Hello everyone. Using the MikroTik Wiki plus other online sources, I setup a PPTP VPN connection that includes a pool of VPN IPs. I am able to connect to the tunnel but can only access the MikroTik itself. I found an older thread with similar issues but don't quite understand the fix he posted.

I don't do much in the Terminal so I posted my personal notes then printed the output. Any help would be greatly appreciated.

MikroTik LAN IP: 192.168.25.1
LAN DHCP: 192.168.25.100-200

1. IP > Pool > Add New
Name: PPTP-pool
Addresses: 192.168.25.90-192.168.25.99

/ip pool print
# NAME RANGES
0 default-dhcp 192.168.25.100-192.168.25.200
1 PPTP-pool 192.168.25.90-192.168.25.99


2. PPP > Profiles > Add New
Name: PPTP-profile
Local Address: 192.168.25.1
Remote Address: PPTP-pool
Use IPv6: No
Use Encryption: Yes

/ppp profile print detail
0 * name="default" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default
use-compression=default use-vj-compression=default use-encryption=default
only-one=default change-tcp-mss=yes address-list=""

1 name="PPTP-profile" local-address=192.168.25.1 remote-address=PPTP-pool
remote-ipv6-prefix-pool=*0 use-ipv6=no use-mpls=default
use-compression=default use-vj-compression=default use-encryption=yes
only-one=default change-tcp-mss=default address-list=""

2 * name="default-encryption" remote-ipv6-prefix-pool=none use-ipv6=yes
use-mpls=default use-compression=default use-vj-compression=default
use-encryption=yes only-one=default change-tcp-mss=yes address-list=""


3. PPP > Secrets > Add New
Name: username
Password: password
Service: pptp
Profile: PPTP-profile

/ppp secret print detail
0 name="username" service=pptp caller-id="" password="password"
profile=PPTP-profile routes="" limit-bytes-in=0 limit-bytes-out=0


4. PPP > Interface > PPTP Server
Enabled: Yes
Max MTU: 1460
Max MRU: 1460
Default Profile: PPTP-profile
Only check mschap2

/interface pptp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: PPTP-profile


5. Firewall > Filter Rules > Add New
Chain: input
Protocol: 6 (tcp)
Dst. Port: 1723
Comment: PPTP configuration
Drag the new config to the top of the list (under the Protocol: 1 (icmp) rule)

6. Firewall > Filter Rules > Add New
Chain: input
Protocol: gre
Drag under the Port 1723 rule

/ip firewall filter print detail
0 ;;; default configuration
chain=input action=accept protocol=icmp in-interface=!ether1-gateway
log=no log-prefix=""

1 ;;; PPTP configuration
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""

2 chain=input action=accept protocol=gre log=no log-prefix=""

3 ;;; default configuration
chain=input action=accept connection-state=established log=no
log-prefix=""

4 ;;; default configuration
chain=input action=accept connection-state=related log=no log-prefix=""

5 ;;; default configuration
chain=input action=drop in-interface=sfp1-gateway log=no log-prefix=""

6 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""


7. Interfaces > ether2
ARP: proxy-arp

/interface ethernet print
# NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
0 R ether1-g... 1500 D4:CA:6D:1C:85:F8 enabled none switch1
1 RS ether2 1500 D4:CA:6D:1C:85:F9 proxy-arp none switch1
2 S ether3 1500 D4:CA:6D:1C:85:FA enabled none switch1
3 S ether4 1500 D4:CA:6D:1C:85:FB enabled none switch1
4 S ether5 1500 D4:CA:6D:1C:85:FC enabled none switch1
5 S ether6-m... 1500 D4:CA:6D:1C:85:FD enabled none switch2
6 S ether7-s... 1500 D4:CA:6D:1C:85:FE enabled ether6-master... switch2
7 S ether8-s... 1500 D4:CA:6D:1C:85:FF enabled ether6-master... switch2
8 S ether9-s... 1500 D4:CA:6D:1C:86:00 enabled ether6-master... switch2
9 S ether10-... 1500 D4:CA:6D:1C:86:01 enabled ether6-master... switch2
10 sfp1-gat... 1500 D4:CA:6D:1C:85:F7 enabled none switch1

8. The IP settings of my workstation after connecting:
IP: 192.168.25.98
SUB: 255.255.255.255
DNS1: 192.168.25.1
DNS2: 97.64.183.164 (My ISP)

Try to make masquarade rule like on the picture.

Thank you, BartoszP! That solved it. I can see everything in the network now.

