnet with wifi clients wanting to connect to PPTP VPN
Almost everything is working great. Wifi clients (all running Windows XP SP2) get their IPs from DHCP and can ping each other and the router.
If we run a PPTP client on the router itself, let it connect to the PPTP VPN server and then enable NAT through this PPTP interface, clients can see the outside network. However, for admin reasons, we want each client to make its own PPTP connection to the VPN server.
Enabling NAT through the router's external interface allows clients to establish a TCP connection to the PPTP server (note this server isn't running on the Mikrotik box itself) using Windows XP's built-in VPN networking. This seems to indicate that TCP packets on port 1723 are getting passed through NAT. In Windows XP netstat we can see the connection is established. However, at this point the VPN connection hangs where it says "Verifying username and password" and after about a minute it returns error 721. Googling around, this seems to indicate that the GRE part of the PPTP connection isn't working. We've tried with many Windows XP clients and various recent Mikrotik versions, but GRE doesn't seem to be getting through.
We also tried disabling NAT through the external interface and doing an equivalent forwarding using source NAT and destination NAT. Here we can see the counters for the rule that rewrites TCP packets on port 1723 being incremented, but the counters for the GRE packets never get incremented, so it seems like they're not even making it from the Windows XP clients to the filters.
Has anybody else had success in establishing a PPTP connection through a Mikrotik router with NAT (note, the PPTP server isn't on the router, but on the network "behind" the NAT, as seen from the client's side)? Any thoughts on what could be wrong?
Thanks.
Cheers,
Albert
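Added example, not part of the original post: one way to check, from raw IPv4 packets captured on either side of the router, whether the PPTP control channel (TCP 1723) is accompanied by enhanced GRE (IP protocol 47) in each direction. The function names, the sample packets and the addresses are assumptions constructed for illustration.

```python
import socket
import struct

TCP, GRE = 6, 47      # IP protocol numbers
PPTP_PORT = 1723      # PPTP control channel (TCP)
GRE_PPP = 0x880B      # protocol type of PPTP's enhanced GRE (RFC 2637)

def classify(pkt):
    """Return (kind, src, dst) for a raw IPv4 packet; kind is 'control' or 'gre'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    body = pkt[(pkt[0] & 0x0F) * 4:]          # skip IP header, honouring IHL
    if pkt[9] == TCP and len(body) >= 4:
        if PPTP_PORT in struct.unpack("!HH", body[:4]):
            return ("control", src, dst)
    if pkt[9] == GRE and len(body) >= 8:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        if (flags_ver & 0x0007) == 1 and ptype == GRE_PPP:   # GRE version 1 carrying PPP
            return ("gre", src, dst)
    return None

def diagnose(packets, client, server):
    """Say which parts of a PPTP session were seen between client and server."""
    seen = set()
    for pkt in packets:
        hit = classify(pkt)
        if hit and {hit[1], hit[2]} == {client, server}:
            seen.add((hit[0], "out" if hit[1] == client else "in"))
    if ("control", "out") not in seen:
        return "no control channel"
    out, back = ("gre", "out") in seen, ("gre", "in") in seen
    if out and back:
        return "control and GRE both ways"
    if out or back:
        return "GRE one way only: " + ("client->server" if out else "server->client")
    return "control only, no GRE"

def ipv4(src, dst, proto, payload):
    """Build a constructed IPv4 packet for the samples (header checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample traffic; addresses are documentation-range placeholders.
CLIENT, SERVER = "192.0.2.10", "198.51.100.1"
SYN = ipv4(CLIENT, SERVER, TCP, struct.pack("!HH", 49152, PPTP_PORT) + bytes(16))
GRE_OUT = ipv4(CLIENT, SERVER, GRE, struct.pack("!HHHH", 0x2001, GRE_PPP, 0, 7))
GRE_IN = ipv4(SERVER, CLIENT, GRE, struct.pack("!HHHH", 0x2001, GRE_PPP, 0, 9))
```

Pass `client` and `server` as the addresses visible at the capture point: on the outside of the NAT the client appears under the router's external address. Comparing the result on the inside and outside interfaces shows at which hop the GRE packets stop.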