Hi!
Previusly we had a simple cheap ADSL Router.
Then me moved to Mikrotik.
I’ve created simple src-nat rule to share the connection. Everything is working - only the VPN clients behind the MT give error #619 when trying to connect to VPNs outside the office.. What’s wrong? With the simple cheap ADSL router everything was working fine (without QoS).
I don’t drop any traffic in the firewall…
help-- my collegues are killing me 
tried also to reduce the MTU size, now my computers MTU is 1200 bytes.
try turning your MTU back up to 1480 (on the Mikrotik PPPoE interface), set your computers MTU’s back to default 1500, and add the following mangle rule…
/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1360 comment="" disabled=no
mea culpa…
I had to enable the pptp and gre service ports in the ip firewall menu…
But IMHO this name “service port” doesn’t mean that if this is disabled then drops the packets…
That’s strange, I use PPTP VPN’s and have those service ports disabled.. Isn’t that for the MT itself? We’re you trying to establish the VPN from the MT router? or a software VPN client behind the router?
::EDIT::
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port
unless you have some firewall rule that matches the connection type I don’t see where this would come into play.. but whatever works for you!
/ip firewall service-port helpers are needed for NAT traversal.
yes i realised… this GRE protocol doesn’t use the ‘port’, what’s needed by NAT so without helper it won’t go..
I think that this is the same situation, that behind NAT to be able to use active FTP ftp helper is also needed: ip_conntrack_ftp and others by linux…