Here are my updated, unorthodox notes plus printouts. Hopefully they help someone in the future:

Example:
MikroTik LAN IP: 192.168.25.1
LAN DHCP: 192.168.25.100-200

1. IP > Pool > Add New
Name: PPTP-pool
Addresses: 192.168.25.88/29 (192.168.25.88-95)

/ip pool print
# NAME RANGES
0 default-dhcp 192.168.25.100-192.168.25.200
1 PPTP-pool 192.168.25.88/29


2. PPP > Profiles > Add New
Name: PPTP-profile
Local Address: 192.168.25.1
Remote Address: PPTP-pool
Use IPv6: No
Use Encryption: Yes
DNS: 8.8.8.8

/ppp profile print detail
1 name="PPTP-profile" local-address=192.168.25.1 remote-address=PPTP-pool
remote-ipv6-prefix-pool=*0 use-ipv6=no use-mpls=default
use-compression=default use-vj-compression=default use-encryption=yes
only-one=default change-tcp-mss=default address-list="" dns-server=8.8.8.8


3. PPP > Secrets > Add New
Name: username
Password: password
Service: pptp
Profile: PPTP-profile

/ppp secret print detail
0 name="username" service=pptp caller-id="" password="password"
profile=PPTP-profile routes="" limit-bytes-in=0 limit-bytes-out=0


4. PPP > Interface > PPTP Server
Enabled: Yes
Max MTU: 1460
Max MRU: 1460
Default Profile: PPTP-profile
Only check mschap2

/interface pptp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: PPTP-profile


5. Firewall > Filter Rules > Add New
Chain: input
Protocol: 6 (tcp)
Dst. Port: 1723
Comment: PPTP configuration
Drag the new rule to the top of the list (under the Protocol: 1 (icmp) rule)

6. Firewall > Filter Rules > Add New
Chain: input
Protocol: gre
Drag under the Port 1723 rule

/ip firewall filter print detail
0 ;;; default configuration
chain=input action=accept protocol=icmp in-interface=!ether1-gateway
log=no log-prefix=""
1 ;;; PPTP configuration
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
2 chain=input action=accept protocol=gre log=no log-prefix=""


7. Set up proxy-arp on the local interface.
Interfaces > ether2
ARP: proxy-arp

/interface ethernet print
# NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
0 R ether1-g... 1500 D4:CA:6D:1C:85:F8 enabled none switch1
1 RS ether2 1500 D4:CA:6D:1C:85:F9 proxy-arp none switch1


8. IP > Firewall > NAT > Add rule
Chain: srcnat
Src. Address: 192.168.25.88/29
Dst. Address: !192.168.25.88/29
Action: masquerade
Comment: PPTP NAT Rule

/ip firewall nat print detail
34 ;;; PPTP NAT Rule
chain=srcnat action=masquerade src-address=192.168.25.88/29
dst-address=!192.168.25.88/29 log=no log-prefix=""

I have some trouble, but with L2TP IPsec VPN.
My VPN devices(iPhone or MBA) don't see local network. But internet(web sites, etc) work fine.

1.> ip pool print
# NAME RANGES
0 dhcp 192.168.1.2-192.168.1.50
1 vpn_pool 192.168.1.88/29

2. > ppp profile print
Flags: * - default
1 ;;; VPN L2TP IPsec
name="L2TP" local-address=192.168.1.1 remote-address=vpn_pool
bridge=bridge-local use-mpls=default use-compression=default
use-encryption=default only-one=default change-tcp-mss=yes
address-list="" dns-server=192.168.1.1

3. > ppp secret print detail
Flags: X - disabled
0 ;;; VPN Account -
name="username" service=l2tp caller-id="" password="password"
profile=L2TP routes="" limit-bytes-in=0 limit-bytes-out=0

4. > interface l2tp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: L2TP
use-ipsec: yes
ipsec-secret: password

5. > ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; =====VPN=====
chain=input action=accept connection-state=new protocol=udp dst-address=my IP (ISP) in-interface=WAN
dst-port=500,1701,4500 log=no log-prefix=""

1 chain=input action=accept connection-state=new protocol=ipsec-esp dst-address=my IP (ISP)
in-interface=WAN log=no log-prefix=""

6. > interface ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
0 RS ;;; =====Local Network=====
LAN1-PC 1500 MAC enabled none switch1
1 S LAN2-PS4 1500 MAC enabled LAN1-PC switch1
2 RS LAN3 1500 MAC enabled LAN1-PC switch1
3 RS LAN4 1500 MAC enabled LAN1-PC switch1
4 R ;;; =====Internet=====
WAN 1500 MAC enabled none switch1

7. > ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=WAN log=no log-pr

1 chain=srcnat action=masquerade src-address=192.168.1.88/29 dst-address=!192.168.1.88/29 l
log-prefix=""

8. > ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.1.1/24 network=192.168.1.0 interface=bridge-local actual-interface=bridge-local

1 D address=my IP ISP network=ISP interface=WAN actual-interface=WAN

2 D address=192.168.1.1/32 network=192.168.1.95 interface=<l2tp-vpn> actual-interface=<l2tp-vpn>

9. > ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=ISP gateway-status=ISP reachable via WAN distance=1 scope=30 target-scope=10 vrf-interface=WAN

1 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=bridge-local gateway-status=bridge-local reachable distance=0 scope=10

2 ADC dst-address=192.168.1.95/32 pref-src=192.168.1.1 gateway=<l2tp-vpn> gateway-status=<l2tp-vpn> reachable distance=0 scope=10

3 ADC dst-address=ISP pref-src=ISP gateway=WAN gateway-status=WAN reachable distance=0 scope=10

Internet from iPhone work fine, but no access to local network, can't ping 192.168.1.3 or http://192.168.1.3.
I use arp-proxy for bridge-local and LAN1-PC, but useless.

Please help me ;(

Try to not use nat for local network

/ip firewall nat 
add chain=srcnat src-adress=LAN dst-address=!LAN out-interface=WAN action=masquarade (or src-nat to-address)

I read this thread and still have issues with being able to ping the local network. I cannot see anything beyond the MT ip address. I do not understand the Masquarade post or what i am supposed to do or why this thing worked fine 4 two years and all of a sudden it doesn't

Hello!

I had same problems.
1. But also now I can't ping the vpn client. How to solve it?
(Solved by deactivating firewall on client workstation)
2. I can't "see" windows workstations by it's name (only using IP). Is it posible to solve it?
3. To see workstations of LAN I had to add the rule to firewall:
chain=forward action=accept in-interface=pptp-UserName out-interface=LANBridge
Each new client creates new interface.Do I have to add the rule for each Interface?

Kincaidc and overdriven: Since this post, I have moved on from PPTP to SSTP. I'm also a MikroTik amateur. However, if you will print out your config, I can take a look and try to troubleshoot.

Look through my final post from when I had it working (Post #3). For each step, I documented both using Winbox and Terminal.

Fill in the following information:
Your MikroTik LAN IP:
Your LAN DHCP Range:

Enter the following in terminal and post your results:
/ip pool print
/ppp profile print detail
/ppp secret print detail (change your username to 'username' and your password to 'password')
/interface pptp-server server print
/ip firewall filter print detail (This is for steps 5 & 6)
/interface ethernet print
/ip firewall nat print detail

Hopefully me (or someone more qualified) can help.

Kincaidc and overdriven: Since this post, I have moved on from PPTP to SSTP. I'm also a MikroTik amateur. However, if you will print out your config, I can take a look and try to troubleshoot.

Look through my final post from when I had it working (Post #3). For each step, I documented both using Winbox and Terminal.

Fill in the following information:
Your MikroTik LAN IP:
Your LAN DHCP Range:

Enter the following in terminal and post your results:
/ip pool print
/ppp profile print detail
/ppp secret print detail (change your username to 'username' and your password to 'password')
/interface pptp-server server print
/ip firewall filter print detail (This is for steps 5 & 6)
/interface ethernet print
/ip firewall nat print detail

Hopefully me (or someone more qualified) can help.

hello
i have the same problem too
as you told attach the information
here is the log of my mikrotik
please help to solve my problem too
thanks

Your MikroTik LAN IP:
192.168.0.102

Your LAN DHCP Range:

Lan DHCP Is Set In Windows Server


/ip pool print

# NAME RANGES
0 pool1 172.25.20.1-172.25.20.30
1 pool195 172.26.1.1-172.26.1.100
2 poolremote 197.168.0.150-197.168.0.200
3 dhcp_pool1-wifi 192.168.90.100/30
4 hs-pool-3 192.168.0.1-192.168.0.101
192.168.0.103-192.168.0.254
5 TEST-Pool 192.168.0.0-192.168.0.254


/ppp profile print detail

Flags: * - default
0 * name="default" local-address=172.26.1.200 remote-address=pool195 use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default use-upnp=default address-list="" dns-server=8.8.8.8 on-up="" on-down=""

