Connecting to home network over PPTP

Dear all

Please help with setting up a PPTP connection to my home network behind my MikroTik router.

Connection works fine from the LAN; the log shows the following:
00:22:12 pptp,info TCP connection established from 192.168.88.137
00:22:13 pptp,ppp,info,account rk logged in, 192.168.88.6
00:22:13 pptp,ppp,info : authenticated
00:22:13 pptp,ppp,info : connected

Connection from the internet does not work; just the TCP connection is established, nothing more:
00:31:46 pptp,info TCP connection established from 37.48.32.174

I tried a few things to figure out what's wrong …

  • Disabling all FW rules does not help
  • Connecting to SSH from the internet to my MikroTik works fine, so my MikroTik can be accessed from the internet

Here are some basics

  • My MikroTik HW: RB750Gr3, RouterOS updated to RouterOS 6.37.3
  • I’m connected to my ISP via PPPoE - THIS seems important to me and could be causing my problem. Maybe some ROUTE or NAT setting related to the pppoe-out interface is missing …
  • My public IP: 178.17.8.87 (ether1)
  • My LAN network: 192.168.88.0/24
  • Interface list follows

Flags: D - dynamic, X - disabled, R - running, S - slave

 #     NAME            TYPE        ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS
 0 R   ether1          ether       1500        1596   2026       6C:3B:6B:8C:D0:7A
 1 R   ether2-master   ether       1500        1596   2026       6C:3B:6B:8C:D0:7B
 2 RS  ether3          ether       1500        1596   2026       6C:3B:6B:8C:D0:7C
 3 RS  ether4          ether       1500        1596   2026       6C:3B:6B:8C:D0:7D
 4 S   ether5          ether       1500        1596   2026       6C:3B:6B:8C:D0:7E
 5 R   pppoe-out1      pppoe-out   1480

Thanks a lot

Radim.

Hi,

Have you tried to open the “pptp” port (1723) in your firewall? When you initiate the PPTP connection from outside (presumably from Windows after you have set up a VPN connection), do you get any error? (I mean, in the connecting window does it remain on “opening port…” or show an error message?)

/ip firewall filter
add action=accept chain=input comment="Accept PPTP from outside" dst-port=1723 in-interface=\
    pppoe-out1 log=yes log-prefix=my-pptp protocol=tcp

Here is a simple PPTP how-to:
http://wiki.mikrotik.com/wiki/PPTPServer

kind regards,

Thanks for reply.

Yes, I read all the tutorials and port 1723 is “accepted” by the same filter as you mentioned. Even if I disable all firewall filters, nothing changes.

Windows and Linux clients say more or less the same … Connecting, Authenticating user … and at that point it stops after approx. 10/15 seconds with an error. A PPTP connection initiated from the LAN side succeeds immediately, so something seems to be wrong with traffic from outside (pppoe-out interface).

Hi,

I guess that as long as it hangs on “Authenticating user…” the cause is most likely something on the MikroTik. You could temporarily allow connections from outside on the winbox port service, connect first via winbox, then watch the log while you are attempting to connect via PPTP.

I have two RB750Gr3 configured with PPTP access, NAT, DHCP server, etc. If you didn’t succeed in getting it done I could post a sample configuration that works for me.

kind regards,

I have set several PPTP servers up and most I connect with are on PPPoE, so that should not be an issue for you.

I use this whenever I set one up (to jog the memory)
http://wiki.mikrotik.com/wiki/PPTP_Server_With_Profile

Unfortunately it is still not solved. I checked the configuration once again and it is OK and according to all guides.

I’m posting part of my log from the Linux client; the important part to me seems to be … LCP: timeout sending Config-Requests … maybe someone can help …

 ...
Jan  1 00:57:42 radim-LENOVO-Ideapad-U165 pptp[11651]: nm-pptp-service-11624 log[ctrlp_disp:pptp_ctrl.c:815]: Client connection established.
Jan  1 00:57:43 radim-LENOVO-Ideapad-U165 pptp[11651]: nm-pptp-service-11624 log[ctrlp_rep:pptp_ctrl.c:259]: Sent control packet type is 7 'Outgoing-Call-Request'
Jan  1 00:57:43 radim-LENOVO-Ideapad-U165 pptp[11651]: nm-pptp-service-11624 log[ctrlp_disp:pptp_ctrl.c:900]: Received Outgoing Call Reply.
Jan  1 00:57:43 radim-LENOVO-Ideapad-U165 pptp[11651]: nm-pptp-service-11624 log[ctrlp_disp:pptp_ctrl.c:939]: Outgoing call established (call ID 50963, peer's call ID 33).
Jan  1 00:58:13 radim-LENOVO-Ideapad-U165 pppd[11632]: LCP: timeout sending Config-Requests
Jan  1 00:58:13 radim-LENOVO-Ideapad-U165 NetworkManager[704]: LCP: timeout sending Config-Requests
Jan  1 00:58:13 radim-LENOVO-Ideapad-U165 NetworkManager[704]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
Jan  1 00:58:13 radim-LENOVO-Ideapad-U165 NetworkManager[704]: Connection terminated.
Jan  1 00:58:13 radim-LENOVO-Ideapad-U165 pppd[11632]: Connection terminated.
...

Dear all,

Let me refresh this thread because my problem is still not solved.

So the facts are below:

  • PPTP on the MikroTik side configured and double checked according to guides. On my previous MikroTik HW I already used PPTP, so I’m familiar with the way it works
  • connection from both Windows and Linux clients works well when initiated from the LAN side
  • when the connection is established from the internet to my public IP, only “TCP connection established” appears in the log; next steps like authentication of the user are not executed, and the client connection fails
  • My MikroTik public IP is accessible from the internet with no problem - Winbox and SSH connect successfully
  • My detailed Linux log shows “LCP: timeout sending Config-Requests” when the connection fails
  • It seems that the problem relates somehow to GRE when accessed from outside. However the firewall allows GRE. Even when all firewall rules are disabled, it does not help

Please help.

The problem you are having is related to the transport of GRE packets over your connection.
Your TCP port 1723 connection is OK, but after that PPTP is using the GRE protocol (protocol 47)
to exchange the actual traffic. This is somehow not making it into your router. This is not immediately
caused by the use of PPPoE, but it can be caused by your modem or a firewall at the ISP you are using now.

Another complication: since about a week, hacked DVR recorders are sending GRE traffic over the internet
to random addresses. This may lead to some over-active ISP blocking all GRE traffic, and when your ISP
has done that it will make your use of PPTP impossible.

I checked with my ISP a few days ago that they do not block GRE; they claim they do not block any protocols. It seems to be right because winbox and ssh are connecting well.

I’m thinking about downgrading the router to some previous RouterOS version. The router is brand new and the first thing I did was upgrade to the new firmware.

Winbox and ssh do not use GRE.

I’m thinking about downgrading the router to some previous RouterOS version. The router is brand new and the first thing I did was upgrade to the new firmware.

That is not going to help.
Start a Tools->Packet Sniffer for the GRE protocol (47) on your internet connection and see if it is really working.
Do you have some modem (cable, DSL) in front of the router? It may be blocking new incoming GRE traffic even when you have set the MikroTik as “DMZ host”.
That is a common problem: “DMZ Host” only works for TCP/UDP, not other protocols, while replies to outgoing traffic are returned OK.

Answers

  • I did not set DMZ on my MikroTik
  • there is a wifi router (owned by my ISP) in front of my MikroTik; it is set to bridge mode
  • GRE is visible in the packet sniffer, see picture
    sniffer.png

Could that 47 traffic be outgoing traffic?
Maybe sniff for “rx” only…
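The "sniff for rx only" idea above, and the later point that with PPPoE all internet traffic arrives on the PPPoE interface rather than ether1, can be turned into a small offline check. This is an added example, not code from the thread or from MikroTik: it walks over constructed, simplified sniffer records (interface, direction, IP protocol, TCP destination port; real `/tool sniffer packet print` output has more columns) and reports whether the PPTP control channel (TCP/1723) and GRE (protocol 47) are actually seen inbound on the WAN interface.

```python
from collections import Counter

TCP, GRE, PPTP_PORT = 6, 47, 1723

# Constructed sample capture reproducing the thread's symptom: TCP/1723 arrives
# on pppoe-out1 and the router answers, GRE is only ever seen leaving (tx),
# and nothing GRE ever comes back in the rx direction.
SAMPLE_CAPTURE = [
    {"iface": "pppoe-out1", "dir": "rx", "proto": TCP, "dport": PPTP_PORT},
    {"iface": "pppoe-out1", "dir": "tx", "proto": TCP, "dport": 51234},
    {"iface": "pppoe-out1", "dir": "tx", "proto": GRE, "dport": None},
    {"iface": "pppoe-out1", "dir": "tx", "proto": GRE, "dport": None},
    {"iface": "ether1",     "dir": "rx", "proto": TCP, "dport": 22},  # ignored: not the WAN
]


def summarize(capture, wan_iface):
    """Count PPTP control and GRE packets per direction on the WAN interface only.

    Packets on any other interface (e.g. ether1 under PPPoE) are ignored, since
    that is not where decoded internet traffic shows up.
    """
    counts = Counter()
    for pkt in capture:
        if pkt["iface"] != wan_iface:
            continue
        if pkt["proto"] == TCP and pkt["dport"] == PPTP_PORT:
            counts[("pptp-ctrl", pkt["dir"])] += 1
        elif pkt["proto"] == GRE:
            counts[("gre", pkt["dir"])] += 1
    return counts


def diagnose(capture, wan_iface="pppoe-out1"):
    """Return a verdict following the thread's reasoning, checked in order."""
    c = summarize(capture, wan_iface)
    if c[("pptp-ctrl", "rx")] == 0:
        return "no-pptp-control"      # TCP/1723 never reaches the router
    if c[("gre", "rx")] == 0 and c[("gre", "tx")] > 0:
        return "gre-inbound-blocked"  # router sends GRE, nothing comes back
    if c[("gre", "rx")] == 0:
        return "no-gre-at-all"        # control channel up, GRE never started
    return "gre-ok"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE))   # gre-inbound-blocked
```

A "gre-inbound-blocked" verdict points upstream of the router (modem, ISP, or as it turned out here, the client's mobile hotspot), not at the firewall filter rules.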

Yes, you are probably right; there is no incoming traffic on the GRE protocol. I’ll ask my ISP to check its wifi router settings to see if they are blocking GRE and let you know later. Thanks.
sniffer-rx.png

Sorry for the additional post, but what seems confusing to me is that the VPN traffic is coming in on the pppoe interface. I expected that it should come in on ether1 instead. However, I cannot decide if it is OK or wrong, and if for example some route is missing from pppoe to eth1 etc.

Probably it’s OK, is it?
sniffer-rx-pppoe.png

You have to know that when you are running PPPoE on an ethernet interface, the ethernet interface itself is used like a tunnel only.
The PPPoE interface is the one that actually receives the traffic.
So any tracing, firewall settings, etc should be done only on the PPPoE interface.
If you like, you can put a “drop” rule on all traffic on ether1 (input and forward) and you will see that its counter remains at 0.
The only exception is when you can manage your provider’s router via your MikroTik, that traffic will be via ether1.

The above also means that you need to change the default “drop all new traffic from ether1” rule in the MikroTik firewall set
to set the input interface to your PPPoE interface because that is where the internet traffic arrives.
(a common mistake is not to do that, and then the router is wide open to all internet attacks)

What I meant was: did you configure your ISP router to set your MikroTik as the DMZ host.
In popular consumer NAT router speak, the DMZ host is the host that receives all incoming traffic not matched with outgoing sessions.
However, in practice this often applies only to TCP and UDP traffic and not other protocols.

In your case, as you have set it to bridge mode, and further because you have put the task of PPPoE encapsulation
on the MikroTik, there is little chance that the ISP router is the one blocking the GRE traffic.
However, there may be a firewall or even a CGNAT further into the ISP network that is doing this.

OK, I’ll check all those things with my ISP because personally I have no access to the wifi router.

Dear all, I’m sending the result of my problem with PPTP VPN. Eventually we found (the ISP guys and me) that the problem is on my iPhone. After upgrading to iOS 10, Apple removed support for the PPTP VPN protocol. It means not only discontinued support for VPN connections made directly from the iPhone to a VPN server, but it seems that a hotspot created on the iPhone somehow filters the GRE protocol before handing the traffic over to the mobile network.

Currently I have configured an L2TP server, which is supported by Apple and is successfully transported via the hotspot enabled on the iPhone and the mobile network without limitations.

Thanks to you all for the help.