 
sterb
newbie
Topic Author
Posts: 28
Joined: Mon Dec 01, 2008 7:29 pm

Intermittent multiple VPN connections from behind NAT

Sat Sep 19, 2009 5:44 pm

Hi all,

Unsure where to go next for troubleshooting so I am hoping that one of you can help out here. We have been using RouterOS successfully at various events providing hotspot access to both event organisers and the public. We now and again had reports of VPN issues from behind the NAT. It seems that some connections work initially but drop after a while.
This seems to tie in with a 'first come only one served' behaviour when I check the connection tracker.
Basically multiple VPN connections of the same type struggle to remain established concurrently.

I have searched the forums and there do not seem to be any reports similar to this since version 3.0, when the PPTP / GRE helper was changed. Am I correct in assuming GRE is now implied by the PPTP helper? (which is turned on in my config).

Any help is much appreciated, as if I cannot sort this out I will have to turn the hijack RB1000 into a router without NAT and put a non-RouterOS NAT behind that, which I obviously do not want to do...

Anything obvious? I have attached the config.

Many thanks....



/interface ethernet
# Physical ports: ether1 = ISP/upstream, ether2 = Management, ether3 = Premium
# hotspot, ether4 = Guest hotspot.
# NOTE(review): ether1, ether2 and ether3 are set to arp=proxy-arp while
# ether4 uses plain arp=enabled. Proxy-ARP on the upstream-facing port is
# unusual for a NAT edge; confirm it is intended rather than a leftover.
set 0 arp=proxy-arp auto-negotiation=yes comment=ISP disabled=no full-duplex=\
yes l2mtu=1600 mac-address=00:0C:42:20:68:E4 mtu=1500 name=ether1 speed=\
100Mbps
set 1 arp=proxy-arp auto-negotiation=yes comment=Management disabled=no \
full-duplex=yes l2mtu=1600 mac-address=00:0C:42:20:68:E5 mtu=1500 name=\
ether2 speed=100Mbps
set 2 arp=proxy-arp auto-negotiation=yes comment=Premium disabled=no \
full-duplex=yes l2mtu=1600 mac-address=00:0C:42:20:68:E6 mtu=1500 name=\
ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes comment=Guest disabled=no full-duplex=\
yes l2mtu=1600 mac-address=00:0C:42:20:68:E7 mtu=1500 name=ether4 speed=\
100Mbps
/ip dhcp-server option
# DHCP option 66 values handed to clients. SIP_P is referenced by the Premium
# dhcp-server network below; SIP_G is defined but no dhcp-server network in
# this export references it.
add code=66 name=SIP_P value=10.10.0.3
add code=66 name=SIP_G value=10.20.0.3
/ip hotspot profile
# Captive-portal server profiles. Guest and Premium authenticate against the
# RADIUS entry further down (use-radius=yes) with accounting on; login-by is
# cookie + http-chap only (no http-pap), so passwords are not sent in clear.
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
add dns-name="" hotspot-address=10.20.0.1 html-directory=GuestLogin \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=Guest nas-port-type=ethernet radius-accounting=yes \
radius-default-domain="" radius-interim-update=received \
radius-location-id="" radius-location-name="" radius-mac-format=\
XX:XX:XX:XX:XX:XX rate-limit=768k/5M smtp-server=0.0.0.0 \
split-user-domain=no use-radius=yes
# NOTE(review): http-cookie-lifetime=3w lets a Premium device re-enter without
# credentials for three weeks after one login (Guest gets 3d). Presumably
# matched to the event length; check it against the credit durations sold.
add dns-name="" hotspot-address=10.10.0.1 html-directory=PremiumLogin \
http-cookie-lifetime=3w http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=Premium nas-port-type=ethernet radius-accounting=yes \
radius-default-domain="" radius-interim-update=received \
radius-location-id="" radius-location-name="" radius-mac-format=\
XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=yes
/ip hotspot user profile
# Per-user defaults: one concurrent session per account (shared-users=1),
# 512k up / 2048k down.
set default idle-timeout=none keepalive-timeout=2m name=default rate-limit=\
512k/2048k shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
# NOTE(review): 3DES / SHA1 / modp1024 are the defaults of this RouterOS
# generation and are weak by current standards. The input-chain IPsec accept
# rules are all disabled in this export, so whether this proposal is in use
# at all cannot be told from here.
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip pool
# Guest and Premium pools start at .50, leaving .2-.49 for static hosts; the
# forward-chain accept for 10.10.0.2-10.10.0.49 and the IAX port-forward to
# 10.10.0.2 depend on that gap.
# NOTE(review): the DMZ pool spans 10.99.0.150-10.99.3.253 (a /22), yet no
# dhcp-server below uses it and no interface carries a 10.99.x address in
# this export — either stale, or served by a device not shown here.
add name=Guest ranges=10.20.0.50-10.20.2.254
add name=Premium ranges=10.10.0.50-10.10.2.254
add name=Management ranges=10.1.1.50-10.1.1.199
add name=DMZ ranges=10.99.0.150-10.99.3.253
/ip dhcp-server
# One DHCP server per access port. Hotspot leases are 3h, management 1w.
add address-pool=Premium authoritative=after-2sec-delay bootp-support=static \
disabled=no interface=ether3 lease-time=3h name=Premium
add address-pool=Guest authoritative=after-2sec-delay bootp-support=static \
