Can’t ping local host when logged in using PPTP VPN

Hi,
I have created a PPTP server on my MikroTik as described on http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP. I can connect with the VPN client. I can also ping the MikroTik router. But I can’t ping any host on the local network. I have enabled proxy-arp on the local interface as described in the manual.

Does anyone have any idea what I’m doing wrong? I’m using version 5.21 on an RB450G.

[admin@MikroTik] /ppp secret> print detail
Flags: X - disabled 
 0   name="user1" service=any caller-id="" password="test" profile=VPN-profile 
     routes="" limit-bytes-in=0 limit-bytes-out=0 
[admin@MikroTik] /ppp secret>

[admin@MikroTik] /ppp profile> print
Flags: * - default 
 0 * name="default" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default 
     use-compression=default use-vj-compression=default use-encryption=default 
     only-one=default change-tcp-mss=yes 

 1   name="VPN-profile" local-address=172.26.12.117 remote-address=VPN-pool 
     remote-ipv6-prefix-pool=(unknown) use-ipv6=yes use-mpls=default 
     use-compression=default use-vj-compression=default use-encryption=yes 
     only-one=default change-tcp-mss=yes dns-server=172.26.12.29,172.26.12.92 

 2 * name="default-encryption" remote-ipv6-prefix-pool=none use-ipv6=yes 
     use-mpls=default use-compression=default use-vj-compression=default 
     use-encryption=yes only-one=default change-tcp-mss=yes 
[admin@MikroTik] /ppp profile> 


[admin@MikroTik] /ip pool> print
 # NAME                                           RANGES                         
 0 default-dhcp                                   192.168.88.10-192.168.88.254   
 1 VPN-pool                                       172.26.12.200-172.26.12.250    
[admin@MikroTik] /ip pool> 


[admin@MikroTik] /interface pptp-server server> print
            enabled: yes
            max-mtu: 1460
            max-mru: 1460
               mrru: disabled
     authentication: mschap1,mschap2
  keepalive-timeout: 30
    default-profile: default-encryption
[admin@MikroTik] /interface pptp-server server> 


[admin@MikroTik] /interface ethernet> print
Flags: X - disabled, R - running, S - slave 
 #    NAME          MTU MAC-ADDRESS       ARP        MASTER-PORT      SWITCH     
 0 R  ether1-g...  1500 00:0C:42:BD:8E:01 enabled    none             switch1    
 1 R  ether2-l...  1500 00:0C:42:BD:8E:02 proxy-arp  none             switch1    
 2    ether3-l...  1500 00:0C:42:BD:8E:03 enabled    none             switch1    
 3    ether4-l...  1500 00:0C:42:BD:8E:04 enabled    none             switch1    
 4    ether5-l...  1500 00:0C:42:BD:8E:05 enabled    none             switch1    
[admin@MikroTik] /interface ethernet>

Can you put /export compact instead?

My export file
export.rsc (16.5 KB)

Does no one have any idea what’s wrong?

What IP settings are you getting assigned on the PPTP client - IP, & gateway?

What IP are you trying to ping and what interface is that device on?

I have a network 172.26.12.0/24 where the MikroTik is the default gateway (172.26.12.117).

The PPTP client gets the following ipconfig:
ip-address: 172.26.12.250
subnet: 255.255.255.255
default-gateway: 172.26.12.250

From this client I can ping the MikroTik (172.26.12.117) but nothing else in the 172.26.12.0/24 network. And from the network I can’t ping the PPTP client 172.26.12.250.

It looks like I’m missing some routing…
But I don’t see it.

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.178.1             1
 1 ADC  172.26.12.0/24     172.26.12.117   bridge                    0
 2 ADC  172.26.12.250/32   172.26.12.117   <pptp-user1>              0
 3 ADC  192.168.178.0/24   192.168.178.201 ether1-gateway            0
[admin@MikroTik] /ip route>

I hope this will give a little bit more information.
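
Added example, not part of any post in this thread: a Python check over the route rows posted above that works out which interface LAN hosts will ARP on for the VPN client address, which is the interface where proxy-arp has to be active. The parser and function names are hypothetical helpers, not a RouterOS API.

```python
import ipaddress
import re

# Route rows copied from the /ip route print output posted above.
ROUTES = """\
 0 A S  0.0.0.0/0                          192.168.178.1             1
 1 ADC  172.26.12.0/24     172.26.12.117   bridge                    0
 2 ADC  172.26.12.250/32   172.26.12.117   <pptp-user1>              0
 3 ADC  192.168.178.0/24   192.168.178.201 ether1-gateway            0
"""

# Row layout: index, flags, DST-ADDRESS, then the remaining columns.
ROW = re.compile(r"^\s*\d+\s+(?P<flags>[A-Za-z ]+?)\s+"
                 r"(?P<dst>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.+)$")


def parse_routes(text):
    """Parse route rows into dicts (hypothetical helper)."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or blank line
        fields = m.group("rest").split()
        routes.append({
            "flags": m.group("flags").replace(" ", ""),
            "net": ipaddress.ip_network(m.group("dst")),
            "gateway": fields[-2],  # column just before DISTANCE
        })
    return routes


def proxy_arp_interface(routes, client_ip):
    """Return the interface that must answer ARP for client_ip, or None.

    The /32 PPP route is the client itself. Any other connected route that
    covers the address means LAN hosts see the client as on-link and ARP
    for it, so the router has to answer on that route's interface.
    """
    ip = ipaddress.ip_address(client_ip)
    covering = [r for r in routes
                if "C" in r["flags"] and r["net"].prefixlen < 32
                and ip in r["net"]]
    if not covering:
        return None  # client sits outside every LAN subnet: plain routing
    return max(covering, key=lambda r: r["net"].prefixlen)["gateway"]


if __name__ == "__main__":
    print(proxy_arp_interface(parse_routes(ROUTES), "172.26.12.250"))
```

For the posted table the result is the interface holding the 172.26.12.0/24 connected route, so that interface's arp setting is the one to check.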

Try making a dedicated PPP interface for this user and then check your forwarding rules to make sure that you are actually allowing the traffic - the PPP interface needs to be able to open new connections to that local subnet range.

Seems you have proxy-arp selected already which is the usual suspect…

How do I make a dedicated PPP interface for this user? I don’t see how I can do this. Can you maybe explain this?

Add an interface under Interfaces with type = “PPTP Server”. Enter the relevant user as the “User” for this interface.

Strange things happen…

I have added the interface as described above. After this it works. :) But the strange thing is, when I removed this interface it still kept on working. To be sure I have rebooted, and after that it still works.

I don’t know why. I don’t see what has changed. Probably I have done something wrong? I don’t know what, but it works now. Thanks everybody for the help.

Hi people,

I’m really frustrated, I can’t get it to work. The PPTP client connects but can’t gain access to network hosts at all; I’m just able to ping the gateway.

After following the wiki http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP and enabling “proxy-arp” on the BRIDGE interface that points to the network, I still can’t get a tracert “LOCAL_IP” to work; it just gets to the gateway.

Here is my config in RouterOS v5.12 attached; I hope someone can please help me =(
iproute.txt (950 Bytes)
ipfirewallmangle.txt (2.42 KB)
iface_pptp-server.txt (281 Bytes)
I’ve created a dedicated PPTP-SERVER for the user, but without luck.

INFO UPDATE:

  • Mikrotik routerOS v5.22

The problem with RouterOS PPTP Server:
It appears when using more than 1 WAN interface and PCC load balancing (as in my config). If I disable 1 WAN, PPTP works OK (but I can’t work here with just 1 WAN).

Another big problem:
When dst-nat’ing TCP 1723 through the MikroTik firewall to an inner RRAS PPTP server, it works fine, but the connection gets dropped automatically 3 minutes after you get connected. It sounds freaky but it really happens. I’ve noticed in “IP > Firewall > Connections”, filtering by connection type pptp, that when you get connected it shows with TCP State “CLOSE” automatically, not established as always, but I can’t change that and don’t know why it happens.

I’m stuck!!! Both PPTP ways are locked and my boss is making me sick!!