1 name="profileremote" local-address=94.74.146.178 remote-address=poolremote use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default use-upnp=default address-list="" on-up="" on-down=""

2 * name="default-encryption" local-address=2.2.2.2 remote-address=pool1 use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" dns-server=217.218.155.155,8.8.8.8 on-up=""
on-down=""


/ppp secret print detail (change your username to 'username' and your password to 'password')

[admin@Mikrotik] > /ppp secret print detail
Flags: X - disabled
0 X name="username " service=any caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=jan/01/1970 00:00:00

1 X name="username" service=pptp caller-id="" password="password" profile=profileremote routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=aug/01/2017 10:42:18

2 name="username" service=pptp caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=oct/14/2017 18:12:24

3 name="username" service=any caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=oct/14/2017 15:19:20

4 name="username" service=any caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=aug/13/2017 11:46:08

5 name="username" service=any caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=oct/14/2017 17:16:10

6 name="username" service=any caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=aug/18/2017 09:35:54

/interface pptp-server server print

enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: disabled
default-profile: default


/ip firewall filter print detail (This is for steps 5 & 6)

Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

/interface ethernet print

# NAME MTU ARP MASTER-PORT SWITCH
0 R ether1-MSP 1500 enabled none switch1
1 R ether2 1500 proxy-arp none switch1
2 ether3 1500 enabled none switch1
3 R ether4 1500 enabled none switch1
4 ether5 1500 enabled none switch1
5 ether6 1500 enabled none switch2
6 ether7 1500 enabled none switch2
7 ether8 1500 enabled none switch2
8 ether9 1500 enabled none switch2
9 ether10 1500 enabled none switch2
10 sfp1 1500 enabled none switch1

/ip firewall nat print detail

Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; Internet Access Trough VPN
chain=srcnat action=masquerade src-address=172.26.1.0/24 dst-address=!172.26.1.0/24 log=no log-prefix=""

Try to change to proxy-arp the LAN interface on the VPN server side.

Thanks I've the same problem and I will try it out

Hello,
i have very similar problem. Maybe someone can help me find out what is wrong.
i am able to connect to VPN, but cant access Internet and LAN devices on it. Only Mikrotik local IP is pinging.

My conf:

/ppp profile print detail
name="default" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""
name="pptp-profile" local-address=10.0.10.254 remote-address=pptp-pool remote-ipv6-prefix-pool=*0 use-ipv6=yes use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default use-upnp=default
address-list="" dns-server=10.0.10.254 on-up="" on-down=""
name="default-encryption" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" dns-server=8.8.8.8,8.8.4.4 on-up="" on-down=""

/ppp secret print detail
name="username" service=any caller-id="" password="password" profile=pptp-profile routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=feb/02/2017 02:24:56

/interface pptp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default-encryption

/ip firewall filter print detail
chain=forward action=accept connection-state="" in-interface=ether5 log=no log-prefix=""
chain=forward action=accept in-interface=ether1 log=no log-prefix=""
chain=forward action=accept in-interface=ether3 log=no log-prefix=""
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
chain=input action=accept protocol=gre log=no log-prefix=""
chain=forward action=drop log=no log-prefix=""
chain=input action=drop protocol=icmp in-interface=ether5 icmp-options=8:0-255 log=no log-prefix=""


/interface ethernet print
0 ;;; LAN
ether1 1500 00: proxy-arp none
1 RS ether2 1500 00: proxy-arp ether3 switch1
2 R ether3 1500 00: proxy-arp none switch1
3 ether4 1500 00: proxy-arp none switch1
4 R ;;; WAN
ether5 1500 00:0C:42:8A:71:17 enabled none switch1

/ip firewall nat print detail
chain=srcnat action=masquerade src-address=10.0.10.88/29 dst-address=!10.0.10.88/29 out-interface=ether5 log=no log-prefix=""
chain=srcnat action=masquerade src-address=10.0.10.0/24 log=no log-prefix=""

well try to use proxy then

well try to use proxy then

what do you mean?

any ideas?

I had the same problem, but for me it was quite simple to resolve :

I'm at home and want to connect to office.

The problem is that I have the same IP range in both side, 192.168.1.0/24 at home and the same at office.

So, while connected though VPN, if I try to reach, by exemple, one of our office switch my mac try to reach it on my home office, even if VPN is set to send ALL TRAFFIC to VPN....

for me it's just a range conflict, my mac can't understand on which 192.168.1.0/24 network i ask him to go......