disabled=no interface=ether4 lease-time=3h name=Guest
add address-pool=Management authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=ether2 lease-time=1w name=Management
/ip hotspot
# Captive portal instances bound to the two customer ports; one address per
# MAC, 5 minute idle logout, no keepalive probing.
add address-pool=Guest addresses-per-mac=1 disabled=no idle-timeout=5m \
interface=ether4 keepalive-timeout=none name=Guest profile=Guest
add address-pool=Premium addresses-per-mac=1 disabled=no idle-timeout=5m \
interface=ether3 keepalive-timeout=none name=Premium profile=Premium
/port
# Serial port used by the /system console entry further down.
set 0 baud-rate=115200 data-bits=8 flow-control=none name=serial0 parity=none \
stop-bits=1
/ppp profile
# "default-encryption" is the profile both the PPTP and L2TP servers below use
# (default-profile=default-encryption); use-encryption=yes makes encryption
# mandatory on those links. change-tcp-mss=yes clamps MSS for tunnel MTU.
set default change-tcp-mss=yes comment="" name=default only-one=default \
use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
only-one=default use-compression=default use-encryption=yes \
use-vj-compression=default
/queue type
# Built-in queue kinds plus two PCQ types used by the queue tree: pcq-download
# classifies per destination address, pcq-upload per source address.
# pcq-rate=0 means no per-client rate cap inside the queue itself.
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
add kind=pcq name=pcq-download pcq-classifier=dst-address pcq-limit=50 \
pcq-rate=0 pcq-total-limit=2000
add kind=pcq name=pcq-upload pcq-classifier=src-address pcq-limit=50 \
pcq-rate=0 pcq-total-limit=2000
set default-small kind=pfifo name=default-small pfifo-limit=10
/queue tree
# Fair-share queues keyed on the mangle packet marks (guest / premium):
# downloads hang off the customer ports, uploads off ether1. With max-limit=0
# and pcq-rate=0 these only share bandwidth; the actual caps come from the
# hotspot profile and user-profile rate-limit values.
# Style: names mix "guest_down"/"premium_up" with "premium-down".
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=guest_down packet-mark=guest parent=ether4 priority=8 \
queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=premium-down packet-mark=premium parent=ether3 priority=\
8 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=premium_up packet-mark=premium parent=ether1 priority=8 \
queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=guest_up packet-mark=guest parent=ether1 priority=8 \
queue=pcq-upload
/routing bgp instance
# Default BGP instance; no peers or networks appear in this export and
# router-id is 0.0.0.0, so it is presumably inactive.
set default as=65530 client-to-client-reflection=yes comment="" disabled=no \
ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
redistribute-static=no router-id=0.0.0.0
/routing ospf area
# Default backbone area, no authentication; no OSPF interfaces or networks
# are present in this export.
set backbone area-id=0.0.0.0 authentication=none disabled=no name=backbone \
type=default
/system logging action
# Log sinks. "remote" and "sendToProxylizer" are plain syslog over UDP to two
# hosts on the management /23 (bsd-syslog=no = RouterOS framing).
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=5 disk-file-name=log disk-lines-per-file=1000 \
disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=no name=remote remote=10.1.0.204:514 src-address=\
0.0.0.0 syslog-facility=daemon syslog-severity=auto target=remote
# NOTE(review): FirewallHits keeps only 5 x 1000 lines. The input chain logs
# every packet that reaches its final drop twice (two log rules), so this
# file wraps fast; raise the retention or remove the duplicate log rule.
add disk-file-count=5 disk-file-name=FirewallHits disk-lines-per-file=1000 \
disk-stop-on-full=no name=FirewallHits target=disk
add bsd-syslog=no name=sendToProxylizer remote=10.1.0.205:514 src-address=\
0.0.0.0 syslog-facility=daemon syslog-severity=auto target=remote
# Hotspot session audit trail on the CF card: 100 files x 10000 lines.
add disk-file-count=100 disk-file-name=CF1/Hotspot disk-lines-per-file=10000 \
disk-stop-on-full=no name=Hotspot target=disk
/user group
# NOTE(review): the "read" group is not read-only — its policy still grants
# reboot, sniff (packet capture) and sensitive (view secrets). Trim it to
# read,winbox,web,ssh if the "user" account is meant to be look-only.
add comment="" name=read policy="local,telnet,ssh,reboot,read,test,winbox,pass\
word,web,sniff,sensitive,!ftp,!write,!policy"
add comment="" name=write policy="local,telnet,ssh,reboot,read,write,test,winb\
ox,password,web,sniff,sensitive,!ftp,!policy"
add comment="" name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy\
,test,winbox,password,web,sniff,sensitive"
/user
# Both logins are bound to the management /23 (address=), which is good;
# "admin" is the stock full-rights account.
add address=10.1.0.0/23 comment="system default user" disabled=no group=full \
name=admin
add address=10.1.0.0/23 comment="" disabled=no group=read name=user
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
no
/interface ethernet mirror
set
/interface l2tp-server server
