Page 1 of 1

PPTP connection drops when user has Linksys wireless router

Posted: Tue Jul 08, 2008 12:15 am
by jonnchapman
I have a Mikrotik router that NAT's a Microsoft RRAS server at each of my offices. I recently upgraded the OS on 2 of the Mikrotik routers to 3.6 from 2.9 and began seeing the following problem: Users who have Linksys wireless routers at home can no longer maintain a VPN connection through the routers with the 3.x OS. I updated each router to 3.10 and double checked all of the configurations and still no luck. I have a Mikrotik at home and have no problems with the VPN but all users with Linksys can no longer VPN through any of the 3.x routers. One of my engineers has a Linksys router but uses a Linux OS rather than the shipped Linksys OS and his works ok so I suspect that somehting with the PPTP pass through on the Linksys is to blame.

Is there anything I can do on the Mikrotik OS to let users with Linksys routers at home use the VPN?

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Jul 08, 2008 3:20 pm
by sergejs
Check that you have PPTP enabled in 'ip firewall service-ports'.
Do you have bridge on the router, where PPTP is not going trough.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Jul 08, 2008 7:55 pm
by jonnchapman
There is no bridge, it is configured as a router. Here is a print of the firewall service-ports:

# NAME PORTS
0 ftp 21
1 tftp 69
2 irc 6667
3 h323
4 sip
5 pptp

Re: PPTP connection drops when user has Linksys wireless router

Posted: Wed Jul 09, 2008 3:36 pm
by sergejs
If you do not have any firewall rules I don't see the reason, why MikroTik router can block PPTP.
PPTP passthrough is working flawlessly in all V3.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Mon Dec 22, 2008 7:55 pm
by bluecrow76
I have had similar issues with PPTP passthrough since the introduction of V3, regardless of minor revision. I haven't been able to nail down the cause, but I will have 20 people in an organization and 18 of them will all work fine but two will not. We will perform firmware updates on their current router and the problem will still persist.

The only solution I have found has been to setup RAS authenticated PPTP server on the Mikrotik. This introduces other issues, but at least things work.

The moment I revert back to V2 of RouterOS the problems go away.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Mon Dec 22, 2008 8:58 pm
by jonnchapman
I have not figured this out yet; I have been sending the users with the problem to a router running version 2. I have considered adding Radius and using the PPTP server on the router. If you find a solution I sure would like to know.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Dec 23, 2008 2:17 pm
by sergejs
Perhaps check for the latest firmware on Lynksys router. We didn't receive any similar reports about PPTP passthrough and v3 routers.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Dec 23, 2008 8:33 pm
by jonnchapman
We have checked for the latest firmware on the Linksys routers but it did not make a difference. We have several clients with Mikrotik routers and various use configurations and the only thing that has solved the problem at any of the locations is to move the Mikrotik routers back to version 2.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Dec 30, 2008 3:13 pm
by sergejs
So, we need to check whether such setup is working,
PPTP-Client ---> MikroTik Router NAT ---> PPTP-server.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Dec 30, 2008 7:05 pm
by jonnchapman
The typical setup that fails is:

PPTP client is behind Linksysy router (we have tried various models with various firmware versions, the Linksys router works with Linux OS installed instead of Linksys OS)

Our router is Mikrotik version 3 OS using NAT to pass 1723 to our PPTP server

Our PPTP server is a Windows 2003 server with RRAS (all latest Microsoft updates are applied)

Re: PPTP connection drops when user has Linksys wireless router

Posted: Mon Jan 05, 2009 4:38 pm
by sergejs
PPTP additionally to 1723 TCP port uses GRE protocol, you need to NAT GRE (protocol 47) as well.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Mon Jan 05, 2009 5:54 pm
by dankerr
The typical setup that fails is:

PPTP client is behind Linksysy router (we have tried various models with various firmware versions, the Linksys router works with Linux OS installed instead of Linksys OS)

