Can't create VPN RUT241

I have a problem with my RUT 241.
I have set up a PPTP VPN pointing to my server at (QNAP NAS) and after all, this is what I get:

  • I can connect to the VPN if I use the same network (ethernet cable);
  • I can’t connect to the VPN if I use another external internet source (like my tethering phone), and I get an error that says, in short, max connections reached or too much latency. I’m sure that it is not the max connections reached because I’m the only one and I set up 20 max connections.


  • I can access the internet from the RUT241;
  • I can access the internet from my external internet source;
  • DNS and on the server
  • Enabled VPN PPTP from router from the page services>pptp as server
  • I prefer PPTP, but I even tried it with OpenVPN and QBelt (QNAP software). Same problem.
  • Server FW up to date

Am I missing something?

Below are some screenshots from the router config pages:


Could you clarify what role the RUT241 has in your configuration?
From the query, I understand that PPTP service of the RUT241 is not being used, however, your screenshot includes the PPTP configuration on the RUT241.
If you simply need to reach your QNAP NAS server from the internet, then port forwarding is all that is needed. Navigate to Network → Firewall → Port Forwards, and create a rule, which will forward the traffic from WAN to LAN on port 1723 (the default for PPTP) and the traffic should be sent to
Otherwise, please clarify your topology - which device is the server, which is the client, and what role does the RUT241 play.

Best regards,

I just need to reach it from the internet so I can connect and browse the shared folder from Windows Explorer.
The RUT 241 is the router (with SIM) where I have the server.
I have already set up a Port Forward from WAN to LAN at port 1723 (see the 4th screen, or below).
PS. I tried disabling the VPN feature and leaving only the port forwarding, but same problem.

I want to add that if I try to check the port status with online tools, they say it's closed.

I'm having the same issue. I have SSH, HTTP and HTTPS remote access enabled but none of my port forwards work. The ports say filtered/closed but I have them set in the firewall, so why aren’t they working? Even the mobile SIM public IP address is not accessible when trying it from a different network other than the router. This should not be so difficult. These units should be plug and play with minimal setup needed.

No port forwarding is needed for any of the VPNs, all of the rules will be created automatically. The online tools might not show the port as open, as it only accepts the PPTP protocol traffic. Could you share the first 16 bits of your mob1s1a1 interface address? The address format is, so please share only the yyy.yyy part. Thanks.
@tlamothe I will ask you to do the same.

Best regards,
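
The first two octets requested above are enough to tell a public address from a private or carrier-NAT one, which is presumably why they were asked for. An added sketch (not part of the reply above and not Teltonika code; the function name `classify_wan` and all sample prefixes except the 37.13 quoted in the thread are constructed):

```shell
#!/bin/sh
# Added example: classify a WAN address from its first two octets.
# Every range below is decidable from the first 16 bits, so a partial
# "yyy.yyy" value is sufficient input.
# On the router the address would come from: ifconfig mob1s1a1
classify_wan() {
    cw_in=$1
    case $cw_in in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;;
    esac
    cw_ifs=$IFS; IFS=.
    set -- $cw_in                 # split on dots into $1 $2 ...
    IFS=$cw_ifs
    { [ $# -ge 2 ] && [ $# -le 4 ]; } || { echo invalid; return 1; }
    for cw_o in "$@"; do
        case $cw_o in ????*) echo invalid; return 1 ;; esac
        [ "$cw_o" -le 255 ] || { echo invalid; return 1; }
    done
    cw_a=$1; cw_b=$2
    if [ "$cw_a" -eq 10 ]; then
        echo private              # 10.0.0.0/8 (RFC 1918)
    elif [ "$cw_a" -eq 172 ] && [ "$cw_b" -ge 16 ] && [ "$cw_b" -le 31 ]; then
        echo private              # 172.16.0.0/12 (RFC 1918)
    elif [ "$cw_a" -eq 192 ] && [ "$cw_b" -eq 168 ]; then
        echo private              # 192.168.0.0/16 (RFC 1918)
    elif [ "$cw_a" -eq 100 ] && [ "$cw_b" -ge 64 ] && [ "$cw_b" -le 127 ]; then
        echo cgnat                # 100.64.0.0/10 (RFC 6598, carrier NAT)
    elif [ "$cw_a" -eq 127 ]; then
        echo loopback
    elif [ "$cw_a" -eq 169 ] && [ "$cw_b" -eq 254 ]; then
        echo link-local
    else
        echo public
    fi
}

# Constructed sample prefixes, plus the 37.13 value from the thread.
for p in 37.13 10.44 100.72 192.168; do
    printf '%s -> %s\n' "$p" "$(classify_wan "$p")"
done
```

A `private` or `cgnat` result means the SIM sits behind the operator's NAT, so inbound connections from the internet cannot reach the router regardless of its firewall rules.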


I'm having the same trouble.

We are using RUT240 and RUT241. With the 240 the configuration works well; the same configuration and the same SIM card in the RUT241 do not work.

In RUT240 I'm using the firmware
I just upgraded the RUT241 to the latest firmware on the download site but it is still not working.

The “yyy” part of one of the failing connections is 37.13, but anyway it did work in the RUT240, so I don't think the problem is public or private IPs.

Edit: My case is somewhat different but may be affected by the same problem, I think.

I'm not using the routers as VPN servers, just as clients, while I have a Mikrotik for the server. My problem really is that even if both routers connect to the VPN, the 241 won't have access to it, nor ping in any direction (the VPN server can't ping the router and the router can't ping the VPN server, but in the VPN server I see the connection is up).

With the RUT240 everything is working fine.


The RUT240 and RUT241 use the same operating system - RutOS, so I doubt that the issue is device-specific. Instead, there might be some configuration issues. These could be caused by migration from older firmware versions or incorrect options.
Since the Mikrotik shows the connection as established, the issue is unlikely to be within the PPTP package itself, but rather the firewall. Can you verify that your firewall zones (Network → Firewall → General Settings) look like so:

Additionally, could you clarify what authentication (PAP, CHAP, etc.) is being used by the Mikrotik?

Best regards,


I'm using mschap2 as authentication in the Mikrotik.

And yes, the configuration in my RUT241 looks the same as what you sent me (the red squares at least), but it is the same config on my RUT240 and it is working, so I think it is not this:

I don't think it is a device fault, but a firmware fault, because when I was configuring the 240, the first thing I did was update the firmwares, but the newest got failures with the actual configuration of the routers, so I had to downgrade after it to 07.03.4.

Anyway, please tell me if you need more tests. I live in Spain so my timezone is pretty different, but I will be checking the thread.

Greetings and thanks for the fast response


Thank you for the information.
I will ask you to log into the CLI of the device (username root, password is the same as the WebUI), and run this command: vi /etc/ppp/options.pptp
Once the configuration file opens up, using the arrow keys navigate to the option refuse-mschap, press the i letter on the keyboard to enter the editing mode, and delete this line. After it’s deleted, press the Esc key, and enter :wq to save and quit.
After the editing window has closed, run the command /etc/init.d/pptpd restart and check if the Mikrotik network is still unreachable.

Best regards,
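
A non-interactive way to check what the edit described above changes, as an added sketch (not part of the reply and not RutOS code; the function names and the sample file contents are constructed). In pppd, `refuse-mschap` covers MS-CHAP version 1, while MS-CHAPv2 is controlled separately by `refuse-mschap-v2`.

```shell
#!/bin/sh
# Added example: report which auth methods a pppd options file refuses,
# then remove one option line while keeping a backup of the original.
audit_ppp_auth() {    # audit_ppp_auth FILE
    ap_file=$1
    [ -r "$ap_file" ] || { echo unreadable; return 1; }
    ap_out=
    for ap_m in pap chap mschap mschap-v2 eap; do
        # The trailing (space|end) keeps "refuse-mschap" from matching
        # "refuse-mschap-v2"; commented-out lines do not match either.
        if grep -Eq "^[[:space:]]*refuse-${ap_m}([[:space:]]|\$)" "$ap_file"; then
            ap_s=refused
        else
            ap_s=permitted
        fi
        ap_out="$ap_out${ap_m}=${ap_s} "
    done
    echo "${ap_out% }"
}

drop_ppp_option() {   # drop_ppp_option FILE OPTION
    cp "$1" "$1.bak" || return 1
    sed "/^[[:space:]]*${2}[[:space:]]*\$/d" "$1.bak" > "$1"
}

write_sample() {      # constructed sample, not the real RutOS file
    printf '%s\n' '# constructed sample' 'refuse-pap' 'refuse-chap' \
        'refuse-mschap' '#refuse-eap' > "$1"
}

# Demonstration on a temporary copy; on the router the file discussed
# in the thread is /etc/ppp/options.pptp.
ap_tmp=$(mktemp)
write_sample "$ap_tmp"
audit_ppp_auth "$ap_tmp"
drop_ppp_option "$ap_tmp" refuse-mschap
audit_ppp_auth "$ap_tmp"
rm -f "$ap_tmp" "$ap_tmp.bak"
```

On the sample file only the `mschap` entry changes from `refused` to `permitted`; the `mschap-v2` entry is unaffected by this edit.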


I tried this, and the results were the same.

I did it, then I tried to ping in both directions (router → VPN, VPN → router); none of them works.
After the tries I checked the config again and the line “refuse-mschap” was deleted correctly, so it saved and did not work.

I rebooted it afterwards but that did nothing either.

Just to clarify, have you tried pinging the Mikrotik tunnel address via the CLI of the RUT241?

Sorry for the confusion,

I did the ping via the troubleshoot section in the administration page after the changes in the CLI.

When it failed I tried to reboot the device and tried again, and as it wasn't working I checked the config; it was still the same, without the line “refuse-mschap” I had deleted before.

Is there any difference between making the ping via the CLI and via the troubleshoot section?

I just tried it but it didn't work from the CLI either.


Pinging from the WebUI is fine.
Could you post the output of the command ifconfig from the CLI?
There should be a line with the PPTP instance name, this is the information I’m interested in. If you cannot find this line, the tunnel is most likely not established.
Additionally, as per my last comment, are you trying to ping the LAN IP of the Mikrotik, or the virtual tunnel IP?

Best regards,