# NOTE(review): the L2TP server is enabled and accepts pap (clear-text
# password), chap and mschap1 besides mschap2, with no IPsec binding visible
# in this export. Limiting authentication to mschap2 is the minimal
# hardening; udp/1701 is reachable only via the input chain's "Allow UDP"
# rule, i.e. from 10.0.0.0/8.
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
# Disabled; no certificate configured.
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
default enabled=no keepalive-timeout=60 mac-address=FE:E3:CD:24:6D:CC \
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
# NOTE(review): this is the router's own PPTP server (not the pass-through
# helper the thread is about). It is enabled with the same pap/chap/mschap1
# list, and the input chain accepts tcp/1723 and GRE from any source, so it
# is exposed toward ether1 as well. Restrict to mschap2 at least.
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=\
1460 mrru=disabled
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
# ether1 carries a private 192.168.2.2/24 toward the upstream (gateway
# 192.168.2.3 below) — i.e. this box is itself behind another NAT/load
# balancer, the double-NAT situation raised in the replies.
add address=10.1.0.1/23 broadcast=10.1.1.255 comment="" disabled=no \
interface=ether2 network=10.1.0.0
add address=10.10.0.1/22 broadcast=10.10.3.255 comment="" disabled=no \
interface=ether3 network=10.10.0.0
add address=10.20.0.1/22 broadcast=10.20.3.255 comment="" disabled=no \
interface=ether4 network=10.20.0.0
add address=192.168.2.2/24 broadcast=192.168.2.255 comment="" disabled=no \
interface=ether1 network=192.168.2.0
/ip dhcp-client
# Disabled; ether1 is statically addressed.
add add-default-route=yes comment="" default-route-distance=0 disabled=yes \
interface=ether1
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
# Per-subnet DHCP parameters; the router is DNS and NTP for every subnet.
add address=10.1.0.0/23 comment=Management dns-server=10.1.0.1 domain=\
local gateway=10.1.0.1 ntp-server=10.1.0.1
# Premium gets the SIP_P option (10.10.0.3) and an empty domain.
add address=10.10.0.0/22 comment=Premium dhcp-option=SIP_P dns-server=\
10.10.0.1 domain= gateway=10.10.0.1 ntp-server=10.10.0.1
add address=10.20.0.0/22 comment=Guest dns-server=10.20.0.1 domain=\
local gateway=10.20.0.1 ntp-server=10.20.0.1
# NOTE(review): 10.99.0.0/22 has no matching interface address or dhcp-server
# in this export (see the DMZ pool); presumably stale.
add address=10.99.0.0/22 comment=DMZ dns-server=10.99.0.1 domain=\
local gateway=10.99.0.1 ntp-server=10.99.0.1
/ip dns
# Caching resolver forwarding to OpenDNS. allow-remote-requests=yes answers
# any source the firewall admits; the input chain accepts udp/53 only from
# 10.0.0.0/8 (both via "Allow UDP" and the services rule) and ends in a drop,
# so this is not an open resolver toward ether1 as long as that ordering holds.
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 primary-dns=208.67.222.222 secondary-dns=\
208.67.220.220
/ip firewall address-list
# "DMZ" here is the upstream 192.168.2.0/24, used only to exempt it from the
# transparent-proxy redirect in /ip firewall nat.
add address=192.168.2.0/24 comment="" disabled=no list=DMZ
/ip firewall connection tracking
# Values the original poster later confirms are the defaults.
# NOTE(review): relevant to the thread — GRE carries no port numbers, so a
# GRE flow the pptp helper does not claim is tracked under generic-timeout
# (10m) and presumably distinguished only by addresses; two clients reaching
# the same PPTP server through one masqueraded address is therefore the case
# the helper must handle. Compare `/ip firewall connection print` with one
# and with two tunnels up before changing any of these timers.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Placeholder marking where the hotspot's dynamic chains are spliced in.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="Allow Established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" \
connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid disabled=no
# NOTE(review): accepts *any* UDP to the router from all of 10.0.0.0/8 — both
# hotspot subnets included — ahead of the per-service rules, which makes the
# narrower UDP accepts in chain "services" (DNS, NTP, DHCP, 20561) redundant
# for those sources. Tighten to the ports actually needed.
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp \
src-address=10.0.0.0/8
add action=accept chain=input comment="Allow limited pings" disabled=no \
limit=50/5s,2 protocol=icmp src-address=0.0.0.0/0
# NOTE(review): every ICMP packet not accepted by the limit above is dropped
# here, so "Drop pings external" just below, the "jump to chain ICMP" rule
# and the whole ICMP chain are unreachable. Delete them, or move the jump
# above this drop if the per-type limits are wanted.
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=\
icmp
add action=drop chain=input comment="Drop pings external" disabled=no \
protocol=icmp
# NOTE(review): matches dst-port 222, but /ip service has ssh on port 22.
# SSH from the management /23 works only because the generic "known network"
# accept two rules down admits everything from 10.1.0.0/23.
add action=accept chain=input comment="SSH for secure shell" disabled=no \
dst-port=222 protocol=tcp src-address=10.1.0.0/23
add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
