Hi guys!
I've been reading this forum for some time now and I usually found the answer to my mikrotik questions but not this time. I'm stuck and I would greatly appreciate any help.
Here is the situation.
I have a small office (LAN) that uses a RB751G-2HnD as its router. The RB is connected to the internet via a PPPoE modem. I want to connect to the workplace from home via VPN. I have set up the PPTP server following various guides, but I always get stuck when connecting. This is what I get in the log:
TCP connection established from ********* (my home external IP)
pptp-0 waiting for call....
And it's stuck there.
I allowed tcp 1723 on the firewall and also gre protocol. Below you will find the export of my firewall settings.
I'm thinking the problem may be with the PPPoE connection somehow? I'm stumped. Note that the VPN connection does work when I connect from inside the LAN.
If you need anything else (configuration) please let me know.
Thank you very much in advance.
Edit
Now I have also tried with SSTP and I got the same results. It works from the same LAN, not from anywhere else.
# may/15/2014 13:04:08 by RouterOS 5.26
# software id = PR67-VFPB
/ip firewall connection tracking
# Connection tracking is enabled; the values below are the per-state timeouts
# after which an idle tracked connection is forgotten. The related/established
# accept rules in the filter section depend on this state table.
# tcp-syncookie=no leaves SYN cookies switched off.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Input-chain policy, i.e. traffic addressed to the router itself. Rules are
# evaluated top to bottom and the first match decides, so every accept rule
# below takes effect before the drop rules at the end. This export contains no
# chain=forward filter rules.
# Allow packets that are related to, or part of, an already tracked connection.
add action=accept chain=input comment="default configuration"
connection-state=related disabled=no
add action=accept chain=input comment="default configuration"
connection-state=established disabled=no
# Allow ICMP, subject to limit=50,5.
add action=accept chain=input disabled=no limit=50,5 protocol=icmp
# PPTP needs both of the next two rules: GRE carries the tunnel payload and
# tcp/1723 is the control channel. Neither rule restricts src-address or
# in-interface, so the PPTP server is reachable from any network.
# NOTE(review): PPTP's MS-CHAPv2/MPPE protection is widely considered weak;
# prefer SSTP or an IPsec-based VPN for remote access where possible.
add action=accept chain=input disabled=no protocol=gre
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
# tcp/8291 is the default Winbox management port.
# NOTE(review): with no src-address or in-interface match, router management
# is open on the T-ONLINE side as well; restrict it to trusted sources such
# as the LAN or the VPN address range.
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
# Accepts every UDP packet sent to the router, from any interface and source.
# NOTE(review): any UDP service enabled on the router (which ones is not
# visible in this export) is therefore exposed on T-ONLINE; narrow this to
# the specific dst-port values that are actually needed.
add action=accept chain=input disabled=no protocol=udp
# Allow anything from the 192.168.3.0/24 LAN.
add action=accept chain=input disabled=no src-address=192.168.3.0/24
# Log, then drop, whatever arrives on T-ONLINE and was not accepted above.
# The log entries show which unsolicited traffic is hitting the router.
add action=log chain=input disabled=no in-interface=T-ONLINE log-prefix=""
add action=drop chain=input comment="default configuration" disabled=no
in-interface=T-ONLINE
# NOTE(review): this invalid-state drop sits below all accept rules, so an
# invalid packet matching gre, tcp/1723, tcp/8291, udp or the LAN source has
# already been accepted; the usual position is directly after the
# established/related rules.
add action=drop chain=input comment="default configuration" connection-state=
invalid disabled=no
# Reached only by ICMP that was not accepted by the ICMP rule above and did
# not arrive on T-ONLINE or from 192.168.3.0/24.
# NOTE(review): this drop carries its own limit=50,5, so it presumably matches
# only within that rate as well - confirm whether an unconditional drop was
# intended. There is no catch-all drop after it for other interfaces.
add action=drop chain=input disabled=no limit=50,5 protocol=icmp
/ip firewall mangle
# The only mangle rule: action=accept on forwarded tcp/1723.
# NOTE(review): accept in the mangle table only ends mangle processing for the
# packet; it does not permit anything in the filter table, and this rule is on
# chain=forward, not on traffic addressed to the router's own PPTP server.
# It looks like it has no effect here - confirm and remove if so.
add action=accept chain=forward disabled=no dst-port=1723 protocol=tcp
/ip firewall nat
# Source NAT for the 192.168.3.0/24 LAN leaving through T-ONLINE.
add action=masquerade chain=srcnat comment="default configuration" disabled=
no out-interface=T-ONLINE src-address=192.168.3.0/24 to-addresses=0.0.0.0
# Port forward of tcp/3389 (the default RDP port) to 192.168.3.149.
# disabled=yes, so it is currently inactive.
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=
T-ONLINE protocol=tcp to-addresses=192.168.3.149 to-ports=3389
# Active port forwards from T-ONLINE to 192.168.3.130: tcp/8088 -> port 80
# and tcp/6036 -> port 6036.
# NOTE(review): neither rule has a src-address match and the filter section
# has no chain=forward rules, so both services are reachable from any Internet
# address. Limit the sources, or reach the host through the VPN instead.
add action=dst-nat chain=dstnat disabled=no dst-port=8088 in-interface=
T-ONLINE protocol=tcp to-addresses=192.168.3.130 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-port=6036 in-interface=
T-ONLINE protocol=tcp to-addresses=192.168.3.130 to-ports=6036
# Source NAT for 172.16.0.0/24 (presumably the VPN client address range -
# verify against the PPP configuration, which is not part of this export).
add action=masquerade chain=srcnat disabled=no out-interface=T-ONLINE
src-address=172.16.0.0/24
# Masquerades everything leaving via T-ONLINE regardless of source, which
# makes the two src-address-specific masquerade rules above redundant.
add action=masquerade chain=srcnat disabled=no out-interface=T-ONLINE
/ip firewall service-port
# Connection-tracking helpers for protocols that need special NAT handling.
# Only the ftp and pptp helpers are enabled; tftp, irc, h323 and sip are off.
# NOTE(review): the pptp helper presumably concerns PPTP sessions that are
# NATed through the router rather than the router's own PPTP server - confirm
# before relying on it for the inbound VPN.
set ftp disabled=no ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=no ports=1723