MikroTik VPN and M$ Windows Networking - Step by Step - How to

Hi …
Follow this:

  1. I have MT 2.9.x
  2. I have a PPTP user who can log in with user name and password successfully
  3. After logging in via VPN, Windows file sharing doesn't work
  4. Please give a manual on how to do it
  5. I need /ip firewall filter rules for PPTP for M$ Windows Networking
  6. I need /ip firewall nat rules for PPTP for M$ Windows Networking
  7. If I use the default gateway for the PPTP user it is OK, but I don't
  8. m0n0wall's VPN can do this easily

You will find a PPTP configuration example between a MikroTik PPTP server and a Windows client here:
http://www.mikrotik.com/docs/ros/2.9/interface/pptp
PPTP uses TCP port 1723 and protocol 47 (GRE) traffic; the firewall should not drop the respective traffic.
A special helper exists for PPTP traffic over NAT in MikroTik RouterOS; to enable it:
'ip firewall service-port set pptp disabled=no'.

Post the config from your router.

Terminal vt102 detected, using multiline input mode
[admin@RouTer] > interface
[admin@RouTer] interface> pr
Flags: X - disabled, D - dynamic, R - running
 #    NAME       TYPE     RX-RATE  TX-RATE  MTU
 0  R ether1     ether    0        0        1500
 1  R ether2     ether    0        0        1500
 2  R pptp-in1   pptp-in  0        0        1400
 3    pptp-in2   pptp-in
[admin@RouTer] interface> /



[admin@RouTer] > ip firewall filter
[admin@RouTer] ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NETBIOS block
chain=forward protocol=tcp dst-port=135 action=drop

1 ;;; To deny acces to the router via Telnet (protocol TCP, port 23), type >
following command:
chain=input protocol=tcp dst-port=23 action=drop

2 X ;;; To only allow not more than 5 simultaneous connections from each of t>
clients, do the following:
chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32
action=drop

3 ;;; Drop Invalid connections
chain=input connection-state=invalid action=drop

4 ;;; Allow Established connections
chain=input connection-state=established action=accept

5 ;;; Allow UDP
chain=input protocol=udp action=accept

6 ;;; Allow ICMP
chain=input protocol=icmp action=accept

7 ;;; Allow access to router from known network
chain=input src-address=192.168.1.0/24 action=accept

8 ;;; Drop anything else
chain=input action=drop

9 ;;; drop invalid connections
chain=forward protocol=tcp connection-state=invalid action=drop

10 ;;; allow already established connections
chain=forward connection-state=established action=accept

11 ;;; allow related connections
chain=forward connection-state=related action=accept

12 chain=forward src-address=0.0.0.0/8 action=drop

13 chain=forward dst-address=0.0.0.0/8 action=drop

14 chain=forward src-address=127.0.0.0/8 action=drop

15 chain=forward dst-address=127.0.0.0/8 action=drop

16 chain=forward src-address=224.0.0.0/3 action=drop

17 chain=forward dst-address=224.0.0.0/3 action=drop

18 chain=forward protocol=tcp action=jump jump-target=tcp

19 chain=forward protocol=udp action=jump jump-target=udp

20 chain=forward protocol=icmp action=jump jump-target=icmp

21 ;;; deny TFTP
chain=tcp protocol=tcp dst-port=69 action=drop

22 ;;; deny RPC portmapper
chain=tcp protocol=tcp dst-port=111 action=drop

23 ;;; deny RPC portmapper
chain=tcp protocol=tcp dst-port=135 action=drop

24 ;;; deny NBT
chain=tcp protocol=tcp dst-port=137-139 action=drop

25 ;;; deny cifs
chain=tcp protocol=tcp dst-port=445 action=drop

26 ;;; deny NFS
chain=tcp protocol=tcp dst-port=2049 action=drop

27 ;;; deny NetBus
chain=tcp protocol=tcp dst-port=12345-12346 action=drop

28 ;;; deny NetBus
chain=tcp protocol=tcp dst-port=20034 action=drop

29 ;;; deny BackOriffice
chain=tcp protocol=tcp dst-port=3133 action=drop

30 ;;; deny DHCP
chain=tcp protocol=tcp dst-port=67-68 action=drop

31 ;;; deny TFTP
chain=udp protocol=udp dst-port=69 action=drop

32 ;;; deny PRC portmapper
chain=udp protocol=udp dst-port=111 action=drop

33 ;;; deny PRC portmapper
chain=udp protocol=udp dst-port=135 action=drop

34 ;;; deny NBT
chain=udp protocol=udp dst-port=137-139 action=drop

35 ;;; deny NFS
chain=udp protocol=udp dst-port=2049 action=drop

36 ;;; deny BackOriffice
chain=udp protocol=udp dst-port=3133 action=drop

37 ;;; drop invalid connections
chain=icmp protocol=icmp icmp-options=0:0 action=accept

38 ;;; allow established connections
chain=icmp protocol=icmp icmp-options=3:0 action=accept

39 ;;; allow already established connections
chain=icmp protocol=icmp icmp-options=3:1 action=accept

40 ;;; allow source quench
chain=icmp protocol=icmp icmp-options=4:0 action=accept

41 ;;; allow echo request
chain=icmp protocol=icmp icmp-options=8:0 action=accept

42 ;;; allow time exceed
chain=icmp protocol=icmp icmp-options=11:0 action=accept

43 ;;; allow parameter bad
chain=icmp protocol=icmp icmp-options=12:0 action=accept

44 ;;; deny all other types
chain=icmp action=drop

45 chain=input in-interface=pptp-in1 action=accept

46 chain=output out-interface=pptp-in1 action=accept

47 chain=input src-address=192.168.1.0/24 action=accept

[admin@RouTer] ip firewall filter>



[admin@RouTer] > ip firewall nat
[admin@RouTer] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=ether2 action=masquerade

1 chain=dstnat in-interface=ether2 dst-address=62.x.x.x protocol=tcp
dst-port=0-65535 action=dst-nat to-addresses=192.168.1.10
to-ports=0-65535

2 chain=dstnat in-interface=ether2 dst-address=62.x.x.x protocol=udp
dst-port=0-65535 action=dst-nat to-addresses=192.168.1.10
to-ports=0-65535

3 chain=dstnat in-interface=ether2 dst-address=62.x.x.x protocol=gre
dst-port=0-65535 action=dst-nat to-addresses=192.168.1.10
to-ports=0-65535

4 chain=dstnat in-interface=pptp-in1 src-address=192.168.1.0/24
action=dst-nat to-addresses=192.168.1.10 to-ports=0-65535

5 chain=srcnat out-interface=pptp-in1 src-address=192.168.1.0/24
action=src-nat to-addresses=62.x.x.x to-ports=0-65535
[admin@RouTer] ip firewall nat>

This definitely looks like a Windows issue :) What does the router have to do with sharing permissions???

Everything works on Linux for me using pptpconfig, where you can set whatever settings you wish. And as I said, everything happens on the client's side… so, Windows to go.

m0n0wall does this like that → see the pic

Come on, pals.

I need M$ Windows Networking via MikroTik VPN.

Give some advice!!!

Don't you have to do some kind of EoIP to transparently interconnect your networks?

http://www.mikrotik.com/docs/ros/2.9/interface/eoip

I'll try this and I will tell you what happens.

I have a network:
172.16.43.0/24 <-> MT IP 85.x.x.x <-> internet <-> RemoteOffice IP 192.168.1.52
Now I must connect to a PC, \\172.16.43.3\c$, using M$ VPN PPTP from 192.168.1.52.

Come on, give a simple solution.

MikroTik PPTP server <-> Windows PPTP client; a PPTP server configuration example is here:
http://www.mikrotik.com/docs/ros/2.9/interface/pptp.content#5.29.6.2

Set the appropriate configuration on the Windows PC and connect to 85.x.x.x; it should work fine.

It's WORKING …

/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input action=accept comment="Allow access to router from known network - change on 10 10 2006" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=yes
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=yes
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop invalid connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow already established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=forward protocol=tcp dst-port=135 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=23 action=drop comment="To deny access to the router via Telnet (protocol TCP, port 23), type the following command:" disabled=no
add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop comment="To only allow not more than 5 simultaneous connections from each of the clients, do the following:" disabled=yes
add chain=forward src-address=172.16.43.4 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.5 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.6 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.7 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.8 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.9 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.10 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.11 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.12 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.13 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.14 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.15 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.16 protocol=tcp dst-port=8000-9000 action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.0/24 dst-address=87.120.40.151 protocol=tcp dst-port=80 action=drop comment="online radio block" disabled=no
add chain=tcp in-interface=pptp-in1 protocol=tcp dst-port=137-139 action=passthrough comment="deny NBT - mod1" disabled=no
add chain=tcp in-interface=pptp-in1 protocol=tcp dst-port=445 action=passthrough comment="deny cifs - mod2" disabled=no
add chain=tcp in-interface="pppoe-out1 - netsurf" protocol=tcp dst-port=137-139 action=drop comment="deny NBT - mod3" disabled=no
add chain=tcp in-interface="pppoe-out1 - netsurf" protocol=tcp dst-port=445 action=drop comment="deny cifs - mod4" disabled=no




/ ip firewall nat
add chain=srcnat out-interface="pppoe-out1" action=masquerade comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x protocol=tcp dst-port=0-49999 action=dst-nat to-addresses=172.16.43.1 to-ports=0-49999 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x protocol=icmp dst-port=0-65535 action=dst-nat to-addresses=172.16.43.1 to-ports=0-65535 comment="ping via WAN enabled" disabled=no
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x protocol=gre dst-port=0-65535 action=dst-nat to-addresses=172.16.43.1 to-ports=0-65535 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x protocol=udp dst-port=515-65535 action=dst-nat to-addresses=172.16.43.1 to-ports=515-65535 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x protocol=igmp dst-port=0-65535 action=dst-nat to-addresses=172.16.43.1 to-ports=0-65535 comment="" disabled=no
add chain=srcnat out-interface="pppoe-out1" src-address=172.16.43.0/24 protocol=igmp action=masquerade comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1" src-address=62.x.x.x dst-address=85.x.x.x protocol=udp dst-port=514 action=dst-nat to-addresses=172.x.x.x to-ports=514 comment="syslog via 62.x.x.x to 172.x.x.x" disabled=no
add chain=dstnat dst-address=10.0.0.217 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.4 to-ports=0-65535 comment="example port forwarding" disabled=yes
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x protocol=tcp dst-port=50000 action=dst-nat to-addresses=172.x.x.x to-ports=50000 comment="torrents port forwarding - tcp port 50000 for 172.x.x.x" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x protocol=udp dst-port=50000 action=dst-nat to-addresses=172.x.x.x to-ports=50000 comment="torrents port forwarding - udp port 50000 for 172.x.x.x" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x protocol=tcp dst-port=50001 action=dst-nat to-addresses=172.x.x.x to-ports=50001 comment="torrents port forwarding - TCP port 50000 for 172.x.x.x" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x protocol=udp dst-port=50001 action=dst-nat to-addresses=172.x.x.x to-ports=50001 comment="torrents port forwarding - UDP port 50000 for 172.x.x.x" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x protocol=tcp dst-port=50002-65535 action=dst-nat to-addresses=172.16.43.1 to-ports=50002-65535 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x protocol=udp dst-port=0-513 action=dst-nat to-addresses=172.16.43.1 to-ports=0-513 comment="" disabled=no
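Two things in this thread decide whether Windows networking works over the tunnel, and both are about rule order rather than Windows: MikroTik's reply above (TCP 1723 and GRE must not be dropped, so their accepts have to sit before "Drop anything else" in the input chain), and the final working export, where the "deny NBT" and "deny cifs" rules in the tcp chain, which dropped 137-139 and 445 arriving on every interface, are disabled and replaced by drops limited to the WAN interface. The Python script below is an added example written for this page; it is not MikroTik code and not the poster's export. It parses rules in the same export syntax and walks them the way the RouterOS filter does: first match wins, a jump into a user chain comes back to the caller when nothing in it decides, passthrough only counts, and a built-in chain with no matching rule accepts. The rule sets, the interface names pppoe-out1 and pptp-in1, and the addresses 198.51.100.1, 203.0.113.5, 10.9.8.2 and 192.168.1.0/24 are constructed for the example.

```python
"""First-match evaluator for RouterOS-style '/ip firewall filter' export lines.
Constructed for this thread (not MikroTik code, not the poster's full export)."""
import ipaddress
import shlex
TERMINAL = {"accept", "drop", "reject", "tarpit"}
MATCHERS = {"protocol", "in-interface", "out-interface", "connection-state", "src-address", "dst-address", "dst-port"}
META = {"chain", "action", "jump-target", "comment", "disabled"}

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex honours quoted values."""
    rules = []
    for line in text.splitlines():
        if line.strip().startswith("add "):
            pairs = (tok.partition("=") for tok in shlex.split(line.strip()[4:]))
            rules.append({key: value for key, _, value in pairs})
    return rules

def _port_ok(spec, port):  # dst-port may list ports and ranges: '137-139', '135,445'
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if port is not None and int(lo) <= port <= int(hi or lo):
            return True
    return False

def _matches(rule, pkt):
    if rule.get("disabled") == "yes":
        return False
    if set(rule) - MATCHERS - META:  # do not guess about matchers not modelled here
        raise ValueError(f"unsupported matcher in {rule}")
    for key in ("protocol", "in-interface", "out-interface", "connection-state"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src-address", "dst-address"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in \
                ipaddress.ip_network(rule[key], strict=False):
            return False
    return "dst-port" not in rule or _port_ok(rule["dst-port"], pkt.get("dst-port"))

def _walk(rules, pkt, chain):
    """Walk one chain; (None, None) = no verdict, the caller resumes after its jump."""
    for idx, rule in enumerate(rules):
        if rule.get("chain") != chain or not _matches(rule, pkt):
            continue
        action = rule.get("action", "accept")
        if action in TERMINAL:
            return action, idx
        if action == "jump":
            verdict, at = _walk(rules, pkt, rule["jump-target"])
            if verdict is not None:
                return verdict, at
        elif action == "return":
            return None, None
        # passthrough/log, or a jump whose target decided nothing: try the next rule
    return None, None

def check(rule_text, pkt, chain):
    """(verdict, index of deciding rule); index None = built-in chain's default accept."""
    verdict, idx = _walk(parse_rules(rule_text), pkt, chain)
    return (verdict, idx) if verdict else ("accept", None)

def packet(protocol, src, dst, in_if, dst_port=None, state="new"):
    return {"protocol": protocol, "src-address": src, "dst-address": dst,
            "in-interface": in_if, "dst-port": dst_port, "connection-state": state}

# Constructed rule sets; pppoe-out1 and 198.51.100.1 stand in for the WAN side.
INPUT_BEFORE = """
add chain=input src-address=192.168.1.0/24 action=accept comment="known network"
add chain=input action=drop comment="Drop anything else"
add chain=input in-interface=pptp-in1 action=accept comment="never reached"
"""
INPUT_AFTER = """
add chain=input connection-state=established action=accept
add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=input protocol=gre action=accept comment="PPTP data, IP protocol 47"
add chain=input in-interface=pptp-in1 action=accept comment="tunnel peer to router"
add chain=input src-address=192.168.1.0/24 action=accept comment="known network"
add chain=input action=drop comment="Drop anything else"
"""
FORWARD_BEFORE = """
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
"""
FORWARD_AFTER = """
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=yes
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=yes
add chain=tcp in-interface=pptp-in1 protocol=tcp dst-port=445 action=passthrough comment="counts only"
add chain=tcp in-interface=pppoe-out1 protocol=tcp dst-port=137-139 action=drop comment="NBT from WAN"
add chain=tcp in-interface=pppoe-out1 protocol=tcp dst-port=445 action=drop comment="cifs from WAN"
"""
PPTP_SYN = packet("tcp", "203.0.113.5", "198.51.100.1", "pppoe-out1", dst_port=1723)
GRE_DATA = packet("gre", "203.0.113.5", "198.51.100.1", "pppoe-out1")
SMB_VPN = packet("tcp", "10.9.8.2", "172.16.43.3", "pptp-in1", dst_port=445)
SMB_WAN = packet("tcp", "203.0.113.5", "172.16.43.3", "pppoe-out1", dst_port=445)

if __name__ == "__main__":  # quick look at the constructed cases
    print(check(INPUT_BEFORE, PPTP_SYN, "input"), check(INPUT_AFTER, PPTP_SYN, "input"),
          check(FORWARD_BEFORE, SMB_VPN, "forward"), check(FORWARD_AFTER, SMB_VPN, "forward"))
```

With the original ordering the PPTP SYN and the GRE packet both hit "Drop anything else" before the pptp-in1 accept, so that accept is dead; once the 1723/GRE accepts precede the catch-all, check() returns the index of the accepting rule. For SMB from the tunnel, the first forward set drops inside the tcp chain, the second ends the tcp chain without a verdict and falls through to the built-in default accept (index None), while the same packet from the WAN interface is still dropped. Two caveats the evaluator makes visible: action=passthrough never allows anything, it counts and continues, so the "mod1"/"mod2" rules in the final export are counters, not exceptions; and the final export's fifth input rule, add chain=input action=accept with no src-address, matches every packet reaching the router, so the "Drop anything else" and the Telnet drop after it never fire. The model deliberately raises on matchers it does not implement (tcp-flags, icmp-options, connection-limit) rather than guessing, so feed it tcp/gre packets when pointing it at a full export.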