protocol=tcp src-address=10.1.0.0/23
add action=accept chain=input comment=\
"Allow access to router from known network" disabled=no src-address=\
10.1.0.0/23
# Port-scan detection drops silently: it neither logs nor feeds black_list,
# so scans never show up in FirewallHits.
add action=drop chain=input comment="detect and drop port scan connections" \
disabled=no protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 disabled=no protocol=tcp src-address-list=black_list
# NOTE(review): any source not accepted earlier — i.e. every hotspot client —
# holding more than 10 TCP connections to the router (port 8080 excepted) is
# blacklisted for a day and tarpitted. Depending on where the dynamic hotspot
# rules land, a client busy on the login/HTTPS ports may trip this; check
# /ip firewall address-list black_list when users report the portal vanishing.
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="detect DoS attack" \
connection-limit=10,32 disabled=no dst-port=!8080 protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" disabled=no \
jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" disabled=no \
jump-target=services
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=no \
dst-address-type=broadcast
# NOTE(review): both log rules fire for every packet reaching the final drop;
# the bare "Filter:" one is redundant and doubles FirewallHits volume.
add action=log chain=input comment="" disabled=no log-prefix=Filter:
add action=log chain=input comment="Log everything else" disabled=no \
log-prefix="DROP INPUT"
add action=drop chain=input comment="drop everything else" disabled=no
# ---- chain ICMP: per-type rate limits; unreachable as ordered (see above) ----
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no \
icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no \
icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no \
icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no \
icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no \
protocol=icmp
# ---- chain services: accepts for services hosted on the router ----
add action=accept chain=services comment="accept localhost" disabled=no \
dst-address=127.0.0.1 src-address=127.0.0.1
# NOTE(review): MAC-winbox (udp/20561) has no src-address restriction and
# /tool mac-server runs on interface=all, so the MAC-level management channel
# is also offered on ether1. Limit both to the management port.
add action=accept chain=services comment="allow MACwinbox " disabled=no \
dst-port=20561 protocol=udp
add action=accept chain=services comment="Bandwidth server" disabled=no \
dst-port=2000 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=services comment=" MT Discovery Protocol" disabled=\
yes dst-port=5678 protocol=udp
add action=accept chain=services comment="allow SNMP" disabled=yes dst-port=\
161 protocol=tcp
add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=\
179 protocol=tcp
add action=accept chain=services comment="allow BGP" disabled=yes dst-port=\
5000-5100 protocol=udp
add action=accept chain=services comment="allow NTP" disabled=no dst-port=123 \
protocol=udp src-address=10.0.0.0/8
# NOTE(review): tcp/1723 and GRE are accepted from any source, exposing the
# enabled PPTP server (pap/chap/mschap1 permitted) on the ether1 side. These
# rules only concern tunnels terminated *on* this router; the pass-through
# problem in the thread is governed by the forward chain, the masquerade rule
# and the pptp service-port helper, not by these.
add action=accept chain=services comment="allow PPTP" disabled=no dst-port=\
1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=no \
protocol=gre
add action=accept chain=services comment="allow DNS request" disabled=no \
dst-port=53 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=services comment="allow DNS request" disabled=no \
dst-port=53 protocol=udp src-address=10.0.0.0/8
add action=accept chain=services comment=UPnP disabled=yes dst-port=1900 \
protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=2828 \
protocol=tcp
# DHCP is correctly refused on the upstream port (in-interface=!ether1).
add action=accept chain=services comment="allow DHCP" disabled=no dst-port=\
67-68 in-interface=!ether1 protocol=udp
# This rule is what keeps the enabled web proxy on 8080 from being open to
# the upstream side; keep the src-address restriction.
add action=accept chain=services comment="allow Web Proxy" disabled=no \
dst-port=8080 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=services comment="allow IPIP" disabled=yes protocol=\
ipencap
add action=accept chain=services comment="allow https for Hotspot" disabled=\
no dst-port=443 protocol=tcp src-address=10.0.0.0/8
# /ip socks is disabled, so this accept is currently unused.
add action=accept chain=services comment="allow Socks for Hotspot" disabled=\
no dst-port=1080 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=services comment="allow IPSec connections" disabled=\
yes dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=\
ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=\
ipsec-ah
add action=accept chain=services comment="allow RIP" disabled=yes dst-port=\
520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=yes protocol=\
ospf
add action=return chain=services comment="" disabled=no
