Can MikroTik SSTP VPN server, sending routers as DHCP option, to Windows client, affect metrics?

libove · May 22, 2026, 11:03am

This may be specifically a Windows problem, unless there's a way for a MikroTik SSTP VPN server to give a VPN client a hint about raising/lowering the metric of a route that the MikroTik SSTP VPN server provides to its VPN clients via it's own DHCP server's Options.

I have three MikroTik routers, one in each of three geographically different places. Each place has its own RFC 1918 address space - 192.168.255.0/24, 192.168.254.0/24, and 192.168.253.0/24. Each place is on its own, unrelated, fibre optic Internet service. (So, from any one of the three MikroTik LANs' point of view, the other two MikroTik LANs are "across the Internet", with no related local routes).

I have SSTP VPN servers on each of the MikroTik routers (RouterOS 7.22).

These SSTP VPNs are used in two ways:

Two of the MikroTik routers (192.168.254.3, 192.168.253.3) each maintain a pegged-up VPN connection over the Internet to the third MikroTik router (192.168.255.5).
Windows clients may make temporary connections to any of the three MikroTik routers.

The MikroTik SSTP VPN servers assign IP addresses via the MikroTiks' own DHCP servers.

The MikroTik DHCP servers have an Option Set which includes Option 0x18 (classless routes).
The Option on the router 192.168.255.5 includes routes, through itself, to the other two networks.

This works fine, except for one circumstance:

On a Windows client, on the local LAN with the MikroTik router 192.168.254.3, the normal route (provided by the MikroTik router 192.168.254.3 DHCP server) to get to 192.168.255.0/24 is via the 192.168.254.3 router.

But, when that Windows client makes a direct SSTP VPN connection over the Internet to the MikroTik 192.168.255.5 router, the Windows client ends up with two identical-metric routes to 192.168.255.0/24 - routing table excerpt:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
192.168.255.0    255.255.255.0    192.168.254.3   192.168.254.25     26
192.168.255.0    255.255.255.0  192.168.255.125   192.168.255.99     26

The route via 192.168.254.3 is the Windows client's normal route, provided to it by its local MikroTik DHCP server.

The route via 192.168.255.125 is the route supplied via the remote MikroTik 192.168.255.5 SSTP VPN server's DHCP server (well, magically supplied by the MikroTik SSTP VPN, from an address pool listed in the Profile that applies to the SSTP VPN client connection; I don't actually see exactly how DHCP is involved, if it is at all. But I'll continue in the rest of this post to refer to the SSTP VPN clients getting a "DHCP" supplied address from the MikroTik SSTP VPN server, just to be consistently incorrect at least...).

The problem is that both routes end up with Metric 26. I thought that any time a Windows VPN client connection was made, that routes provided by the VPN server would take priority (end up with a lower metric) than any similar existing route, unless that would conflict with reaching the VPN server itself.

You may ask, "Why have a Windows box on MikroTik2's LAN make a direct VPN connection to MikroTik1's LAN, instead of riding over the pegged-up VPN link between these two MikroTik routers?" And you'd have a point .. except for a quirk of port and link speeds; the 192.168.255.5 MikroTik router has gigabit ports, and its Internet connection is 500Mb/s+ fibre; whereas all of the ports on the 192.168.254.3 MikroTik router are 100Mbit. The rest of the 192.168.254.0/24 LAN is gigabit ports. This is just an artefact of the age of the 192.168.254.3 MikroTik device. So, it's actually much faster for a Windows client on the 192.168.254.0/24 network to make a direct VPN connection, over its local 1Gb/s network, out its 500Mb/s+ Internet connection, to the 192.168.255.5 MikroTik router's VPN server, than to ride the pegged-up VPN link betweek the two MikroTik routers.

For routine purposes, the pegged-up link (which can move data at around 7MB/s) works fine. For moving quite large files, however, it's faster to temporarily make a direct VPN connection from the Windows client on the 192.168.254.0/24 network to the 192.168.255.5 MikroTik router's VPN server (bypassing the 100Mb/s interface limit on the 192.168.254.3 router).

