How to Block PPTP Traffic

Posted: Thu Jul 25, 2013 3:29 pm
by luckysunny
Hello,

I am facing a problem these days: many free VPN (PPTP) providers put their ads on it, and they eat bandwidth too. So I want to block this PPTP traffic through my MikroTik, meaning I don't want my users to be able to connect to any PPTP. Need your help, guys.

Re: How to Block PPTP Traffic

Posted: Thu Jul 25, 2013 3:31 pm
by ners
Block destination port TCP 1723 in the forward chain, or better block protocol type 47 (GRE) which is used by PPTP. That way you will also block PPTP services on non-standard ports.

Re: How to Block PPTP Traffic

Posted: Thu Jul 25, 2013 3:35 pm
by luckysunny
Will this affect other traffic or not, if I block the PPTP port?

> Block destination port TCP 1723 in the forward chain, or better block protocol type 47 (GRE) which is used by PPTP. That way you will also block PPTP services on non-standard ports.

Re: How to Block PPTP Traffic

Posted: Thu Jul 25, 2013 3:46 pm
by ners

ros code

/ip firewall filter add chain=forward protocol=gre action=reject reject-with=icmp-protocol-unreachable
Should block GRE protocol which is used by PPTP for data transfer, no other traffic should be affected.

Re: How to Block PPTP Traffic

Posted: Thu Jul 25, 2013 3:48 pm
by luckysunny
Let me try this one... thanks for your kind reply.

> ros code
>
> /ip firewall filter add chain=forward protocol=gre action=reject reject-with=icmp-protocol-unreachable
> Should block GRE protocol which is used by PPTP for data transfer, no other traffic should be affected.

Re: How to Block PPTP Traffic

Posted: Mon Jun 10, 2019 5:23 am
by rarenakal

> ros code
>
> /ip firewall filter add chain=forward protocol=gre action=reject reject-with=icmp-protocol-unreachable
> Should block GRE protocol which is used by PPTP for data transfer, no other traffic should be affected.

Didn't work on my router.
It should be like this:

/ip firewall filter add chain=input protocol=gre action=drop

Thanks. #CMIIW

Re: How to Block PPTP Traffic

Posted: Mon Jun 10, 2019 11:52 am
by sindy
> Didn't work on my router.
> It should be like this:

That's a misunderstanding. The OP wanted to block PPTP to be transited by his Mikrotik, and that rule works for that task.

Your rule blocks incoming GRE connections to your Mikrotik itself, which is a different task (and to block PPTP connections to your Mikrotik itself, not enabling /interface pptp-server server is sufficient, you don't need any rule for that).

In general blocking GRE kills not only PPTP but also other protocols using GRE, which may be fine for the OP's purposes but in general it is a bad idea.
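
Added example, not part of any post in this thread: a small Python model of the three rules discussed above, showing which chain each constructed packet reaches and what each rule does to it. The router address, sample packets, alternate port and all function names are assumptions made for the illustration; the chain selection is a simplified model of RouterOS behaviour, and the PPTP GRE header values (version 1, protocol type 0x880B) come from RFC 2637.

```python
import ipaddress
import struct

ROUTER_ADDRS = {ipaddress.ip_address("192.0.2.1")}  # constructed router address
PPTP_GRE_PROTO = 0x880B  # PPP carried in PPTP's enhanced GRE (RFC 2637)

def chain_for(dst):
    """Packets addressed to the router itself hit input; transit packets hit forward."""
    return "input" if ipaddress.ip_address(dst) in ROUTER_ADDRS else "forward"

def gre_kind(payload):
    """Classify a GRE header: PPTP uses version 1 with protocol type 0x880B."""
    if len(payload) < 4:
        return "truncated"
    flags_ver, proto = struct.unpack("!HH", payload[:4])
    return "pptp-data" if (flags_ver & 0x7) == 1 and proto == PPTP_GRE_PROTO else "other-gre"

def verdict(rules, pkt):
    """First matching rule in the packet's chain wins; default is accept."""
    chain = chain_for(pkt["dst"])
    for rule in rules:
        if rule["chain"] != chain or rule["protocol"] != pkt["protocol"]:
            continue
        if "dst_port" in rule and rule["dst_port"] != pkt.get("dst_port"):
            continue
        return rule["action"]
    return "accept"

# The three rules from the thread, reduced to the fields that matter here.
FORWARD_GRE = [{"chain": "forward", "protocol": "gre", "action": "reject"}]
INPUT_GRE = [{"chain": "input", "protocol": "gre", "action": "drop"}]
FORWARD_1723 = [{"chain": "forward", "protocol": "tcp", "dst_port": 1723, "action": "reject"}]

# Constructed sample packets (documentation address ranges).
PPTP_DATA = {"dst": "203.0.113.7", "protocol": "gre",
             "payload": struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, 0, 1, 0)}
SITE_TUNNEL = {"dst": "198.51.100.9", "protocol": "gre",
               "payload": struct.pack("!HH", 0x0000, 0x0800)}  # plain GRE carrying IPv4
PPTP_CTRL_ALT = {"dst": "203.0.113.7", "protocol": "tcp", "dst_port": 8443}
GRE_TO_ROUTER = dict(PPTP_DATA, dst="192.0.2.1")

if __name__ == "__main__":
    for name, pkt in [("PPTP data", PPTP_DATA), ("site GRE tunnel", SITE_TUNNEL),
                      ("GRE to router", GRE_TO_ROUTER), ("PPTP ctrl, alt port", PPTP_CTRL_ALT)]:
        print(f"{name:20} chain={chain_for(pkt['dst']):8}"
              f" fwd-gre={verdict(FORWARD_GRE, pkt):7}"
              f" in-gre={verdict(INPUT_GRE, pkt):7}"
              f" fwd-1723={verdict(FORWARD_1723, pkt)}")
```

The forward-chain GRE rule rejects both the PPTP data packet and the unrelated site tunnel, which is the collateral effect described in the last post; the input-chain rule leaves transit PPTP untouched.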