# ---- forward chain: traffic passing through the router ----
# NOTE(review): unlike input, there is no established/related accept and no
# invalid drop here (the reply in this thread makes the same point), so every
# packet walks the whole list; and there is no final drop, so anything not
# matched below is forwarded. Nothing in this chain matches GRE or tcp/1723,
# so a second client's PPTP tunnel is not blocked by the filter — look at
# connection tracking and the pptp helper instead.
add action=drop chain=forward comment="block p2p" disabled=no p2p=all-p2p
add action=accept chain=forward comment="" disabled=no dst-address=10.20.0.10 \
src-address=0.0.0.0/0
add action=accept chain=forward comment="" disabled=no dst-address=0.0.0.0/0 \
src-address=10.1.0.0/23
add action=accept chain=forward comment="" disabled=no dst-address=10.1.1.244 \
src-address=10.10.0.0/22
# Static Premium hosts (.2-.49, below the DHCP pool) may reach management.
add action=accept chain=forward comment="" disabled=no dst-address=\
10.1.0.0/23 src-address=10.10.0.2-10.10.0.49
add action=drop chain=forward comment="" disabled=no dst-address=10.1.0.0/23 \
src-address=10.10.0.0/22
add action=drop chain=forward comment="" disabled=no dst-address=10.1.0.0/23 \
src-address=10.20.0.0/22
# NOTE(review): the DMZ pool and dhcp-server network are 10.99.0.0/22, but
# this drop covers only 10.99.0.0/24, so DMZ leases in 10.99.1.0-10.99.3.255
# would still reach the management /23 (forward has no final drop).
add action=drop chain=forward comment="" disabled=no dst-address=10.1.0.0/23 \
src-address=10.99.0.0/24
/ip firewall mangle
# Marks forwarded traffic per customer subnet for the queue tree: the
# connection mark is set from the client's source address, then every packet
# of that connection (both directions) gets the matching packet mark.
add action=mark-connection chain=forward comment="Guest mark connection" \
disabled=no new-connection-mark=guest_con passthrough=yes src-address=\
10.20.0.0/22
add action=mark-packet chain=forward comment="Guest mark packet" \
connection-mark=guest_con disabled=no new-packet-mark=guest passthrough=\
yes
add action=mark-connection chain=forward comment="Premium mark connection" \
disabled=no new-connection-mark=premium_con passthrough=yes src-address=\
10.10.0.0/22
add action=mark-packet chain=forward comment="Premium mark packet" \
connection-mark=premium_con disabled=no new-packet-mark=premium \
passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# NOTE(review): one masquerade for all of 10.0.0.0/8 out of ether1, so every
# VPN client from any subnet is hidden behind ether1's single (and itself
# private) address 192.168.2.2. The reply in this thread says the pptp
# service-port helper keeps concurrent tunnels to one server apart; whether
# it does here cannot be told from the export — compare the connection
# entries of two clients while both are up.
add action=masquerade chain=srcnat comment="main NAT" disabled=no \
out-interface=ether1 src-address=10.0.0.0/8
# All TCP/80 from 10.0.0.0/8 (management hosts included) is redirected into
# the local proxy, except destinations on the DMZ list (192.168.2.0/24).
add action=redirect chain=dstnat comment="transparent proxy" disabled=no \
dst-address-list=!DMZ dst-port=80 protocol=tcp src-address=10.0.0.0/8 \
to-ports=8080
# DNS is forced to the router only for Guest (10.20/22) and Premium
# (10.10/22); management and the DMZ range are not covered.
add action=dst-nat chain=dstnat comment="force DNS to local" disabled=no \
dst-port=53 protocol=tcp src-address=10.20.0.0/22 to-addresses=10.20.0.1 \
to-ports=53
add action=dst-nat chain=dstnat comment="force DNS to local" disabled=no \
dst-port=53 protocol=udp src-address=10.20.0.0/22 to-addresses=10.20.0.1 \
to-ports=53
add action=dst-nat chain=dstnat comment="force DNS to local" disabled=no \
dst-port=53 protocol=tcp src-address=10.10.0.0/22 to-addresses=10.10.0.1 \
to-ports=53
add action=dst-nat chain=dstnat comment="force DNS to local" disabled=no \
dst-port=53 protocol=udp src-address=10.10.0.0/22 to-addresses=10.10.0.1 \
to-ports=53
# NOTE(review): udp/4569 arriving on ether1 is forwarded to 10.10.0.2 (a
# static Premium host); the forward chain's lack of a final drop is what lets
# it through. Any source on the upstream side can reach that IAX service.
add action=dst-nat chain=dstnat comment="port forward IAX" disabled=no \
dst-port=4569 in-interface=ether1 protocol=udp to-addresses=10.10.0.2 \
to-ports=4569
/ip firewall service-port
# Connection-tracking helpers (ALGs). The pptp entry is the helper the thread
# is about: with it enabled the router is expected to track each client's
# GRE flow alongside its tcp/1723 control connection, which is what lets more
# than one client behind the masquerade reach the same PPTP server. It is the
# first thing to check when only the first tunnel survives.
# NOTE(review): the sip/h323 helpers rewrite VoIP payloads and are a frequent
# cause of trouble behind NAT; disable any helper that is not needed.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no ports=1723
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot walled-garden
# Destinations reachable over HTTP before hotspot login.
add action=allow comment="place hotspot rules here" disabled=yes
