Basic static routes and PPTP question

Posted: Sun May 18, 2014 9:06 am
by jeremyh

I have a network, set up basically as per the diagram below.

I have set up PPTP* connections so that traffic may flow between sites (with 'Main Branch' running as PPTP server). The goal is to have hosts on each subnet able to talk to hosts on any other subnet, reliably and with optimal efficiency.

However, I have gone wrong somewhere. The links perform poorly (MTU/MRRU problem?), are unreliable, and have weird side-effects. For example, ARP entries for clients at Site A are 'leaking' over to the Main Branch (something to do with proxy-arp?), where the DHCP server there must still have a lease, so the client comes up with an IP address conflict until the PPTP bridge is disabled/router is rebooted, even though the DHCP servers are giving leases on different subnets. Sometimes the static routes to other sites won't work at all, then will suddenly come good. It's all very erratic.

Sometimes when I am at Site B and when I ping the gateway (, traffic goes out through the PPTP interface to the main branch, then back through, and takes ~50ms!

Long story short, something's gone wrong and I need to re-do all this properly.

Three questions:

1) Do I need my bridge interface (on both routers?) set to proxy-arp for this setup?

2) Do I need a NAT rule on the Site A/Site B routers to masquerade NAT the VPN interface?

3) What is the best way to add the static routes on the Site A/Site B routers? Should 'gateway' be the PPP interface or the remote/local IP address? Should I be using distance?

Please help! I'm really stuck with this and have been tinkering for too many weekends!

*(Intending to change to IPSec L2TP later)

Posted: Mon May 19, 2014 11:30 pm
by scotthammersley
If all three routers are MikroTik, then all you need is a simple tunnel, no proxy-arp and no bridging. Route the traffic just like the VPN was an Ethernet cable (i.e., add dst=x.x.x.x/x gateway=(the IP address on the other side of the tunnel)). You will need routes in all three routers for all of the subnets. If you need help, please feel free to give us a call :-)
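
The routed hub-and-spoke layout described in the reply above, as an added example that is not part of the original thread: it builds the static routes each of the three routers needs, walks a packet hop by hop to confirm spoke-to-spoke traffic transits the Main Branch, and renders the routes as RouterOS `/ip route add` lines. The subnets, tunnel addresses and router names are constructed, since the thread's diagram is not on the page.

```python
import ipaddress

# Constructed addressing (assumption: the thread's diagram is not available).
LANS = {"main": "192.168.0.0/24", "siteA": "192.168.1.0/24", "siteB": "192.168.2.0/24"}
# (router, peer) -> the peer's tunnel IP as seen from router (constructed values).
TUNNELS = {
    ("main", "siteA"): "10.255.0.2", ("siteA", "main"): "10.255.0.1",
    ("main", "siteB"): "10.255.0.3", ("siteB", "main"): "10.255.0.1",
}

def build_routes(lans, tunnels, hub="main"):
    """Return {router: {dst_subnet: gateway_ip}} for a routed hub-and-spoke VPN."""
    routes = {r: {} for r in lans}
    for router in lans:
        for other, subnet in lans.items():
            if other != router:
                # The hub reaches each spoke directly; a spoke reaches every
                # remote subnet (including the other spoke) through the hub.
                peer = other if router == hub else hub
                routes[router][subnet] = tunnels[(router, peer)]
    return routes

def next_router(router, dst_ip, routes, tunnels):
    """Longest-prefix match on router's routes; return the neighbour or None."""
    best = None
    for subnet, gw in routes[router].items():
        net = ipaddress.ip_network(subnet)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None  # no route: the packet is dropped here
    return next(p for (r, p), ip in tunnels.items() if r == router and ip == best[1])

def path(src, dst, lans, routes, tunnels):
    """Routers crossed from src's LAN to a host on dst's LAN, or None if dropped."""
    dst_ip = ipaddress.ip_network(lans[dst])[10]  # sample host .10 on the target LAN
    hops, here = [src], src
    while dst_ip not in ipaddress.ip_network(lans[here]):
        here = next_router(here, dst_ip, routes, tunnels)
        if here is None or here in hops:  # missing route or routing loop
            return None
        hops.append(here)
    return hops

def routeros_commands(routes):
    """Render each router's table as RouterOS static-route commands."""
    return {r: [f"/ip route add dst-address={d} gateway={g}" for d, g in t.items()]
            for r, t in routes.items()}
```

Deleting any single entry from the generated tables and re-running `path` in both directions shows which site pairs lose connectivity, which is the quickest way to see why routes are needed on all three routers.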