[SOLVED] PPTP Server problem

Hi,
I want to set up the PPTP server on RouterOS 5.22. I have done the following:
Enabled the PPTP server
Set the PPTP IP Pool
Set the PPTP Profile
Set the PPTP Secret
Enabled the PPTP service port
Added the two firewall rules for pptp and gre

I can connect to the PPTP server from inside my LAN, but when trying to connect through the WAN I see packets counting on the PPTP firewall rule but not on the GRE rule, and I can’t connect.

Disable all filter rules and check the log.

Set up ‘proxy-arp’ on local/LAN interface instead of ‘enabled’.

HTH,

On every LAN interface? Because I have many LAN interfaces.

I checked the log with the firewall rules enabled and disabled, but nothing to do with PPTP has come up in the log, although I enabled PPTP logging.

The ARP setting wouldn’t stop the PPTP connection from being made.

Are the two relevant filters set up as input filters allowing:

TCP to port 1723 from the WAN interface?
GRE (protocol 47) from the WAN interface?

This is my firewall conf:
/ip firewall filter
add action=accept chain=input disabled=no protocol=icmp
add action=accept chain=input connection-state=new disabled=no dst-port=1723 in-interface=OTEnet6x protocol=tcp
add action=accept chain=input disabled=yes dst-port=1194 protocol=tcp
add action=accept chain=input disabled=no in-interface=OTEnet6x protocol=gre
add action=accept chain=input connection-state=established disabled=no
add action=drop chain=input connection-state=invalid disabled=no
add action=accept chain=input connection-state=related disabled=no

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no ports=1723


The PPTP service port is written in red letters in the terminal. Do you know why?

The service port entry should not be needed to have PPTP running directly on RouterOS.

Can you try removing the new connection-state qualification on this rule:



add action=accept chain=input connection-state=new disabled=no dst-port=1723 in-interface=OTEnet6x protocol=tcp

I removed the new connection state from the rule but no luck.

Does the WAN port have a public IP on it?

Yes, it has. My setup is as follows:
eth8 is connected to an ADSL modem in RFC1483 bridge mode.
The PPPoE client interface is set on eth8.

Something is wrong with this routerboard/configuration. I set up another routerboard at another location with a similar configuration (firewall rules etc.) and was able to connect to the VPN server.
Also, on the new routerboard I can connect to Webfig, SSH, etc. through the WAN interface, but on the old routerboard I cannot. And all this with the routerboards having the same firewall rules.

Howdy,

MTU issue?

I have had cases where I need to adjust the MTU from 1460 down to 1430 before it connects.

Just a suggestion.

Dave.

Nope, no luck with MTU change.

I’m having the same problem on my end. Tried all of the above as well. The difference is I had mine working for a week, then it suddenly stopped. I have a co-worker with an identical config other than the public IP, and his works fine. Same versions and everything.

I finally resolved this on my end. The problem was that I specified port 1723 in ip>firewall>services for PPTP. This was causing it to block GRE for some reason. I enabled the PPTP service but left the port blank, and it fixed the problem.

Finally I found the problem. I selected the add default route on my PPPoE client interface. I hadn’t done that because of many different PPPoE client interfaces and using mangle & static routing rules. Everything works fine now.
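
An added example, not part of the thread or written by any poster: a small first-match evaluator for the `/ip firewall filter` rules posted above, used to check whether the input chain admits PPTP control (TCP 1723) and GRE from the WAN interface. The function names are hypothetical, and it handles only the matchers that appear in the posted rules (no negation, port ranges or address matchers).

```python
# Filter rules exactly as posted in the thread (RouterOS 5.x export syntax).
EXPORT = """\
add action=accept chain=input disabled=no protocol=icmp
add action=accept chain=input connection-state=new disabled=no dst-port=1723 in-interface=OTEnet6x protocol=tcp
add action=accept chain=input disabled=yes dst-port=1194 protocol=tcp
add action=accept chain=input disabled=no in-interface=OTEnet6x protocol=gre
add action=accept chain=input connection-state=established disabled=no
add action=drop chain=input connection-state=invalid disabled=no
add action=accept chain=input connection-state=related disabled=no
"""

def parse_rules(export):
    """Turn 'add key=value ...' lines into dicts; other lines are skipped."""
    rules = []
    for line in export.splitlines():
        tokens = line.split()
        if tokens[:1] == ["add"]:
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def matches(rule, pkt):
    """A rule matches when it is enabled and every matcher it sets agrees."""
    if rule.get("disabled") == "yes" or rule.get("chain") != pkt["chain"]:
        return False
    for key in ("protocol", "in-interface", "connection-state", "dst-port"):
        if key in rule and pkt.get(key) not in rule[key].split(","):
            return False
    return True

def verdict(rules, pkt):
    """First terminating rule wins; RouterOS accepts if nothing matches."""
    for rule in rules:
        if matches(rule, pkt) and rule.get("action") in ("accept", "drop", "reject"):
            return rule["action"]
    return "accept"

def pptp_verdicts(rules, wan):
    """Probe the input chain with a new PPTP control packet and a GRE packet."""
    base = {"chain": "input", "in-interface": wan, "connection-state": "new"}
    return {
        "tcp/1723": verdict(rules, {**base, "protocol": "tcp", "dst-port": "1723"}),
        "gre": verdict(rules, {**base, "protocol": "gre"}),
    }

if __name__ == "__main__":
    print(pptp_verdicts(parse_rules(EXPORT), "OTEnet6x"))
```

On the posted rules both probes come back `accept`, which fits the thread's outcome that the filter was not what blocked the connection. The same check reports `drop` for GRE once that rule is disabled and the chain ends in a catch-all drop.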