# NOTE(review): this entry and the three unnamed ones further down carry no
# dst-host/dst-port/path in the export. If they really have no match
# criteria they allow every HTTP request through without login, which would
# defeat the captive portal; verify with `print detail` on the live router
# and delete or narrow them.
add action=allow comment="events IP redirect" disabled=no
add action=allow comment="" disabled=no dst-host=www.paypal.com
add action=allow comment="" disabled=no dst-host=www.paypalobjects.com \
dst-port=443
# NOTE(review): dst-host is a host-name pattern; a value starting with
# "http://" presumably never matches a request's Host header, so these two
# entries are likely dead.
add action=allow comment="" disabled=no dst-host=\
http://www.paypalobjects.com.edgekey.net
add action=allow comment="" disabled=no dst-host=\
http://www.paypalobjects.com.akadns.net
add action=allow comment="" disabled=no dst-host=www.southamptonboatshow.com
add action=allow comment=Paypal disabled=no dst-host=altfarm.mediaplex.com
add action=allow comment="" disabled=no dst-host=msenta.galatheasts.com
add action=allow comment="" disabled=no dst-host=webmail.seatem.net
add action=allow comment="" disabled=no dst-host=\
mail.emea.microsoftonline.com
# NOTE(review): three entries with no criteria at all — see the note above.
add action=allow comment="" disabled=no
add action=allow comment="" disabled=no
add action=allow comment="" disabled=no
# msenta.galatheasts.com appears four times (twice with dst-port=443);
# duplicates are harmless but hide intent — collapse them.
add action=allow comment="" disabled=no dst-host=msenta.galatheasts.com \
dst-port=443
add action=allow comment="" disabled=no dst-host=msenta.galatheasts.com
add action=allow comment="" disabled=no dst-host=msenta.galatheasts.com \
dst-port=443
add action=allow comment="" disabled=no dst-host=www.adobe.com
/ip hotspot walled-garden ip
# Pre-login reachability by IP: payment-provider addresses and Server1 on
# the Premium subnet. The disabled entries look like leftovers.
add action=accept comment="Paypal / Paypalobjects" disabled=no dst-address=\
66.211.169.2
add action=accept comment="Paypal / Paypalobjects" disabled=no dst-address=\
66.211.169.65
add action=accept comment="Paypal / Paypalobjects" disabled=no dst-address=\
64.4.241.33
add action=accept comment="Paypal / Paypalobjects" disabled=no dst-address=\
64.4.241.49
add action=accept comment="Paypal / Paypalobjects" disabled=no dst-address=\
88.221.160.146
add action=accept comment=Server1 disabled=no dst-address=10.10.0.11
add action=accept comment=Seatem disabled=yes dst-address=87.84.223.133
add action=accept comment="" disabled=yes dst-address=217.33.145.197
add action=accept comment="" disabled=yes dst-address=217.33.145.194
add action=accept comment="" disabled=yes dst-address=90.152.2.10
/ip neighbor discovery
# NOTE(review): neighbor discovery is on for ether1 as well, so the router
# advertises its identity and version toward the ISP side (and to hotspot
# clients on ether3/ether4). Set discover=no on ether1 at least.
set ether1 discover=yes
set ether2 discover=yes
set ether3 discover=yes
set ether4 discover=yes
/ip proxy
# Web proxy on 8080 with a ~6 GB on-disk cache. No /ip proxy access rules
# appear in this export, so the only thing keeping it from being an open
# proxy is the input-chain rule that accepts 8080 solely from 10.0.0.0/8.
set always-from-cache=no cache-administrator=cachemaster \
cache-hit-dscp=4 cache-on-disk=yes enabled=yes max-cache-size=6114000KiB \
max-client-connections=1000 max-fresh-time=1d3d serialize-connections=\
no src-address=0.0.0.0
/ip route
# Default route via the upstream device on the ether1 subnet.
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.2.3 scope=30 target-scope=10
/ip service
# NOTE(review): telnet and ftp are clear-text and both enabled, though bound
# to the management /23; disable them if ssh/winbox suffice. ssh is on 22
# while the firewall's "SSH" rule expects 222. www is on 800 (management
# only); www-ssl and api are disabled.
set telnet address=10.1.0.0/23 disabled=no port=23
set ftp address=10.1.0.0/23 disabled=no port=21
set www address=10.1.0.0/23 disabled=no port=800
set ssh address=10.1.0.0/23 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=10.1.0.0/23 disabled=no port=8291
/ip socks
# Disabled; the input rule accepting 1080 "for Hotspot" is currently unused.
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
# NOTE(review): NetFlow export is enabled on all interfaces, but no target
# appears in this export — confirm where per-client flow records are sent.
set active-flow-timeout=30m cache-entries=4k enabled=yes \
inactive-flow-timeout=15s interfaces=all
/ip upnp
# Disabled (the UPnP accepts in chain services are disabled too).
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/ppp aaa
# use-radius=no: PPP (PPTP/L2TP) logins are checked locally, not against the
# RADIUS entry below.
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
/radius
# Hotspot authentication goes to the built-in User Manager over loopback
# (127.0.0.1), 300ms timeout. The shared secret is not part of this export.
add accounting-backup=no accounting-port=1813 address=127.0.0.1 \
authentication-port=1812 called-id="" comment="" disabled=no domain="" \
realm="" service=hotspot timeout=300ms
/radius incoming
# accept=no: the RADIUS server cannot push disconnect/CoA requests (3799).
set accept=no port=3799
