 
rxrxrx
Frequent Visitor
Topic Author
Posts: 95
Joined: Fri Mar 13, 2009 4:45 pm

mikrotik -> mikrotik pptp problem

Mon Nov 14, 2011 1:23 pm

Hello, I've a RouterBOARD 450G at HQ, used as a VPN server (PPTP);
it has about 50 users, and they had no problem until now.

In a branch office, I replaced the Linux router with a MikroTik (450G again). It does not do much, just DHCP and NAT for internet access.

But I noticed that, from that branch office, only one user can connect to the HQ PPTP service.

That does not happen if the client's gateway is not a MikroTik.

Any ideas on that?
 
cieplik206
Trainer
Posts: 290
Joined: Sun Jul 01, 2007 12:25 am

Re: mikrotik -> mikrotik pptp problem

Tue Nov 15, 2011 1:11 pm

Looks like a NAT problem; maybe you could establish PPTP directly from the MikroTik?
 
sadeghrafie
Long time Member
Posts: 514
Joined: Sat Nov 14, 2009 11:28 am
Location: Bushehr, IRAN

Re: mikrotik -> mikrotik pptp problem

Tue Nov 15, 2011 1:32 pm

It is so strange that you say "only one user can connect to HQ pptp service".
You did not tell enough about your configuration. BTW, check your config against http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP
 
cieplik206
Trainer
Posts: 290
Joined: Sun Jul 01, 2007 12:25 am

Re: mikrotik -> mikrotik pptp problem

Tue Nov 15, 2011 10:35 pm

Are you blocking any traffic in the forward chain somehow?
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: mikrotik -> mikrotik pptp problem

Wed Nov 16, 2011 12:19 am

> Hello, I've a RouterBOARD 450G at HQ, used as a VPN server (PPTP);
> it has about 50 users, and they had no problem until now.
>
> In a branch office, I replaced the Linux router with a MikroTik (450G again). It does not do much, just DHCP and NAT for internet access.
>
> But I noticed that, from that branch office, only one user can connect to the HQ PPTP service.
>
> That does not happen if the client's gateway is not a MikroTik.
>
> Any ideas on that?

This is an issue with PPTP and NAT, or more specifically GRE tunnels and NAT.

PPTP is comprised of two connections, a TCP control channel (1723) and a GRE data channel.
TCP NAT uses four identifiers to track a unique connection: source port, source IP, destination port, destination IP.

Let's say, for example, two PCs behind a NAT router both connect to the same server over TCP. As the packets pass through the router, SNAT (masquerade) changes the source IP to that of the NAT router. Even though the source IP (WAN), destination IP (remote server), and destination port (service port, e.g. 80, 443) are the same, the source port is different, so two independent connections are tracked. When the packets return, conntrack uses the now-destination port (previously the source port) to determine which packets get directed to which private IP.

The problem with GRE is that it lacks port definitions, so conntrack can only use source and destination IP. When multiple PCs make multiple GRE connections to the same destination IP, conntrack has no way to differentiate between sessions. Now, GRE does have a unique connection identifier (the Key field), but few NAT implementations know how to use it.

The reason your Linux router worked is that, as of kernel 2.6.14, a netfilter patch became available to use the GRE key in addition to source and destination ports. These are the ip_nat_pptp and ip_conntrack_pptp modules. Perhaps we could ask MikroTik nicely and see if they can implement this feature in NAT and conntrack.

The only real workaround is moving to L2TP, which uses UDP in place of GRE.

All that aside, have you looked into a site-to-site VPN? The big advantage is you can route specific traffic over the VPN and use the local endpoint's internet for other internet traffic (akin to Cisco's split-tunnel VPN). This may not be desired depending on your application, but in typical deployments it provides better performance when all of the remote users' web browsing traffic doesn't have to go through the VPN.
 
rxrxrx
Frequent Visitor
Topic Author
Posts: 95
Joined: Fri Mar 13, 2009 4:45 pm

Re: mikrotik -> mikrotik pptp problem

Wed Nov 16, 2011 12:33 am

> > Hello, I've a RouterBOARD 450G at HQ, used as a VPN server (PPTP);
> > it has about 50 users, and they had no problem until now.
> >
> > In a branch office, I replaced the Linux router with a MikroTik (450G again). It does not do much, just DHCP and NAT for internet access.
> >
> > But I noticed that, from that branch office, only one user can connect to the HQ PPTP service.
> >
> > That does not happen if the client's gateway is not a MikroTik.
> >
> > Any ideas on that?
>
> This is an issue with PPTP and NAT, or more specifically GRE tunnels and NAT.
>
> PPTP is comprised of two connections, a TCP control channel (1723) and a GRE data channel.
> TCP NAT uses four identifiers to track a unique connection: source port, source IP, destination port, destination IP.
>
> Let's say, for example, two PCs behind a NAT router both connect to the same server over TCP. As the packets pass through the router, SNAT (masquerade) changes the source IP to that of the NAT router. Even though the source IP (WAN), destination IP (remote server), and destination port (service port, e.g. 80, 443) are the same, the source port is different, so two independent connections are tracked. When the packets return, conntrack uses the now-destination port (previously the source port) to determine which packets get directed to which private IP.
>
> The problem with GRE is that it lacks port definitions, so conntrack can only use source and destination IP. When multiple PCs make multiple GRE connections to the same destination IP, conntrack has no way to differentiate between sessions. Now, GRE does have a unique connection identifier (the Key field), but few NAT implementations know how to use it.
>
> The reason your Linux router worked is that, as of kernel 2.6.14, a netfilter patch became available to use the GRE key in addition to source and destination ports. These are the ip_nat_pptp and ip_conntrack_pptp modules. Perhaps we could ask MikroTik nicely and see if they can implement this feature in NAT and conntrack.
>
> The only real workaround is moving to L2TP, which uses UDP in place of GRE.
>
> All that aside, have you looked into a site-to-site VPN? The big advantage is you can route specific traffic over the VPN and use the local endpoint's internet for other internet traffic (akin to Cisco's split-tunnel VPN). This may not be desired depending on your application, but in typical deployments it provides better performance when all of the remote users' web browsing traffic doesn't have to go through the VPN.

Thanks for the detailed information!

Yes, I've moved to a site-to-site tunnel with L2TP as a workaround, by the way.

How do we ask MikroTik for a feature request? Using the forums/bugtracker, if one exists?
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: mikrotik -> mikrotik pptp problem

Thu Nov 17, 2011 12:23 am

> How do we ask MikroTik for a feature request? Using the forums/bugtracker, if one exists?

I created a feature request here:
http://forum.mikrotik.com/viewtopic.php?f=1&t=56780
 
cieplik206
Trainer
Posts: 290
Joined: Sun Jul 01, 2007 12:25 am

Re: mikrotik -> mikrotik pptp problem

Thu Nov 17, 2011 12:58 am

In fact, there is that feature already.

It is called NAT helper.

In fact, in my network I have two sessions of PPTP behind NAT.
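To make concrete what CCDKP explains earlier in the thread (conntrack can key TCP on the four address/port identifiers, but plain GRE only on the address pair) and what the NAT helper mentioned in this reply changes, here is an added toy model in Python. It is not code from the thread, from RouterOS or from netfilter. The class and function names, the documentation-range addresses and the use of a single call ID per session are constructed assumptions; the real PPTP helper learns two call IDs (one per direction) from the TCP 1723 control channel instead of the one identifier used here.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "gre"
    src: str
    dst: str
    sport: int = 0      # TCP source port
    dport: int = 0      # TCP destination port
    call_id: int = 0    # GRE key / PPTP call ID in the enhanced GRE header


class MasqueradeTracker:
    """Source-NAT connection table keyed the way the thread describes conntrack.

    Hypothetical model, not RouterOS or netfilter code. Each entry is stored under
    its reply-direction key (the tuple a packet coming back from the server will
    carry) and maps to the private host that owns the session.
    """

    def __init__(self, wan_ip: str, pptp_helper: bool = False):
        self.wan_ip = wan_ip
        self.pptp_helper = pptp_helper       # True = PPTP/GRE NAT helper enabled
        self.table: Dict[Tuple, str] = {}
        self.next_port = 40000               # pool for rewritten TCP source ports

    def _reply_key(self, pkt: Packet, public_port: int) -> Tuple:
        if pkt.proto == "tcp":
            # TCP: the four identifiers from the post (protocol added for clarity)
            return ("tcp", pkt.dst, pkt.dport, self.wan_ip, public_port)
        if self.pptp_helper:
            # Helper (ip_conntrack_pptp-style): address pair plus the GRE call ID
            return ("gre", pkt.dst, self.wan_ip, pkt.call_id)
        # Plain GRE: no ports, so only the address pair is available
        return ("gre", pkt.dst, self.wan_ip)

    def outbound(self, pkt: Packet) -> bool:
        """Install a NAT entry for a LAN->WAN packet; False = not uniquely trackable."""
        public_port = pkt.sport
        key = self._reply_key(pkt, public_port)
        owner = self.table.get(key)
        if owner is not None and owner != pkt.src:
            if pkt.proto != "tcp":
                # GRE without the helper: a second client to the same server collides
                return False
            # TCP: masquerade simply picks another public source port
            public_port, self.next_port = self.next_port, self.next_port + 1
            key = self._reply_key(pkt, public_port)
        self.table[key] = pkt.src
        return True

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Find the private host a WAN->LAN reply belongs to (None = unknown flow)."""
        if pkt.proto == "tcp":
            key = ("tcp", pkt.src, pkt.sport, pkt.dst, pkt.dport)
        elif self.pptp_helper:
            key = ("gre", pkt.src, pkt.dst, pkt.call_id)
        else:
            key = ("gre", pkt.src, pkt.dst)
        return self.table.get(key)


# Constructed sample topology (documentation address ranges, not real hosts)
HQ_SERVER = "203.0.113.5"
BRANCH_WAN = "198.51.100.1"
CLIENTS = ("192.168.1.10", "192.168.1.11")


def pptp_clients_tracked(pptp_helper: bool) -> int:
    """Two branch PCs open PPTP to HQ; count GRE data channels that get their own NAT entry."""
    nat = MasqueradeTracker(BRANCH_WAN, pptp_helper=pptp_helper)
    tracked = 0
    for i, client in enumerate(CLIENTS, start=1):
        # Control channel: TCP 1723; both PCs use the same local source port on
        # purpose, to show that masquerade just rewrites the port for TCP
        assert nat.outbound(Packet("tcp", client, HQ_SERVER, sport=50000, dport=1723))
        # Data channel: GRE, with the call ID negotiated on the control channel
        if nat.outbound(Packet("gre", client, HQ_SERVER, call_id=i)):
            tracked += 1
    return tracked


if __name__ == "__main__":
    print("GRE sessions tracked without helper:", pptp_clients_tracked(False))  # 1
    print("GRE sessions tracked with helper:   ", pptp_clients_tracked(True))   # 2
```

Without the helper the second PC's GRE flow is indistinguishable from the first, and a reply from HQ is handed to whichever client installed the entry, regardless of the call ID it carries; with the helper the call ID becomes part of the key, so both sessions are tracked and replies reach the right host.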
 
saintofinternet
Forum Veteran
Posts: 768
Joined: Thu Oct 15, 2009 3:52 am

Re: mikrotik -> mikrotik pptp problem

Tue Oct 04, 2016 4:41 am

L2TP/IPsec has similar problems... of not allowing more than one connection from behind NAT to a MikroTik VPN.

No solution in sight yet.
