I have set up a PPTP VPN using various online sources, including the Mikrotik wiki and this older thread.
Even though I can ping and connect to every single PC on the local network from the PPTP VPN client, the local network cannot access my VPN client at its assigned IP, and it is crucial for the database app running there to be able to call back my client software. The way I am testing the connection, because running the whole software is a lot more time consuming, is by using Winbox to ping my client.
Here is my config. Any help will be appreciated.
/ip pool print
# NAME RANGES
0 dhcp_pool1 192.168.5.56-192.168.5.239
1 dhcp_poolvpn 192.168.5.48/29
/ppp profile print detail
0 * name="default" use-mpls=default use-compression=default
use-encryption=default only-one=default change-tcp-mss=yes
use-upnp=default address-list="" on-up="" on-down=""
1 name="pptp-vpn" local-address=192.168.5.1 remote-address=dhcp_poolvpn
use-mpls=default use-compression=default use-encryption=yes
only-one=default change-tcp-mss=default use-upnp=default address-list=""
dns-server=8.8.8.8 on-up="" on-down=""
2 * name="default-encryption" use-mpls=default use-compression=default
use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default
address-list="" on-up="" on-down=""
/ppp secret print detail
0 name="username" service=pptp caller-id="" password="password" profile=pptp-vpn routes=""
limit-bytes-in=0 limit-bytes-out=0
/interface pptp-server server print
enabled: yes
max-mtu: 1400
max-mru: 1400
mrru: disabled
authentication: mschap1,mschap2
keepalive-timeout: 30
default-profile: pptp-vpn
/ip firewall filter print detail
0 chain=input action=accept protocol=icmp in-interface=!ether1-INTERNET log=no log-prefix=""
1 chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
2 chain=input action=accept protocol=gre log=no log-prefix=""
/ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1-INTERNET log=no log-prefix=""
1 chain=srcnat action=masquerade src-address=192.168.5.48/29 dst-address=!192.168.5.48/29 log=no log-prefix=""
/interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R ;;; GateWay xDSL IP 192.168.10.254
name="ether1-INTERNET" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=9498
5 RS ;;; LAN 192.168.5.0/24
name="ether6-LAN" default-name="ether6" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=9498
17 R name="bridge1" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1598 fast-path=yes
Interfaces > ether6-LAN
ARP: proxy-arp (newer versions of RouterOS also have a local-proxy-arp option, but I have no idea which is better in this case)
I set proxy-arp on ether6-LAN, ether7-LANServer (there is only the server PC there and it relies on 192.168.5.12), ether1-INTERNET and bridge1, and everything works fine without the masquerade.
It still does not solve the initial problem though.
I changed that and it works. I still cannot ping the VPN client from the Mikrotik router though.
Just for clarity, the client connects with the standard Windows 10 PPTP VPN and is not behind another Mikrotik device. I don’t know if I should have any proxy- or ARP-specific setting in the Windows VPN connection.
Have you tried setting the src-address on the Mikrotik router to 192.168.5.1?
The Windows PPTP client should get a route to 192.168.5.0 via the VPN; nothing else should be required.
That’s the point of using the same network range on the LAN and the VPN plus proxy-arp: no routing is necessary.
Check a route print on a Windows computer with the VPN running. Check the Windows firewall also, as that could be the reason ICMP requests are not being replied to.
BTW, PPTP is not secure. Using SSTP would be an enhancement, though it is only suitable for Windows, Linux and other RouterOS devices as clients.
The setup will be mostly the same, but you’ll need to provide a server certificate, as otherwise Windows SSTP won’t work. Let’s Encrypt works fine.
The problem was in the Windows firewall. I opened both:
Routing and Remote Access (GRE-In)
Routing and Remote Access (PPTP-In)
File and Printer Sharing (Echo Request - ICMPv4-In)
and it now works just fine. At another time I may check which one specifically was the culprit, although I suspect both.
I will keep Let’s Encrypt for another time in the future; thanks a lot for that anyway.
Edit: after closer examination, only “File and Printer Sharing (Echo Request - ICMPv4-In)” alone was the problem. Even though it was enabled for both Public and Domain, it was disabled for Private in my case, and that alone works just fine.
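The per-profile check the thread ends on, written up as an added PowerShell example (not from any poster): it lists the built-in echo-request rule per firewall profile, shows which profile Windows assigned to the VPN connection, and then adds a narrower inbound rule that only accepts pings from the 192.168.5.0/24 LAN/VPN range instead of enabling the broad built-in rule. The scoped rule's display name and the assumption that the VPN adapter lands on the Private profile are mine, not the thread's.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on
# the Windows 10 PPTP client. Assumes the LAN/VPN range is 192.168.5.0/24
# (taken from the router's interface comment) and the built-in rule name
# quoted in the thread.

$builtinRule = "File and Printer Sharing (Echo Request - ICMPv4-In)"

# 1. Show the built-in rule per profile. The thread's culprit was
#    Enabled=False on the Private profile while Domain/Public were enabled.
Get-NetFirewallRule -DisplayName $builtinRule |
    Select-Object DisplayName, Profile, Enabled, Direction, Action |
    Format-Table -AutoSize

# 2. Which profile did Windows assign to the VPN connection? That decides
#    which copy of the rule is consulted for traffic arriving over the tunnel.
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize

# 3. Rather than enabling "File and Printer Sharing" for every Private
#    network the laptop ever joins, add one rule that allows ICMPv4 echo
#    requests (type 8) only from the LAN/VPN range. That covers the router
#    (192.168.5.1) and the database server (192.168.5.12) and nothing else.
$scopedRule = "VPN LAN ping (ICMPv4 Echo from 192.168.5.0/24)"   # hypothetical name
if (-not (Get-NetFirewallRule -DisplayName $scopedRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $scopedRule `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress 192.168.5.0/24 `
        -Profile Private, Public | Out-Null
}

# 4. Confirm the remote-address scope actually stuck on the new rule.
Get-NetFirewallRule -DisplayName $scopedRule |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

After step 3 the built-in rule can stay disabled on Private; re-run the ping from Winbox to confirm replies now come back over the tunnel.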