Our router is Mikrotik version 3 OS using NAT to pass 1723 to our PPTP server

Our PPTP server is a Windows 2003 server with RRAS (all latest Microsoft updates are applied)
There are known issues with the newer Linksys and PPTP vpn connections (do a google). It's hit or miss if it's going to work, I've seen the issue with MikroTik PPTP server, Microsoft RAS and a Firebox PPTP connection. I've also seen the same client work behind one Linksys and not another with the same configuration. In some cases enabling UPnP on the Linksys and affected client fixes the issue.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Mon Jan 05, 2009 9:21 pm
by jonnchapman
I have searched the web extensivley and found lots of hits but nothing has solved the problem except to rollback to Mikrotik version 2.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Jan 06, 2009 5:52 am
by jp
I would make sure connection tracking is on in your MT. We've seen pptp and ipsec stop working or never start if connection tracking isn't enabled. pptp is a connection oriented link, and ipsec needs it because it causes fragmentation.

I would update right to the latest MT OS for testing; you'd probably be fine doing that for a simple wired router.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Jan 06, 2009 8:59 am
by dankerr
I would make sure connection tracking is on in your MT. We've seen pptp and ipsec stop working or never start if connection tracking isn't enabled. pptp is a connection oriented link, and ipsec needs it because it causes fragmentation.

I would update right to the latest MT OS for testing; you'd probably be fine doing that for a simple wired router.
ROS v3.17 works just fine running PPTP on Mikrotik or with NAT to Microsoft RAS. We run it both ways without issue on x86 systems and RB1000. That is if NAT for both GRE and TCP 1723 are configured properly. Adding rules to allow all "related" and "establed" connections will help too (connection tracking needs to be enabled).

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Jan 06, 2009 10:50 pm
by jonnchapman
I am using version 3.17 with NAT to a Microsoft 2003 RRAS server and I have tried with and with out GRE. Perhaps I need some help with your advice "That is if NAT for both GRE and TCP 1723 are configured properly. Adding rules to allow all "related" and "establed" connections will help too (connection tracking needs to be enabled)." If you can provide an example of those configurations I would sure appreciate it.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Jan 06, 2009 11:29 pm
by dankerr
I am using version 3.17 with NAT to a Microsoft 2003 RRAS server and I have tried with and with out GRE. Perhaps I need some help with your advice "That is if NAT for both GRE and TCP 1723 are configured properly. Adding rules to allow all "related" and "establed" connections will help too (connection tracking needs to be enabled)." If you can provide an example of those configurations I would sure appreciate it.

/ip firewall filter
add action=accept chain=forward comment="Allow established connections" \
connection-state=established disabled=no
add action=accept chain=forward comment="Allow related connections" \
connection-state=related disabled=no
add action=accept chain=input comment="Allow established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Allow related connections" \
connection-state=related disabled=no
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT INcoming GRE - PPTP VPN" \
disabled=no in-interface=ether0-Public protocol=gre to-addresses=\
172.16.1.2
add action=dst-nat chain=dstnat comment=\
"NAT INcoming Port 1723 TCP - PPTP VPN" disabled=no dst-port=1723 \
in-interface=ether0-Public protocol=tcp to-addresses=172.16.1.2 \
to-ports=1723

Re: PPTP connection drops when user has Linksys wireless router

Posted: Sat Jan 24, 2009 4:25 am
by jonnchapman
Well I finally found some time to get back to this; I added the forward filter rules and tested again with the same results. I also updated the Mikrotik OS to 3.19.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Tue Mar 17, 2009 11:49 pm
by altere
Wondering if anyone has resolved this as we are having the same issue. Customers connecting to a VPN get disconnected within a matter of a few minutes or less. We will be upgrading to 3.22 later this evening to see if this resolves the problem.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Wed Mar 18, 2009 3:21 pm
by normis
enable PPTP debug logs and see what it says there
system logging add topics=pptp,debug action=memory 

Re: PPTP connection drops when user has Linksys wireless router

Posted: Wed Mar 18, 2009 5:10 pm
by enk
try to test your linksys router with native linux pptpd.
We have found similar problem with Zyxel P330W, when encryption enabled. But with linux pptpd this problem exists too.

