Per VLAN PPTP with RouterOS and Mikrotik

When you have multiple isolated VLAN’s in a network it would come in handy to be able to set up a PPTP VPN connection so you would be part of that network. This can be easily done with a Mikrotik and RouterOS.

Please look at the picture for the explanation.

The devices in each VLAN are isolated from each other but are able to communicate to the outside. When a PPTP user logs in the user can only access the devices in the attached VLAN. The HP Switch receives packets from the mikrotik in vlan 4,5 and 6 tagged and vlan 1 untagged. The client devices attached to the switch get the appropriate VLAN untagged.

The following limitations are present in this setup:

- Only one PPTP user can connect

In my final setup (we use this for a management network) I’ve solved this issue by changing the firewall rules from interface PPTP to IP addresses (the reason is that RouterOS creates a new interface for each PPTP connection).

To handle multiple users you would also need to setup an address pool for PPTP users and a PPTP profile to handle the pool.

The following files are available:

Mikrotik config – There is no admin password

Network drawing in PDF