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
0.0.0.0 timeout=1m ttl=50
/routing ospf
# OSPF instance defaults; router-id 0.0.0.0, nothing redistributed.
set distribute-default=never metric-bgp=20 metric-connected=20 \
metric-default=1 metric-rip=20 metric-static=20 mpls-te-area=unspecified \
mpls-te-router-id=unspecified redistribute-bgp=no redistribute-connected=\
no redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing pim
set switch-to-spt=no switch-to-spt-bytes=0 switch-to-spt-interval=0s
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no \
timeout-timer=3m update-timer=30s
/store
# User Manager database and proxy cache live on the CF1 card.
add comment="" disabled=no disk=CF1 name=user-manager2 type=user-manager
add comment="" disabled=no disk=CF1 name=web-proxy2 type=web-proxy
/system clock
set time-zone-name=Europe/London
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system console
# Serial console on serial0 is enabled — see the routerboard settings note.
add disabled=no port=serial0 term=vt102
/system health
set fan-mode=auto use-fan=main
/system identity
set name=RB1000pri
/system logging
# Topic -> action map. error/warning are written three times (memory, disk,
# remote); firewall goes only to the FirewallHits file and is excluded from
# the disk "info" action; hotspot has its own file; proxy logs go to the
# sendToProxylizer syslog host.
add action=sendToProxylizer disabled=no prefix="" topics=web-proxy,!debug
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=disk disabled=no prefix="" topics=info,!firewall
add action=echo disabled=no prefix="" topics=critical
add action=disk disabled=no prefix="" topics=error
add action=disk disabled=no prefix="" topics=warning
add action=memory disabled=no prefix="" topics=info
add action=FirewallHits disabled=no prefix="" topics=firewall
add action=remote disabled=no prefix="" topics=error
add action=remote disabled=no prefix="" topics=warning
add action=remote disabled=no prefix="" topics=critical
add action=Hotspot disabled=no prefix="" topics=hotspot
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=194.238.48.2 secondary-ntp=\
82.219.4.30
/system ntp server
# NTP server enabled (manycast); the input chain admits udp/123 only from
# 10.0.0.0/8.
set broadcast=no enabled=yes manycast=yes multicast=no
/system routerboard settings
# NOTE(review): enable-jumper-reset=yes and enter-setup-on=any-key mean
# anyone with physical or serial access can reset the board or enter the
# boot setup; acceptable only if the unit is physically secured at events.
set baud-rate=115200 boot-delay=2s boot-device=nand-only boot-protocol=bootp \
enable-jumper-reset=yes enter-setup-on=any-key force-backup-booter=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
# Reboots on internal failure and writes a supout file automatically.
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
none watchdog-timer=yes
/tool bandwidth-server
# Enabled with authentication; tcp/2000 is accepted only from 10.0.0.0/8 and
# the UDP test ports from 2000 up ride on the input chain's "Allow UDP" rule.
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
100
/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
# NOTE(review): allow-address=10.1.0.0/24 covers only half of the management
# /23 used everywhere else.
add allow-address=10.1.0.0/24 disabled=no interface=all store-on-disk=yes
/tool mac-server
# NOTE(review): MAC-telnet/MAC-winbox on interface=all includes the ISP port
# and both hotspot ports. Restrict to ether2, and narrow the udp/20561 input
# rule to match.
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no
/tool sniffer
# Packet-sniffer filter settings (all addresses, IP only, memory-limit=10);
# whether a capture is running is not recorded in an export.
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=\
yes interface=all memory-limit=10 only-headers=no streaming-enabled=no \
streaming-server=0.0.0.0
/tool user-manager credit
# Prepaid credit types sold through User Manager.
# NOTE(review): "ExhibitorHour" carries time=1d, the same as GuestDay;
# presumably a typo in either the name or the duration.
add comment="" extend-price=unavailable full-price=250 name=GuestHour \
subscriber=admin time=1h
add comment="" extend-price=unavailable full-price=600 name=ExhibitorHour \
subscriber=admin time=1d
add comment="" extend-price=unavailable full-price=1000 name=GuestDay \
subscriber=admin time=1d
/tool user-manager customer
add comment="" disabled=no login=admin parent=admin paypal-accept-pending=no \
paypal-allowed=no paypal-secure-response=no permissions=owner \
signup-allowed=no subscriber=admin time-zone=+00:00
/tool user-manager router
# NOTE(review): shared-secret=123456 is a weak RADIUS secret and is now
# public in this post. It only protects the loopback path between the hotspot
# and the built-in User Manager, but rotate it to a random value anyway.
add comment="" disabled=no ip-address=127.0.0.1 log=\
auth-ok,auth-fail,acct-ok,acct-fail name=localhost shared-secret=123456 \
subscriber=admin
/user aaa
# Router logins are local (use-radius=no); new accounts default to "read".
set accounting=yes default-group=read interim-update=0s use-radius=no
Last edited by sterb on Fri Feb 18, 2011 3:59 pm, edited 1 time in total.
 