If I connect my mac using a 4G dongle (in 172.0.0.0/24) I'm able to reach all devices in my office network

cheers

Hi,

I had the same problem. I got this to work by putting the VPN on it's own network like below. I'm not that experienced with RouterOs, so this may not be the best way. Hope this helps,

Add IP Pool for L2TP - (called l2tp)
ip/ipool 192.168.99.190-192.168.99.199

Add IP Address
192.168.99.1/24 network 192.168.89.0 on the bridge

On L2TP Profile
configure this to use 192.168.99.2 as its local address, remote is l2tp.

Try to make masquarade rule like on the picture.
L2TP.PNG

Hi, i can't see the image, can you repost the picture again or write the command to create the rule?

Thank u so much!!

Hello

I have a problem, I need to access to a network device web config which is in another city remotely, so I connected a USB 3G modem to my Mikrotik router for internet and then I have connected my network device to the Lan2 of Mikrotik router by setting a nat my network device is connected to the Internet but as 3G modem doesn't support DMZ or port forwarding I can't access to my network device web config page, for solution I have set up a OpenVpn client interface on the router and it connected to the server public server then from office I also connect to the OpenVpn server so now I can have my router and my pc in a same network from office and also I can ping my router through the IP address of OpenVpn interface and even can connect to it with WinBox but the problem is I don't have access to the device which is connected to the Lan2, what could be a solution or a better approach ?

I need to open the web config of my network device which is http on port 80.

Your MikroTik LAN IP: 192.168.20.20 (LAN2)
Your LAN DHCP Range:192.168.20.21 - 192.168.20.22 (LAN2)

/ip pool print
# NAME RANGES
0 dhcp_pool 192.168.20.21-192.168.20.22

/ppp profile print detail
1 name="OVPN-client" use-mpls=no use-compression=no use-encryption=required only-one=default change-tcp-mss=yes use-upnp=default
address-list="" on-up="" on-down=""

/interface ovpn-client print
Flags: X - disabled, R - running
0 R name="OPENVPN" mac-address=FE:14:B2:5E:B4:33 max-mtu=1500 connect-to=x.x.xx port=434 mode=ip user="user"
password="pass" profile=OVPN-client certificate=client.crt_0 verify-server-certificate=no auth=sha1 cipher=blowfish128
add-default-route=yes

/ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; allow established connections
chain=forward connection-state=established

1 ;;; allow related connections
chain=forward connection-state=related

2 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid

/interface ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP SWITCH
0 R LAN1 1500 D4:CA:6D:29:6F:B7 enabled switch1
1 LAN2 1500 D4:CA:6D:29:6F:B8 enabled switch1
2 LAN3 1500 D4:CA:6D:29:6F:B9 enabled switch1
3 LAN4 1500 D4:CA:6D:29:6F:BA enabled switch1
4 WAN 1500 D4:CA:6D:29:6F:B6 enabled switch1

/ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.20.0/24
out-interface=OPENVPN log=no log-prefix=""

OPENVPN ip is 10.8.0.26

my pc ip address is 10.8.0.30

any idea ?

hello,

"Try to make masquarade rule like on the picture."

could you please reupload the picture

thanks
angel

Try to change to proxy-arp the LAN interface on the VPN server side.

This worked for me.

Kincaidc and overdriven: Since this post, I have moved on from PPTP to SSTP. I'm also a MikroTik amateur. However, if you will print out your config, I can take a look and try to troubleshoot.

Look through my final post from when I had it working (Post #3). For each step, I documented both using Winbox and Terminal.

Fill in the following information:
Your MikroTik LAN IP:
Your LAN DHCP Range:

Enter the following in terminal and post your results:
/ip pool print
/ppp profile print detail
/ppp secret print detail (change your username to 'username' and your password to 'password')
/interface pptp-server server print
/ip firewall filter print detail (This is for steps 5 & 6)
/interface ethernet print
/ip firewall nat print detail

Hopefully me (or someone more qualified) can help.

