Errors when establishing a PPTP tunnel

I am trying to establish a PPTP tunnel from one Mikrotik box to another. I’ve done this before on other boxes and it’s worked fine.

However, when I try it now, on the PPTP server I get the following log entry:


16:54:18 pptp,info TCP connection established from 67.177.xxx.xxx
16:54:18 pptp,ppp,info : waiting for call…
16:54:18 firewall,info DROP INPUT input: in:WAN out:(none), src-mac 00:13:1a:f6:63:00, proto 47, 67.177.xxx.xxx->216.xxx.xxx.xxx, len 26
16:54:19 firewall,info DROP INPUT input: in:WAN out:(none), src-mac 00:13:1a:f6:63:00, proto 47, 67.177.xxx.xxx->216.xxx.xxx.xxx, len 39
16:54:20 firewall,info DROP INPUT input: in:WAN out:(none), src-mac 00:13:1a:f6:63:00, proto 47, 67.177.xxx.xxx->216.xxx.xxx.xxx, len 39
16:54:22 firewall,info DROP INPUT input: in:WAN out:(none), src-mac 00:13:1a:f6:63:00, proto 47, 67.177.xxx.xxx->216.xxx.xxx.xxx, len 39
16:54:24 pptp,ppp,info : terminating…
16:54:24 pptp,ppp,info : disconnected


As soon as I enable the client PPTP interface, the above logs repeat themselves. On the client I see the interface make a connection, but then it drops again.

I have port 1723 open on the Mikrotik server.

Do I have a rule incorrect perhaps?


Thanks

PPTP isn’t just tcp/1723 - that’s just the control channel. The actual data of the tunnel runs over GRE, which is IP protocol 47. Look at your firewall logs in the snippet you posted:

16:54:22 firewall,info DROP INPUT input: in:WAN out:(none), src-mac 00:13:1a:f6:63:00, proto 47, 67.177.xxx.xxx->216.xxx.xxx.xxx, len 39

You’re dropping protocol 47, which means you’re dropping the GRE portion of the tunnel. Permit IP protocol 47 in your input chain and you should be fine.
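The diagnosis above, written as a log check (an added example, not part of the original thread): it reports peers whose PPTP control connection on tcp/1723 was accepted while their GRE (IP protocol 47) packets were dropped by the firewall. The function names and the sample log are constructed for illustration, the addresses come from documentation ranges, and the line format is assumed to match the entries quoted in the question.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the question, including the
# terminal wrap that splits the src-mac field across two lines.
SAMPLE_LOG = """\
16:54:18 pptp,info TCP connection established from 198.51.100.7
16:54:18 pptp,ppp,info : waiting for call...
16:54:18 firewall,info DROP INPUT input: in:WAN out:(none), src-mac 00:00:5e:00:
53:01, proto 47, 198.51.100.7->203.0.113.10, len 26
16:54:19 firewall,info DROP INPUT input: in:WAN out:(none), src-mac 00:00:5e:00:
53:01, proto 47, 198.51.100.7->203.0.113.10, len 39
16:54:20 firewall,info DROP INPUT input: in:WAN out:(none), src-mac 00:00:5e:00:
53:02, proto 47, 192.0.2.99->203.0.113.10, len 39
16:54:24 pptp,ppp,info : terminating...
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2} ")
CONTROL = re.compile(r"pptp,info TCP connection established from (\S+)")
DROP = re.compile(r"firewall,info DROP .*proto (\d+), ([^\s>-]+)->(\S+?),")

def unwrap(text):
    """Rejoin wrapped entries: a line without a timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if TS.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line
    return entries

def dropped_gre_after_control(text):
    """Return {peer: dropped GRE packet count} for peers with an accepted control session."""
    control_peers = set()
    drops = defaultdict(int)
    for entry in unwrap(text):
        m = CONTROL.search(entry)
        if m:
            control_peers.add(m.group(1))
            continue
        m = DROP.search(entry)
        # Only protocol 47 from a peer that already opened tcp/1723 points at
        # a missing GRE accept rule; other dropped traffic is ignored.
        if m and m.group(1) == "47" and m.group(2) in control_peers:
            drops[m.group(2)] += 1
    return dict(drops)

if __name__ == "__main__":
    for peer, count in dropped_gre_after_control(SAMPLE_LOG).items():
        print(f"{peer}: control channel up, {count} GRE packets dropped")
```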

Awesome! That did it. I thought it was telling me something but I wasn’t familiar with Protocol 47, and in the protocol list, when creating a new rule, it doesn’t say 47 until AFTER you select GRE.

So a new rule allowing GRE (i.e. protocol 47) did the trick.

I don’t think I’ve ever had to do that before on my Mikrotik routers, interesting.

In any case, thanks again.