htandiono
just joined
Topic Author
Posts: 2
Joined: Wed Feb 24, 2016 11:06 am

VPN PPTP Computers in Server Side Can't Ping Computers in Client Side

Wed Feb 24, 2016 11:43 am

Hi,

I have just set up 2 Mikrotik RB750 HexLite routers, both version 6.34.2: one as the VPN PPTP server at Head Office (HO) and the other as the VPN PPTP client dialer at the Remote Site (RS).

The Layout looks like this:

HO Computers (192.168.2.0/24) <-------> Mikrotik HO (VPN Server Local Address 192.168.10.1) <===VPN PPTP Tunneling====> Mikrotik Remote Site (VPN Client Local Address 192.168.10.2) <--------> Remote Site Computers (192.168.0.0/24)

The Problem:

All the computers at the Remote Site (192.168.0.0/24) can successfully ping and connect (RDC, file sharing) to all computers at Head Office (192.168.2.0/24).
However, computers at Head Office cannot ping or connect to computers at the Remote Site. Pings from 192.168.2.0/24 to 192.168.0.0/24 always time out. Computers at HO can successfully ping the Remote Site Mikrotik VPN address, though (ping from 192.168.2.0/24 to 192.168.10.2 replies).
When I ran tracert from the command prompt of a computer on the HO side to a computer at the RS site, it looked like this:
tracert 192.168.0.75
reply from 192.168.2.1 (HO Mikrotik LAN IP Address)
reply from 192.168.10.2 (RS Mikrotik VPN IP Address)
request timed out
request timed out

What I have done:
1. I have set the Ethernet master local interface ARP on both the HO & RS Mikrotik to proxy-arp
2. I have set up the routing on both the HO & RS Mikrotik
HO Routing: 192.168.0.0/24 192.168.10.2 1
RS Routing: 192.168.2.0/24 192.168.10.1 1
3. I have added the srcnat masquerade NAT rule for the pptp interface at both the HO & RS sites

I'm kind of at a loss as to how to enable the computers on the server side to ping/connect to computers on the client side, while the other way round, from client to server, everything works just fine.

Any help will be greatly appreciated.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: VPN PPTP Computers in Server Side Can't Ping Computers in Client Side

Wed Feb 24, 2016 4:57 pm

Based on what you typed it sounds more like there is a firewall filter rule in place on the remote end that is dropping non-established connections. I would start there.
 
LogicalNZ
Frequent Visitor
Posts: 59
Joined: Sat Oct 19, 2013 6:35 am
Location: New Zealand

Re: VPN PPTP Computers in Server Side Can't Ping Computers in Client Side

Wed Feb 24, 2016 9:37 pm

May I please ask a question.

What MikroTik OS version are you running?

Also, it is my understanding that Proxy ARP should not be required. Proxy ARP can cause lots of other issues on your network. My understanding is that Proxy ARP should only be required if you use the same subnet in two locations on your network (for example, local and remote computers are 192.168.20.0/24 at both ends). Maybe someone can answer this for me?


If you look at the example at http://wiki.mikrotik.com/wiki/Manual:IP/ARP, it clearly shows proxy ARP being used for a subnet overlap.

If you are running 6.32 or later, we have noticed the same issue as you... We have seen the issue (without proxy ARP) that across a VPN (both L2TP and PPTP) we can ONLY ping interfaces on the router that creates the connection. Although this is insecure, we have found that using native GRE this issue goes away.

We have tried playing with routing etc. but still have no resolution to the issue. I have another posting on the forum re L2TP but believe this problem is the same as mine.

We also have a customer on 6.30 and the same issue does not exist. We have even tested to the point of having a VPN created on a 6.30 router working fine, then upgraded to the current "bugfix" OS and broke the VPN.

Not much help but will keep you posted.

Thanks

LogicalNZ
alan.scott@logicalsolutions.co.nz
 
htandiono
just joined
Topic Author
Posts: 2
Joined: Wed Feb 24, 2016 11:06 am

Re: VPN PPTP Computers in Server Side Can't Ping Computers in Client Side

Thu Feb 25, 2016 5:31 am

Thanks a lot for your kind replies, Revelation & Alan.

Revelation, I have turned off all firewall drop/block in all my modems & routers & mikrotik, but the result is still the same.

Alan,

I am using Version 6.34.2 for both HO & RS Mikrotik.
Maybe I'm having the same problem as you.
I have changed the ARP setting to "Enabled" instead of "Proxy ARP", but the result is still the same.
Would you please elaborate more on the native GRE thing you mentioned? What can I do regarding that?

Thanks a lot in advance.
 
LogicalNZ
Frequent Visitor
Posts: 59
Joined: Sat Oct 19, 2013 6:35 am
Location: New Zealand

Re: VPN PPTP Computers in Server Side Can't Ping Computers in Client Side

Thu Feb 25, 2016 8:47 pm

Firstly, GRE by default is NOT encrypted. I'm only using it as I have no choice. I have my distributor working on this issue and once it is resolved I will be changing off GRE.

Under the interface menu option in winbox you will see a GRE tab. All you have to do is give it your far end and local end IP addresses, then configure a static route. That's it... You now have a fully working site-to-site tunnel.

Your router is on the same OS that I have the issue with :(
 
Ihancock
just joined
Posts: 2
Joined: Wed Mar 02, 2016 6:31 am

Re: VPN PPTP Computers in Server Side Can't Ping Computers in Client Side

Wed Mar 02, 2016 6:36 am

Make sure you have arp-proxy set on the internal interface (server side).

Regards
Ian