I have the same problem, the connection happens, I have access to equipment with external IP (modem) but not access to the host LAN, the internal network.
see:

1. MK Lan IP = 192.168.0.3

• LAN DHCP= 192.168.0.0/24

• ppp profile = default (dns-server=192.168.0.3 - gateway of my Local LAN server)

• 0 name="meuusuario" service=l2tp caller-id="" password="minhasenha"
  profile=default local-address=192.168.0.3 remote-address=192.168.0.5
  routes="" limit-bytes-in=0 limit-bytes-out=0

• enabled: yes
  max-mtu: 1460
  max-mru: 1460
  mrru: disabled
  authentication: mschap1,mschap2
  keepalive-timeout: 30
  max-sessions: unlimited
  default-profile: default
  use-ipsec: no
  ipsec-secret:
  caller-id-type: ip-address
  one-session-per-host: yes
  allow-fast-path: no

• 1 chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
  2 chain=input action=accept protocol=gre log=no log-prefix=""
  3 chain=input action=accept connection-state="" protocol=udp
  dst-address=192.168.0.5 dst-port=500,1701,4500 log=no log-prefix=""
  4 chain=input action=accept connection-state="" protocol=ipsec-esp
  dst-address=192.168.0.5 log=no log-prefix=""
  (rules for PPTP and L2TP)

• interface LAN with arp=proxy-arp

• (all Out WAN here) 0 ;;; Marcared WAN
  chain=srcnat action=masquerade out-interface-list=Lista_wan log=no
  log-prefix=""
  1 ;;; Marcared VPN
  chain=srcnat action=masquerade src-address=192.168.0.5
  dst-address=!192.168.0.5 log=no log-prefix=""

Comments:

• I turned off the hosts firewall

• the modems are in bridge

• In MK terminal, do not drop to client VPN, appears unreachable (192.168.0.5 - Time out)

my LAN speed on VPN is really slow, but internet is ok!
Can somebody help me?

if firewall nat add chain=srcnat action=masquerade out-interface=bridge

that will help)

Hi everybody.
I'm totally new in Mikrotik.
Im using my HapAc2 as a PPTP CLIENT ,
Everything is working from the client side - i can reach the internet and i can ping all devices located in server's LAN.
But - I CANNOT ping the Mikrotik Router LAN from the server side .
The Srever is running on DD-WRT - i got also another PPTP client ( onDD-WRT) - eveything works here - pinging form slient to server LAN and from server to client LAN.
This means that the server settings are right.
What should i do in Mikrotik to solve this problem ?
Please help me beacause i think i have tried everything.
Here are my settings:

MikroTik LAN IP: 192.168.4.1
LAN DHCP Range: 192.168.4.2-192.168.4.254
--------------
/ip pool print
# NAME RANGES
0 dhcp 192.168.4.2-192.168.4.254
--------------
/ppp profile print detail
Flags: * - default
0 * name="default" use-mpls=default use-compression=default
use-encryption=default only-one=default change-tcp-mss=yes
use-upnp=default address-list="" on-up="" on-down=""

1 * name="default-encryption" use-mpls=default use-compression=default
use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default
address-list="" on-up="" on-down=""
--------------
/ppp secret print detail
Flags: X - disabled
-------------
/interface pptp-client print
Flags: X - disabled, R - running
0 R name="VPN-PPTP" max-mtu=1450 max-mru=1450 mrru=disabled
connect-to=192.168.1.31 user="USER" password="PASSWORD"
profile=default-encryption keepalive-timeout=60 add-default-route=no
dial-on-demand=no allow=pap,chap,mschap1,mschap2
--------------
/ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

2 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

3 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

4 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

5 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

6 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
----------------
/interface ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP SWITCH
0 R ether1 1500 08:55:31:83:4D:F1 proxy-arp switch1
1 S ether2 1500 08:55:31:83:4D:F2 proxy-arp switch1
2 S ether3 1500 08:55:31:83:4D:F3 proxy-arp switch1
3 S ether4 1500 08:55:31:83:4D:F4 proxy-arp switch1
4 S ether5 1500 08:55:31:83:4D:F5 proxy-arp switch1
-----------------
/ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

1 chain=srcnat action=masquerade src-address=192.168.4.2-192.168.4.254 out-interface=VPN-PPTP log=no
log-prefix=""
-------------------
/ip route> print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable via ether1 distance=1
scope=30 target-scope=10 vrf-interface=ether1

1 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.27 gateway=ether1 gateway-status=ether1 reachable distance=0
scope=10

2 A S dst-address=192.168.2.0/24 gateway=VPN-PPTP gateway-status=VPN-PPTP reachable distance=1 scope=30
target-scope=10

3 ADC dst-address=192.168.2.253/32 pref-src=192.168.2.201 gateway=VPN-PPTP gateway-status=VPN-PPTP reachable
distance=0 scope=10

4 ADC dst-address=192.168.4.0/24 pref-src=192.168.4.1 gateway=bridge gateway-status=bridge reachable distance=0
scope=10
---------------------------------