Multiple VPN connections from different IPs

Hello!
Only one user can connect to VPN at a time. Each user has a different location across the country (they are not in the same local network)
I’ve read that people have problems with multiple connections when the clients are behind the same NAT, but that is not the case here.

RB951G-2HnD 6.49.6
PPTP server
Each user has their own secret
‘Only one’ set to No
L2TP has the same problem
I can post the config if needed

Users:
With different IPs across the country
Windows 10

Problem:
Only one user can connect at a time
If one is already connected another gets the message
‘The connection was closed by the remote computer’

Am I missing something?
How to set up PPTP (or L2TP) server to accept simultaneous connections from different IPs?

Thanks

If the clients are not behind the same public IP address it should just work. Use /export hide-sensitive for RoS v6 or just /export for RoS v7, copy the output, remove any other sensitive or personal information (such as serial number, static public IP addresses, credentials in scripts), and post in a code block (the icon above the text box when posting on the forum).

And just don’t use PPTP, the MSCHAPv2 authentication and MPPE (RC4) encryption have known longstanding insecurities.

Here you are

# jul/23/2022 00:50:40 by RouterOS 6.49.6
# software id = AEBV-9S9D
#
# model = 951G-2HnD
# serial number = serial
/interface bridge
# proxy-arp on bridge1 is presumably what lets PPP clients addressed from
# pool_pptp / pool_l2tp (both inside 192.168.1.0/24) talk to LAN hosts.
add admin-mac=MAC arp=proxy-arp auto-mac=no mtu=1500 name=\
    bridge1
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-b/g/n channel-width=20/40mhz-Ce country=latvia disabled=no \
    distance=indoors frequency=auto hw-protection-mode=rts-cts mode=ap-bridge \
    ssid=radio1 station-roaming=enabled tx-power=20 tx-power-mode=\
    all-rates-fixed wds-default-bridge=bridge1 wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] comment=ether2 name=LAN1 speed=100Mbps
set [ find default-name=ether3 ] comment=ether3 name=LAN2 speed=100Mbps
set [ find default-name=ether4 ] comment=ether4 name=LAN3 speed=100Mbps
set [ find default-name=ether5 ] comment=ether5 name=LAN4 speed=100Mbps
set [ find default-name=ether1 ] comment=ether1 name=WAN1 speed=100Mbps
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec policy group
set [ find default=yes ] name=group1
/ip ipsec profile
# NOTE(review): dh-group=modp1024 and 3des are the legacy options in this
# profile; if every L2TP client negotiates a stronger group/cipher, drop them
# so a downgrade to the weakest option cannot be negotiated.
add dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des name=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-128-cbc,3des
/ip pool
add name=pool_dhcp ranges=192.168.1.100-192.168.1.119
# pool_router holds exactly one address (192.168.1.1). A pool address is
# allocated per connection, so once the first tunnel takes it the pool is
# empty for the next one — likely why only one VPN user can connect at a time.
add name=pool_router ranges=192.168.1.1
add name=pool_pptp ranges=192.168.1.200-192.168.1.219
# pool_local and dhcp_pool1 overlap pool_dhcp, pool_pptp and pool_l2tp inside
# 192.168.1.0/24; overlapping pools can hand out the same address twice, so
# pools that nothing references are best removed.
add name=pool_local ranges=192.168.1.0/24
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=pool_l2tp ranges=192.168.1.220-192.168.1.239
/ip dhcp-server
add address-pool=pool_dhcp authoritative=after-2sec-delay disabled=no \
    interface=bridge1 lease-time=3d name=dhcp_server
/ppp profile
set *0 only-one=no
# Both profiles take local-address from pool_router (single address, see
# above); local-address=192.168.1.1 would give every tunnel the same
# router-side address without consuming a pool entry.
add change-tcp-mss=yes dns-server=192.168.1.1 local-address=pool_router name=\
    pptp_profile only-one=no remote-address=pool_pptp use-encryption=yes
add change-tcp-mss=yes dns-server=192.168.1.1 local-address=pool_router name=\
    l2tp_profile only-one=no remote-address=pool_l2tp use-encryption=yes
set *FFFFFFFE only-one=no
/interface bridge port
add bridge=bridge1 interface=LAN1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=LAN2
add bridge=bridge1 interface=LAN3
add bridge=bridge1 interface=LAN4
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
# mschap1 is weaker than mschap2; with use-ipsec=required the PPP auth is
# wrapped in IPsec, but trimming the list to mschap2 (if all clients support
# it) removes the weaker method from negotiation.
set authentication=mschap1,mschap2 default-profile=l2tp_profile enabled=yes \
    use-ipsec=required
/interface list member
add interface=LAN1 list=discover
add interface=LAN2 list=discover
add interface=LAN3 list=discover
add interface=LAN4 list=discover
add interface=wlan1 list=discover
add interface=bridge1 list=discover
/interface pptp-server server
# PPTP relies on MSCHAPv2 + MPPE (RC4), both with long-known weaknesses;
# the L2TP/IPsec server above is the one to keep once clients are migrated.
set default-profile=pptp_profile enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add disabled=no interface=WAN1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for anyone that can
# reach it; the WAN side is closed by the filter rules below (UDP/53 drop,
# plus the final "All other drop" for everything else including TCP/53).
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=WAN1 protocol=udp
# The next two disabled rules accept everything on input/forward and would
# bypass every rule below them if enabled; keep them disabled or delete them.
add action=accept chain=input comment=\
    "Allows all traffic! Normally should be disabled!" disabled=yes
add action=accept chain=forward disabled=yes
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment=Ports dst-port=1723 in-interface=WAN1 \
    protocol=tcp
# The forward-chain accepts for 1723, 1701/500/4500 and ESP from WAN1 only
# matter for traffic dst-nat'ed to a LAN host; the tunnels terminate on the
# router itself (input chain), so these forward rules are likely unnecessary.
add action=accept chain=forward dst-port=1723 in-interface=WAN1 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=25565 in-interface=WAN1 protocol=tcp
add action=accept chain=forward dst-port=25565 in-interface=WAN1 protocol=tcp
add action=accept chain=input dst-port=25565 in-interface=WAN1 protocol=udp
add action=accept chain=forward dst-port=25565 in-interface=WAN1 protocol=udp
add action=accept chain=input comment=L2TP dst-port=1701,500,4500 \
    in-interface=WAN1 protocol=udp
add action=accept chain=forward dst-port=1701,500,4500 in-interface=WAN1 \
    protocol=udp
add action=accept chain=input in-interface=WAN1 protocol=ipsec-esp
add action=accept chain=forward in-interface=WAN1 protocol=ipsec-esp
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="Accept established connections" \
    connection-state=established
add action=accept chain=forward connection-state=established
add action=drop chain=input comment="All other drop" in-interface=WAN1
add action=drop chain=forward in-interface=WAN1
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.1.0/24 out-interface=\
    WAN1 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=!192.168.1.0/24 dst-port=25565 \
    in-interface=WAN1 protocol=tcp to-addresses=192.168.1.6 to-ports=25565
# NOTE(review): to-addresses differs between the TCP rule (192.168.1.6) and
# this UDP rule (192.198.1.6); the UDP value looks like a typo — confirm.
add action=dst-nat chain=dstnat dst-address=!192.168.1.0/24 dst-port=25565 \
    in-interface=WAN1 protocol=udp to-addresses=192.198.1.6 to-ports=25565
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip smb
set interfaces=bridge1
/ip smb shares
add directory=/usb1 name=share1
/ip smb users
add name=[user] read-only=no
/ip ssh
# allow-none-crypto=yes permits unencrypted SSH ciphers; harmless while the
# ssh service is disabled above, but revert it if SSH is ever re-enabled.
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=[user] profile=pptp_profile service=pptp
add disabled=yes name=gm profile=pptp_profile service=pptp
add disabled=yes name=multi profile=pptp_profile service=pptp
add disabled=yes name=l2tpuser profile=l2tp_profile service=l2tp
add name=[user].l2tp profile=l2tp_profile service=l2tp
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=WAN1 upstream=yes
add interface=bridge1
/system clock
set time-zone-autodetect=no
/system clock manual
set time-zone=+03:00
/system identity
set name=WRT
/system leds
set 0 interface=wlan1
/system logging
add topics=l2tp
/system ntp client
set enabled=yes primary-ntp=NTPIP1 secondary-ntp=NTPIP2

