MikroTik

Running 2.9.43 on small form factor computer for a while with vpn setup pptp and laptop to connect.

Until one day ago was working fine, and it just stopped working. I have taken all firewall rules out except nat/masquerade and reset the pptp server back up. Does not even register anyone is calling the vpn. Have tried from different locations and different laptops and ISP connections. I can winbox to the box but can not seem to make work. Have tried using torch to verify connection, but nothing.

Did notice that firewall service ports gre and pptp are blank with no ports and disabled, but ever when enabled blank and/or with 1723 and 47 as ports, it still does not want to work. The prevalent error received is 678 or no response.

One thing that was a symptom was that it took about three tries to make the connection four days ago, but then yesterday stopped working.

Any help would be greatly appreciated. I would upgrade the ROS to 3.x but I would have to do it remotely and do not have anyway to get into the box locally for a couple of weeks.

I thank you in advance.

Service Port should show pptp enabled with the port column blank.

47 is a protocol, not a port. Do you see any traffic on tcp/1723 hit the router? Can you use telnet to connect to port 1723 on the router?

Kind regards

Andrew

Andrew,
Thank you.
I do not see any 1723 traffic hit the router and it will not connect telnet 1723. W

What should I do next?

Upgraded the ROS to 2.9.51 and still no vpn connections. I can not see any 1723 traffic hit the router and I have tried telnet which also does not seem to work. I wonder is there a way to see where the 1723 traffic is being blocked or dying?

Layer 4 Traceroute will do this. http://en.wikipedia.org/wiki/Layer_Four_Trace

Kind regards

Andrew

Thanks Andrew.

Have Path Analyzer Pro and it seems to go all the way through on 1723. Is there something that I should look for that would prevent the vpn from working? I guess I am asking how to read the graph.

I'm not familiar with Path Analyzer Pro.

Kind regards

Andrew

Andrew,

Thanks I can get through on the 1723 using the pro scanner and I have tried on two different locations. Now I went to a third in a different state and everything seems to be up and running even with the new ROS, really strange. It does say I have some latencies, but I wonder if the content filter or a newly installed firewall is blocking these ports.

Anyone that knows of a tool that they can share with me on this, to find out what is blocked would be great.

As well as tcp/1723 you also require GRE (protocol 41).

Andrew

You need these rules if you have a drop filter rule.

;;; Allow PPTP incoming 1723
chain=input action=accept dst-port=1723 protocol=tcp

;;; Allow PPTP incoming GRE
chain=input action=accept dst-port=1723 protocol=gre