Allow VPN through MikroTik router from web interface?

So I’m helping a friend replace a stupid Linksys router with a RB2011UAS-2Hnd-IN. They have a Windows SBS server and two users who connect to that server through VPN. We set everything up with all the port forwards to the server including 1723. I think the port forward is fine because the other port forwards are fine. Since the VPN connection won’t work, I think I have to do something to forward GRE too.

I’ve only used the web interface so far, so I’m looking for how to do it from the web interface.

I tried using NAT like I would a port forward and just chose 47 for the protocol and left out the ports. That didn’t help.
Here’s how I have it set:
went to: ip, firewall, nat
set:
chain:dstnat, protocol:gre, in-interface:ether1-gateway, action:dst-nat, to address: server

I tried to mess with the mangle menu from something someone else said, but that didn’t help either.

Under service ports pptp is enabled.

Can anyone help me pass gre through or suggest where else my issue might be? Thanks in advance!

Could you post /export compact?

http://forum.mikrotik.com/t/vpn-pass-through-rb750-to-local-windows-vpn-server/62250/1

feb/05/2013 11:27:00 by RouterOS 5.20

software id = 0X2S-BQ0D

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=XXXXXX wireless-protocol=any
/interface ethernet
set 0 name=sfp1-gateway
set 1 name=ether1-gateway
set 6 name=ether6-master-local
set 7 master-port=ether6-master-local name=ether7-slave-local
set 8 master-port=ether6-master-local name=ether8-slave-local
set 9 master-port=ether6-master-local name=ether9-slave-local
set 10 master-port=ether6-master-local name=ether10-slave-local
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=XXXXXXXX wpa2-pre-shared-key=XXXXXXXX
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.16.1/24 comment="default configuration" interface=wlan1
/ip dhcp-client
add comment="default configuration" disabled=no interface=sfp1-gateway
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.16.0/24 comment="default configuration" dns-server=192.168.16.2 gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall mangle
add chain=forward disabled=yes in-interface=ether1-gateway protocol=gre
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.16.3 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.16.3 to-ports=443
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.16.3 to-ports=25
add action=dst-nat chain=dstnat dst-port=110 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.16.3 to-ports=110
add action=dst-nat chain=dstnat dst-port=1723 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.16.3 to-ports=1723
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.16.3 to-ports=3389
add action=dst-nat chain=dstnat dst-port=4125 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.16.3 to-ports=4125
add action=dst-nat chain=dstnat dst-port=1723 in-interface=ether1-gateway protocol=udp to-addresses=192.168.16.3 to-ports=1723
add action=dst-nat chain=dstnat in-interface=ether1-gateway protocol=gre to-addresses=192.168.16.3
/ip neighbor discovery
set sfp1-gateway disabled=yes
set ether1-gateway disabled=yes
set wlan1 disabled=yes
/system clock
set time-zone-name=XXXX
/tool mac-server
add disabled=no interface=ether2
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no interface=ether5
add disabled=no interface=ether6-master-local
add disabled=no interface=ether7-slave-local
add disabled=no interface=ether8-slave-local
add disabled=no interface=ether9-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=wlan1
add interface=bridge-local
[admin@MikroTik] >

I saw that when searching. I see you said to add:
“/ip firewall filter
add action=dst-nat chain=dstnat disabled=yes in-interface=ether1 protocol=gre
to-addresses=192.168.1.99
add action=dst-nat chain=dstnat disabled=yes dst-port=1723 in-interface=ether1
protocol=tcp to-addresses=192.168.1.99”

I have these already in my router:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1723 in-interface=ether1-gateway protocol=udp to-addresses=192.168.16.3 to-ports=1723
add action=dst-nat chain=dstnat in-interface=ether1-gateway protocol=gre to-addresses=192.168.16.3

Are my two lines the same as yours? I see yours are under firewall filter. Does that make a difference? I don’t see an option for action=dst-nat under /ip firewall filter.

Your masquerade rules specify the out-interface to your SFP port. Then on your dst-nat rules you specify your in-interface as ether1. If your WAN port is your SFP port then your dst-nat rules need to be using in-interface=ether1.

I think you’re looking at a disabled masquerade rule. I have a disabled sfp1 one and an enabled ether1.
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

So are my NAT rules OK using ether1-gateway as the in-interface?

Yea, my bad. I was looking at the disabled rule. Yes, your rules look fine.
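
The review the last few replies do by eye (skip disabled rules, then compare the dst-nat in-interface with the enabled masquerade out-interface) can be scripted. This is an added example, not part of the thread or of RouterOS; the function names are hypothetical and the sample is constructed from the NAT lines of the export above. It checks only rule consistency and does not show whether GRE actually reaches the server.

```python
import shlex

# Constructed sample: NAT rules taken from the export in this thread,
# with line continuations already joined.
SAMPLE_NAT = '''\
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=1723 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.16.3 to-ports=1723
add action=dst-nat chain=dstnat in-interface=ether1-gateway protocol=gre to-addresses=192.168.16.3
'''

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] != ["add"]:
            continue
        rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def check_pptp_passthrough(text):
    """Return a list of problems; an empty list means the rules are consistent."""
    # Disabled rules are ignored, which is the point the thread tripped over.
    rules = [r for r in parse_rules(text) if r.get("disabled") != "yes"]
    wan = {r.get("out-interface") for r in rules if r.get("action") == "masquerade"}
    dst = [r for r in rules if r.get("action") == "dst-nat"]
    ctrl = [r for r in dst if r.get("protocol") == "tcp" and r.get("dst-port") == "1723"]
    gre = [r for r in dst if r.get("protocol") == "gre"]
    problems = []
    if not ctrl:
        problems.append("no enabled dst-nat rule for tcp/1723")
    if not gre:
        problems.append("no enabled dst-nat rule for gre")
    for r in ctrl + gre:
        if r.get("in-interface") not in wan:
            problems.append(f"{r['protocol']} rule in-interface {r.get('in-interface')} "
                            f"is not an enabled masquerade out-interface")
    ctrl_hosts = {r.get("to-addresses") for r in ctrl}
    gre_hosts = {r.get("to-addresses") for r in gre}
    if ctrl and gre and ctrl_hosts != gre_hosts:
        problems.append("tcp/1723 and gre are forwarded to different hosts")
    return problems

if __name__ == "__main__":
    print(check_pptp_passthrough(SAMPLE_NAT) or "NAT rules are consistent")
```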