I set up PPTP on my 750G using the below steps and can successfully connect and reach the LAN address of the router from my remote Windows client. However, I am unable to see/reach/ping any other devices on the LAN. What can cause this?
Note that I have had this problem on several recently purchased 750Gs, whereas in the past I never had this issue. I wonder if this is related to some change in the RouterOS software? I am running version RouterOS v6.42.12.
This is only necessary if you assign to the PPTP clients IP addresses from within the subnet used on the LAN, and it’s actually the reverse - without this, the local devices wouldn’t send the packets for the PPTP clients to the Mikrotik (because they assume they are in their LAN subnet, so instead of using the gateway, they directly send an ARP request, expecting the device to respond to it).
If the above is your case, but ether2 is a member (slave) port of a bridge, then you have to set arp=proxy-arp on the bridge, not on the ether2 (even if the whole LAN is physically connected via ether2).
This is the change between RouterOS before 6.41 and the newer ones; in the older versions, one of the member ports of the bridge (the “master” port) bore all the properties of the bridge.
For the record, this is not enough, you need to have the pptp helper enabled in /ip firewall service-port as well (unless the firewall was completely off, which would make the above rule redundant too). But as you can ping the router itself, this is OK in your case.
Other than that:
why do you use PPTP with its illusion of security, if the same embedded Windows VPN client can use L2TP/IPsec with equal simplicity of configuration (you just add the IPsec secret and enable use of IPsec in the server configuration, the rest is the same), leaving aside that still the same embedded VPN client can use IKEv2 with certificate authentication, and if you use it, RouterOS can push the routing table to the Windows so you don’t need to configure it manually if you want the Windows to use the VPN only for traffic to your internal network?
what makes you sit on 6.42.12 given that 6.45.8 is the current long-term stable version?
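The reply above explains why LAN hosts ARP for a VPN client whose address lies inside the LAN subnet instead of sending to the gateway. The following is an added example, not part of any post in this thread, that models that decision and reports which pool addresses would lose return traffic; all addresses are constructed, the function names are hypothetical, and the gateway is assumed to be the first address of the subnet.

```python
import ipaddress

def parse_pool(ranges):
    """Expand a pool range written as 'first-last' into single addresses."""
    first, _, last = ranges.partition("-")
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last or first)
    return [ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)]

def lan_host_sends(host_iface, gateway, dst):
    """Forwarding decision an ordinary LAN host makes for one destination."""
    if dst in host_iface.network:
        return ("arp", dst)       # on-link: the host ARPs for dst itself
    return ("gateway", gateway)   # off-link: the frame goes to the router

def reply_path(host_iface, gateway, vpn_client, bridge_arp):
    """What happens to a LAN host's reply to a VPN client on the router."""
    how, _ = lan_host_sends(host_iface, gateway, vpn_client)
    if how == "gateway":
        return "routed via gateway"
    # The VPN client is not on the Ethernet segment, so only the router
    # could answer the ARP request, and it does so only with proxy-arp.
    if bridge_arp == "proxy-arp":
        return "router answers ARP"
    return "ARP unanswered"

def audit(lan_cidr, pool_ranges, bridge_arp):
    """Return the pool addresses whose return traffic would be lost."""
    host = ipaddress.ip_interface(lan_cidr)
    gw = host.network.network_address + 1  # assumption: gateway is .1
    return [str(a) for a in parse_pool(pool_ranges)
            if reply_path(host, gw, a, bridge_arp) == "ARP unanswered"]

if __name__ == "__main__":
    # Constructed sample values: one LAN host and two candidate VPN pools.
    lan_host = "192.168.88.50/24"
    for pool in ("192.168.88.200-192.168.88.202", "10.10.10.2-10.10.10.4"):
        for arp in ("enabled", "proxy-arp"):
            print(pool, arp, "->", audit(lan_host, pool, arp) or "ok")
```

A pool outside the LAN subnet never needs proxy-arp, because every LAN host already sends that traffic to its gateway.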
If the above is your case, but ether2 is a member (slave) port of a bridge, then you have to set arp=proxy-arp on the bridge, not on the ether2 (even if the whole LAN is physically connected via ether2).
All ports and interfaces are configured per the default setting. Given that, can you please tell me what command I need to run from the terminal to get the correct setting to resolve my issue?
A “default setting” obtained by “reset to defaults” with the currently installed RouterOS version may differ from one obtained by “reset to defaults” with an older RouterOS version followed by one or more RouterOS upgrades. So “default setting” is not useful information, even if I remembered what the default setting of 6.42.12 itself was.
So just follow the hint in my automatic signature below, to show your actual configuration, without revealing any sensitive information. hide-sensitive prevents passwords from being exported but doesn’t remove usernames, so remove them manually if it bothers you.