(Obviously, buying a sub-€100 newer, gigabit interface MikroTik would solve this. And I'll do that. But this is still an interesting networking question).

So, how do I get the 192.168.255.5 MikroTik router('s SSTP VPN server, I suppose via its DHCP server) to advise the 192.168.254.0/24 LAN Windows client "Make sure that the new temporary VPN-provided route to 192.168.255.0/24 through me has a higher priority/ lower metric than any conflicting route that you may have otherwise already had"?

thanks,

[ edit 2026-05-22 14:51EU CET, add comment about my uncertainty about the relationship between the MikroTik SSTP VPN server and {not?}DHCP as the source of SSTP clients' IP addresses ]

TheCat12 · May 23, 2026, 6:00pm

From what I read around your question, the VPN route gets added by Windows and has nothing to do with Mikrotik, therefore cannot be controlled by it. Only solution I can think of is to manually set the metrics on the Windows machine via Powershell with the Add-VpnConnectionRoute command and split tunneling

libove · May 24, 2026, 3:59am

Thanks @TheCat12. I agree, it's mostly- or entirely- a Windows thing. The one possibility would be if there is any way that a MikroTik SSTP VPN server could include a hint about whether the VPN client's metric calculation for the routes pushed to the client should be relatively higher or relatively lower compared to existing routes in the client's routing table.

But, searching more about available DHCP options ... that doesn't exist. It is completely a client thing.

I had actually used the Windows-specific Add-VpnConnectionRoute cmdlet in the past, and had forgotten about its existing; thank you for the reminder. I'll play with that and see if I can get the result that I'm looking for.

thanks, regards,

tdw · May 24, 2026, 4:00pm

DHCP is not involved at all in the address assignment process for PPP-based VPNs (L2TP, PPTP, SSTP) - this is handled by Internet Protocol Control Protocol (IPCP), one of the Network Control Protocols (NCP). There is no mechanism to push routing information to clients.

Microsoft fudged things with their VPN clients and server, the Routing and Remote Access Service (RRAS). Having established a tunnel the client sends a DHCPINFORM requesting Option 249, the RRAS server responds with a route list.

The only VPN type where RouterOS responds this request mechanism is bare IKEv2, it builds the response from the subnet list in the split-include parameter of a mode-config item.

5nik · May 24, 2026, 8:38pm

I see there several options:

Don't push route 192.168.255.0/24 for ethernet clients. They have default gateway from the same router too, don't they?
Split the route for VPN client into two: 192.168.255.0/25 and 192.168.255.128/25 and push these to VPN clients.
Configure metric of the client VPN adapter (you can try to set 10 or lower). But be carefull, this can affects DNS resolving (windows prefer DNS from interface with lower metric).

BTW, which workaround you are using to send DHCP info request/responds from/into VPN? I'm using pushing routes (and other params) to VPN clients too.

5nik · May 24, 2026, 8:59pm

The only VPN type where RouterOS responds this request mechanism is bare IKEv2, it builds the response from the subnet list in the split-include parameter of a mode-config item.

You have partialy right. RouterOS doesn't allow binding DHCP server to ppp interface, but DHCP itself is able to response to DHCPINFORM requests. So if you reroute requests from/into ppp interfaces to DHCP, it works.

So yes, RouterOS doesn't support it in straight line, but there is functional workaround.

BTW, I already suggested to Mikrotik this functionality in the past, but without success. But I was succesfull with DHCP behavior modification to allow this workaround (ROS 7.21; dhcpv4-server - respond with hlen 0 when htype is 8;). Before this, I had to use external DHCP server on Windows to push additional parrams to ppp VPN clients, because Windows clients didn't accept response from RouterOS's DHCP server.

libove · May 26, 2026, 7:45am

The default route on the 192.168.254.0/24 network is actually directly to the Internet gateway (192.168.254.7), to avoid pushing all traffic through this particular, older slower MikroTik router (an RB941Ui-2HnD with only 100Mbit Ethernet ports). So, the LAN clients actually don't route by default through the MikroTik, which is why I have the MikroTik's DHCP server push option 121 to tell LAN clients how to get through the MikroTik and its pegged-up VPN to the other MikroTik LANs across the Internet.

