How to set up PPTP VPN with Mikrotik RB450

What is missing from the following instructions to set up a Mikrotik RB450 as a VPN router?

I placed the cable modem in bridge mode, the Mikrotik RB450 is reachable over the internet via Winbox.exe, I can successfully establish a Windows PPTP VPN, but I am unable to reach any of the target network devices hosted on the LAN I am accessing remotely via the VPN. However, when I go to the Mikrotik Tools and do an IP scan, it is able to “see” the target network devices (assigned static IPs on the LAN) I am not able to reach via the PPTP VPN… HELP! I know just enough to be dangerous, apparently!

Login to the Mikrotik 450 via Winbox.exe, Side menu:

Interfaces
 Double-click ether1 to enter ether1 properties

  • Rename ether1 “ether1 – Local”

 Double-click ether5 to enter ether5 properties

  • Rename ether5 “ether5 – Internet”

IP > Addresses
 Add (+) Local IP address (double-click existing IP to edit if existing)

  • Assign to “ether1 – Local”

 Add (+) Public IP address

  • Assign to “ether5 – Internet”

IP > Routes
 Double-click “AS 0.0.0.0” to enter properties

  • Leave Dst. Address: 0.0.0.0/0
  • Edit Gateway: Enter Public Gateway
  • Type: unicast

 Confirm “Local” Route

  • Dst. Address: Add local IP range (i.e. xx.xx.xx.x/24)
  • Gateway: ether1- Local
  • Type: unicast
  • Pref. Source: Local Gateway (xx.xx.xx.1)

 Confirm “Public” Route

  • Dst. Address: Add Public Static IP and Subnet (i.e. xx.xx.xxx.xx/28)
  • Gateway: ether5- Internet
  • Type: unicast
  • Pref. Source: Public Gateway (xx.xx.xxx.xx)

IP > Pool
 Add Pool (rename dhcp_pool1)

  • Addresses (local IP address range: xx.xx.xx.2-xx.xx.xx.12)

IP > Firewall > NAT Tab > Add (+)
 General Tab

  • Src. Address: (don’t check mark) Local IP Range (xx.xx.xx.0/24)
  • Out. Interface: (don’t check mark) ether5 – Internet

 Action Tab

  • Action: masquerade

IP > SNMP Server
 SNMP Settings (Enabled: Checkbox selected)
 Double-click existing

  • Confirm Address: 0.0.0.0/0
  • Read Access (checkbox selected)

System > NTP Client
 Enabled (checkbox selected)
 Mode: unicast

  • Primary NTP Server: xx.xxx.xxx.xxx
  • Secondary NTP Server: yy.yy.yyy.yy
  • OK
     Password =
     Identity =

PPP
 PPTP Server: Enabled (checkbox selected)
 ADD (+) PPTP Server (OK)
 Profiles Tab

  • Double-click default encryption
    o Local Address: (local gateway: xx.xx.xx.1)
    o Remote Address: (dhcp_pool1)
    o Use Compression: yes
    o Use VJ Compression: yes
    o Use Encryption: yes
    o Change TCP MSS: yes

 Secrets Tab

  • Add (+)
    o Name: xyz
    o Password: 123
    o Profile: Default Encryption
  • Add (+)
    o Name: Client
    o Password: $@!
    o Profile: Default Encryption

At this point (when the PPTP client is successfully connected), if you try to ping any workstation from the laptop, the ping will time out, because the laptop is unable to get ARPs from the workstations. The solution is to set up proxy-arp on the local interface.

Execute the following command from the terminal:

/interface ethernet set [find name=ether1] arp=proxy-arp

Details: http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP#Connecting_Remote_Client
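
The situation in this thread, as an added example that is not part of the original posts: a Python check that tells whether a PPP remote-address pool sits inside the LAN subnet and therefore depends on proxy-arp on the LAN interface. The function names, verdict strings and sample addresses are constructed for illustration (the thread masks its real addresses), and the "routed" verdict assumes LAN hosts use the router as their default gateway.

```python
import ipaddress

def parse_pool(ranges):
    """Parse 'first-last' (or a single address) into two ip_address objects."""
    first, _, last = ranges.partition("-")
    lo = ipaddress.ip_address(first.strip())
    hi = ipaddress.ip_address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError("reversed pool range: " + ranges)
    return lo, hi

def check_vpn_pool(lan_address, pool_ranges, lan_arp_mode):
    """Classify how VPN clients drawn from pool_ranges relate to the LAN.

    lan_address  -- router's LAN address in CIDR form, e.g. '192.168.88.1/24'
    pool_ranges  -- PPP remote-address pool, e.g. '192.168.88.2-192.168.88.12'
    lan_arp_mode -- ARP setting of the LAN interface ('enabled', 'proxy-arp', ...)
    """
    lan = ipaddress.ip_interface(lan_address)
    net = lan.network
    lo, hi = parse_pool(pool_ranges)
    if hi < net.network_address or lo > net.broadcast_address:
        # Separate subnet: LAN hosts reply via their default gateway
        # (assumed to be this router), so no ARP for the client is needed.
        return "routed"
    if lo not in net or hi not in net:
        return "straddles-lan"   # pool is only partly inside the LAN subnet
    if lo <= lan.ip <= hi:
        return "conflict"        # pool would hand out the router's own address
    # Pool is inside the LAN subnet: LAN hosts ARP for the client's address,
    # and only the router can answer on the client's behalf.
    return "ok" if lan_arp_mode == "proxy-arp" else "needs-proxy-arp"

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    cases = [
        ("192.168.88.1/24", "192.168.88.2-192.168.88.12", "enabled"),
        ("192.168.88.1/24", "192.168.88.2-192.168.88.12", "proxy-arp"),
        ("192.168.88.1/24", "10.10.10.2-10.10.10.12", "enabled"),
    ]
    for case in cases:
        print(case, "->", check_vpn_pool(*case))
```

Moving the PPP pool to its own subnet gives the "routed" result and avoids enabling proxy-arp on the LAN interface.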

Thanks, that did the trick!

Interface List > eth1 Local > Properties > General Tab > ARP: proxy-arp

Thanks again! :smiley: