JosipTopic
newbie
Topic Author
Posts: 43
Joined: Mon Apr 06, 2020 10:21 pm
Location: Zagreb

3 sites PPTP vpn

Wed Apr 08, 2020 12:31 pm

Hi everyone!
I want to ask for help.

This is what I have:
3 MikroTik routers at three locations.
I've configured one MikroTik as PPTP server and the other two as clients.
Both of these clients connect successfully to the MikroTik server.
The problem is that those clients can't ping each other.

Can anyone see in the configurations where I went wrong?
Thanks.

1st client

# apr/08/2020 10:52:04 by RouterOS 6.40.8
# software id = FEL4-KWJ3
#
# model = 951-2n
# serial number = 40D002D66A24
/interface bridge
add admin-mac=D4:CA:6D:A3:87:19 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
MikroTik-A3871D wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface pptp-client
add connect-to=****.dyndns.biz disabled=no name=pptp-out2 user=*****
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.87.10-192.168.87.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.87.1/24 comment=defconf interface=bridge network=\
192.168.87.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.87.0/24 comment=defconf gateway=192.168.87.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.89.0/24
/ip route
add distance=1 dst-address=192.168.78.0/24 gateway=pptp-out2
add distance=1 dst-address=192.168.86.0/24 gateway=pptp-out2
add distance=1 dst-address=192.168.99.0/24 gateway=192.168.89.100 pref-src=\
192.168.89.100
/system clock
set time-zone-name=Europe/*****
/system identity
set name=Client
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

Server conf

# apr/08/2020 11:07:46 by RouterOS 6.46.4
# software id = F82E-MQ1K
#
# model = RB750Gr3
# serial number = 8AFF0B624E5B
/interface bridge
add admin-mac=C4:AD:34:35:E8:B4 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1/WAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.86.100-192.168.86.200
add name=vpn ranges=192.168.89.100-192.168.89.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=bridge dns-server=1.1.1.1,192.168.78.254 interface-list=all \
local-address=192.168.89.100 name=Josip remote-address=192.168.89.101
add bridge=bridge interface-list=all local-address=192.168.89.102 name=Ivan \
remote-address=192.168.89.103
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1/WAN list=WAN
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.86.111/24 interface=bridge network=192.168.86.0
add address=192.168.78.111/24 interface=ether1/WAN network=192.168.78.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1/WAN
/ip dhcp-server network
add address=192.168.86.0/24 comment=defconf dns-server=192.168.78.254 \
gateway=192.168.86.111
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,192.168.78.254
/ip dns static
add address=192.168.86.111 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip route
add distance=1 gateway=192.168.78.254
/ppp secret
add name=vpn
add local-address=192.168.89.100 name=Josip profile=Josip remote-address=\
192.168.89.101 routes="192.168.87.0/24,192.168.79.0/24, 192.168.89.101" \
service=pptp
add local-address=192.168.89.102 name=Ivan profile=Ivan remote-address=\
192.168.89.103 routes="192.168.85.0/24, 192.168.99.0/24, 192.168.89.103" \
service=pptp
/system clock
set time-zone-name=Europe/***
/system identity
set name=Server
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

For now I have only these two.
 
sindy
Forum Guru
Posts: 11542
Joined: Mon Dec 04, 2017 9:19 pm

Re: 3 sites PPTP vpn

Thu Apr 09, 2020 10:30 pm

What is the idea behind setting interface-list=all in the ppp profile? That simply doesn't work, RouterOS complains that you cannot add a member to a pre-defined list (which makes sense) and the connection ends - at least when you use that profile for L2TP connections, but as the problem is still the same, it won't work even if the PPTP connection eventually doesn't drop.

So do /ppp profile unset interface-list [find interface-list=all] and try again.

Other than that, you don't need one local address per each /ppp secret item at server side.

Question - why PPTP, which is anything but secure and has other drawbacks too?
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: 3 sites PPTP vpn

Fri Apr 10, 2020 4:42 pm

Yup I agree at least use L2TP unless security and privacy just don't matter.
 
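The two replies above both point away from PPTP (its MS-CHAPv2/MPPE protection is weak) and towards L2TP, and the posted server export already has the L2TP server enabled with IPsec. The following is an added example, not configuration from the thread, showing what the move looks like on both ends: the server is switched to use-ipsec=required so that plain L2TP is refused, the secrets are opened for the L2TP service, and the client replaces its pptp-client with an l2tp-client. The DDNS name vpn.example.com, the user password and the pre-shared key are placeholders.

```routeros
# Added example (not from the thread): PPTP -> L2TP/IPsec on both routers.
# Placeholders: vpn.example.com, the password and the PSK.

# --- server (RB750Gr3) ---
/interface l2tp-server server
# "required" refuses L2TP sessions that are not inside IPsec; "yes" would
# still accept them. authentication=mschap2 drops PAP/CHAP/MS-CHAPv1.
set enabled=yes use-ipsec=required ipsec-secret="CHANGE-ME-long-random-psk" \
    authentication=mschap2
# the posted secrets are restricted to service=pptp; allow L2TP instead
/ppp secret
set [ find name=Josip ] service=l2tp
set [ find name=Ivan ] service=l2tp

# --- client (951-2n) ---
/interface pptp-client
set pptp-out2 disabled=yes
/interface l2tp-client
add name=l2tp-out1 connect-to=vpn.example.com user=Josip password="CHANGE-ME" \
    use-ipsec=yes ipsec-secret="CHANGE-ME-long-random-psk" allow=mschap2 \
    add-default-route=no disabled=no
# static routes that pointed at the PPTP interface now use the L2TP one
/ip route
set [ find gateway=pptp-out2 ] gateway=l2tp-out1

# --- checks: tunnel state and an installed IPsec SA pair on each side ---
/interface l2tp-client monitor l2tp-out1 once
/ip ipsec installed-sa print
```

The server firewall in the export already accepts UDP 500, 4500 and 1701 on input, so on the ADSL router in front of it those three UDP ports are the ones to forward (NAT-T on 4500 carries the ESP traffic once a NAT is detected). The pptp-client is only disabled, not removed, so the PPTP path can be re-enabled while testing; remove it once the L2TP tunnel is confirmed working.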
JosipTopic
newbie
Topic Author
Posts: 43
Joined: Mon Apr 06, 2020 10:21 pm
Location: Zagreb

Re: 3 sites PPTP vpn

Fri Apr 10, 2020 5:02 pm

I'm sorry for being late.
OK, I configured PPTP just for training myself. I want to learn networking. I'm working in an IT company, so for the purposes of the company I want to master things one by one.
And the idea behind setting interface-list=all in the ppp profile is "don't know". For days I've been wandering around and cannot ping the other (third) router.
Thanks, and I'll inform you of the situation when I try this conf.

Josip.
 
sindy
Forum Guru
Posts: 11542
Joined: Mon Dec 04, 2017 9:19 pm

Re: 3 sites PPTP vpn

Fri Apr 10, 2020 8:39 pm

If I get you right, even with that "don't know" thingy in the /ppp profile used, the /interface pptp-client does come up on the client routers, so you can ping the server from each client? If so, PPTP handles the profiles in a different way than L2TP and doesn't mind that setting.

In any case, the default setting of /interface pptp-client interfaces is add-default-route=no and your export doesn't show add-default-route=yes, hence no route via that interface is added as it comes up, so you can only ping the remote-address (which is the address of the other end of the tunnel) as the route to that address is added automatically as the client interface goes up.

So you have two possibilities:
  • set add-default-route at /interface pptp-client to yes, which will make all the traffic of the client be routed to the server; this is sometimes desirable and sometimes not. If it is, don't forget you need to add a static route towards the server IP address to the client configuration, otherwise the connection will be going up and down as the default route added as the interface goes up will override the existing default route (or not, it depends on some extra factors we may come back to later on, but in that case it won't work).
  • manually add a route to a destination subnet which includes the address the server assigns to the other client: /ip route add dst-address=192.168.89.0/24 gateway=pptp-out2. This route will only become active while the interface is up.
  • you might add and remove the route using the on-up and on-down scripts in the /ppp profile, but that would be an overkill for the moment.
Of course you have to do this at both clients.
 
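The post above describes two ways to get the client's traffic into the tunnel. As an added example, not configuration from the thread, here is what each looks like on client 1 (LAN 192.168.87.0/24, tunnel interface pptp-out2), using the site subnets and tunnel addresses from the posted exports. The ISP gateway 192.0.2.1, the server's public address 203.0.113.10 and the ping target 192.168.85.1 are placeholders; client 2 needs the mirror image with client 1's subnets (192.168.87.0/24, 192.168.79.0/24) and 192.168.89.0/24.

```routeros
# Added example (not from the thread): client 1 routing for the PPTP tunnel.
# Placeholders: 192.0.2.1 (ISP gateway), 203.0.113.10 (server public IP),
# 192.168.85.1 (a host at client 2).

# Variant A: keep add-default-route=no (the default) and route only the
# remote sites through the tunnel. These routes are inactive while
# pptp-out2 is down and become active as soon as it comes up.
/ip route
# the posted 192.168.99.0/24 route points at the server's tunnel address
# with the same address as pref-src, which this router does not own;
# replace it with a route via the interface like the others
remove [ find dst-address=192.168.99.0/24 gateway=192.168.89.100 ]
add dst-address=192.168.89.0/24 gateway=pptp-out2 comment="tunnel pool: server side and client 2 side"
add dst-address=192.168.85.0/24 gateway=pptp-out2 comment="client 2 LAN"
add dst-address=192.168.99.0/24 gateway=pptp-out2 comment="client 2 LAN"

# Variant B: send all traffic through the server. The host route to the
# server's public address must exist first, otherwise the default route the
# tunnel adds points back into the tunnel and the connection flaps. Check
# the ISP gateway with "/ip dhcp-client print detail" (it comes from DHCP on
# ether1 in the posted config), and give the ISP default route a worse
# distance than the tunnel's.
#/ip route
#add dst-address=203.0.113.10/32 gateway=192.0.2.1 comment="tunnel endpoint, always via ISP"
#/ip dhcp-client
#set [ find interface=ether1 ] default-route-distance=2
#/interface pptp-client
#set pptp-out2 add-default-route=yes default-route-distance=1

# Checks: tunnel up, tunnel routes active, the other client reachable
/interface pptp-client monitor pptp-out2 once
/ip route print where gateway=pptp-out2
/ping 192.168.89.103 count=3
/ping 192.168.85.1 count=3
```

One firewall detail worth knowing before testing with anything other than ping: the posted client firewall accepts ICMP on input from anywhere but drops every other new connection whose in-interface is not in the LAN list, and pptp-out2 is not in that list. Pings to the client router from the other sites therefore work, while Winbox or SSH across the tunnel do not. That is the safer default; if remote management over the tunnel is wanted, add a specific input rule for in-interface=pptp-out2 and the needed ports rather than putting the tunnel interface into the LAN list.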
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: 3 sites PPTP vpn

Sat Apr 11, 2020 3:21 am

To add to what @sindy said, you can change the distances of your default routes, 2 for the route to your ISP's gateway and 1 for the PPTP gateway... So every time the PPTP comes up the default route of the PPTP will be used...
In the case above you must masquerade your PPTP interface on your clients, since this will be the out interface...
OR
Instead of selecting "add default route" on your PPTP client, you can add the default route manually, give it a routing mark name and then create a policy routing rule to match the src/dst addresses you want to be using that particular PPTP interface as their default gateway... Don't forget the action "lookup only in table" and as table name the routing mark created earlier...

In case you do not need to forward the whole traffic on your server, only routes are needed from client 1 to server and server to client 1, and the same for your second client...

Also there is no need to add the bridge itself inside the PPP profile unless you want to perform BCP, in which case all the clients and the server itself must have the bridge added in the PPTP profile as well...
 
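The policy-routing alternative in the post above (a marked default route plus a "lookup only in table" rule) maps onto /ip route and /ip route rule in RouterOS 6. The following is an added example, not configuration from the thread, for client 1: one LAN host gets the tunnel as its default gateway while the rest of the LAN stays on the ISP link, and the site-to-site subnets keep using the main table. The host 192.168.87.50 is a placeholder; the subnets are the ones in the posted exports.

```routeros
# Added example (not from the thread): per-host default gateway via the
# tunnel on client 1, RouterOS 6 syntax. Placeholder host: 192.168.87.50.

# 1. A separate routing table "via-vpn" holding only a default route through
#    the tunnel. The route is active only while pptp-out2 is up.
/ip route
add dst-address=0.0.0.0/0 gateway=pptp-out2 routing-mark=via-vpn comment="default via tunnel"

# 2. Route rules are evaluated in order. Traffic from the host to the
#    private 192.168.0.0/16 range (all site LANs and the tunnel pool) is
#    looked up in main, where the static routes to the other sites via
#    pptp-out2 live. Everything else is looked up ONLY in via-vpn: when the
#    tunnel is down that table has no active route, so the host's internet
#    traffic is dropped instead of leaking out over the ISP link.
/ip route rule
add src-address=192.168.87.50/32 dst-address=192.168.0.0/16 action=lookup table=main \
    comment="site traffic via main table"
add src-address=192.168.87.50/32 action=lookup-only-in-table table=via-vpn \
    comment="host's internet traffic via tunnel only"

# 3. Source NAT on the tunnel for this host, as the post above recommends,
#    so replies come back to this router without depending on the server's
#    per-secret return routes. Limited to the host so that site-to-site
#    traffic keeps its real source addresses.
/ip firewall nat
add chain=srcnat src-address=192.168.87.50 out-interface=pptp-out2 action=masquerade \
    comment="masq. host over tunnel"

# Checks: the marked route is active only while the tunnel is up, and the
# rules are in the intended order
/ip route print where routing-mark=via-vpn
/ip route rule print
/ping 1.1.1.1 routing-table=via-vpn count=3
```

The "lookup" action in the first rule falls through to the next rule only if main has no route for the destination; since main always has a default route, the 192.168.0.0/16 destinations are decided there and never reach the via-vpn rule. Use route rules rather than mangle marks here: the posted firewall fasttracks established connections, and fasttracked packets bypass mangle, whereas route rules are part of the routing decision itself.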
JosipTopic
newbie
Topic Author
Posts: 43
Joined: Mon Apr 06, 2020 10:21 pm
Location: Zagreb

Re: 3 sites PPTP vpn

Sat Apr 11, 2020 2:05 pm

Hello, everything is up and working.

So, to tell you the problem, the third router (2nd client) didn't have routes to my client router.
So this is it.
I just wrote the routes manually in the third router and instantly I could ping all six subnets.

Because where I live the situation is like this:
everybody has internet connections like ADSL, so you are behind a router, and you cannot put that router in bridge mode.
So port forwarding is the option to make your VPN connection.
And I'm just testing now how all things are working.
Obviously, I won't use PPTP, but it was a starting point.
Just to get familiar with operations.
I'll post this configuration that is working now.
Yes, and one more question: why did a 192.0.0.0/8 route come automatically in the route list?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: 3 sites PPTP vpn

Sat Apr 11, 2020 2:11 pm

Am happy you solved the problem...