Hi all,
I have configured load balancing across 3 WANs using the PCC method. DHCP is enabled for local systems. I need to set up a VPN so that I can reach my local network and its connected devices from any external network. I have configured a PPTP server as shown below, but when connecting from an external network I can ping my router IP 172.28.1.21 but cannot ping the connected local systems 172.28.1.50, 172.28.1.70, etc. I also need to block all torrents; please help me with this. I have already done some configuration for it, as shown below. If any of the config is wrong or unusable, please point it out.
Need urgent solution on this.
Thank you in advance.
My router config is as follows:
[hassan-Network] > export hide-sensitive
apr/17/2018 12:08:40 by RouterOS 6.41.4
software id = 4BDL-PGB2
model = CCR1016-12G
# Rename the four physical ports used by this setup: ether1 becomes LAN and
# ether2-ether4 become WAN1-WAN3. Later sections refer to these names.
/interface ethernet
set [ find default-name=ether1 ] comment="ether1(Local Network)" name=LAN
set [ find default-name=ether2 ] comment="ether2" name=WAN1
set [ find default-name=ether3 ] comment="ether3" name=WAN2
set [ find default-name=ether4 ] comment="ether4" name=WAN3
# Static PPTP server binding named pptp-VPN with an empty user= value.
# NOTE(review): with user="" this binding is not tied to the "hassan" secret;
# presumably it is a leftover and clients get dynamic interfaces - confirm.
/interface pptp-server
add name=pptp-VPN user=""
# Only sets the supplicant identity on the default wireless security profile;
# no wireless interface appears anywhere else in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Two Layer7 patterns intended for torrent blocking: "torrentsites" (HTTP GET
# requests naming torrent sites) and "layer7-bittorrent-exp" (BitTorrent
# handshake/tracker strings plus the same site names).
# NOTE(review): both regexps carry literal \r\n sequences between groups of
# alternatives, which looks like a multi-line paste. As written, the first name
# after each break (thepiratebay, torrentz, ...) would only match when preceded
# by CR LF CR LF - confirm and rejoin each pattern on one line.
# RouterOS Layer7 matching inspects only the clear-text start of a connection,
# so HTTPS sites and encrypted BitTorrent peers are not seen by either pattern.
# Treat these patterns as a partial control, not a complete torrent block.
/ip firewall layer7-protocol
add name=torrentsites regexp="^.(get|GET).+(torrent|\r
\n\r
\nthepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|\r
\n\r
\ntorrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|\r
\n\r
\nentertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|\r
\n\r
\nflixflux|seedpeer|fenopy|gpirate|commonbits).$"
# NOTE(review): in the pattern below "info_hash=" runs straight into
# "get /announce" with no "|" between them, and the closing parenthesis before
# [RP] is escaped, so the grouping may not be what was intended - confirm
# against the original source of this regexp.
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\x13bittorrent protocol|azver\x01$|get /scrape\
?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7Ptorrent|\r
\n\r
\nthepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|\r
\n\r
\ntorrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|\r
\n\r
\nentertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|\r
\n\r
\nflixflux|seedpeer|fenopy|gpirate|commonbits\)[RP]"
# Address pools: "local dhcp" serves the LAN (172.28.1.22-172.28.3.254) and
# "VPN pool" serves PPTP clients (192.168.0.10-192.168.0.50), a range outside
# the LAN's 172.28.0.0/16.
/ip pool
add name=local dhcp ranges=172.28.1.22-172.28.3.254
add name="VPN pool" ranges=192.168.0.10-192.168.0.50
# DHCP server on the LAN interface, handing out the "local dhcp" pool with
# one-week leases.
/ip dhcp-server
add address-pool=local dhcp disabled=no interface=LAN lease-time=1w name=dhcp1
# PPP profile selected by the "hassan" secret: both tunnel endpoints are drawn
# from "VPN pool". Because VPN clients sit in 192.168.0.x, LAN hosts reach them
# only through this router, so their replies pass the mangle/PCC rules like any
# other traffic to a non-local destination.
/ppp profile
add local-address="VPN pool" name=VPN-Profile remote-address="VPN pool"
