PPTP, Mikrotik, Routing... What am I doing wrong?

Hello! I have run into this problem:
I created a PPTP tunnel between two Mikrotiks:

Mikrotik A, with a "white IP", is installed in the main office and is used as a gateway for users; a VPN PPTP server is running on it.
The configuration is this:
LAN: 192.168.0.0/24
PPP>Interface>PPTP Server Binding:
user1 (for example)
PPP>Secrets:
Name: user1
Local address: 192.168.200.1
Remote address: 192.168.200.2
Added routing:
IP>Routes:
Dst. Address: 192.168.1.0/24
Gateway: 192.168.200.2

Mikrotik B, with a "white IP", is installed in the branch and is used as a gateway for users; a VPN PPTP client is also configured on it.
The configuration is this:
LAN: 192.168.1.0/24
PPP>Interface>PPTP Client:
user1
Added routing:
IP>Routes:
Dst. Address: 192.168.0.0/24
Gateway: 192.168.200.1

The connection is established. However, ping does not pass from the ..1.0 network to the ..0.0 network; rather, it passes only from Mikrotik A to Mikrotik B. In the opposite direction there is a timeout... From machines in the LAN, the same timeout...
Please help me understand...
July 12th 19 at 17:09
4 answers
July 12th 19 at 17:11
Solution
I have heard this a couple of thousand times; in 99% of cases the culprit was the Windows firewall, which by default allows connections only from addresses in the same network.
don't forget that the firewall in Windows should be configured, not disabled
Of course, I'll check the firewall on your server. In the first stage I took the connection profile for Mikrotik B/C and set up the client on Windows, so it worked. - kristy13 commented on July 12th 19 at 17:14
Pardon my skepticism, the Windows firewall was a bigger part of the problem. - kristy13 commented on July 12th 19 at 17:17
July 12th 19 at 17:13
/ip firewall export
post the output here, please
/ip firewall filter
add chain=input comment="accept remote winbox" disabled=yes in-interface=ether1-WAN port=8291,80 protocol=tcp
add chain=input comment="accept PPTP tunels" dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input comment="accept l2tp tunels" port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow related connections" connection-state=related
add chain=input comment="allow established connections" connection-state=established
add chain=input in-interface=!ether1-WAN src-address=192.168.0.0/24
add chain=output comment="accept everything to internet" out-interface=ether1-WAN
add chain=output comment="accept everything to non internet" out-interface=!ether1-WAN
add chain=output comment="accept everything"
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=input comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade out-interface=ether1-WAN - kristy13 commented on July 12th 19 at 17:16
Try specifying the src. address in the NAT rules on both routers - the internal network of each router - and omit the out. interface. - kristy13 commented on July 12th 19 at 17:19
:
Mikrotik B
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade out-interface=pppoe-out1
add action=masquerade chain=srcnat src-address=192.168.0.0/24

This is how it looks now. There is no ping from the 192.168.0.0 network..
And what if the IP addresses inside the tunnel are placed in the 192.168.0.0/24 subnet? - kristy13 commented on July 12th 19 at 17:22
add action=masquerade chain=srcnat comment=Masquerade out-interface=pppoe-out1

And what is this for? - carli96 commented on July 12th 19 at 17:25
On Mikrotik A you need:
/ip firewall nat
add action=masquerade chain=srcnat comment=Wan src-address=192.168.0.0/24

On Mikrotik B:
/ip firewall nat
add action=masquerade chain=srcnat comment=Wan src-address=192.168.1.0/24
- kristy13 commented on July 12th 19 at 17:28
:
add action=masquerade chain=srcnat comment=Masquerade out-interface=pppoe-out1

And what is this for?


It's NAT for Internet access, if I understand correctly.

I.e. the other NAT rules are not needed? - carli96 commented on July 12th 19 at 17:31
Yes. just what I wrote. if you do not specify the external interface in the NAT rule, Mikrotik will itself see where to send the packet. For example, by the routing rules: 192.168.1.0/24 will go to the VPN, and everything else to ether1-wan. - carli96 commented on July 12th 19 at 17:34
OK, did as you said, still timeout... - kristy13 commented on July 12th 19 at 17:37
Post the routing table of MT B here, please. - carli96 commented on July 12th 19 at 17:40
:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
 0 ADS 0.0.0.0/0 10.73.***.*** 0
 1 ADC 10.73.***.****/32 46.147.***.*** pppoe-out1 0
 2 A S 192.168.0.0/24 pptp-out-msk 1
 3 ADC 192.168.1.0/24 192.168.1.1 rov.local.bridge 0
 4 ADC 192.168.200.1/32 192.168.200.2 pptp-out-msk 0
- kristy13 commented on July 12th 19 at 17:43
:
2 A S 192.168.0.0/24 pptp-out-msk 1
should refer not to the interface but to the IP, i.e. 192.168.200.1; otherwise NAT will not work - cheyanne.Altenwerth20 commented on July 12th 19 at 17:46
: I did not put it quite precisely - not the IP of the interface, but the IP of the gateway. - kristy13 commented on July 12th 19 at 17:49
:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
 0 ADS 0.0.0.0/0 10.73.***.** 0
 1 ADC 10.73.***.**/32 46.147.**.*** pppoe-out1 0
 2 A S 192.168.0.0/24 192.168.200.1 1
 3 ADC 192.168.1.0/24 192.168.1.1 rov.local.bridge 0
 4 ADC 192.168.200.1/32 192.168.200.2 pptp-out-msk 0

Timeout... - cheyanne.Altenwerth20 commented on July 12th 19 at 17:52
:
Just in case: doesn't the firewall on the first router cut incoming icmp? - cheyanne.Altenwerth20 commented on July 12th 19 at 17:55
:
Here in the listing of firewall rules I see the last rule, which drops all other incoming connections, but before it I do not see anything that allows inbound icmp - kristy13 commented on July 12th 19 at 17:58
:
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp

You create extra chains, but do not define rules for them... why? - cheyanne.Altenwerth20 commented on July 12th 19 at 18:01
:
/ip firewall filter
add chain=input comment="accept remote winbox" disabled=yes in-interface=ether1-WAN port=8291,80 protocol=tcp
add chain=input in-interface=<pptp-pptp_rov-1> protocol=icmp


After adding this rule, pings started to go between the routers; into the networks there is no ping...
The firewall chains came from a script I found somewhere on the Internet. I still do not have enough knowledge to configure the firewall independently and meaningfully...
I disabled these rules. The strange thing is that I completely disabled the firewall and the ping still didn't go.. - cheyanne.Altenwerth20 commented on July 12th 19 at 18:04
:
Google -> manual iptables
+
https://habrahabr.ru/post/188718/
You don't need QoS yet, but the article explains in detail what goes where and from where inside Mikrotik.

In the meantime, try to temporarily disable
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp

But better give a link to the script... maybe besides filter it also reaches into mangle... - cheyanne.Altenwerth20 commented on July 12th 19 at 18:07
: Here is the firewall script:
/ip firewall filter

# INPUT
add chain=input connection-state=invalid action=drop comment="drop invalid connections" 
add chain=input connection-state=related action=accept comment="allow related connections"
add chain=input connection-state=established action=accept comment="allow established connections"

# ext input

# local input
add chain=input src-address=192.168.0.1/24 action=accept in-interface=!ether1-WAN
# drop all other input
add chain=input action=drop comment="drop everything else"

# OUTPUT
add chain=output action=accept out-interface=ether1-WAN comment="accept everything to internet"
add chain=output action=accept out-interface=!ether1-WAN comment="accept everything to non internet"
add chain=output action=accept comment="accept everything"

# FORWARD
add chain=forward connection-state=invalid action=drop comment="drop invalid connections" 
add chain=forward connection-state=established action=accept comment="allow already established connections" 
add chain=forward connection-state=related action=accept comment="allow related connections"

add chain=forward src-address=0.0.0.0/8 action=drop 
add chain=forward dst-address=0.0.0.0/8 action=drop 
add chain=forward src-address=127.0.0.0/8 action=drop 
add chain=forward dst-address=127.0.0.0/8 action=drop 
add chain=forward src-address=224.0.0.0/3 action=drop 
add chain=forward dst-address=224.0.0.0/3 action=drop

# (1) jumping
add chain=forward protocol=tcp action=jump jump-target=tcp 
add chain=forward protocol=udp action=jump jump-target=udp 
add chain=forward protocol=icmp action=jump jump-target=icmp

# (3) forward accept from local to internet
add chain=forward action=accept in-interface=!ether1-WAN out-interface=ether1-gateway \
 comment="accept from local to internet"

# (4) drop all other forward
add chain=forward action=drop comment="drop everything else"

# (2) deny some types common types
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

# (5) drop all other forward
add chain=forward action=drop comment="drop (2) everything else"


In mangle there are only dynamically created rules...
0 D chain=forward action=change-mss new-mss=1410 passthrough=yes tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1411-65535 
 log=no log-prefix="" 

 1 D chain=forward action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn protocol=tcp in-interface=all-ppp tcp-mss=1361-65535 log=no 
 log-prefix=""
- kristy13 commented on July 12th 19 at 18:10
And, yes, I have disabled those same chains...
If Mikrotik's default policy is to allow everything, why is there no ping with the firewall completely disabled? - cheyanne.Altenwerth20 commented on July 12th 19 at 18:13
:
The script contains many more rules than you indicated in your first comments.
As for the question - in your place I would back up the configs, wipe them, and set everything up from scratch, working through pptp, nat, and firewall point by point.
We can spend more time on guesswork :) - kristy13 commented on July 12th 19 at 18:16
:
It's not as scary and not as difficult as it seems at first glance - I went through all of this myself just three years ago :) Back then there was significantly less documentation on Mikrotik in the Runet. - kristy13 commented on July 12th 19 at 18:19
: Yes, indeed the script has more rules than I have; however, the ones I showed you are the ones that are installed. It has already occurred to me to tear it down and rebuild, but I still would not want to do it, because MT A also acts as a VPN L2TP server for managers working remotely, and they work almost always.
Of course, if no solution is found, I will have to set it up from scratch, but I'd like to avoid it. - cheyanne.Altenwerth20 commented on July 12th 19 at 18:22
:
So, again: back up the configs, remove all the filter rules and set them up anew. You can do it from this script, but examining every line.
Most likely you simply do not need most of it, but it will be useful in any case.
//I, in particular, took away from it that with a large number of rules using jump-target is wildly convenient :) - cheyanne.Altenwerth20 commented on July 12th 19 at 18:25
July 12th 19 at 17:15
and what if you set the ARP parameter on the ether2 interface to proxy-arp?
proxy-arp is set on the local bridge. That should be enough, I think. - kristy13 commented on July 12th 19 at 17:18
not relevant here at all, proxy-arp is for something else - kristy13 commented on July 12th 19 at 17:21
July 12th 19 at 17:17
I did not understand:
add action=masquerade chain=srcnat comment=Masquerade out-interface=pppoe-out1 - is this rule there or not?
Not now. Rather, it is there, but disabled. Now it is like this:
Mikrotik A:
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade disabled=yes out-interface=ether1-WAN
add action=masquerade chain=srcnat comment=wan src-address=192.168.0.0/24

Mikrotik B:
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade disabled=yes \
out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=wan src-address=192.168.2.0/24 - kristy13 commented on July 12th 19 at 17:20
add action=masquerade chain=srcnat comment=wan src-address=192.168.0.0/24
 add action=masquerade chain=srcnat comment=wan src-address=192.168.2.0/24

what is it? o_O you do realize that A, before sending the packet to the network 192.168.1.0/24, changes the address in the packet to 192.168.2.1? and when it answers, B changes the address to 192.168.2.2? well, they talked to each other, what more do you want? - kristy13 commented on July 12th 19 at 17:23
:
Sorry, I copied it and did not correct it... these are the settings of the third router (Mikrotik C); it of course has its own subnet, 192.168.2.0/24. It will also connect as a client to MT A. I decided not to mention it, to try on the MT A - MT B pair for now. - kristy13 commented on July 12th 19 at 17:26
: so in the end, can you give the current settings of the router in the output without your intervention? from the first review of Alexander Koryukin, everything is OK with the settings, but the farther into the forest, the stronger the feeling that you edit the config before showing it to us and are testing our psychic abilities - carli96 commented on July 12th 19 at 17:29
: Of course I can. What matters to me is not that you tell me how to do it, but to understand how it works and how to set it all up correctly. For starters, I decided to set everything up on MT A - MT B. If you insist, here:

Mikrotik A VPN PPTP Server.
Configuration:
LAN: 192.168.0.0/24
PPP>Interface>PPTP Server Binding:
user1 (for example)
PPP>Secrets:
Name: user1
Local address: 192.168.200.1
Remote address: 192.168.200.2

PPP>Interface>PPTP Server Binding:
user2 (for example)
PPP>Secrets:
Name: user2
Local address: 192.168.200.1
Remote address: 192.168.200.3

Added routing:
For Mikrotik B
IP>Routes:
Dst. Address: 192.168.1.0/24
Gateway: 192.168.200.2

For Mikrotik C
IP>Routes:
Dst. Address: 192.168.2.0/24
Gateway: 192.168.200.3

Mikrotik B VPN PPTP Client.
The configuration is this:
LAN: 192.168.1.0/24
PPP>Interface>PPTP Client:
user1
Added routing:
IP>Routes:
Dst. Address: 192.168.0.0/24
Gateway: 192.168.200.1

Mikrotik C VPN PPTP Client.
The configuration is this:
LAN: 192.168.2.0/24
PPP>Interface>PPTP Client:
user2
Added routing:
IP>Routes:
Dst. Address: 192.168.0.0/24
Gateway: 192.168.200.1

The configuration of the Firewall is identical on all three devices except Mikrotik A, where PPTP is allowed. - kristy13 commented on July 12th 19 at 17:32
in general, the algorithm is this:
1) allow forwarding on the gateways (either it is allowed by default, and/or an allow rule must come before the corresponding deny rule).
2) set up the routing on the gateways. masquerading must be disabled (otherwise the point of the routing is lost)

if ping from 192.168.200.1 to 192.168.200.2 (or vice versa) succeeds, then you're hiding something; maybe, judging by the above diagram, everything is OK - carli96 commented on July 12th 19 at 17:35
:

if ping from 192.168.200.1 to 192.168.200.2 (or vice versa) succeeds, then you're hiding something; maybe, judging by the above diagram, everything is OK

From Mikrotik A (192.168.200.1) to Mikrotik B (192.168.200.2) ping works, and vice versa it does not. - carli96 commented on July 12th 19 at 17:38
well, figure out why or show unedited config - kristy13 commented on July 12th 19 at 17:41
: What should I show? - carli96 commented on July 12th 19 at 17:44
/ip firewall export
A and B
allow, on A, in the input chain of the filter table, packets on the pptp interface and ping again - kristy13 commented on July 12th 19 at 17:47
B is not available yet, but C is

Mikrotik A
/ip firewall filter
add chain=input comment="accept remote winbox" disabled=yes in-interface=ether1-WAN port=8291,80 protocol=tcp
add chain=input in-interface=<pptp-pptp_rov-1>
add chain=input comment="accept PPTP tunels" dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input comment="accept l2tp tunels" port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow related connections" connection-state=related
add chain=input comment="allow established connections" connection-state=established
add chain=input in-interface=!ether1-WAN src-address=192.168.0.0/24
add chain=output comment="accept everything to internet" out-interface=ether1-WAN
add chain=output comment="accept everything to non internet" out-interface=!ether1-WAN
add chain=output comment="accept everything"
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=input comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment=wan src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment=Masquerade disabled=yes out-interface=ether1-WAN


Mikrotik C
/ip firewall filter
add chain=input comment="accept Winbox remote" in-interface=pppoe-out1 port=8291 protocol=tcp
add chain=output comment="accept everything to internet" out-interface=ether1-WAN
add chain=output comment="accept everything to non internet" out-interface=!ether1-WAN
add chain=output comment="accept everything"
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment=wan src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=Masquerade disabled=yes out-interface=pppoe-out1


The input rule helped. Ping reaches the router, but ping into the network (192.168.0.0) does not pass. - cheyanne.Altenwerth20 commented on July 12th 19 at 17:50
:
1) allow forwarding on the gateways (either it is allowed by default, and/or an allow rule must come before the corresponding deny rule).

And how do I do that? - kristy13 commented on July 12th 19 at 17:53
on A remove
add action=masquerade chain=srcnat comment=wan src-address=192.168.0.0/24
on C, accordingly,
add action=masquerade chain=srcnat comment=wan src-address=192.168.2.0/24

in Mikrotik the standard policies are allow. I was still confused by the jumps in the chain - I thought packets were cut there - cheyanne.Altenwerth20 commented on July 12th 19 at 17:56
: alegzz: i.e. there should be no NAT in any rules at all?
The jumps are turned off - cheyanne.Altenwerth20 commented on July 12th 19 at 17:59
: for Ethernet - no. if you want NAT, then use the address 192.168.201-203, not 192.168.0.x.
Yes, if you want routing between B and C, you will need to enable proxy arp on the pptp interface on Mikrotik A - kristy13 commented on July 12th 19 at 18:02
masquerading is needed for devices to whose IP addresses there is no routing. Since packets to private addresses are not routed on the Internet, masquerading is needed for the Internet.
add action=masquerade chain=srcnat comment=Masquerade disabled=yes out-interface=ether1-WAN
that one is right (allow the rule)
add action=masquerade chain=srcnat comment=wan src-address=192.168.0.0/24
that one is wrong; maybe without specifying the interface the address would be changed for all packets from 192.168.0.0/24, including those to the networks 192.168.1-2.0/24 - cheyanne.Altenwerth20 commented on July 12th 19 at 18:05
How do I connect to the Internet without NAT rules? Maybe I don't understand something... - cheyanne.Altenwerth20 commented on July 12th 19 at 18:08
: I wrote to you.
add action=masquerade chain=srcnat comment=Masquerade disabled=yes out-interface=ether1-WAN

specify the interface (allow the rule above) - cheyanne.Altenwerth20 commented on July 12th 19 at 18:11
: Did the ping in the LAN there. Only the routers respond to ping - kristy13 commented on July 12th 19 at 18:14
so that made it? - cheyanne.Altenwerth20 commented on July 12th 19 at 18:17
: well, let's have /ip route print then, on both routers - kristy13 commented on July 12th 19 at 18:20
:
Set up masquerading as you said. Here is the routing:
Mikrotik A
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
 0 A S 0.0.0.0/0 188.64.***.* 1
 1 ADC 188.64.***.*/24 188.64.***.** ether1-WAN 0
 2 ADC 192.168.0.0/24 192.168.0.1 dm.local.bridge 0
 3 ADC 192.168.0.171/32 192.168.0.93 <l2tp-krr.offic... 0
 4 ADC 192.168.0.173/32 192.168.0.33 <l2tp-loginova-1> 0
 5 A S 192.168.1.0/24 192.168.200.2 1
 6 A S 192.168.2.0/24 192.168.200.3 1
 7 S 192.168.3.0/24 pptp-in-zdorovie 1
 8 A S 192.168.11.0/24 pptp-out-kemerovo 1
 9 ADC 192.168.20.30/32 192.168.20.31 pptp-out-kemerovo 0
10 ADC 192.168.200.2/32 192.168.200.1 <pptp-pptp_krr> 0
11 ADC 192.168.200.3/32 192.168.200.1 <pptp-pptp_rov-1> 0

Mikrotik C
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
 0 ADS 0.0.0.0/0 10.73.***.** 0
 1 ADC 10.73.***.**/32 46.147.**.*** pppoe-out1 0
 2 A S 192.168.0.0/24 192.168.200.1 1
 3 ADC 192.168.2.0/24 192.168.2.1 rov.local.bridge 0
 4 ADC 192.168.200.1/32 192.168.200.3 pptp-out-msk 0
- kristy13 commented on July 12th 19 at 18:23
well then, capture with a packet sniffer on both routers and see where the packet went in and came out (or went out and did not go in) - cheyanne.Altenwerth20 commented on July 12th 19 at 18:26
Launched a sniffer, launched ping from MT C (192.168.0.2) to MT A (192.168.0.1).
On MT C
Packets go back and forth (rx / tx) src. port 55871 dst. port 5678
On MT A
Also back and forth, though the src. port and dst. port fields are empty.

launched ping from MT C (192.168.0.2) to an address inside the network (192.168.0.100)
On MT C
Packets go in one direction (tx), fields src. port 55871 dst. port 5678.
On MT A
Packets go in one direction (rx), fields src. port and dst. port empty.

a packet like this also slips through:
On the MT C sniffer
Outbound (tx) src.address: 192.168.200.3 src.port 55871 dst.address 255.255.255.255 dst.port 5678 size 140
On the MT A sniffer
Incoming (rx) src.address: 192.168.200.3 src.port 55871 dst.address 255.255.255.255 dst.port 5678 size 140 - cheyanne.Altenwerth20 commented on July 12th 19 at 18:29
It feels like routing simply does not work... - kristy13 commented on July 12th 19 at 18:32
: why 192.168.0.2 and 192.168.0.1? O_o - cheyanne.Altenwerth20 commented on July 12th 19 at 18:35
: I was in a hurry. 192.168.2.1 and 192.168.0.1, of course. - kristy13 commented on July 12th 19 at 18:38
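
The masquerade point argued in the comments above (a srcnat rule matched only by src-address also rewrites traffic routed into the tunnel, while one bound to the WAN interface does not), as an added Python model that is not code from the thread. Subnets and tunnel addresses come from the posts; the WAN address 203.0.113.10, the interface name pptp-to-B and the host addresses are constructed for the example.

```python
import ipaddress

# Routes on Mikrotik A, after the thread's route print: (prefix, out-interface,
# router's own address on that interface). The WAN address and the interface
# name "pptp-to-B" are constructed; the thread masks or truncates the real ones.
ROUTES_A = [
    ("0.0.0.0/0",      "ether1-WAN",      "203.0.113.10"),
    ("192.168.0.0/24", "dm.local.bridge", "192.168.0.1"),
    ("192.168.1.0/24", "pptp-to-B",       "192.168.200.1"),
]

# srcnat rules on Mikrotik A as posted mid-thread: the WAN rule is disabled,
# and masquerade is matched by source subnet only.
NAT_AS_POSTED = [
    {"out-interface": "ether1-WAN", "disabled": True},
    {"src-address": "192.168.0.0/24"},
]
# What the later comments advise: masquerade only what leaves through the WAN.
NAT_WAN_ONLY = [{"out-interface": "ether1-WAN"}]


def route(dst):
    """Longest-prefix match; returns (out_interface, router_address_on_it)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in ROUTES_A if addr in ipaddress.ip_network(r[0])]
    best = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], best[2]


def source_after_srcnat(rules, src, dst):
    """Source address the packet carries when it leaves the router.

    srcnat runs after the routing decision, so out-interface is known.
    The first enabled rule whose matchers all fit wins; masquerade replaces
    the source with the router's address on the outgoing interface.
    """
    out_iface, router_addr = route(dst)
    for rule in rules:
        if rule.get("disabled"):
            continue
        net = rule.get("src-address")
        if net and ipaddress.ip_address(src) not in ipaddress.ip_network(net):
            continue
        if rule.get("out-interface", out_iface) != out_iface:
            continue
        return router_addr
    return src


def rewritten_tunnel_flows(rules, lan_host, remote_hosts):
    """Audit helper: non-WAN destinations that would see a NATed source."""
    return [h for h in remote_hosts
            if route(h)[0] != "ether1-WAN"
            and source_after_srcnat(rules, lan_host, h) != lan_host]


if __name__ == "__main__":
    lan_host, branch_host, internet = "192.168.0.100", "192.168.1.10", "198.51.100.7"
    for name, rules in (("as posted", NAT_AS_POSTED), ("WAN only", NAT_WAN_ONLY)):
        print(name,
              "-> branch sees", source_after_srcnat(rules, lan_host, branch_host),
              "| internet sees", source_after_srcnat(rules, lan_host, internet))
```

With the WAN-only rule the branch host sees the real LAN source, so firewall rules and logs on the far side can be written against 192.168.0.0/24 rather than against the tunnel endpoint address.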
