Hi,
I’m trying to set up a pptp VPN server on my mikrotik router (RB2011UiAS-2HnD-IN using firmware V6.18), read and tried a lot of examples to do this, but it is still not working as it is supposed to work. So I was hoping that you guys could help me.
Situation (how I would like to see it function):
Some VPN users (using the “profile-pptp-fysio” profile) can only connect to one terminal server (192.168.10.54). Other VPN users (using the “profile-pptp” profile) should be able to connect to the whole 192.168.10.x range.
So I created the profiles, created some users/secrets using these profiles, added some dynamic filters, created a VPN pool (192.168.11.100 - 192.168.11.199), opened some ports and added the jump (to PPP) and dynamic filter/chain rules.
But with the following settings, the users can connect, the 2 dynamic filters are created at the bottom of the firewall page, but there is no traffic going through these filters whatsoever. What am I doing wrong?
The priority is to have the “profile-pptp-fysio” profile users connected limited with only access to the terminal server (that's why only the filters for this profile are created).
ppp profiles
Flags: * - default
0 * name="default" use-mpls=default use-compression=default
use-vj-compression=default use-encryption=default only-one=default
change-tcp-mss=yes address-list=""
1 name="profile-PPPoE-KPN" use-mpls=default use-compression=default
use-vj-compression=default use-encryption=default only-one=default
change-tcp-mss=yes address-list=""
2 name="profile-pptp" local-address=192.168.11.1 remote-address=pool_VPN
use-mpls=default use-compression=default use-vj-compression=default
use-encryption=no only-one=default change-tcp-mss=default
incoming-filter=ppp.filter.in outgoing-filter=ppp.filter.out
address-list="" dns-server=192.168.10.1
3 name="profile-pptp-fysio" local-address=192.168.11.1
remote-address=pool_VPN use-mpls=default use-compression=default
use-vj-compression=default use-encryption=no only-one=default
change-tcp-mss=default incoming-filter=ppp.fysio.filter.in
outgoing-filter=ppp.fysio.filter.out address-list=""
dns-server=192.168.10.1
4 * name="default-encryption" use-mpls=default use-compression=default
ip firewall filter
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; ICMP (ping)
chain=icmp action=accept protocol=icmp icmp-options=0:0-255
1 X chain=icmp action=accept protocol=icmp icmp-options=3:0-255
2 X chain=icmp action=accept protocol=icmp icmp-options=4:0-255
3 X chain=icmp action=accept protocol=icmp icmp-options=8:0-255
4 X chain=icmp action=accept protocol=icmp icmp-options=11:0-255
5 X chain=icmp action=accept protocol=icmp icmp-options=12:0-255
6 X chain=icmp action=drop
7 ;;; accept ping
chain=input action=accept protocol=icmp
8 ;;; FTP bruteforce prevention to the router
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist
dst-port=21
9 ;;; Router protection drop invalid
chain=input action=drop connection-state=invalid
10 ;;; accept related
chain=input action=accept connection-state=related
11 ;;; accept established
chain=input action=accept connection-state=established
12 ;;; allow network access except from PPPoE_KPN
chain=input action=accept src-address=192.168.10.0/24
in-interface=!pppoe-KPN
13 ;;; allow network access except from PPPoE_KPN
chain=input action=accept src-address=192.168.124.0/24
in-interface=!pppoe-KPN
14 ;;; Mikrotik VPN accept TCP 1723
chain=input action=accept protocol=tcp dst-port=1723
15 ;;; Mikrotik VPN accept GRE
chain=input action=accept protocol=gre
16 ;;; drop all other input
chain=input action=drop
17 ;;; fysio VPN accept connections to fysioserver
chain=ppp.fysio.filter.in action=accept dst-address=192.168.10.54
18 ;;; fysio VPN block all other incoming connections
chain=ppp.fysio.filter.in action=drop
19 ;;; fysio VPN block all outgoing connections
chain=ppp.fysio.filter.out action=drop
20 ;;; accept established
chain=forward action=accept connection-state=established
21 ;;; accept related
chain=forward action=accept connection-state=related
22 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid
23 ;;; Block fysioserver network access
chain=forward action=drop src-address=192.168.10.54
24 ;;; VPN access fysio server
chain=forward action=accept src-address=192.168.11.0/24
25 ;;; block network access from the fysioserver
chain=forward action=drop src-address=192.168.10.54
out-interface=!pppoe-KPN
26 X ;;; Forward GRE protocol
chain=forward action=accept protocol=gre in-interface=pppoe-KPN
27 X ;;; Fysio Server
chain=forward action=accept src-address=192.168.124.2
out-interface=pppoe-KPN
28 ;;; PPP chains - in and out
chain=forward action=jump jump-target=ppp
ip firewall nat
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow internet on LAN
chain=srcnat action=masquerade to-addresses=0.0.0.0
out-interface=pppoe-KPN
1 ;;; Mikrotik VPN
chain=dstnat action=accept protocol=tcp dst-port=1723
2 chain=dstnat action=accept protocol=gre
edit: added software version of the router
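The question hinges on rule order in the forward chain, so here is an added example (not the poster's export and not RouterOS code) that replays the posted forward-chain rules and the profile filter chains through a small first-match evaluator. It assumes that RouterOS represents a profile's incoming-filter/outgoing-filter as dynamic jump rules in the "ppp" chain keyed on the user's PPP interface; the interface names "<pptp-fysio>" and "ether2-LAN", the client address 192.168.11.100 and the packet itself are constructed for the example.

```python
"""
Toy first-match evaluator for a RouterOS-style filter table (added example).

It walks a chain in order, applies the first matching rule, follows jumps and
falls through when a jumped-to chain ends without a verdict, which is the same
order of evaluation as RouterOS/iptables. The dynamic rules that RouterOS adds
to the "ppp" chain for a profile's incoming-filter / outgoing-filter are
modelled here as per-interface jump rules; that shape is an assumption.
"""
import ipaddress


def _ip_in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def _iface_match(spec, actual):
    # RouterOS "!name" means every interface except name.
    return actual != spec[1:] if spec.startswith("!") else actual == spec


MATCHERS = {
    "src-address": lambda v, pkt: _ip_in(pkt["src"], v),
    "dst-address": lambda v, pkt: _ip_in(pkt["dst"], v),
    "protocol": lambda v, pkt: pkt["protocol"] == v,
    "connection-state": lambda v, pkt: pkt["state"] == v,
    "in-interface": lambda v, pkt: _iface_match(v, pkt["in"]),
    "out-interface": lambda v, pkt: _iface_match(v, pkt["out"]),
}


def rule(chain, action, comment="", jump_target=None, **match):
    # Matcher names are given with underscores and mapped to RouterOS spelling.
    return {"chain": chain, "action": action, "comment": comment,
            "jump-target": jump_target,
            "match": {k.replace("_", "-"): v for k, v in match.items()}}


def rule_matches(r, pkt):
    return all(MATCHERS[k](v, pkt) for k, v in r["match"].items())


def evaluate(rules, chain, pkt, trail=None):
    """Return (verdict or None, list of rule comments hit on the way)."""
    trail = [] if trail is None else trail
    for idx, r in enumerate(rules):
        if r["chain"] != chain or not rule_matches(r, pkt):
            continue
        trail.append(r["comment"] or f"{chain}#{idx}")
        if r["action"] in ("accept", "drop"):
            return r["action"], trail
        if r["action"] == "jump":
            verdict, trail = evaluate(rules, r["jump-target"], pkt, trail)
            if verdict is not None:
                return verdict, trail
    return None, trail


def forward_verdict(rules, pkt):
    """A built-in chain with no matching rule accepts by default."""
    verdict, trail = evaluate(rules, "forward", pkt)
    return (verdict or "accept"), trail


# Enabled forward rules from the post (numbers are the post's rule numbers),
# followed by the assumed dynamic jumps for a connected user of
# "profile-pptp-fysio" and the posted profile filter chains.
POSTED = [
    rule("forward", "accept", "20 accept established", connection_state="established"),
    rule("forward", "accept", "21 accept related", connection_state="related"),
    rule("forward", "drop", "22 drop invalid connections", connection_state="invalid"),
    rule("forward", "drop", "23 Block fysioserver network access", src_address="192.168.10.54"),
    rule("forward", "accept", "24 VPN access fysio server", src_address="192.168.11.0/24"),
    rule("forward", "drop", "25 block network access from the fysioserver",
         src_address="192.168.10.54", out_interface="!pppoe-KPN"),
    rule("forward", "jump", "28 PPP chains - in and out", jump_target="ppp"),
    rule("ppp", "jump", "dyn in", jump_target="ppp.fysio.filter.in", in_interface="<pptp-fysio>"),
    rule("ppp", "jump", "dyn out", jump_target="ppp.fysio.filter.out", out_interface="<pptp-fysio>"),
    rule("ppp.fysio.filter.in", "accept", "17 fysio VPN accept connections to fysioserver",
         dst_address="192.168.10.54"),
    rule("ppp.fysio.filter.in", "drop", "18 fysio VPN block all other incoming connections"),
    rule("ppp.fysio.filter.out", "drop", "19 fysio VPN block all outgoing connections"),
]


def vpn_packet(dst, in_iface="<pptp-fysio>"):
    # Constructed: first packet of a new TCP connection from a pool address to the LAN.
    return {"src": "192.168.11.100", "dst": dst, "protocol": "tcp",
            "state": "new", "in": in_iface, "out": "ether2-LAN"}


def reordered(rules):
    """Same rules with the jump to 'ppp' moved ahead of the blanket VPN accept (24)."""
    jump = next(r for r in rules if r["action"] == "jump" and r["jump-target"] == "ppp")
    rest = [r for r in rules if r is not jump]
    i = next(i for i, r in enumerate(rest) if r["comment"].startswith("24 "))
    return rest[:i] + [jump] + rest[i:]


if __name__ == "__main__":
    for label, table in (("as posted", POSTED), ("jump before rule 24", reordered(POSTED))):
        for dst in ("192.168.10.54", "192.168.10.10"):
            verdict, trail = forward_verdict(table, vpn_packet(dst))
            print(f"{label:20} -> {dst}: {verdict:6} via {' > '.join(trail)}")
```

Running it shows why the profile filter chains never see traffic: a new connection from a pool address matches rule 24 (accept src 192.168.11.0/24) before it reaches the jump to ppp in rule 28, so the dynamic jump and the ppp.fysio.filter.in chain are never consulted and every VPN user gets the whole LAN. With the jump ahead of rule 24 the same packet to 192.168.10.10 is dropped by rule 18 and a packet to the terminal server 192.168.10.54 is accepted by rule 17, which is the behaviour the profile was meant to give.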