# Fixed max-limit caps for 172.28.1.30 (the cafe access point per its DHCP
# lease) and for two further hosts.
/queue simple
add max-limit=10M/5M name="cafe" target=172.28.1.30/32
add max-limit=10M/10M name="tem speed" target=172.28.2.26/32,172.28.1.176/32
# PCQ queue types, one Download/Upload pair per rate. As written, the
# "-Download" types classify on src-address and the "-Upload" types on
# dst-address.
/queue type
add kind=pcq name=2Mbps-Download pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=2M pcq-src-address6-mask=
64
add kind=pcq name=2Mps-Upload pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=2M pcq-src-address6-mask=64
add kind=pcq name=5Mbps-Download pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=5M pcq-src-address6-mask=
64
add kind=pcq name=5Mbps-Upload pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=5M pcq-src-address6-mask=64
add kind=pcq name=10Mbps-Download pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=10M
pcq-src-address6-mask=64
# NOTE(review): pcq-rate=10 on the next entry has no M suffix, unlike its
# 10Mbps-Download sibling - confirm.
add kind=pcq name=10Mbps-Upload pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=10 pcq-src-address6-mask=64
add kind=pcq name=20Mbps-Download pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=20M
pcq-src-address6-mask=64
add kind=pcq name=20Mbps-Upload pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=20M pcq-src-address6-mask=
64
add kind=pcq name=3.5Mbps-Download pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=3500k
pcq-src-address6-mask=64
# NOTE(review): named 305Mbps-Upload, but pcq-rate=3500k matches the
# 3.5Mbps-Download entry above - presumably a typo in the name.
add kind=pcq name=305Mbps-Upload pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=3500k
pcq-src-address6-mask=64
# Simple queues built on the PCQ types: the two admin hosts get the 20M pair,
# and all of 172.28.0.0/16 gets the 2M pair.
/queue simple
add name="Admin" queue=20Mbps-Upload/20Mbps-Download target=172.28.1.22/32,172.28.1.72/32
add name="local users" queue=2Mps-Upload/2Mbps-Download target=172.28.0.0/16
# Turns on the PPTP server. PPTP's authentication and encryption
# (MS-CHAPv2 / MPPE) are considered broken, so this tunnel should not be relied
# on to protect access to the LAN. RouterOS also offers L2TP/IPsec, SSTP,
# OpenVPN and IKEv2, which are the usual replacements.
# The authentication methods do not appear in this export, so they are
# presumably at their defaults - confirm.
# NOTE(review): default-profile=default here, while the "hassan" secret selects
# VPN-Profile - confirm that is intended.
/interface pptp-server server
set default-profile=default enabled=yes
# Router addresses: 172.28.1.21/16 on LAN plus one public /29 per WAN
# (redacted by the poster).
/ip address
add address=172.28.1.21/16 interface=LAN network=172.28.0.0
add address=203.x.x.x/29 interface=WAN1 network=203.x.x.x
add address=203.x.x.x/29 interface=WAN2 network=203.x.x.x
add address=202.x.x.x/29 interface=WAN3 network=202.x.x.x
# Static DHCP leases for the two admin PCs and the cafe access point. The same
# addresses are referenced by the queues and by the admin mangle rules.
/ip dhcp-server lease
add address=172.28.1.22 comment=Hassan mac-address=EC:A8:6B:2A:F5:B7
add address=172.28.1.72 client-id=1:0:19:99:dd:e:2d comment="Sufiyan Admin" mac-address=00:19:99:DD:0E:2D
add address=172.28.1.30 client-id=1:3c:33:0:93:c8:f9 comment="Kickstart cafe AP" mac-address=3C:33:00:93:C8:F9 server=
dhcp1
# Options handed to DHCP clients: this router (172.28.1.21) as gateway and
# 8.8.8.8/8.8.4.4 as resolvers.
/ip dhcp-server network
add address=172.28.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=172.28.1.21
# Lets the router answer DNS queries from other hosts. The input chain in this
# export has no drop rule, so as written queries arriving on WAN1-WAN3 are
# answered too, which makes the router an open resolver usable for DNS
# amplification. DHCP clients are already given 8.8.8.8/8.8.4.4 directly, so
# either set allow-remote-requests=no or drop tcp/udp 53 on the input chain for
# the WAN interfaces.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Filter rules as exported. Only the first two rules are active; every forward
# rule carries disabled=yes, so no torrent blocking is in effect right now.
# Input chain: the two accept rules admit PPTP (GRE and tcp/1723), but no drop
# rule follows them, so all other traffic addressed to the router itself is
# accepted as well, on every interface including WAN1-WAN3.
# A defensive baseline would accept established/related, accept from LAN and
# from the VPN, accept what is needed from the WANs, then drop the rest of
# input. In forward, it would drop traffic arriving on a WAN that is not
# established/related.
/ip firewall filter
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=drop chain=forward comment=torrentsites disabled=yes layer7-protocol=torrentsites src-address=172.28.0.0/16
add action=drop chain=forward comment=dropDNS disabled=yes dst-port=53 layer7-protocol=torrentsites protocol=udp
src-address=172.28.0.0/16
# The content= rules below drop any packet from the LAN that contains the given
# plain string. Words such as "torrent" or "tracker" also occur in ordinary web
# pages, so expect false positives if these are enabled, and no effect on
# encrypted traffic.
add action=drop chain=forward comment=keyword_drop content=torrent disabled=yes src-address=172.28.0.0/16
add action=drop chain=forward comment=trackers_drop content=tracker disabled=yes src-address=172.28.0.0/16
add action=drop chain=forward comment=get_peers_drop content=getpeers disabled=yes src-address=172.28.0.0/16
add action=drop chain=forward comment=info_hash_drop content=info_hash disabled=yes src-address=172.28.0.0/16
add action=drop chain=forward comment=announce_peers_drop content=announce_peers disabled=yes src-address=172.28.0.0/16
