PPTP forward port not working

tomeng · August 9, 2012, 3:13am

Dear All,

I have pptp server (192.168.9.5) behind Mikrotik, than i turn port forwarding like below

13 ;;; Test PPTP forwad
chain=dstnat action=dst-nat to-addresses=192.168.9.5 to-ports=1723 protocol=tcp dst-address=203.189.135.253 dst-port=1723
14 chain=dstnat action=dst-nat to-addresses=192.168.9.5 to-ports=47 protocol=tcp dst-address=203.189.135.253 dst-port=47
15 chain=dstnat action=dst-nat to-addresses=192.168.9.5 protocol=gre dst-address=203.189.135.253

But it’s not working, please help to correct!

Best Regards,

docmarius · August 9, 2012, 5:12am

Your rules 14 and 15 are wrong.

You have to dst-nat port 1723 and forward protocol 47, not dst-nat port and protocol 47:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1723 in-interface=Ext-IF protocol=tcp to-addresses=192.168.9.5
/ip firewall filter add action=accept chain=forward in-interface=Ext-IF protocol=gre
/ip firewall filter add action=accept chain=forward out-interface=Ext-IF src-address=192.168.9.5

tomeng · August 9, 2012, 8:49am

Hi docmarius,

I have done with your setting is still not working.

PPTP is working on port 1723 and tunnel gre, so we can only forward port 1723 and can not forward protocol=gre. that why not working

any idea

peson · August 9, 2012, 9:29am

Check the order of your NAT rules and your forward filter set.

tomeng · August 9, 2012, 9:45am

here are my setting:

[tomeng@gw01] > ip firewall filter print

0 chain=forward action=accept src-address=192.168.9.5
out-interface=vl19-pub-gw

1 chain=forward action=accept protocol=gre in-interface=vl19-pub-gw

[tomeng@gw01] > ip firewall nat print

13 ;;; Test PPTP
chain=dstnat action=dst-nat to-addresses=192.168.9.5 to-ports=1723
protocol=tcp dst-address=203.189.135.253 in-interface=vl19-pub-gw
dst-port=1723

I see the fowarding port is correct, but tunel could not establish

peson · August 9, 2012, 10:46am

Your forward filter shows only src-address=192.168.9.5, what’s after #1?
The nat rule shows only #13, what’s in front of it?
Please send a full printout.

tomeng · August 10, 2012, 1:46am

I think filter firewall it 's not cause problem, while connecting I disable it, but still not work

the problem as i mention is protocol=gre could not forwad

I have log in my server, it said tunnel fail could not establish.

psamsig · August 10, 2012, 4:02am

There is no need for making a NAT rule for GRE, the PPTP helper takes care of that, and as long you use standard port 1723, the helper will kick in automatically.

I just tested a similar senario, with a MikroTik router acting as PPTP server behind yet a MikroTik router with the NAT rule, and with a third MikroTik as client.