PPTP Server on RB3011 (ROS 6.42.5 - arm) not working!

darry · June 29, 2018, 10:41am

Hello, I recently migrated router from RB2011 (ROS 6.5 - mibs) to RB3011 (6.42.5 - arm). Configuration is exactly the same with all the rules transferred 1 to 1. However I cannot manage to make PPTP server properly servicing connections. What worked flawlessly on RB2011 simply doesn’t work on RB3011.

Behavior is such, that VPN PPTP clients (different Windows 7/10 workstations) CAN connect and authenticate, but it seems there is no working routing (no access to remote VPN LAN or Internet). However router adds dynamic route for connected PPTP clients. Also dynamic mangle rules for changing MSS are not created on RB3011 despite selecting “change TCP MSS” in profile properties.

As I said configuration is EXACTLY the same as on old RB2011 which works. The only difference there is active fasttrack on RB3011, but switching it off doesn’t make any changes.

So anybody had successfully set up working PPTP server on RB3011 (6.42.5)? Are there any additional “tricks” to set up? Or there is simply a bug or something? I’m going mad with this . Thank you for help in advance!

darry · June 29, 2018, 11:07am

Heh. Already solved! There is default firewall rule on RB3011 “drop all from WAN not DSTNATed” - and it was the cause!

However I have no idea why VPN connection is treated as dst-nated?

The lesson learned is NEVER USE DEFAULTS on Mikrotik!

nescafe2002 · June 29, 2018, 11:34am

Did you really disable the entire firewall because of a missing allow rule for “all ppp”?

Zwe · June 29, 2018, 12:39pm

I think you must be re-check your firewall rule.

darry · June 29, 2018, 12:43pm

Of course not. I always make rules from scratch as per demand basis. Just didn’t notice such strange defaults in new setup. Have about 100+ rules and it is easy to omit some.

It is questionable for me what is purpose for such default rule. If port is not open (on input or forward chain), in my humble opinion, there is no need to introduce special rule for dropping “not dst-nated”. Such a rule can be misleading and can block any other router input-specific traffic. As in my case.

As I explained, there weren’t such defaults on RB2011.