I have a MikroTik configured with PPTP VPN.
VPN clients connect but cannot ping or access files from each other.
I need my VPN client to access my NAS shared folder with IP 192.168.2.231 port 5000.
Can someone help with the configuration?
In my LAN I have configured ether1 WAN and ether2 LAN with 2 networks, 192.168.1.0 and 192.168.2.0, with DHCP with no DHCP.
/ip address
add address=192.168.2.1/24 comment="added by setup" interface=ether2 network=192.168.2.0
add address=172.x.x.x/24 interface=ether1 network=172.x.x.x
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
/ip firewall filter
add chain=forward disabled=yes dst-port=80 protocol=tcp
add chain=input dst-port=1723 protocol=tcp
add chain=input disabled=yes dst-address=192.168.2.231 dst-port=5000 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=172.x.x.x dst-port=80 protocol=tcp to-addresses=192.168.2.211 to-ports=80
add action=masquerade chain=srcnat out-interface=ether1 to-addresses=0.0.0.0
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.2.0/24 to-addresses=0.0.0.0
add chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.1.0/24 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat disabled=yes in-interface=*F00046 protocol=tcp to-addresses=192.168.2.231
First of all, if 172.x.x.x is a public IP address and there is no other firewall between your Mikrotik and the internet, chances are high that your Mikrotik is by now a part of a botnet, because your firewall rules provide no protection to the Mikrotik itself nor to the devices on its LAN, and there have been many vulnerabilities discovered in the past few months. So if that is the case, it would be best to netinstall your machine (as some malware seems to be able to survive a normal upgrade) and build your configuration from scratch, modifying the default firewall only by adding those permissive rules you really need (such as the action=dst-nat one in /ip firewall nat) before proceeding any further. See my supercharged introduction to how the firewall filter actually works if you are not sure.
As for the issue you have encountered: since you have shown only the part of your configuration which you assume to be responsible for it (and it is not), I can only guess that you assign addresses from the DHCP pool you use for devices on the LAN subnet also to the PPTP clients, which makes the PPTP clients unreachable for the devices on the LAN. The reason is that the LAN devices send ARP requests asking "who has this IP" because they think they are on the same subnet, and the PPTP clients never get these ARP requests because they are actually not on their own interfaces not bridged (and not bridgeable) with the LAN. There are two ways to solve this: either you set arp=proxy-arp on the bridge interface which groups the LAN ports, which makes the Mikrotik respond with its own MAC address to ARP requests for IP addresses which belong to any connected subnet except the one from which the ARP request comes, so it gets the packets for these addresses from the LAN devices and can route them to the actual recipient, or you use an /ip pool not overlapping any LAN subnet to assign addresses to PPTP clients.
Regarding why the PPTP clients cannot talk to each other, the common reason is that firewalls on the clients themselves drop the incoming traffic, including ping from outside their local subnets.
Last point: PPTP is nowadays a security hole by itself. Think about using IKEv2, which, after the latest developments on the Mikrotik side, became the most convenient VPN at least for Windows clients, because it allows the server to tell the client to route only the subnets you want via the VPN and keep the rest of the traffic on the normal connection. With iOS and Android it is not that advanced, but it is still much more secure than PPTP.
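
One way to apply the answer's suggestions (a default-drop firewall and a PPTP address pool that does not overlap the LAN), as an added example that is not from either poster. It assumes the LAN sits directly on ether2 as in the posted export; the 192.168.89.0/24 range and the names vpn-pool and vpn-profile are made up for illustration.

```routeros
# Added example. Assumed values (not from the original posts): the
# 192.168.89.0/24 VPN range and the names vpn-pool / vpn-profile.

# Option A: give PPTP clients addresses outside every LAN subnet, so LAN
# hosts reach them through their default gateway and never ARP for them.
/ip pool
add name=vpn-pool ranges=192.168.89.10-192.168.89.50
/ppp profile
add name=vpn-profile local-address=192.168.89.1 remote-address=vpn-pool
/interface pptp-server server
set enabled=yes default-profile=vpn-profile

# Option B (instead of A): keep handing out LAN addresses to VPN clients and
# let the router answer ARP on the LAN side on their behalf.
# /interface ethernet set ether2 arp=proxy-arp

# Input chain protects the router itself. From the WAN (ether1) only the
# PPTP control channel (tcp/1723) and its GRE data channel are accepted.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface=ether1 protocol=tcp dst-port=1723 comment="PPTP control"
add chain=input action=accept in-interface=ether1 protocol=gre comment="PPTP data"
add chain=input action=accept in-interface=ether2 comment="management from LAN"
add chain=input action=drop comment="drop everything else"

# Forward chain protects the devices behind the router. VPN clients get the
# NAS on tcp/5000 and each other, nothing else on the LAN.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address=192.168.89.0/24 dst-address=192.168.2.231 protocol=tcp dst-port=5000 comment="VPN to NAS"
add chain=forward action=accept src-address=192.168.89.0/24 dst-address=192.168.89.0/24 comment="VPN client to VPN client"
add chain=forward action=accept in-interface=ether2 comment="LAN outbound"
add chain=forward action=accept connection-nat-state=dstnat comment="traffic matched by a dst-nat rule"
add chain=forward action=drop comment="drop everything else"
```

With Option A the NAS needs no change as long as 192.168.2.1 is its default gateway, since replies to 192.168.89.0/24 are routed back through the router.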