And just don’t use PPTP, the MSCHAPv2 authentication and MPPE (RC4) encryption have known longstanding insecurities.
Thanks and I agree.

Probably due to using local-address=pool_router in the PPP profiles - as the pool only contains one address, the pool is then empty for subsequent connections. Use local-address=192.168.1.1 instead.

Pools should not overlap; it would be wise to delete pool_router, pool_local and dhcp_pool1.

Replacing pool_router to the exact IP address solved the problem. Thank you very much!
Noted your other suggestions too. I appreciate it.

I used pool_router as a kind of variable. Comes from a programming background. I don’t like “magic numbers” :slight_smile:)
(Curious whether RouterOS allows the creation and using variables)

Pools are, as the name suggests, a pool / list of addresses. When an item is allocated from the pool it cannot be used by anything else until it is released.

There are address lists and interface lists which can be used in place of hard-coded addresses or interfaces, but only in certain places such as firewall rules. There isn’t a generic variable object which can be used anywhere in RouterOS.

I would use a slightly different wording - you can use generic variables in scripts, and you can use scripts to add/remove/modify configuration items, but configuration items themselves cannot refer to generic variables.

In the specific case of /ppp secret items, you can let each of them refer to another pool that contains just a single address, but it is in fact a two-stage reference - the /ppp secret item links several properties to a username, so there is little point in using an alias for just one of them.