Mikrotik as PPTP server (won't) work

scele · September 1, 2010, 1:07pm

PC - local LAN address (192.168.1.0/24)
Ether2 - local LAN address
Ether1 - public static IP address (work as DHCP client, but always gets same IP address from internet provider)

Situation is very simple, but I can’t figure it out. I have enabled PPTP server on my RB750, entered secrets, profile and so one. When I try to dial up VPN connection from my local LAN (from PC) to Ether2 IP address, everything is OK.

But VPN won’t work from “outside”, from my home for example, to Ether1 port (public IP address).

I have tried everything, reset to default settings, changed RouterOS version…nothing.

Please help! I sure missed something, but what?

mrz · September 1, 2010, 1:10pm

Check the firewall. Default configuration has drop rule in input chain, so everything that comes via public interface is dropped.

scele · September 1, 2010, 1:34pm

TNX TNX TNX TNX a hundred times. It works when I disable drop rule.

Is it OK to put another rule, before drop rule:

“chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=1723”

to open just port 1723 for incoming VPN connections?

Thanks again!

fewi · September 1, 2010, 1:40pm

Yes, but remember to also permit GRE. PPTP’s control channel is tcp/1723, the data channel is GRE.

Alternatively allow tcp/1723 and traffic with a connection-state of ‘related’, but then you are at the mercy of the helper that classifies the data channel as such with some amount of increase of security as you’re not permitting rogue GRE traffic that could potentially (but rather unlikely) be malicious.