Re: PPTP connection drops when user has Linksys wireless router

Posted: Sun Mar 22, 2009 2:43 am
by jonnchapman
normis; I have added the pptp debug logging, I will post back the results.

enk; I don't know what "native linux pptpd" is?

Re: PPTP connection drops when user has Linksys wireless router

Posted: Sun Mar 29, 2009 10:21 pm
by jonnchapman
macbeton; To reply to your post, I have already established that other (non-Linksys) firmware DOES resolve the problem, however I can't expect normal users who barley know what a router is to replace the shipped firmware on thier router with an open source firmaware to make it work with our Mikrotik routers. Your post is not helpful and inappropriate since you posted with an assumption that I had not alrady tried that.

Re: PPTP connection drops when user has Linksys wireless rou

Posted: Tue Jan 25, 2011 5:38 am
by pbcconsulting
Hello -

I can see that there's been little action on this thread for some time now - But I'm having a similar problem and I need some guidance... Here's the situation -

This is a Natted RB450G, with 2 x dstnat:

- PPTP (1723) to internal Microsoft RRAS server
- GRE to the same internal RRAS server

The firewall is set to accept input 1723 (TCP) as well as GRE.

I have 5 users connecting VPN:

- some can connect without any problems
- some connect but get disconnected after 1 or 2 minutes
- some simply cannot connect

And here's the catch:

The issue doesn't seem to be related to either a user's router or their ISP - why? Because if I replace this RB450G by a generic $79 Linksys with PPTP pass-thru enabled and forward of 1723, it works for everyone! :?

Any suggestion welcome -

Re: PPTP connection drops when user has Linksys wireless rou

Posted: Tue Jan 25, 2011 7:08 pm
by jonnchapman
Hello pbconsulting,

This topic has not had discussion in a while, it seems that Mikrotik is ignoring this issue. I did find two solutions, some might consider them to be workarounds rather than solutions but I think that solution one is a much better method of handling VPN.

1. Let the Mikrotik router be the VPN server. If you use an internal authentication system such as Active Directory, then setup RADIUS on the Mikrotik and IAS on the domain controller. I have found this to be better since I can use both local secrets on the Mikrotik and RADIUS simultaniously thus allowing me to connect even if RRAS is down.

2. Use any version of Mikrotik Router OS before 3.x, it was with 3.x that this problem surfaced. I still have 2.x routers out there that work just fine for basic configurations so the older version is not a problem.

I hope that helps...

Re: PPTP connection drops when user has Linksys wireless rou

Posted: Wed Feb 02, 2011 5:34 pm
by pbcconsulting
@jonnchapman

Hey John - Thanks for your reply.

I have created a new thread for this issue:

http://forum.mikrotik.com/viewtopic.php ... 08#p247908

Like you, I have come to the conclusion that I am better off having the RB450G do the PPTP server job and authenticate with RADIUS against IAS. :)

I identified (part of) the issue: Cisco-based firmware (such as linksys or PIX routers) located at the tunnel origin (such as end users's home routers). It seems the issue occurs from a certain inability of the part of Microtik routers (recent firmware) to correctly deal with GRE encapsulation initiating from such Cisco-based firmware? Or else the combination of double NAT with GRE encapsulation? I can't tell for sure... A very patient man at Microtik would need to test this with Wireshark ;-)

The issue doesn't happen with other common ISP routers that I have tested - thanks to my users (Netgear, DD-WRT, Verizon-branded ActionTec, SpeedTouch, etc...)

Cheers - Phil.

Re: PPTP connection drops when user has Linksys wireless rou

Posted: Tue Feb 26, 2013 9:33 pm
by sjoram
Just to advise that I seem to be having PPTP VPN on 2k3 server dropping after around 30-45mins of running OK using a RB750.