The suggestion to split the 192.168.255.0/24 into two /25s is a great idea. That seems more likely to work without adverse side-effects than forcing a VPN route metric in Windows. I'll do that.

You asked about which workaround I'm using to send DHCP requests to/from the MikroTik SSTP VPN. I don't know . It "just works". Per an earlier response in this thread, I guess it's the DHCPINFORM that the Windows SSTP client sends after connecting, which the MikroTik forwards internally to its DHCP server? Or, actually, I now realize that the DHCP option set 121 is NOT being sent, and I think what I'm doing is using the explicit Routes option in the PPP secret configuration for the user as which the SSTP VPN is connected.

thanks, everyone.

-Jay

5nik wrote:

I see there several options:

Don't push route 192.168.255.0/24 for ethernet clients. They have default gateway from the same router too, don't they?
Split the route for VPN client into two: 192.168.255.0/25 and 192.168.255.128/25 and push these to VPN clients.
Configure metric of the client VPN adapter (you can try to set 10 or lower). But be carefull, this can affects DNS resolving (windows prefer DNS from interface with lower metric).

BTW, which workaround you are using to send DHCP info request/responds from/into VPN? I'm using pushing routes (and other params) to VPN clients too.

libove · May 26, 2026, 7:56am

[2nd edit] No, of course it's not the explicit Routes option in the PPP secret, since those are routes to instantiate on the server when that PPP secret connects, NOT to push to the client

So, it seems that I'm not pushing routes at all, and that it has always been static or Windows Add-VpnConnectionRoute that I had done (and forgotten) in the past...

[edit] Ugh. I'll leave the below for historical demonstration of my ongoing loss of mental acuity....

As I just updated above, I realized that the DHCP option 121 is NOT being pushed to the SSTP VPN clients. My routes are coming from the explicit Routes option in the PPP secret configuration as which the SSTP VPN is connected. Which explains why the option 121 /25 network isn't showing up, and the duplicate /24 is showing up.

--- original:

Um. Oooo-kay .... I just looked at the DHCP option 121 on the 192.168.255.5 router, and there's another mystery here. The option 121 content is:

0x18c0a8fec0a8ff051ac0a8ff40c0a8ff0518c0a8fdc0a8ff05180a0000c0a8ff05

Breaking that down, the relevant entry is:

1a c0a8ff40 c0a8ff05

That should tell the VPN clients to install a route, while the SSTP VPN is connected, to 192.168.255.64/26 via the MikroTik SSTP VPN server. (Per RFC3442, for the numbr of significant bits - in this case, 0x1A / 26 bits) four octets are expected. So, it's not that I have the whole option 121 malformatted (and, indeed, the following routes are respected, so the basic formatting is okay).

(So, without realizing it, I already did do what 5nik had suggested, using more-specific routes, to cause them to take priority even at the same route metric).

But, it's actually causing the SSTP VPN client to configure a /24 route.

Um? :scratches_head

5nik · May 26, 2026, 8:21am

Unfortunately it looks, that your router doesn't push routes to your VPN clients. The route 192.168.255.0/24 is automatically set by windows, because it is base on IP class (Class C) of VPN. BTW, it is possible to disable it:

DHCP server bound to the LAN interface doesn't respond to DHCPINFO coming from PPP (VPN) interfaces (even if VPN share same IP subnet via arp-proxy), a workaround is needed (This is why I asked you which workaround you are using).
You can prove this by wireshark on Windows clients or packet sniffing on router, you won't see any DHCP response from router during VPN dialing.

libove · May 26, 2026, 8:57am

5nik is of course correct. Apparently I had set up some combination of Windows-specific VPN-specific routes, and static routes, and forgotten ...

Thank you for the note about disabling Windows VPN client class-based route addition. That really shouldn't be a default....!