
PPTP connections cannot access local subnet

Posted: Tue May 08, 2007 10:19 pm
by isaac509
Hello -

I followed the PPTP instructions posted on the Wiki, and I have a successful connection from a WinXP client to the Mikrotik. I can route traffic to the Internet, and I can successfully ping the local address of the Mikrotik (

However, I cannot access any of the other addresses in the subnet. Some previous help on this forum refers to proxy-arp, and I believe that I have that turned on:

Flags: X - disabled, R - running
0 R WAN 1500 00:40:F4:B8:45:43 enabled
1 R ether2 1500 00:40:F4:B8:45:42 enabled
2 R LAN 1500 00:40:F4:B8:45:41 enabled
[admin@MikroTik] interface ethernet> /interface bridge
[admin@MikroTik] interface bridge> print
Flags: X - disabled, R - running
0 R name="lan" mtu=1500 arp=proxy-arp mac-address=00:40:F4:B8:45:43 stp=no
priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@MikroTik] interface bridge>

(ether2 is not connected to anything)

The WinXP box seems to know the correct route:

C:\Documents and Settings\isaac>tracert

Tracing route to over a maximum of 30 hops

1 13 ms 13 ms 13 ms

Trace complete.

C:\Documents and Settings\isaac>tracert

Tracing route to over a maximum of 30 hops

1 15 ms 14 ms 13 ms
2 * * * Request timed out.
3 *

I fear that I'm running into a problem with the interface names, or missing something obvious. I have triple-checked the config as posted in the Wiki and I do not believe I have any typo errors.

Any advice would be appreciated, thank you!

- Isaac

Posted: Wed May 09, 2007 8:26 am
by usrox
I have similar problems, and I use NAT to reach the local network:

chain=srcnat out-interface=eth-local
src-address=10.xx.xx.82-10.xx.xx.85 action=src-nat
to-addresses=10.xx.xx.80 to-ports=0-65535

chain=srcnat out-interface=eth-gateway
src-address=10.xx.xx.82-10.xx.xx.85 action=src-nat
to-addresses=[public-ip] to-ports=0-65535

(10.xx.xx.82-10.xx.xx.85 -> vpn client ip)

Posted: Wed May 09, 2007 10:23 am
by winxp2000
OK usrox:

As you know, you make a PPTP connection to a network.

But I do not know what type of IP you got from MT.

You can run the command in the WinXP command window as follows:


Maybe you will find the IP and subnet as


OK, the problem is here.

The solution is just to change the VPN client IP to another net segment,

such as 192.168.112.X,

and make a new NAT rule for it.

Posted: Wed May 09, 2007 1:50 pm
by usrox
My VPN client IPs (IP pool) are in the same segment as my local network, 10.xx.xx.82-10.xx.xx.85. I just added the 2 NAT rules from my post before and it works perfectly.

NAT rules did not work

Posted: Thu May 10, 2007 10:26 pm
by isaac509
USRox, I was very excited to see your response, but this did not work :(

Here is my config:

[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=WAN action=masquerade

1 chain=srcnat out-interface=LAN src-address=
action=src-nat to-addresses=

2 chain=srcnat out-interface=WAN src-address=
action=src-nat to-addresses= to-ports=0-65535

.. where is my PPTP range, and is my WAN IP address.

Did I miss something?


- Isaac

Posted: Fri May 11, 2007 7:26 am
by usrox
For your first rule, try changing to-addresses= to something like to-addresses= <-- a local IP on your local interface


Posted: Sat May 12, 2007 4:32 am
by isaac509

So, I tried modifying the rule as USRox recommended, but I wasn't getting it. When USRox said 'local IP on local interface' I didn't understand that he meant 'some unused IP that is not in your PPTP pool'.

A guy in our NOC explained it to me: PPTP can get tricky, because even though your PPTP pool can be in your local LAN subnet, it has no layer 2 connection to that subnet. Therefore, ARP requests for 'local' addresses don't go anywhere, even though it might be assumed that they could, since everybody is on the same subnet.

There are two ways around that: you can either NAT your VPN traffic through a local address that is otherwise unused, to establish a layer 3 -> layer 2 bridge, or you can turn on proxy-ARP on the LAN and WAN interfaces.

I tried proxy-ARP and everything started working, even without the NAT rules. :D

I will note that one of the FAQ entries I encountered on this site early on implied this, but the actual Forum post was a 404 so I charged off in a different direction.

I hope this explanation makes sense and is not factually incorrect.

My next challenge is to establish working IPSec tunnels to a few Netgear FVS318 routers elsewhere on the network. I have sessions up but no traffic is passing yet.

Thanks to everybody who considered this, especially USRox for trying to show me the answer.

I'm really happy with the Mikrotik, it's flexible, reasonably easy to configure and once I get this IPSec problem out of the way I'll be able to retire my Pix 501's and Netgear FVS318's!


- Isaac
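
The two fixes discussed in this thread, written out as a complete RouterOS console example. This is an added illustration, not configuration from any of the posters; the interface names (bridge "lan", ethernet "LAN"), the LAN subnet 192.168.1.0/24, the router address 192.168.1.1 and the pool 192.168.1.200-192.168.1.209 are assumed placeholders. The point worth checking first is which interface actually holds the LAN address: proxy-ARP has to be on that interface, because it is the one on which LAN hosts send their ARP queries for the PPTP clients' addresses. Enabling it on the WAN port as well, as the post above did, does nothing for LAN reachability and only makes the router answer ARP on the ISP segment for addresses it routes, so it is left off here.

```routeros
# Added example (not from the thread). All addresses and interface names
# are assumptions for illustration.

# 1. Find the interface that carries the LAN subnet. Proxy-ARP must go on
#    THIS interface; putting it on the bridge does not help if the LAN
#    address is on a plain ethernet port, and vice versa.
/ip address print

# 2. PPTP pool carved out of the LAN subnet (assumed 192.168.1.0/24).
#    Exclude these addresses from any DHCP server on the LAN to avoid
#    duplicate-address conflicts.
/ip pool add name=pptp-pool ranges=192.168.1.200-192.168.1.209

# 3. PPP profile: local-address is the router's LAN IP (assumed .1),
#    remote-address hands clients an address from the pool.
/ppp profile set default local-address=192.168.1.1 remote-address=pptp-pool

# 4. Enable the PPTP server with that profile.
/interface pptp-server server set enabled=yes default-profile=default

# 5. Fix A: proxy-ARP on the LAN-facing interface only. The router then
#    answers LAN hosts' ARP requests for pool addresses with its own MAC
#    and forwards the frames over the PPP link.
/interface bridge set lan arp=proxy-arp
# If step 1 showed the LAN address on the ethernet port instead:
# /interface ethernet set LAN arp=proxy-arp

# 6. Fix B (instead of A): source-NAT the PPTP clients to the router's own
#    LAN address, which is what the NAT rules earlier in the thread do.
#    LAN hosts then reply to 192.168.1.1, which needs no ARP trickery,
#    but every VPN client now appears as the router in LAN hosts' logs and
#    per-host firewall rules.
# /ip firewall nat add chain=srcnat src-address=192.168.1.200-192.168.1.209 \
#     out-interface=lan action=src-nat to-addresses=192.168.1.1

# 7. Verification after a client connects: the client's pool address should
#    show as an active PPTP session, and, with fix A, a LAN host's ARP entry
#    for that address should resolve to the router's LAN MAC.
/interface pptp-server print
/ip arp print
```

Whichever fix is used, keep the pool addresses out of the LAN DHCP range and out of any "trusted LAN" firewall rule that matches on subnet alone; with either fix, traffic from a dial-in client is indistinguishable from an on-link host to anything that only checks the source address.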

.. and now that I think about it...

Posted: Sat May 12, 2007 4:49 am
by isaac509
'winxp2000' was on the right track as well.

I surmise that changing the PPTP pool to a different logical subnet from the local one would probably establish the same layer 3 -> layer 2 bridge, but I'm not going to try it because things are working properly now.


- Isaac