miankamran7100
Member Candidate
Topic Author
Posts: 252
Joined: Tue Sep 17, 2019 9:28 am

SSTP Client is connected reachable in Main Router terminal not reachable on desktop

Fri Sep 15, 2023 9:31 am

Dear all,
The SSTP client is connected and reachable in the MikroTik router, but I am not able to ping it from my LAN / LAN desktop.
Help, please.
Kind regards
Last edited by miankamran7100 on Sun Sep 17, 2023 6:12 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP Client is connected reachable in Main Router terminal not reachable on desktop

Fri Sep 22, 2023 3:57 pm

What are you trying to do?
Reach Router SSTP service remotely?
Reach your own SSTP server on the LAN remotely?
Reach your own SSTP server on the LAN from the LAN?
 
miankamran7100
Member Candidate
Topic Author
Posts: 252
Joined: Tue Sep 17, 2019 9:28 am

Re: SSTP Client is connected reachable in Main Router terminal not reachable on desktop

Sun Sep 24, 2023 9:13 pm

What are you trying to do?
Reach Router SSTP service remotely?
Reach your own SSTP server on the LAN remotely?
Reach your own SSTP server on the LAN from the LAN?

Yes, I want to access the SSTP client router with the SSTP remote IP. But I am not able to access the router of the remote site (which is my SSTP client); it is not pingable from the desktop.
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP Client is connected reachable in Main Router terminal not reachable on desktop

Mon Sep 25, 2023 2:24 am

What you said makes no sense.......

Either you want to connect to the SSTP that is an available service on the router or not.

If not, then you must be running an SSTP server on a device on a LAN subnet of the router, or NOT.

What is the purpose of the SSTP connection? What requirement does it fulfil? Which users need to use it, and for what purpose?
 
miankamran7100
Member Candidate
Topic Author
Posts: 252
Joined: Tue Sep 17, 2019 9:28 am

Re: SSTP Client is connected reachable in Main Router terminal not reachable on desktop

Mon Sep 25, 2023 10:46 am

What you said makes no sense.......

Either you want to connect to the SSTP that is an available service on the router or not.

If not, then you must be running an SSTP server on a device on a LAN subnet of the router, or NOT.

What is the purpose of the SSTP connection? What requirement does it fulfil? Which users need to use it, and for what purpose?

I have R1, which is the SSTP server.
R2: SSTP client, remote IP 172.16.0.96
R3: SSTP client, remote IP 172.16.0.97

I want WinBox access to R2 with remote IP 172.16.0.96.
I want WinBox access to R3 with remote IP 172.16.0.97.
But I couldn't.
Both R2 and R3 are reachable in the R1 terminal but not reachable on the LAN.

Hope you understand.
 
Kraken2k
Frequent Visitor
Posts: 72
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: SSTP Client is connected reachable in Main Router terminal not reachable on desktop

Fri Oct 06, 2023 5:06 pm

I assume that "not reachable from LAN" means that you cannot ping R2 or R3 from a workstation connected to R1, and (probably) this workstation shares the same network range with R2 and R3.

If that's the case, you probably forgot to set "proxy-arp" on the local LAN interface on R1, as described in the manual: https://wiki.mikrotik.com/wiki/Manual:I ... ote_Client. So the connection fails because the IP cannot be translated to a destination MAC address, as the ARP request stays without any response (because those SSTP interfaces do not have L2 connectivity to the rest of your LAN).

PS: the new version of the documentation does not contain this info: https://help.mikrotik.com/docs/display/ROS/SSTP I wonder why...
 
Amm0
Forum Guru
Posts: 3505
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: SSTP Client is connected reachable in Main Router terminal not reachable on desktop

Fri Oct 06, 2023 5:14 pm

You need a NAT rule for traffic from LAN IPs to the SSTP server's address (action=masquerade with 172.16.0.0/24 as src). Otherwise the far-end routers (SSTP clients) will have no idea how to send packets to your LAN (e.g. say your main LAN is 10.10.10.0/24, so unless there was a /ip/route to 172.16.0.1 (SSTP server).

You might also have a firewall filter that's blocking this, but the above may be the first problem. If you post your config, I'm sure @anav's firewall eyes will spot the problem.
 
Amm0
Forum Guru
Posts: 3505
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: SSTP Client is connected reachable in Main Router terminal not reachable on desktop

Fri Oct 06, 2023 5:21 pm

If that's the case, you probably forgot to set "proxy-arp" on the local LAN interface on R1
[...]
PS: the new version of the documentation does not contain this info: https://help.mikrotik.com/docs/display/ROS/SSTP I wonder why...

FWIW, proxy-arp may also work. But I suspect MikroTik is trying to steer folks to Layer 3 routing to solve it, vs "arp tricks".
 
miankamran7100
Member Candidate
Topic Author
Posts: 252
Joined: Tue Sep 17, 2019 9:28 am

Re: SSTP Client is connected reachable in Main Router terminal not reachable on desktop

Mon Oct 09, 2023 11:51 pm

You need a NAT rule for traffic from LAN IPs to the SSTP server's address (action=masquerade with 172.16.0.0/24 as src). Otherwise the far-end routers (SSTP clients) will have no idea how to send packets to your LAN (e.g. say your main LAN is 10.10.10.0/24, so unless there was a /ip/route to 172.16.0.1 (SSTP server).

You might also have a firewall filter that's blocking this, but the above may be the first problem. If you post your config, I'm sure @anav's firewall eyes will spot the problem.

Thanks for your reply.
Please see my configuration, which I have posted:


/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no mtu=1500 name=\
Bridge1_VLAN vlan-filtering=yes
add dhcp-snooping=yes mtu=1500 name="Bridge2_Head office" priority=0x1000
add dhcp-snooping=yes mtu=1500 name="Bridge3_Farm house"
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN-1
set [ find default-name=ether2 ] name=ether2_WAN-2
set [ find default-name=ether3 ] name=ether3_WAN-3
set [ find default-name=ether4 ] name=ether4_WAN-4
set [ find default-name=ether5 ] name=ether5_WAN-5
set [ find default-name=ether6 ] name=ether6_Trunk
set [ find default-name=ether7 ] name="ether7_WAN PTCL"
set [ find default-name=ether8 ] name="ether8_WAN Head office"
set [ find default-name=ether9 ] name="ether9_WAN Farm house"
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] name="ether13_LAN Farm house"
set [ find default-name=ether14 ] name="ether14_LAN Farm house"
set [ find default-name=ether15 ] name="ether15_LAN Head office"
set [ find default-name=ether16 ] name="ether16_LAN Head office"
/interface pppoe-client
add disabled=no interface="ether9_WAN Farm house" name="PPPoE_Farm house" \
user=tahir1212
/interface eoip
add local-address=203.223.173.66 mac-address=02:8D:ED:1E:50:BF name=\
"EoIP Tunnel_Air Avenue" remote-address=182.176.86.181 tunnel-id=11458
add local-address=172.16.0.1 mac-address=02:6D:1C:E9:08:5A name=\
"EoIP Tunnel_IT Tower" remote-address=172.16.0.96 tunnel-id=12458
add local-address=172.16.0.1 mac-address=02:FC:41:78:94:F4 name=\
"EoIP Tunnel_Midland" remote-address=172.16.0.97 tunnel-id=13458
/interface list
add name="WAN PrimeNet List"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=Speed regexp="^.+(speedtest).*\\\$"
/ip pool
add name="dhcp_pool Head Office" ranges=172.16.3.1-172.16.3.254
add name="dhcp_pool Farm House" ranges=192.168.100.10-192.168.100.250
/ip dhcp-server
add address-pool="dhcp_pool Head Office" interface="Bridge2_Head office" \
name=dhcp1
add address-pool="dhcp_pool Farm House" interface="Bridge3_Farm house" name=\
dhcp2

/routing table
add disabled=no fib name="to_Internal Network"
add disabled=no fib name=kamran
add disabled=no fib name="to_PPPoE Farm house"
#error exporting "/interface/bridge/host" (timeout)
/interface bridge port
add bridge=Bridge1_VLAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether1_WAN-1 pvid=101
add bridge=Bridge1_VLAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2_WAN-2 pvid=102
add bridge=Bridge1_VLAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3_WAN-3 pvid=103
add bridge=Bridge1_VLAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4_WAN-4 pvid=104
add bridge=Bridge1_VLAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether5_WAN-5 pvid=105
add bridge=Bridge1_VLAN frame-types=admit-only-vlan-tagged interface=\
ether6_Trunk
add bridge="Bridge2_Head office" interface="ether16_LAN Head office" trusted=\
yes
add bridge="Bridge2_Head office" interface="ether15_LAN Head office"
add bridge="Bridge2_Head office" interface="EoIP Tunnel_Air Avenue"
add bridge="Bridge2_Head office" interface="EoIP Tunnel_IT Tower"
add bridge="Bridge2_Head office" interface="EoIP Tunnel_Midland"
add bridge="Bridge3_Farm house" interface="ether14_LAN Farm house"
add bridge="Bridge3_Farm house" interface="ether13_LAN Farm house" trusted=\
yes
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=Bridge1_VLAN tagged=ether6_Trunk vlan-ids=101
add bridge=Bridge1_VLAN tagged=ether6_Trunk vlan-ids=102
add bridge=Bridge1_VLAN tagged=ether6_Trunk vlan-ids=103
add bridge=Bridge1_VLAN tagged=ether6_Trunk vlan-ids=104
add bridge=Bridge1_VLAN tagged=ether6_Trunk vlan-ids=105
/interface l2tp-server server
set one-session-per-host=yes
/interface list member
add interface="ether8_WAN Head office" list="WAN PrimeNet List"
add interface="ether9_WAN Farm house" list="WAN PrimeNet List"
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=172.16.0.1/16 comment="Headoffice LAN" interface=\
"Bridge2_Head office" network=172.16.0.0
add address=192.168.0.1/24 comment="Headoffice LAN" interface=\
"Bridge2_Head office" network=192.168.0.0
add address=192.168.210.2/30 comment="WAN PTCL" interface="ether7_WAN PTCL" \
network=192.168.210.0
add address=203.223.173.67 comment="Port Forward Kamran Arif" interface=\
"ether8_WAN Head office" network=203.223.173.64
add address=203.223.173.68 comment="Port Forward FreePBX" interface=\
"ether8_WAN Head office" network=203.223.173.64
add address=192.168.100.1/24 comment="Farmhouse LAN" interface=\
"Bridge3_Farm house" network=192.168.100.0
add address=203.223.173.66/28 comment="WAN PrimeNet" interface=\
"ether8_WAN Head office" network=203.223.173.64
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server alert
add disabled=no interface="Bridge2_Head office" valid-server=\
DC:2C:6E:8A:84:7C

/ip dhcp-server network
add address=172.16.0.0/16 gateway=172.16.0.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes cache-size=10000KiB servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=mail.urbandevelopersgroup.com list="Email Server"
/ip firewall filter
add action=accept chain=input comment="Router Access Remotely" dst-port=\
4477,4478 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=\
25,53,87,512-515,543,544,7547,8080 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=\
53,80,87,161,162,1900,4520-4524,8080 protocol=udp
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"Port Scanners to Address List " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-FIN/SYN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-RST/SYN scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-FIN/PSH/URG scan" protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input comment=\
"TCP Flag-NMAP NULL scan" protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping Port Scanners" \
src-address-list="Port Scanners"
add action=accept chain=forward disabled=yes dst-address=8.8.8.8 \
out-interface="ether8_WAN Head office"
add action=drop chain=forward disabled=yes dst-address=8.8.8.8 out-interface=\
"ether7_WAN PTCL"
add action=accept chain=forward disabled=yes dst-address=8.8.4.4 \
out-interface="ether7_WAN PTCL"
add action=drop chain=forward disabled=yes dst-address=8.8.4.4 out-interface=\
"ether8_WAN Head office"
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Internal network" \
dst-address=192.168.0.0/24 new-routing-mark="to_Internal Network" \
passthrough=yes src-address=172.16.0.0/16
add action=mark-routing chain=prerouting comment="Internal network" \
dst-address=192.168.100.0/24 new-routing-mark="to_Internal Network" \
passthrough=yes src-address=172.16.0.0/16
add action=mark-connection chain=prerouting comment="SAP RDP" dst-address=\
116.203.172.113 dst-port=7745 new-connection-mark="SAP RDP_Conn" \
passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark="SAP RDP_Conn" \
new-packet-mark="SAP RDP_Pkt" passthrough=yes
add action=mark-connection chain=prerouting comment="PMS WEB" dst-address=\
116.203.172.113 dst-port=8095,8099,44501 new-connection-mark=\
"PMS WEB_Conn" passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark="PMS WEB_Conn" \
new-packet-mark="PMS WEB_Pkt" passthrough=yes
add action=mark-connection chain=prerouting comment="Email Server" \
dst-address-list="Email Server" new-connection-mark=Email_Conn \
passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Email_Conn \
new-packet-mark=Email_Pkt passthrough=yes
add action=mark-connection chain=prerouting comment=Speed layer7-protocol=\
Speed new-connection-mark=Speed_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Speed_Conn \
new-packet-mark=Speed_Pkt passthrough=yes
add action=accept chain=prerouting comment="Farmhouse => Head office" \
src-address=192.168.100.0/24
add action=mark-routing chain=prerouting new-routing-mark=\
"to_PPPoE Farm house" passthrough=yes src-address=192.168.100.0/24
add action=mark-routing chain=prerouting new-routing-mark=\
"to_PPPoE Farm house" passthrough=yes src-address=172.16.0.107
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Local Network" \
src-address=172.16.0.0/16
add action=masquerade chain=srcnat comment="Masquerade Local Network" \
src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Masquerade Local Network" \
src-address=192.168.100.0/24
add action=dst-nat chain=dstnat comment="Port Forward Kamran Arif" \
dst-address=203.223.173.67 dst-port=4480 protocol=tcp to-addresses=\
172.16.0.102 to-ports=3389
add action=dst-nat chain=dstnat comment="Port Forward Wavetec" disabled=yes \
dst-address=203.223.173.67 dst-port=4480 protocol=tcp to-addresses=\
172.16.0.240 to-ports=3389
add action=dst-nat chain=dstnat comment="FreePBX SIP NAT" disabled=yes \
dst-address=203.223.173.68 dst-port=5060 in-interface=\
"ether8_WAN Head office" protocol=tcp to-addresses=172.16.0.66 to-ports=\
5060
add action=dst-nat chain=dstnat disabled=yes dst-address=203.223.173.68 \
dst-port=5060 in-interface="ether8_WAN Head office" protocol=udp \
to-addresses=172.16.0.66 to-ports=5060
add action=dst-nat chain=dstnat disabled=yes dst-address=203.223.173.68 \
dst-port=5061 in-interface="ether8_WAN Head office" protocol=tcp \
to-addresses=172.16.0.66 to-ports=5061
add action=dst-nat chain=dstnat disabled=yes dst-address=203.223.173.68 \
dst-port=5061 in-interface="ether8_WAN Head office" protocol=udp \
to-addresses=172.16.0.66 to-ports=5061
add action=dst-nat chain=dstnat disabled=yes dst-address=203.223.173.68 \
dst-port=5090 in-interface="ether8_WAN Head office" protocol=tcp \
to-addresses=172.16.0.66 to-ports=5090
add action=dst-nat chain=dstnat disabled=yes dst-address=203.223.173.68 \
dst-port=5090 in-interface="ether8_WAN Head office" protocol=udp \
to-addresses=172.16.0.66 to-ports=5090
add action=dst-nat chain=dstnat disabled=yes dst-address=203.223.173.68 \
dst-port=9000-9500 in-interface="ether8_WAN Head office" protocol=udp \
to-addresses=172.16.0.66 to-ports=9000-9500
add action=dst-nat chain=dstnat disabled=yes dst-address=203.223.173.68 \
dst-port=10000-20000 in-interface="ether8_WAN Head office" protocol=udp \
to-addresses=172.16.0.66 to-ports=10000-20000
add action=dst-nat chain=dstnat comment="Hair-Pin NAT" disabled=yes \
dst-address=203.223.173.68 to-addresses=172.16.0.66
/ip firewall raw
add action=drop chain=prerouting comment="Block Windows update" content=\
autodesk.com disabled=yes
add action=drop chain=prerouting comment="Block Windows update" content=\
update.microsoft.com disabled=yes
add action=drop chain=prerouting content=download.microsoft.com disabled=yes
add action=drop chain=prerouting content=.windowsupdate.com disabled=yes
add action=drop chain=prerouting content=ntservicepack.microsoft.com \
disabled=yes
add action=drop chain=prerouting content=stats.microsoft.com disabled=yes
add action=drop chain=prerouting content=wustat.windows.com disabled=yes
add action=drop chain=prerouting content=windowsupdate.microsoft.com \
disabled=yes
/ip route
add comment="PTCL Static Route" disabled=no distance=2 dst-address=0.0.0.0/0 \
gateway="192.168.210.1%ether7_WAN PTCL" pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add comment="Farmhouse Static Route" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway="PPPoE_Farm house" pref-src="" routing-table=\
"to_PPPoE Farm house" scope=30 suppress-hw-offload=no target-scope=10
add comment="PrimeNet Static Route" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway="203.223.173.65%ether8_WAN Head office" pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="PTCL Static Route" disabled=no distance=2 dst-address=0.0.0.0/0 \
gateway="192.168.210.1%ether7_WAN PTCL" pref-src="" routing-table=\
"to_PPPoE Farm house" scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=4478
set ssh disabled=yes
set api disabled=yes
set winbox port=4477
set api-ssl disabled=yes
/ppp secret
add local-address=172.16.0.1 name=ittower profile=default-encryption \
remote-address=172.16.0.96 service=sstp
add local-address=172.16.0.1 name=midland profile=default-encryption \
remote-address=172.16.0.97 service=sstp
/system clock
set time-zone-name=Asia/Karachi
/system identity
set name="Central Park"
/system logging
set 2 disabled=yes
/system note
set show-at-login=no
/tool romon
set enabled=yes
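As an added check (not code from the thread, from MikroTik, or from the posted configuration), a small Python script that applies Kraken2k's diagnosis to a RouterOS export: it parses the add/set lines, flags every SSTP secret whose remote-address sits inside a LAN subnet on a bridge that is not set to arp=proxy-arp, and emits the proxy-arp change for that bridge. The embedded export is a constructed excerpt mirroring the export posted above (the 172.16.0.0/16 LAN on Bridge2_Head office and the two SSTP secrets at 172.16.0.96 and 172.16.0.97).

```python
"""Find SSTP client addresses that overlap a LAN subnet on a bridge without proxy-arp."""
import ipaddress
import re

_KV = re.compile(r'(\S+?)=("([^"]*)"|(\S+))')  # key=value or key="quoted value"

# Constructed excerpt mirroring the export posted above (not the full config).
SAMPLE_EXPORT = """\
/interface bridge
add dhcp-snooping=yes mtu=1500 name="Bridge2_Head office" priority=0x1000
add dhcp-snooping=yes mtu=1500 name="Bridge3_Farm house"
/ip address
add address=172.16.0.1/16 comment="Headoffice LAN" interface=\\
"Bridge2_Head office" network=172.16.0.0
add address=192.168.100.1/24 comment="Farmhouse LAN" interface=\\
"Bridge3_Farm house" network=192.168.100.0
/ppp secret
add local-address=172.16.0.1 name=ittower profile=default-encryption \\
remote-address=172.16.0.96 service=sstp
add local-address=172.16.0.1 name=midland profile=default-encryption \\
remote-address=172.16.0.97 service=sstp
"""

def parse_export(text):
    """Return {section: [entry dict, ...]} per add/set line, continuations joined."""
    sections, section = {}, None
    for line in text.replace("\\\n", "").splitlines():   # join "\<newline>" continuations
        line = line.strip()
        if not line or line.startswith("#"):             # skip blanks and export comments
            continue
        if line.startswith("/"):                         # section header, e.g. /ip address
            section = line
            sections.setdefault(section, [])
        elif section and line.split(" ", 1)[0] in ("add", "set"):
            entry = {m[1]: m[3] if m[3] is not None else m[4] for m in _KV.finditer(line)}
            sections[section].append(entry)
    return sections

def find_arp_gaps(sections):
    """One (secret, peer, subnet, interface) tuple per SSTP secret whose remote-address
    falls inside a LAN subnet on a bridge that is not set to arp=proxy-arp."""
    arp_mode = {b.get("name"): b.get("arp", "enabled")   # RouterOS default is enabled
                for b in sections.get("/interface bridge", [])}
    lan = [(ipaddress.ip_interface(a["address"]).network, a["interface"])
           for a in sections.get("/ip address", [])]
    findings = []
    for s in sections.get("/ppp secret", []):
        if s.get("service") != "sstp" or "remote-address" not in s:
            continue
        peer = ipaddress.ip_address(s["remote-address"])
        for net, iface in lan:
            if peer in net and arp_mode.get(iface, "enabled") != "proxy-arp":
                findings.append((s["name"], str(peer), str(net), iface))
    return findings

def fix_commands(findings):
    """The bridge change Kraken2k refers to, emitted once per affected bridge."""
    return [f'/interface bridge set [find name="{iface}"] arp=proxy-arp'
            for iface in sorted({f[3] for f in findings})]

if __name__ == "__main__":
    found = find_arp_gaps(parse_export(SAMPLE_EXPORT))
    print(*found, *fix_commands(found), sep="\n")
```

Run it against a full `/export` and an empty result means every SSTP peer address is either outside the LAN subnets or on a bridge that already answers ARP on their behalf.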