jherrick
just joined
Posts: 20
Joined: Fri Aug 07, 2009 3:39 am

Re: Intermittent multiple VPN connections from behind NAT

Tue Sep 22, 2009 2:59 am

Maybe a way to add vpn destination ip to list, and if it matches another vpn connection push the tunnel out a different ip address with a mangle rule somehow?

Somewhat similar to the iNAT function of nomadix:

iNAT is important to public access network operators and venue owners because it allows two employees from the same company to access the same VPN termination server at the same time (e.g. at night from their respective hotel rooms). Without iNAT, the VPN server at their corporation will “see” two tunnels originating from the same IP address (the IP address of the venue’s router) and would not connect them due to a potential security breach. Therefore, one or both users would not be allowed to connect back to their corporate resources creating an unsatisfactory user experience, which can result in costly customer support calls for the public access network operator.
 
changeip
Forum Guru
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: Intermittent multiple VPN connections from behind NAT

Tue Sep 22, 2009 6:01 am

You are using private IPs on your interfaces; does this mean you're getting NATted a second time before the internet? Double NAT and VPNs definitely don't play well.

The PPTP helper service will allow many PPTP tunnels to come up without problems, but that's assuming there isn't another NAT device downstream.

You have established/related rules on the input chain, but not on the forward chain. You should have those also on forward before any of the other rules.
/ip firewall connection tracking
# (quoted from the export above; the original poster confirms further down
# that these are the default values)
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
Are those 5s/10s timeouts the default? They seem short for some reason.
 
sterb
newbie
Topic Author
Posts: 28
Joined: Mon Dec 01, 2008 7:29 pm

Re: Intermittent multiple VPN connections from behind NAT

Tue Sep 22, 2009 6:22 pm

@jherrick
I only have one IP way out unfortunately... the way you explain it would mean, though, that this problem should also happen through a basic NAT, i.e. a basic Netgear router?

@changeip
In this case there was a load balancer upstream but I see the same problem when the ISP facing interface has a public IP, i.e. single NAT.
The connection tracking settings are default. Any idea how the tracker affects the traffic? Could the issue be related, as in the OS struggling to track multiple VPN tunnels, so would turning it off help?

I will add the rule to the forward and see if that makes a difference.

As you're on :D I use the changeip script successfully and believe there was an automatic update to OpenDNS in the pipeline?

Thanks for your help...