# Two-step block (currently disabled): LAN hosts whose traffic matches
# layer7-bittorrent-exp are put on the Torrent-Conn list for 2 minutes unless
# they are on allow-bit. Listed hosts then lose tcp and udp to every port
# outside 0-1024 and the listed exceptions.
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward disabled=yes
layer7-protocol=layer7-bittorrent-exp src-address=172.28.0.0/16 src-address-list=!allow-bit
add action=drop chain=forward disabled=yes dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp
src-address-list=Torrent-Conn
add action=drop chain=forward disabled=yes dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp
src-address-list=Torrent-Conn
# PCC load balancing over the three WANs, in rule order:
#   1. accept: LAN traffic to the WAN subnets skips all marking.
#   2. connections arriving on a WAN get that WAN's connection mark.
#   3. new LAN connections to non-local destinations are split three ways with
#      per-connection-classifier=both-addresses.
#   4. routing marks are derived from the connection marks (prerouting for
#      traffic from LAN, output for the router's own traffic).
#   5. the two admin hosts are always given routing mark to_WAN1.
# NOTE(review): the VPN clients' addresses (192.168.0.10-192.168.0.50) are also
# "non-local" for steps 3-5. A reply from a LAN host to a VPN client enters on
# LAN and receives a WANx connection mark and routing mark. It is then looked
# up in a table whose only route, per /ip route, is that WAN's default gateway.
# That matches the reported symptom (the router answers ping, LAN hosts appear
# not to). Presumably an accept rule for the VPN range, placed with the three
# accept rules at the top, is what is missing. Constructed example:
#   add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=LAN
# Confirm on the router; host firewalls on the LAN PCs can also drop pings that
# come from another subnet.
/ip firewall mangle
add action=accept chain=prerouting dst-address=203.x.x.x/29 in-interface=LAN
add action=accept chain=prerouting dst-address=203.x.x.x/29 in-interface=LAN
add action=accept chain=prerouting dst-address=202.x.x.x/29 in-interface=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn
passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN3 new-connection-mark=WAN3_conn
passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=LAN
new-connection-mark=WAN1_conn per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=LAN
new-connection-mark=WAN2_conn per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=LAN
new-connection-mark=WAN3_conn per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN new-routing-mark=to_WAN1
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LAN new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN3_conn in-interface=LAN new-routing-mark=to_WAN3
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
add action=mark-routing chain=output connection-mark=WAN3_conn new-routing-mark=to_WAN3
# The two rules below have no in-interface or destination condition, so they
# set to_WAN1 on every prerouting packet sourced from the admin hosts,
# whatever its destination.
add action=mark-routing chain=prerouting comment="Hassan Admin to WAN-1 " new-routing-mark=to_WAN1 passthrough=yes
src-address=172.28.1.22
add action=mark-routing chain=prerouting comment="Sufiyan Admin to WAN-1" new-routing-mark=to_WAN1 passthrough=yes
src-address=172.28.1.72
# Source NAT: everything leaving through WAN1, WAN2 or WAN3 is masqueraded
# behind that interface's address. No dst-nat rules are defined.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
# One default route per routing mark (used by traffic marked in mangle),
# followed by three unmarked default routes with distances 1-3 for failover.
# Each marked table contains only a default route, so any packet carrying a
# routing mark leaves through a WAN gateway.
/ip route
add check-gateway=ping distance=1 gateway=203.x.x.x routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=203.x.x.x routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=202.x.x.x routing-mark=to_WAN3
add check-gateway=ping distance=1 gateway=203.x.x.x
add check-gateway=ping distance=2 gateway=203.x.x.x
# NOTE(review): the gateway below ends in a stray ".", presumably introduced
# when the address was redacted for posting.
add check-gateway=ping distance=3 gateway=202.x.x.x.
# Disables telnet, ftp and ssh. The other management services (winbox, www,
# api, api-ssl) do not appear in this export, so they are presumably still at
# their defaults. With no drop rule in the input chain they would then be
# reachable from the WAN side. Restrict them with address= on each service or
# with input filter rules, and move the router from the 6.41.4 release named in
# the export header to a currently supported RouterOS version.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
# Keeps the front-panel LCD backlight on permanently.
/lcd
set backlight-timeout=never
# The only VPN account, limited to service=pptp and bound to VPN-Profile.
# hide-sensitive removed the password from this export. With PPTP that password
# is the sole credential protecting the tunnel, so it needs to be long and
# unique.
/ppp secret
add name=hassan profile=VPN-Profile service=pptp
Looking forward to a solution.